Addicted to IT

How-To: Configure SSTP RAS VPN server on 2008 R2

2011-07-07T21:01:00.002-05:00

For anyone working on getting a 2008 SSTP server running properly, or just looking for some guidance, I strongly recommend Microsoft's "SSTP Remote Access Step-by-Step Guide: Deployment" . The step-by-step walk through is useful. Before you get started through, make sure you check out "How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013" (KB961880).

As for tips... if you're following the step-by-step guide... after you've installed the Active Directory Certificate services, and the Certification Authority Web Enrollment (essentially the same step), but before you "request a server authentication certificate" by hitting http://localhost/certsrv on your new SSTP/RAS server do the stuff explained in KB961880 before proceeding on and finishing the SSTP step-by-step guide. This is an important step, because if you do not do it, and instead just follow the step-by-step guide... when you finish and you're testing the SSTP VPN client, you will get the following error: "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013".

For what it's worth... I actually spent some time researching a couple of other non-Microsoft guides when getting started, and those turned out to cause me more problems than had I just started with the Microsoft guide. Also, if you're knee deep in errors, like "error 812", or "ID 4402"... and in the back of your mind you're wondering things like... "Do I need Active Directory functional level to be at 2008?", or "Do I need a 2008 DC?", the answer to both is no. Your 2003 Native mode DC's are just fine.

So if you're running into errors like the above, or windows local authentication works, but domain authentication doesn't, and it's not yet a production server... save yourself some time, check out Microsoft's guide, and start-over.

ThinManager: Enable Detailed Logging

2011-02-17T20:19:00.005-05:00

In order to enable detailed/debug-type logging in ThinManager, do the following... create a DWORD registry value called "LogOutput" here... HKLM\Software\Automation Control Products\ThinManager ... set the value to 14 (or 78 to enable detailed security logging as well), and restart the ThinServer service. This will start generating log files in your ThinManager program files directory - keep an eye on it though, and don't leave it in place forever, or you'll consume the drive. It's useful for troubleshooting synchronization issues between Thinservers, and time sync issues that look like "synchronization failed" events in Thinmanager event log.

Load Balancing Terminal Services and an intro to ThinManager

2010-11-08T22:13:00.004-05:00

If you think about Terminal Services and the core functionality that terminal services provides (remote desktop), the ThinManager platform extends that core functionality. What I mean by that, is that it introduces configuration management, rapid thinclient deployment/replacement, and incorporates high-end features (like load balancing, and fail-over) into a platform that is maintainable. What's also interesting about ThinManager is that it doesn't necessarily require the degree of specialized skill-sets that a platform like Citrix Metaframe/XenAPP requires. In short, it's interesting.

I bring this all up, because I've recently been working with ThinManager. While the platform perhaps caters to manufacturing - it isn't necessarily exclusive to that market. If load balancing is your only problem, there are many ways to handle that. But ThinManager has an interesting way of approaching the problem, and has a host of mature features that help to make it an attractive option. From just a load-balancing standpoint, ACP's SmartSession technology looks at the utilization of your terminal servers before placing new connections on a given server. While that's clever, right off the bat it's doing more than round-robin DNS, or NLB with less complexity, and probably less configuration effort. While ThinManager might not be the only load-balancing game in the town, it's a capable one - and if you're in need extending the core functionality of terminal services, or might benefit from the other features included in ThinManager - you might want to check it ou

As I work more with the platform more, I'll include some more posts.

SAN Shutdown Script

2010-09-27T22:32:00.000-05:00

Here's a short python script that you can use to automate a clean shutdown of a Equallogics PS6000xv. I threw it together so that I could run/schedule it from an ESX 4 host; it implements the telnetlib module to automate a telnet session with a Dell PS6000xv (tested on firmware v4.1.3, R91175). I thought it might come in handy for someone else, as Dell/Equallogics doesn't publish any code to do this kind of work for you. Make sure that when you run this, you don't have any active I/O going on.


import sys
import telnetlib

hostIP = "192.168.0.2"
user: "sanadminaccount"
password: "password"

tn = telnetlib.Telnet(hostIP)
tn.read_until("login: ")
tn.write(user + "\r\n")
tn.write(password + "\r\n")
tn.read_until("SANNAME> ")
shutdownstring = tn.write("shutdown" + "\r\n")
tn.read_until("[no]")
shutdownresponse = tn.write("yes" + "\r\n")
tn.write("logout" + "\r\n")

print tn.read_all()

Installing VMtools on a Binnami Redmine appliance

2010-08-19T20:39:00.000-05:00

Here's how to install VMtools into a Redmine bitnami appliance, running OpenSuse 11.1.

1. Use "zypper" (the OpenSuse equivalent of aptget) to install the following packages...

1. "zypper install tar, make, gcc, linux-kernel-headers, linux-sources

2. Use the VIclient to right-click the Redmine appliance, and select "Install VMtools"

3. Then just mount the virtual CD that includes vmtools, and install the rpm.

1. "mkdir /mnt/virtual"

2. "mount /dev/cdrom /mnt/virtualcd"

3. "ls /mnt/virtualcd"

4. "rpm -ivh VMwareTools-1.0.3-44356.i386.rpm"

5. Reboot ("shutdown -r now")

6. "vmware-config-tools.pl -default"

After the installer completes, open the VMware Infrastructure Client and verify that Vmware Tools is listed as being installed on the summary tab.

vSphere: VM Stuck during Power down at 95%

2010-08-19T07:09:00.001-05:00

Occasionally I've run into a VM that gets stuck at 95% while powering down. I know the issue isn't unheard of, but I didn't run into it until working with a few ESXi 4.0.0 208167 servers. So - if you have a virtual machine hangs while shutting down - and you're certain that you're just not waiting for it to finish powering down, and you've already tried to "power off" from the client- but the power-off command is stuck at 95%, you may have to manually kill the hung VM.

1. Login to the host with the hung machine via SSH (enable SSH if you haven't already)

2. do a /sbin/services.sh restart (or services vmware-mgmt restart on ESX)... which is the same thing as doing this from the ESXi console

1. This command will restart the agents that are installed in /etc/init.d/ ... including hostd, ntpd, sfcbd, sfcbd-watchdog, slpd and wsmand (and HA if you have it)

2. When you do this, the VI/vsphere client will loose connectivity as those services restart, but VM's that are running will not be affected

3. After the services have restarted, you can re-connect via the VI client.

3. Via SSH, go to the right datastore (such as, /vmfs/volumes/DatastoreName/VMname), and delete (rm -r) the *.vswp file (the swap file).

4. If you can't delete it, and you're getting an error message to the effect... can not remove VM: device or resource busy... go find the processes associated with the VM.

1. "ps auxfww|grep "vmname"

2. "kill -9 ProcessIDNumber"

5. After doing so, remove the orphaned VM from inventory... just right-click the "unknown" VM, and select "remove from inventory", being careful to not delete it.

6. Then delete the *.log, and *.0*. If you don't, re-adding the VM may cause the interface to hang, and you'll have to go through some of this all over again.

7. Add the VM back to the inventory, and you should be able to start the VM.

I have run into a situation once, where a host reboot was the only way to solve the problem. But other than that, this seems to be quite effective.

Equallogic PS 4.3.6 firmware upgrade process

2010-08-04T13:50:00.003-05:00

Dell released their PS-series 4.3.6 firmware upgrade last week. I've applied the update to one of the PS6000xv devices that I have running. While Dell seems to do a thorough enough job with validating these before they get released... I thought I'd document my experience with applying the firmware in case anyone's interested in knowing what to expect.

The environment that I'm working in on this one consists of 7 vSphere 4.1 hosts, with all of the VM's running off of this particular PS6000xv.

My first step was to shutdown most of the VM's and make sure the SAN doesn't have a lot of I/O running on it. Depending on what firmware you're at, you don't need to have your I/O completely stopped , Dell just recommends not having much I/O going on. While your thinking about that statement, make sure you factor in any I/O that's happening outside of your virtualization stack. For instance, if you have servers mounting LUNs directly off of the PS, they too will create I/O.
Download the firmware 4.3.6 from the Equallogics support site using your individual credentials. If you get the zip, extract it because the PS6000xv just wants the *.tgz
FTP into the PS using your grpadmin credentials and upload the tgz file to the root of the FTP site.
If you have old *.tgz's in there, you can delete them to clear up space. So if you get a failure notification about not having enough free space, it's probably talking about the FTP site - check and see what all you have in there.
After the upload, logout.
SSH into the PS using grpadmin credentials - connect to one of the individual ports, not the group IP.
Use the "update" command, and the firmware will validate and begin updating the controllers - 1 at a time. It took about 4 minutes per controller for me... I had shut all of my VM's down (expect 1), so there wasn't much I/O going on at the time.
Use the "restart" command when finished... keep in mind, this restart effects the controllers 1 at a time. It does the first, and then the second. The Group IP will stop responding during the update of the second controller restart, in my case there were 6 dropped packets during in a continuous ping to the Group IP. Also realize that your SSH session will drop at some point... that point depending on which IP and controller you connected to earlier.
After the second controller is restarted, go ahead an login into the Web UI (or the CLI if that's your preference) and check that the PS has been successfully upgraded by looking at the controller tab and verifying that the firmware was upgraded to version you expect. If you have vCenter open, you might notice that very briefly (less than 10 seconds in my case) some of the VM's and/or datastores will read as "unavailable".

If you happen to be a bit impatient and login to the Web interface too soon and check the firmware, you might notice an error like "battery failed" on whichever controller was second to restart (even if the firmware revision is not updated). If that's the case for you, just wait a few minutes and refresh the info. Also, if you connected immediately back in via SSH, or were using a serial connection - after your ping to the group IP started to drop, you can wait around in the CLI until the restart firmware complete notification echo's in the CLI.

Adding bginfo to your vSphere Templates

2010-03-12T18:28:00.003-05:00

I don't know about you, but I personally find Sysinternal's BgInfo tool quite useful... having comptuer names, IP addresses, and maybe one or two other things sitting on my desktop helps me keep track of which machine I'm doing work on. Assuming that it makese sense in your situation, you might want to consider adding BgInfo to your vSphere/ESX templates. If you're already familiar with BgInfo - just put a shortcut into your allusers startup profile in the template. Here's the step-by-step procedure.

Grab a copy of BgInfo.
Create your BgInfo template (save-as), and place it and bginfo somewhere like this: c:\windows\system32\bginfo
Create a shortcut, and put it here so that it runs regardless of who logs in:
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
Edit the shortcut target like so: C:\windows\system32\bginfo\Bginfo.exe c:\windows\system32\bginfo\update.bgi /NOLICPROMPT /TIMER:0
Now whenever you deploy a new VM, and someone logs into the machine, bginfo puts the relevent data on their desktop.

In your case, it might make more sense to put your bginfo template on a network share somwhere instead of the local machine.

vSPhere 4 on GA-EX58-UD3R

2010-03-06T12:47:00.010-05:00

If you're looking to put together a vSphere whitebox, the Gigabyte GA-EX58-UD3R motherboard with an Intel Core i7 920 isn't a bad choice. If you're thinking about going down this path - there are a few things worth mentioning... and while there's nothing particularly challenging or "show-stopping" about getting this working properly (except maybe the NIC), reading this post might save you some time.

Networking

You should know that the onboard Realtek RTL8168C NIC doesn't work - vSphere doesn't detect it. Ultimatewhitebox has a note about this, as do some forum posts... and sure enough, they're right. I found a few Intel PRO/1000 MT PCI Desktop Adapter's on eBay that work just fine, but if you're buying parts for this - go ahead and get a couple of the Intel NICs now. And you might want to consider disabling the onboard NIC during the setup.

Optical Drive

The takeaway here - make certain that your optical drive and SATA drive are on different channels. Also, if you want to avoid the below consider using a SATA optical drive instead of bothering with using an old IDE drive that you might have laying around.

Things to avoid...

I was using the eval version of vSphere 4 (4.0.0, 208167) on disc. The disc was detected on boot up, and I was able to get launch the vSphere GUI setup and get the installation started.

Initially, I was using an old IDE DVD drive. While the boot process went mostly as expected (with an odd exception sometime after the setup process started I had a message "CDROM Failed to Mount") I was able to get to the point in the setup where I had to create partitions. At that point, the setup process wasn't seeing my onboard SATA hard drive. So I rebooted, checked the BIOS and confirmed that the drive was being detected... I did happen to notice that it was on the same channel as the hard drive. After moving them to different channels, I launched the GUI setup again and when it got to the point of detecting the SATA hard drive, it was there. After seeing that, the setup process needs to copy some files off of the CD... which it suddenly failed to do... no drive detected. That seemed kind of strange, given that I had booted off the DVD drive, but recalling the CDROM failed to mount message - perhaps not. I went back into the BIOS, and changed the mode that the Optical drive was in - rebooted, but again failed to detect CD at the create partitions window. Next, I swapped in a SATA DVD writer from a different machine, launched the vSphere GUI setup (no more CDROM failed to mount message), detected the SATA hard drive, created partitions, and it completed setup without incident.

Overall, not too challenging for a Friday night... and now I have a vSphere host in my lab to start playing with.

Setup

vSphere 4 (4.0.0, 208167) disc

Gigabyte GA-EX58-UD3R bios version FB

Intel Core i7 920 CPU

Realtek RTL8168C on-board NIC disabled

Intel PRO/1000 MT PCI Desktop Adapters

SATA DVD Writer (SH-S223)

Western Digital WD5000 Blue Label, 500GB 7200RPM SATA Drive

Redmine: Email Configuration of Bitnami Appliance

2010-01-25T21:55:00.000-05:00

If you need to configure Redmine so that it will send email notifications to users when they update issues, or projects this might be helpful configuration information. I’m using Redmine 0.8.7 as a Bitnami appliance running under OpenSuse 11.1.

The email configuration is located in this directory: /opt/bitnami/apps/redmine/config . What I recommend is that you copy the example configuration file from email.yml.example to email.ym, and edit the email.ym configuration file with vi. I didn’t see any of the more user-friendly editors like pico, or nano pre-installed on the appliance so you can install them, or just use vi… it really isn’t that difficult to use. If you need a good tutorial you can check out Wikipedia's vi info. In any event, edit the file using vi… “vi email.ym”.. Press “a” to enter edit mode and make the below changes, then press colon “:”, and type “x!” and hit enter to write and exit. If you made a mistake, and want to abandon your changes type “q!” and hit enter to quit. After you’re finished, just restart the Redmine services (or the server).

Also, make sure that your SMTP server is setup to either allow relay from the IP of your Redmine server, or make other arrangements for SMTP delivery.


Production:
delivery_method: :smtp
smtp_settings:
address: SMTPServerIP
port: 25
domain: yourdomainname.com
authentication: :login
user_name: ServiceAccountRedmine01
password: SavedPassword

Redmine LDAP Integration - Active Directory Configuration

2010-01-23T01:52:00.000-05:00

After you have Redmine installed and configured to the point where you can log in - go ahead and do so. Browse to Administration>Settings>Authentication tab>LDAP Configuration (in the bottom right).

Before you go and start changing things here, there are a few things you should keep in mind that will save you some time. Realize that you can't do an anonymous bind to Active Directory. So, you need to actually specify a valid set of credentials for the service account. Now, I suppose they could have done something different here to reduce the configuration work... like relying on user login credentials and passing them to query AD. But in any event, you just need a normal domain user account should do just fine - anything that can query Active Directory. Why a domain account? Think about it another way... if someone plugged their laptop into your network, would they be able to query AD for user or computer objects? No... they wouldn't, because they'd be anonymous. Even if they knew your domain name, had a domain controller's IP address, the distinguished name, etc... no luck. So create a service account. Just FYI, my domain was at 2003 domain functional level.

As far as the Base DN - keep it simple... base DN means base. You probably don't want CN=users, or CN=MyBusiness, or anything like that. In my case, I specified DC=domain,DC=local. As for the the attributes, they all come right out of Active Directory... there's a bunch of places you could find these if you wanted to spend the time to find them. Or, there's a bunch of sites that already have this stuff listed (see the below for my config).

When you're specifying the attributes, keep in mind that you don't want any extra spaces (blank spaces) after the attributes. For instance, it should be 'SAMAccountName' (no quotes), NOT 'SAMAccountName '. If you add a space, it breaks. If you don't have those "optional" attributes, it breaks. Also - just FYI... if you're under Authentication, and trying to run a "Test" of authentication, and it say's successful - that doesn't mean it's actually working. You need to test Active Directory account logins from back on the main menu.

If you want to use on-the-fly account creation... you'll need to make sure all of your Attributes are set correctly and that within Active Directory the attribute fields actually contain data for your users. This is very important. For example, if you have a user trying to login, but their account has "First Name", and/or "Last Name", and/or "E-mail" address fields blank (like if you have a "test" user account) - automatic user account creation in Redmine will fail. On top of that - it's not very verbose about why it failed. So that might be something to file away in the back of your mind, so that when you find one account (or a group of accounts) somewhere that won't login - you can make sure to check that they have all of the Active Directory attributes specified (just open up Active Directory Users and Computers and check-out the user object that is having a problem).

My Settings:

Name: YourDomainOrWhateverYouWant
Host: IP address of a Domain Controller (name is probably best)
Port: 389
Account: Domain\ServiceAccountRedmine01
Password: SavedPassword
Base DN: DC=domain,DC=local
Login: SAMAccountName
First Name: givenName
Last Name: SN
Email: mail

Redmine BitNami Appliance Intro

2010-01-20T19:57:00.001-05:00

I’ve been checking out Project Management platforms lately, and came across Redmine. It’s an open-source project management and issue tracking tool (e.g. bug tracking, feature request, etc.)using a Ruby on Rails framework, with support for multiple databases (MySQL, PostgreSQL, or SQLite). The core features like Project Management and Issue tracking look pretty good, and it includes some nice details like Atom feeds, e-mail notifications, a per-project wiki, basic time tracking, and LDAP support. According to Wikipedia, Redmine is heavily influenced by Trac – which appears to have been around a bit longer, and is fairly mature... probably worth checking out as well (plus Trac it’s written in Python).

In any event, if you’re coming at this from a Microsoft-centric perspective, you can think of Redmine as being “Sharepoint-like”, although by no means is it a Sharepoint-replacement. In working with Redmine a bit, one thing immediately apparent is that Redmine makes sense… the web-based interface is uncluttered, it’s easy to navigate and wrap your head-around. After digging in, you’ll find that there are components to the tool that are obviously still immature but as far as the core functionality goes – it’s there.

The other thing that’s kind of interesting is that I’m running the Redmine stack using a Bitnami appliance on my ESX cluster. The Redmine virtual machine is running OpenSuse 11.1. So far, the Bitnami-appliance experience has been good, and if you haven’t checked out any of their stacks, they're worth investigating. The appliances are fairly light with the excesses trimmed out (no GUI, etc.). Since getting this machine built-out, I also saw that Turnkey Linux also has an Ubuntu-based appliance with the Redmine stack. While I’ve worked with OpenSuse, and Ubuntu, my more recent experience has been Debian-centric so Ubuntu is probably the more natural fit. I’ll follow-up with some How-To posts based on my notes and work so far over soon.

AD-COIT Configuration Video

2009-12-08T21:39:00.006-05:00

I've taken the questions and feedback that I've received on AD-COIT and put together this short video which shows how to download, install, and configure it.

To create the video, I actually setup a small network on an ESX box using an isolated vSwitch to connect a domain controller, and some virtual machines. This entire setup process shown in the video actually occurs from the domain controller, and demonstrates how to download AD-COIT, edit the LDAP path to reflect your environment (minute 1:12), how to run the script (minute 2:05), and then how to modify the script to echo the results to a text file (minute 3:12).

Let me know what you think!

VMware: Defrag Tips

2009-08-09T14:07:00.000-05:00

Here are a few defrag tips when working with VMware ESX/ESXi.

Use your guest OS defragmentation tools to defrag VMs.
Always defrag your VM before you create a template.
Do not defragment a drive while a VM has snapshotting enabled (your VM will grow in size, and slow stuff down
Defragment before you take a snapshot
VMFS filesystems do not need to be defragged, because their block-size is large and VMDK's are pre-allocated.

VMware: Sound Support for remote desktop client and/or thinclients?

2009-08-08T08:06:00.000-05:00

VMware ESX/ESXi does not have a virtual sound card device emulated. So there's no direct support for sound within VM's running on ESX/ESXi hosts. However, sound can be played on the remote desktop client if you've set your client to redirect and play locally (assuming your thinclient/remote desktop session supports sound). Keep in mind that if you have a Terminal Server, you need to enable the "Allow Audio Redirection" within the group policy for that machine.

Group Policy>Local Computer Policy>Computer Configuration>Administrative templates>Winows Components>Terminal Services>Client/Server data redirection>Allow Audio Redirection.

How-To: FreeNAS SAN on ESXi

2009-08-07T23:59:00.001-05:00

Just a quick how-to, as a follow-up to my last post.

Add Disks (Disks>Mgmt), add 2 (RAID1), or add 3+(RAID5).
Format the disks you just created (Disks>Format, Choose the 1st disk, set the FileSystem to SoftwareRAID, click Format, Disks>Format, Choose the 2nd disk, set the FileSystem to SoftwareRAID, click Format).
Create RAID Level (Disks>Software RAID> RAID1, Select both disks created in step)
Format the RAID as an EXT2 file system (if you don't do this, you're going to get an error when you create the mount point. VMware ESXi will want the EXT2 filesystem... but you can then format it after it's been mounted to whatever you want. This includes if you're just adding storage capacity to a Windows system and using the initiator to mount this as a mount point. It's easiest to format the RAID EXT2 initially, and then do whatever you want later).
Create a mount point (Disks>Mount Point, MBR1 type, and records your mount point .. e.g. /dev/mirror/Raids1).
Unmount RAID if need be (Disks>Mount Point>Mgmt Tools>Tools tab, unmount).
Add the iSCSI target (Services>iSCSI>Add New Extent, Skip the Device, Add New Target)
Now you can mount this target on a Windows Server (Download and Install Microsoft iSCSI Initiator, Discovery Tab, add the IP address of the FreeNAS serverm... Computer, Manage, Delete the new partition that is now visible, and create a new NTFS partition, and Quick format it).

Using FreeNAS as a SAN for an ESXi demo

2009-05-20T23:34:00.002-05:00

I recently had to do a virtualization demo for a client. The need was to show a particular application stack running under ESXi, using storage mounted from a SAN. This all needed to be portable, inexpensive, and completed quickly. The requirements limited me to stuff I could find quickly, and that would work. As such, I really only considered FreeNAS, OpenFiler, and Windows Storage Server since they were all readily available.

I ended-up using FreeNAS, and was actually quite impressed. FreeNAS runs the FreeBSD distribution, and interestily, like pfSense (another favorite of mine), it too is based on Monowall. What worked really well for me, was that FreeNAS is downloadable as an ESX virtual machine - which meant I could just download it and run as a VM inside an existing ESXi host. After getting it fired-up on "serverA", I stepped through the base configuration, got some storage carved out and exposed via iSCSI, and then just mounted it up inside a different ESXi machine (serverB). After doing do, I was able to copy my pre-configured VM's to the newly created datastore. I fired up my VM sessions on "serverA", they used the FreeNAS storage provided from serverB, and I had my portable demo environment. I'll follow-up with the steps I used to setup and expose the storage.

Mounting a remote SSH file system in Ubuntu... for Windows Admins

2009-03-12T21:50:00.000-05:00

If you're somewhat new to Ubuntu or Linux you might be looking for a way to mount something like a file share the way we would a network drive in Windows. You know... mount a Z: drive, and then browse, and modify the contents of that drive as if it were local. Well, because Ubuntu is really friendly - you probably don't have to learn a whole lot to actually start getting useful things accomplished (in Ubuntu, Places>Connect to Server gives you most of what you need). But – did you know you can also securely mount a remote file system via SSH and have it look and feel local? Or perhaps you don't know what SSH is. If this is you – then check out this mini how-to. Nothing in here is particularly difficult... but there's enough here and linked-up to more expansive how-to's as to possibly be eye-opening for you.

What do you get out of following this tutorial?

You get a secure Linux alternative to a Windows network drive mapping that works works well... especially over slow connections (VPN tunnels, modems, etc.), and that you can essentially treat as a local resource. After that, you can do even more useful stuff like use grsync/rsync to replicate differences between directory structures. If this is all new to you, you'll also get some useful exposure to openssh, scp, Putty, and SSHFS.

How-To

Install the openssh server and client on the server, and the client on the client. Just use “sudo apt-get install openssh-server openssh-client”.... Like this
Install putty on your client (this isn't strictly necessary - but useful for troubleshooting)...
1. 'sudo apt-get install putty'.
On your server, consider changing the the default port in SSH from 22 to something else (like 512).
1. 'sudo editor /etc/ssh/ssh_config"... change the 'port 22' to 'port 512'... then issue a restart of ssh... 'sudo /etc/init.d/ssh restart'.
If you're using a firewall on the server, make sure you open that new port you just created in the previous step.
1. If you're using"firestarter" in Ubuntu, open Firestarter ( System>Administration>Firestarter). Go to policy, and add an "inbound traffic policy" and let that new port (e.g. 512) in from your network (or perhaps something more restrictive that makes sense).
Putty on your client (from a shell, just type 'putty'). Now determine the IP address of your host server, and point putty at it, on the correct port and connect. It will prompt you for credentials... now you have remote telnet-like access to the remote box. In other words, all we're doing here is proving to ourselves ythat the "server" from earlier steps is actually working correctly.
For good measure, try doing a scp from your client to the server (learn how SCP works).
1. 'scp -p 512 /home/username/somefilethatexists.txt username@remotehostIP:/home/path/NewFileOnThisSystem.txt'.
2. In the above, I'm specifying 512 for my port, and the username@remotehostIP is me forcing the right username... if I didn't do this, it would automatically attempt to use the username of the currently logged-in account on the client .
At this point you've more than proven that everything works right (steps 5, 6). So the last steps are mounting and using that remote filesystem. The credit for the remainder of this goes to this older post by Carthic... but my cliffnotes follow below.
Install sshfs ('sudo apt-get install sshfs'... note that this auto installs fuse as well).
Now create the mount point on the client ('sudo mkdir /mnt/remotecomputer', and make yourself the owner... 'sudo chown yourusername /mnt/remotecomputer')
Now add your username to the fuse group that was auto-created in step 8.
1. 'sudo adduser yourusername fuse'. Or in Ubuntu, System>Administration>Users and Groups
Log-out and log back in (users can't run the fuse binary).
Finally - just mount that SSH filesystem off of the mount point you created earlier...
1. "sshfs -f -p 512 username@ipaddress:/home/path /mnt/remotecomputer".
2. It will prompt you for a password... type it, and now you can browse the file system of the remote server by doing an "ls /mnt/remotecomptuer" from your client. The remote file system works just like it's local... you can open and edit those remote files modify them locally and when you save them, they save to the destination server.

Now that you've got everything working correctly, you can do fun stuff like setup grsync/rsync if you actually want to replicate files from the “server” to your client (perhaps for doing easy backups over the WAN)... or if you didn't have exposure to SSH until now, you've got an easy to do remote control. Hope you found this interesting and useful.

Replacing SBS self-signed certificates with 3rd party SSL certificates

2009-03-11T23:01:00.000-05:00

Just because this question comes up more often than it should...

http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx

Hyper-V Do NOT list...

2009-03-10T22:10:00.001-05:00

The easiest way to get a box loaded with Hyper-V, is to download the "Windows Server 2008 Datacenter, Enterprise and Standard (x64) - DVD" ISO from your MSDN Subscriber Downloads site, build your box, add the Hyper-V role... and go. That's not to say there aren't other options... and 2008 Core certainly is an attractive option. But it obviously depends on your needs, and the the scale of what you're doing. If you just want to build a box with Hyper-V to kick the tires... here is a DO-NOT list to keep in mind...

Don't install any version of the 32-bit 2008 and expect Hyper-V to work... it only works on 64-bit hardware.
Don't install "2008 x64 without Hyper-V" and expect to upgrade to Hyper-V... you can't (or if you can, the how is not obvious).
If you don't want 2008 Core... don't download Hyper-V from http://www.microsoft.com/downloads because it only installs 2008 Core.
Probably obvious... but don't install 2008 x64 Core and expect to manage Hyper-V using an MMC from the console of the core... you'll need a Vista box with the MMC installed.

And the biggest don't I can think of...

Don't ever start a project without a plan (even a "kick the tires" project)! Because your most valuable resource is time! Ten minutes of reading can save you hours of wasted time!

Open-Mesh APs... just-work

2009-03-09T21:16:00.001-05:00

It surprises me that I haven't heard more about Open-Mesh within the context of the SMB community... as it enables you deploy a convenient wi-fi infrastructure quickly, and cost-effectivly. What's more - it really is just-work easy. So... if not open-mesh, perhaps you've heard of Meraki? If not, you probably know some of their handiwork... they took over one of the semi-failed attempts at providing municipal free wifi in San Francisco and essentially turned it into their live lab. I won't bother rehashing most of the history, since there is a lot stuff out there on them, so I'll just leave it at this... Meraki was a really interesting company that evolved from MIT's Roofnet project... unfortunatly some business model changes resulting from round 2 VC funding appear to negativly impacted their relationship with a formerally loyal community.

So, flash forward to the more recent past, and you'll find a growing community over at open-mesh.com. Open-Mesh uses the many of the same bits found on the old Meraki products, expect they now support the OSLR protocol, as well as the BATMAN protocol. What makes Open-Mesh so neat is that all of the complexity and routing intelligence is built into the open-mesh firmware. Open-Mesh wifi consists of what appear to be normal AP's wired to Ethernet, or some high-speed Internet gateway... except these AP's can also serve as repeaters. In other words, if you don't have an Ethernet drop... but can see your wifi signal, just plug in another Open-Mesh AP and it will detect the signal of the other AP, and start functioning as a repeater. Obviously - this useful because you can just put them anywhere near another Mesh signal and they'll 'just work' by auto-configuring themselves.

VMware server 1.0.7 on Ubuntu, "Cannot open the disk... Failed to lock the file" error.

2008-12-15T22:22:00.002-05:00

My searches turned up a number of hits, but nothing specific for VMware server 1.07 build-108231 or Ubuntu 8.10. In any case, my Windows XP guest instance wouldn't start, reporting an error of "Cannot open the disk 'somefile.vmdk' or one of the snapshot disks it depends on. Reason: Failed to lock the file". The scenario that prompted this was that the host OS was shutdown hard while the guest was still in the process of shutting down.

If you check out the path of the problem guest instance... (e.g. /var/lib/vmware/Virtual Machines/ProblemGuest), you should see a few *.WRITELOCK files. Just rename those *.WRITELOCk files to something else... like *.OLDWRITELOCK. After doing so, go back to the VMware Server console and startup your guest - it should fire-up without incident.

AD: How to Determine the Last Logon time of users

2008-09-18T23:14:00.001-05:00

I don't think there's a really good short answer to this one, as your ability to determine last logon times really depends on the AD level that you're at.

For information on the below attributes (and more), check here.

Pre-2003 AD: You can't do it.
2003 AD: Look at the lastlogon attribute on all DCs.
2003 AD functional level: Look at the last-logon-timestamp
2008: Check the msDS-LastSuccessfulInteractiveLogonTime

If you're not at 2008, or 2003 domain functional level, and you want to determine the last logon time, you can use AD-FIND to query each DC, get the time stamp in the nt time epoch format (the time measured in seconds since 1/1/1601) and then use w32tm /ntte to convert the stamp into a readable format... Date, Hour:min:second.

adfind -h DC1:389 -b dc=domain, dc=local -f "objectcategory=person" lastlogon >DC1.txt

adfind -h DC2:389 -b dc=domain, dc=local -f "objectcategory=person" lastlogon >DC2.txt

... and so on for each DC.

To convert lastlogon time, take the time stamps for the user's that you're interested in and convert them...

w32tm /ntte value1
w32tm /ntte value2

... and so on.

Then you can compare each. At 2003 functional level the attribute lastlogontimestamp is replicated to each DC - so it's a single source of truth. In 2008 it gets even better with last logons, last failed logons, and more. With some diligence, you can probably take the above steps do some further learning around them to improve things a bit, and then script the the logic. But for one-offs, and small networks this works.

pfSense 1.2: 6-month review

2008-09-11T23:26:00.003-05:00

After spending more than 6 months running pfSense 1.2-RELEASE at the perimeter of our production environment I thought I’d do a short good/bad/ugly review of the experience to help anyone that might be considering using it. In my experience, pfSense has been a great solution. Besides being free, and fast, it has the functionality of ostensibly higher-end solutions like the Cisco PIX/ASA, or Microsoft’s ISA, with the ease-of-use of a Cyberguard SG, or Sonicwall product.

Yeah, but what about the SMB-market – does it make sense?

Our pfSense box sits at the perimeter of our LAN, protecting us from a 10MB Full-Duplex Internet connection. Like most businesses of our size we have a handful of crucial services being served up to the Internet – a stack of LOB apps, and some assorted contractor requirements that can create challenges. While it’s not quite what I'd call a zero-effort experience, everything has run very well and I’ve been quite impressed.

The Good:

The web-interface… it works well. You can do practically anything you need from it – including editing FreeBSD config files if the should arise. Also, since pfSense is based on FreeBSD, you also have the ability to SSH into the shell and work from there. But don’t let that scare you off – you probably won’t ever have the need to do so.

VPN support… pfSense supports just about everything you’d expect. It has a PPTP server built into it, and you can use a local account database, or a RADIUS server for authentication. WINS works across VPN tunnels – which is nice, and something not every PPTP server I’ve used has implemented fully. IPSec is of supported, and pfSense can serve as an end-point and seems to work okay with the Cisco stuff I’ve seen at the other ends of some of our tunnels. OpenSSL is supported… if you’ve not worked with SSL-based VPN’s before – they’re nice – especially if you have remote users who work on-site behind large corporate firewalls that block outbound PPTP, or IPSec.

Traffic… there’s a handy real-time traffic graph that you use to watch inbound/outbound traffic across the firewall. There are also a host of RRD graphs depicting things like traffic, link quality, and processor utilization over time... All handy when it comes to troubleshooting your internet connection, or engaging your ISP should they fail to meet the terms of their SLA.

The ability to do packet captures is one of my favorite features of pfSense. Besides being useful for troubleshooting issues at your office, it’s quite handy when you have pfSense deployed at client sites (yes, we’re selling it to clients). Login to the interface, and start capturing packets to see whose consuming all of your bandwidth for instance.

The Bad:

While there’s not a whole lot of “bad”- I have run into a few challenges – most of which are documented elsewhere on this site.

Hardware support... I’ve mentioned this before, and you probably know that FreeBSD doesn’t have quite as broad of hardware support as Linux or Windows. I ran into some issues with non-Intel NICs and off-brand Wireless cards which were painful. That said, I’ve run into issues with Broadcomm NICs and HP-branded NICs on windows servers before too – so take that with a grain of salt. It’s just a data point and not intended to discourage you. If you're just throwing a box together from spare parts – remember to use Intel NICs that are on the FreeBSD hardware list and you’ll be fine.

FTP Support... The FTP protocol is just plain clunky. It’s been around for decades, and every vendor has a different way of implementing it. There is no security – passwords and data traverse the internet unencrypted – in short, it’s kind of a mess. Pfsense has passive FTP support, and an FTP proxy. In our deployment, we have users who complain about not being able to connect to our FTP site when in the office (i.e. looping out and back in). I understand why they would want to do this (even if from a technical perspective, it doesn't make much sense), but in order to support outbound FTP you need to run the pfSense FTP proxy. Turning that on breaks the ability to loop-out and come back in for FTP which can be frustrating (and yes, a split-DNS configuration would resolve this).

The Ugly:

PPTP... Good and Ugly? Yes indeed. There are some ugly parts to the PPTP support in this version of FreeBSD and pfSense. Like the FTP protocol, PPTP isn’t great. But, like FTP, PPTP is perceived by many to be easy to use and support, and thus is still widely in use. The problem with PPTP support… which is actually highlighted on the pfSense web site is... “there is a pf limitation that stops any outbound PPTP connections from working if the PPTP Server on pfSense is enabled. This is a known issue with no known work around.” Which really means that if you enable the PPTP server on pfSense, internal users supposedly can’t VPN out to a remote PPTP server. In my experience, this is not entirely true. You can turn-on the PPTP server on pfSense, and internal users can often connect to remote PPTP servers. What I mean by “often” is… I’ve found that among our customer base, most have firewall appliances running PPTP servers, and we no have problems connecting to them. Further, we’ve had no problem connecting to any Microsoft PPTP servers (including those running on 2000, 2003, and 2008). Finally, we can connect to nearly all of our Cyberguard SG series firewalls that have PPTP servers. But there are a few of those that we can’t connect to via PPTP. I’ve compared models and firmware revisions, but don’t see any consistency between those units which I can point to as the cause. We’re able to work around this given the small number of clients that were having problems PPTPing into, but it is irritating, and might be a show-stopper for some IT service providers that work in the SMB market.

PPTP continued… There’s another limitation in the version of FreeBSD that pfSense is using which limits the number of simultaneous outbound connections to a given PPTP server to just 1 connection. This means that you can VPN into a client site which lives at a given IP, but if someone else behind pfSense tries to VPN into that exact same remote IP, he/she will not be able to establish a second session. In other words, you can have thousands of simultaneous outbound PPTP connections going on, but you cannot have more than one connection to the same remote IP at a given time. While this is rarely an issue – it does come up from time to time and it may be a show-stopper for some IT service providers.

The good news on the “ugly” front is that both PPTP and FTP are being worked on by for the next release due in 2009 and promising… “Better PPTP and FTP handling in NAT. The PPTP fixes will allow multiple outbound connections to the same external PPTP server using a single public IP. Details of that issue on the Features page on the website under PPTP/GRE NAT limitation”. I’ve been monitoring what’s going on with pfSense 1.3 Alpha – and have it running on a firewall at home, but it’s under continuous development and not production ready. One notable improvement is the configurable dashboard which gives you status and highlight information.

Is it “just work” easy?

I don’t think pfSense necessarily meets the zero-thought, “just work” criteria. If you’re building a box, instead of buying one, then no – it requires some limited thought to find a supported mix of FreeBSD hardware, then you have to install, configure, and use the product. Is it more difficult to configure than something like a Sonicwall, or Cyberguard Snapgear, or other similar appliance? Only because you have to build-it… otherwise, the software and features of the interface are excellent and, in many ways exceed those of the prior-mentioned solutions.

Does it make sense for SBS-sized networks?

Given that the infrastructure business on the low-end is evaporating, selling pfSense into that market might not be a good fit, or make sense… but from a technical standpoint, or if you’re looking more at that middle tier from 50 – 250 users and up, than I think pfSense is a great fit. As I mentioned, I like it so much that I use it at home and keep up with the 1.3-ALPHA updates.

Install SMTP on 2003, can't find adsiisex.dll

2008-08-01T21:47:00.000-05:00

This, as well as a number of other files needed for the SMTP service to be installed are located inside the IMS.cab file on the i386 folder of your CD. Check out the details here... http://blogs.msdn.com/publicsector/archive/2006/03/17/554022.aspx

Scripts: Create Share

2008-07-31T23:22:00.000-05:00

The below code will create a new share on the local system.


On Error Resume Next
Const PType = 0 'value 0 specifies diskdrive
StrPath = "e:\share"
StrShareName = "share"
StrDescription = "This is a File Share"

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set objNewShare = objWMIService.Get("Win32_Share")

errReturn = objNewShare.Create _
(StrPath, StrShareName, PType, , StrDescr)
wscript.echo errReturn

pfSense: Link List

2008-06-02T22:05:00.001-05:00

Wrapping up my series of pfSense posts (see here for the entire series), the below link list is a collection of posts and articles that helped me along the way. As I mentioned before, pfSense really exceeded my expectations. Throughout the effort I've been impressed , and continue to learn though the active community (see the forum, and #pfsense on Freenode). If you're interested in pfSense, but are put-off by Open Source or products without paid-support, check out Centipede Networks for hardware and support-based offerings around pfSense.

Random knowledge about pfSense (good for getting started).
NIC Duplex settings (media and mediaopt settings not taking effect)
Dual DSL System
MultiWAN Configuration
More than 16 concurrent PPTP VPN connections
PCI Wireless NIC
Configuring the captive portal
OpenVPN Overview for pfSense
OpenVPN on port 443

pfSense: Associate with a wireless access point

2008-05-30T19:42:00.001-05:00

Getting pfSense to associate with a wireless AP can be a bit confusing. It looks like a lot more has been integrated into the web interface since earlier releases, but it might not be completley obvious how to make the association happen. .

Add a NIC from the supported list... the 3com 3CRDAG675B that I used worked well and was detected right away by the FreeBSD.
Next, add the new interface (Interfaces>Assign), name it, and enable it. If you're not seeing it, then it's probably not being detected by FreeBSD.
You can see a list of local APs by clicking status>wireless
Under Wireless Configuration, put it in Infrastructure Mode (BSS). Then set the SSID to the SSID of the AP you identified in step 3 in order to associate with. Then set the IP (or DHCP) configuration.
If it has encryption enabled, make sure you set that correctly as well.
Check and see if it has associated properly: Status, Interfaces
The status should now read "assoicated", and it should have the IP you configured it with in step 4. You'll then begin to see In/out packets listed if you refresh the page.

pfSense: OpenVPN overview

2008-05-15T19:33:00.001-05:00

There's a really good tutorial available on the pfSense wiki that I followed to get OpenVPN working properly. It walks you though configuration, creating the certificates, installing the client, etc. That said, if you don't have any prior experience with OpenVPN, or your only VPN experience is PPTP, then there are some things to keep in mind using with pfSense and OpenVPN.

As of pfSense 1.2-RELEASE, connection management to OpenVPN is based on certificates (or a pre-shared key) generated by OpenVPN tools that you install on your local workstation. Unfortunately there is no key-management built-into this release of pfSense, making the concept of “user or connection management” a bit of a challenge.

You download the OpenVPN source, and create certificates from your workstation, and then add the certificates into pfSense. You can then revoke certificates using the certificate revocation list (CRL) from the pfSense management console (VPN>OpenVPN>CRL). And this works just fine. The problem with it is that it doesn't scale very well. For instance, most of my clients are running XP Pro, or Vista. All have Active Directory in place, and existing user accounts. For me to deploy OpenVPN throughout my organization, or throughout our client's organizations, it would be a substantial task. We'd have create certificates for all users, deploy OpenVPN GUI clients via a script to our XP Pro systems, and then use scripts or GPO's to push out certificates on a per-user basis. So right now, the lack of key management within the interface is a limiting factor – well that, and the infrastucture we have to deploy to make OpenVPN just work, in the same way the our existing solution just works. For now, we'll plan to use OpenVPN selectively for employees that need to connect from sites where outbound PPTP ports are being blocked.

That said, I understand that OpenVPN is a priority for the pfSense team and that it's likely we'll see some improvements around key-management in the near future.

pfSense: Configure captive portal

2008-05-09T18:08:00.001-05:00

The captive portal in pfSense lets you provide restricted internet access to guests via a web-portal that prompts them to type a username and password. It looks and feels very similar to what you find in Wi-Fi hotspots, hotels, business centers, and coffee shops around the world.

In short, here’s how it works… you configure the captive portal in pfSense, hang some open access points off of it, and have pfSense hand out IP’s to anyone who connects. Guests (contractors, stakeholders, etc.) arrive at your office, see the open AP’s and associate with them. They get an IP, and as soon as they try to browse the internet, DNS resolves their request to a portal for authentication. They authenticate, and now they can access the internet… segmented off of your business LAN.

Now, this isn’t quite the same thing as NAP, but beyond pfSense there’s no infrastructure investment, a limited configuration effort, and it makes life better for everyone.

Configuration in pfSense is pretty straightforward. There’s a video tutorial on the wiki, and my short how-to below.

In pfSense do the following:

Interfaces>Add new interface
Interfaces>OPT1 (new interface)
Optional Interface Configuration>Enable
IP Configuration>Assign an IP address on a new subnet (e.g. 192.168.177.1/24)
No gateway – allow it to use the next hop, then save.
Services>Captive Portal
Enable Captive Portal, On.
Put in the appropriate interface (e.g. OPT1)
Assign a hard timeout that’s appropriate
Use Local User Manager (or RADIUS if you’d prefer), save. Click Users, add a guest account.
Services>DHCP server, and switch to the correct interface tab. Have it hand out IP’s in a range that makes sense… 192.168.177-192.168.177.250. Click Save.

You’re good to go… just hook up a test system to the captive portal segment, and verify connectivity.

pfSense: media and mediaopt settings are not taking effect

2008-05-08T06:57:00.002-05:00

I did run into a small problem my first time through with the 10MB Full-duplex change on my WAN interface. At the time I was using some generic NIC (non-Intel), and found that the XML setting change wasn’t taking effect, even through a reboot. I ended-up needing to SSH into the box, open a shell, and execute the following command:


ifconfig dc0 media 10baseT/UTP mediaopt full-duplex

Where dc0 was my WAN interface (click Status, Interfaces to verify you’re setting the right interface address). If you find yourself in this situation though – go back and check to see what type of NIC you have. I would suggest replacing it with an Intel NIC, or at the very least something else on the FreeBSD list of supported ethernet devices.

pfSense: Editing /conf/config.xml file

2008-05-07T18:48:00.003-05:00

The ISP's internet conenction runs on port expecting a 10MB Full-duplex device to be plugged into it. The WAN interface on our PFSense box is a 10/100 NIC, which when uplinked without making any configuration changes, I found that I was only getting about 25% of the capacity I was expecting. The only way to force the WAN interface to 10MB/Full-duplex is via the /conf/config.xml file. There are two way to edit this… one is using vi from SSH.

To enable SSH do this from the PFSense web-interface:
Click System>Advanced>Secure Shell, Enable Secure Shell

Even if you prefer to use the PFSense web-interface to edit your config.xml file (make a backup copy first), the shell came in handy a few times throughout my configuration process. The other option to edit the config file is using the editor in the PFSense web-interface.

The editor is available here:
Diagnostics>Edit File. The Load/Save path is “/conf/config.xml”.

Scroll down until you find the tag. Then remove the lines that start with <media/> and <mediaopt/> and replace them with ones that say this:

<media>10baseT/UTP</media>
<mediaopt>full-duplex</mediaopt>

Then click Save. You can check to see if this took effect by clicking Status, Interfaces. The WAN interface should now read “10baseT/UTP ”. This change should take effect immediately – if not, give the box a reboot (Diagnostics>Reboot System).

Firewall: pfSense exceeds my expectations

2008-05-05T18:08:00.008-05:00

We recently upgraded our internet connection; going from a strained half-duplex DSL connection for our rapidly growing business, to a 10Mb full-duplex, SONET-based fiber optic connection. So the question naturally becomes – will the existing firewall support the new internet connection (unfortunately it won't), and what type of firewall should we get.

Like most of you, I’ve had the chance to work with a wide range of firewall products… everything from the typical SMB-fare… like Sonicwall and Snapgear, to products such as the Cisco PIX/ASA, Checkpoint appliances, and others (Microsoft ISA of course). What do I like? Well, it really depends on the situation. In general, I’m a fan of Cyberguard’s Snapgear line for the SMB-segment. In my current situation though, the need was for something that we could get up and running in short order, was very configurable, supported connection failover, had some good built-in graphing and logging… and that wasn’t very expensive. That last requirement is important – no need to burn through budget on overhead when we could be investing in something else that would drive revenue.

So, after looking at the usual suspects we added products from Fortigate, Astaro, and pfSense to the list. Having just been through the evaluation exercise, I really think Astaro has a slick product – but fully configured it’s expensive. pfSense on the other hand is an open-source project (based on FreeBSD) that more closely meets our needs. Specifically, it does everything our existing firewall does – except it does most of it better. It’s free. It has RRD-based graphing, which I’m a fan of (replacing the tapped NTOP-based monitoring solution I had in-place). It also has some nice features that we're already taking advantage of, including the captive portal, traffic shaping, and one-touch add-ons (like IDS - though we're not doing this on the firewall yet).

The initial deployment went off without incident, and I’m in the process of putting together a warm spare - which may end up being a backup for Active-Passive failover. I plan to post more of the learning’s that came out of working with pfSense in my test environment in the near future.

SBS - Archive old log files, remove old snapshots, and free up space

2008-05-01T06:28:00.002-05:00

Not cleaning up log files? New client out of space on their SBS server, awaiting the swing migration budget approval? Check these posts out…

http://blogs.technet.com/sbs/archive/2008/02/28/reclaiming-disk-space-lost-to-iis-logs-on-sbs-2003.aspx

http://www.tutorials-win.com/SBS/Safe-disk/

Also - if you've already disabled volume shadow copy, check on it and make sure it's not holding on to old snapshots unnecessarily. Open My Computer, right-click on the drive in question, go to shadow copies, and look at the "Used" column. If it reads some significant amount, and is disabled, click Settings, and change it to the minimum limit to clear out what's being stored and free up some capacity.

Deki Wiki: Uploads larger than 2MB failing

2008-03-29T12:20:00.000-05:00

Under 1.8.3c - after making the recommended changes to /etc/init.d/php.ini, and restarting apache2 and dekihost, and then attempting to upload a file greater than the php.ini default of 2M, the "Uploading" dialog box displayed the contents of the http://deki-hayes site - instead of the upload windows, or generating an error message. After refreshing the browser at http://deki-hayes, LDAP (AD) logins started failing.

I proceeded to modify memory_limit in the php.ini per this forum post. I actually specified 256M to see what would happen - then again restarted apache2 and dekihost - and now all is functioning normally. AD logins work, and I'm able to upload larger files.

Log events to the local application log

2008-03-18T21:23:00.000-05:00

This script uses the LogEvent method to write an event to the local application log. In the below, the value of strResults would have been previously set.


Set WshShell = WScript.CreateObject("WScript.Shell")
if strResults = "0" then
WshShell.LogEvent 0, "Condition 0 happened."
else
WshShell.LogEvent 1, "Condition 1 happened."
end if

Getting email links to Work with Deki Wiki and Exchange

2008-02-25T22:42:00.004-05:00

As I've mentioned, we're running Deki Wiki 1.8.3c on Ubuntu 7.10 and we have an SBS/Exchange 2003 box serving as our SMTP server. In DekiWiki, whenever someone uses the “email link” functionality, we want the email that get’s generated to be delivered to their Exchange mailbox. So, after getting LDAP integration configured properly, we looked at the email piece. In addition to the FAQ, there are some resources in the Deki Wiki forums.

If you’ve got a similar site configuration, you can do everything to get this working through either DekiWiki's Control Panel web interface, or though the LocalSettings.php file. Or, you could install a local MTA on Ubuntu like Exim4 - but it's not really necessary. Since we have an SMTP server in production, we're using PHPMailer which is part of the DekiWiki pre-req install list... it passes messages though to the SMTP server. From Deki Wiki, go here:

Go to Tools>Control Panel>Configuration
admin/smtp-server: Exchange server IP address
mail/smtp-servers: Exchange server IP address (or mail.mydomain.com)

Note, you may need to add the "mail/smtp-servers" option in the control panel.

Automating Restores for Deki Wiki

2008-02-23T15:13:00.004-05:00

If you've got your backup script running for Deki Wiki, and stakeholders are busy adding knowledge - it might be time to build a test environment if you haven't already. After the backup of the production server runs, we're restoring the attachments, and .sql file to our test box. There are some obvious benefits of having a test environment, including...

We have a tested and automated restore procedure that we know works because it happens every day
A box we can test stuff without having to worry about breaking a production box

All you need to do is build out your test box following the same procedures as your production box, then modify your backup script to become a restore script like so... and then schedule the script to run as a cron job.


#!/bin/bash
today="$(date +%a)"

#mount Windows Share
sudo -u root -p password smbmount //server/share /mnt/subdir -o username=user,password=password,rw

#copy down Today's database and attachments
cp /mnt/share/$today.wikidb-backup.sql /home/user/tmprestore
cp /mnt/share/$today.attachments-backup.tar.gz /home/user/tmprestore

#restore Today's database and attachments
cd /home/user/tmprestore
sudo mysql -uroot -ppassword wikidb < $today.wikidb-backup.sql cd /var/www/deki-hayes sudo tar xvzpf /home/user/tmprestore/$today.attachments-backup.tar.gz

Virtmgmt.msc still fails to launch under Vista SP1

2008-02-21T20:46:00.000-05:00

After this post which served as a stop-gap to managing hyper-v guest instances with vmconnect.exe published as a TS Remote-App on a Vista box, I was hoping that I’d be able to use the virtmgmt.msc and vmconnect.exe natively from my Vista box, once patched to SP1. I’m at Vista SP1 now, but when launching the above, it still says MMC could not create the snap-in (and vmconnet.exe just fails to connect to guests). So, hopefully this gets resolved in the final release of either 2008 or Hyper-V… but no luck yet.

Vbscript to delete a folder hierarchy

2008-02-05T21:49:00.000-05:00

If you need to delete a folder hierarchy on a scheduled basis, you can use this vbscript along with the windows scheduler. You might want to consider adding some things like error handling, and logging to clean it up a bit.


Const DeleteReadOnly = TRUE

Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFolder("D:\path\to\folder\*"), DeleteReadOnly
objFSO.DeleteFile("D:\path\to\folder\*"), DeleteReadOnly

In the above snippet, this will delete all folders and their contents below "folder", as well as file objects in the root of "folder".

Getting daily backups running in Deki Wiki

2008-02-04T17:53:00.000-05:00

The backup and restore process for Deki Wiki is pretty easy. No backup agents, no fights, just a short script and a tested procedure.

Dump your database to a .sql file, archive the attachments, put it in a bash script, and schedule it via the root Crontab (sudo crontab -e).

The script linked above is the 95% solution. The only thing you really need to do is have a share on another box somewhere mounted in the /mnt directory. So create a subdirectory “/mnt/backup”, and then use smbmount to mount the new share off of that subdirectory. Just make sure that the credentials you specify with smbmount exist on the target box. Something like this will work in a pinch...


#!/bin/bash
today="$(date +%a)"

#mount Windows Share
smbmount //windowsbox/apps /mnt/backup -o username=username,password=password,rw

#dump today's database
mysqldump -uroot -psqlrootpass wikidb > /mnt/backup/wiki/$today.wikidb-backup.sql

#dump today's attachments
cd /opt/deki-hayes/
tar czf /mnt/backup/wiki/$today.attachments-backup.tar.gz attachments

#Log the job status
echo "Nighly Backup Successful: $(date)" >> /var/log/dekiwikibackup.log

So you moved Deki Wiki to a new box, and now your attachments aren't working?

2008-02-01T17:26:00.000-05:00

If you’re in the process of rebuilding, moving, or testing the backup/restore procedure to get Deki Wiki onto a new box like so, but your attachment links aren’t working, make sure that your attachment path is accurate. You can set this from the Deki Wiki web Control Panel (under Control Panel>Configuration> “storage/fs/path” configuration). In my case, I needed to create an attachments folder and point it here: /opt/deki-hayes/attachments.

Tips: Remote administration of Hyper-V and guests got you down?

2008-01-31T17:15:00.000-05:00

So, remote administration tools aren’t available for Hyper-V yet. And you’re probably fighting the whole relative mouse issue after RDPing into your 2008 box and trying to control your guests. In terms of a work around, I’ve tried just about everything I can think of – including copying the Hyper-V folder to my Vista box (hint – neither the MMC, nor the vmconnec.exe likes that). With Vista SP1 and 2008 releases pending, I’d imagine this will be fixed soon. Until then, Charlie Russel has a nice how-to for publishing the vmconnec.exe via TS-Remote Apps, and installing the resulting MSI on a Vista client. Very cool. And it works surprisingly well. The one caveat– if you don’t have your vmadditions installed in your guests, you’ll still be fighting the relative mouse control in the guest. Unfortunately, my CentOS guests don't have the additions quite yet. So it’s still only the 80% solution for me.

Tips: Adding roles to 2008?

2008-01-30T17:06:00.000-05:00

Need to add a role to 2008? Use ServerManagerCmd. If you’re running Server Core, use ocsetup. On a related note, Ben has a good post on installing Hyper-V in a core configuration.

Windows 2008 with Hyper-V: The hypervisor is not running?

2008-01-25T17:24:00.000-05:00

Trialing Hyper-V on Windows 2008, but not able to get your guest instances to fire-up? If you’re running an HPDL380 G5 for instance, and you’re getting an error message to the effect of “The virtual machine could not be started because the hypervisor is not running”, and you’ve already flashed your BIOS, and made sure to enable hardware virtualization, and it’s still happening – make sure DEP (data execution prevention) is enabled in the BIOS too. On the DL380, this lives in the BIOS under Advanced>Processor Options>No-Execute Memory. After you power down, and power it back up (don’t just do a soft reset), you should be able to start your guest instances.

Time or Money?

2008-01-20T23:16:00.000-05:00

Ask a business owner which is more valuable, and they'll invariably tell you time. But back in undergrad for most computer science folks it was probably the opposite… long nights fiddling with Samba, rebuilding your NT4 PDC, or fighting with your Java apps – there was plenty of time to hack away at problems... just because. But how many of us invest the time in learning new stuff now that we’ve got business’s to run, or teams to manage? I mean doing more than just keeping our heads above water in this rapidly changing IT service provider industry, and actually investing in learning something completely new… especially something where the ROI isn’t obvious?

For SBSers, maybe that’s learning a bit about 2008 core, or maybe it’s Linux, or scripting, or even C#. The point is, if your head is above water, and your business is growing, your model is working for you – so it’s time to start managing you’re most valuable asset – your time. You should be looking for opportunities to delegate more and more of the revenue generating aspects of your business to the people working for you, so that you can invest time in new areas. How? Look around – you probably have really great people working for you. Don’t believe me? Try rewarding them. I know that’ s a bit counter to what you’ll find scattered about “leadership” training programs – who for some reason – seem to think people want to feel good more than they want rewards. Forget that for a minute, and find someone who’s willing to make sacrifices – and then just start rewarding them. Bonus them out, reward them for making your life easier, and push them to fail. Think failure is a bad thing? I’d much rather have employees who will do anything for me, and sometimes fail – than a group of people scared to act because they're scared of what might happen when they do fail.

The bottom line... Time is your most valuable asset. Look for opportunities to delegate the day-to-day aspects of running your business so that you can go off and learn something new. Reward your best people, encourage risk, and move on to bigger and better things.

Ubuntu: Start the Virtual Machine Additions during startup

2008-01-18T18:09:00.000-05:00

If you followed the last post, you might want to configure the vm-additions to run at startup. The Ubuntu-way of making this happen is documented here.

The short version is as follows: (note the trailing ... "S .")

$ sudo update-rc.d vmadd start 51 S .
$ sudo update-rc.d vmadd-heartbeat 51 S.
$ sudo update-rc.d vmadd-timesync 51 S.

Getting Virtual Machine Additions (for Virtual Server) to work in Ubuntu 7.10

2008-01-17T20:56:00.000-05:00

As anyone who’s worked with Linux distros under Virtual Server 2005 R2 SP1 can attest, getting them running is not particularly fun. Assuming you get past video problems, and can get your guest built, you then have to contend with limited support for vm-additions, CPU utilization problems, and the like. With apparent Linux-support improvements forthcoming, you might be able to wait. But if you can’t wait, it is possible to get the vm-additions installed and working in Ununtu. The key to making this work is converting the RPM’s to DEB packages via alien. Despite forum posts to the contrary, it will work.

After you’ve got your Ubuntu guest installed and running, grab a copy of the vm-additions and either mount the ISO in the guest via the management console, or just extract and copy the RPM’s over to the guest instance via SMB . After doing so, use alien to convert the RPM files to .DEB files, like so:

“$ sudo alien -k --script vmadd-full-2.0-1.i386.rpm”

Now that you’ve converted them, you should have *.DEB files in the directory you were working in. Go ahead and launch your package installer (e.g. GDebi Package Installer), and install vmadd-full-rhel_2.0-1_i386.deb. It should display a message to the effect of … “The Microsoft VM additions… (converted by alien)”. At this point, Gnome crashed on me (down at the bottom of VMAdditionsForLinux-README.txt in the vm-additions ISO it refers to having to exit the GUI). I’m telling you this because Gnome crashing doesn’t necessarily mean it’s broken.

If you’ve reached this point, for good measure check the install log.

It lives here… /var/log/vmadd-install.log

The only thing left to do would be test it…

“$ /etc/init.d/vmadd start”
“$ /etc/init.d/vmadd-heartbeat start
“$ /etc/init.d/vmadd-timesync start

DekiWiki - Active Directory Integration

2008-01-16T18:25:00.000-05:00

As far as Active Directory integration with Dekiwiki goes, it's actually not too difficult to setup.

First, they've got some setup instructions here, plus they have active forums.

The only problem I ran into with the instructions was with the searchbase syntax in the configuration. The instructions make it appear that you should specify the hostname twice… once in the hostname configuration, and then again as part of the Distinguished Name (DN) that you’re providing for searchbase. For instance, I was specifying “dc=DCServerName, DC=domain, DC=local. On the client side (the web interface), authentication attempts were failing, but while watching DCServerName’s security log, it showed successful authentication attempts coming from the Dekiwiki box.

To resolve this, all I did was remove the dc=DCServerName from the searchbase. Once I removed it, such that the searchbase configuration was dc=domain, dc=local –it worked.
As an aside, all of this was done in a standard SBS 2003 R2 environment. Nothing extra or special required on the SBS server.

Deki Wiki Intro - CMS and Wiki features in any enviornment

2008-01-15T17:45:00.000-05:00

We’ve been trialing Deki Wiki a bit in a pilot group lately. What’s DekiWiki? Well, at a glance, it’s a CMS platform - targeted at the wiki-space (Microsoft’s case study). If you’ve used Windows SharePoint Services - WSS 3.0 Wiki-features, think about that. If you haven’t, then think Wikipedia. For us, the need is knowledge transfer and some versioning – both on the dev side and IT pro side. So, without a huge time investment we put together a small group to look at the two WSS and DekiWiki side-by-side. Turns out DekiWiki got everyone’s attention and buy-in more quickly. WSS definitely does a lot of stuff – and it’s not that we won’t use it for our team spaces– but everyone really liked DekiWiki’s Wiki features.

Why is DekiWiki good? Well, it’s built on Mono. Yes, that Mono, the .NETish one that runs Visual Studio binaries without recompiling. Internally, our test box is running Linux in a guest instance under Virtual Server, but you can install it on Windows/IIS as well. Is it AD integrated? Yes. So, yes, SBSers it integrates just as easily into SBS enviornments, and we can all install it, deploy it, and leverage it in our client base. Does it all work automagically? Well, no, not exactly. But it’s not terribly difficult to be up and running in short order. What’s more – it’s got a complete API and can be extended by lots of languages –and it’s free.

Exchange Message Tracking Center or findstr?

2008-01-02T06:45:00.000-05:00

If you need to track down messages in Exchange, using the Message Tracking Center in ESM is probably the first place to go for information.; and for the most part that works just fine. But if you need some more detail, or need to be able to search for wildcards or other strings, you might want to consider using findstr against the log folder

Open a command prompt, browse to Exchange log folder and do a search for you’re looking for.

findstr /s /i "StringToSearch" “c:\Program Files\Exchsrvr\servername.log\*.*”

In the example, /s seraches on the current directory and subdirectories and /I indicates that the search is not case-sensitive. If you’ve not used findstr before, take a look as there are plenty of parameters you can use.

As an aside, I usually copy off the *.log files that I'm interested to a separate folder before running findstr - just so as to not get bogged down searching irrelevant logs.

SMB: Margin on Hardware?

2007-12-20T12:02:00.000-05:00

I know most SMB IT service providers are fans of Dell hardware pricing – and I’m not knocking it, we still do quite a bit of volume with them. But if you do have a consistent volume of hardware purchases, you might be surprised by HP’s pricing. Check out HP Smartbuys with your distributor, and spend some time learning about the HP PartnerONE program (I know it’s no fun – but take a look ). I’m not saying that HP is the solution, but in my experience there's more opportunities to find margin. Some of the partner pricing and quarterly internal benefits are interesting too.

Another thing to consider – if you’re consumed with running your business - hire someone to do the vendor management piece. When it was just me ordering everything though Dell – we got by. But since adding someone to manage the vendor piece, we’ve easily covered their cost, and now someone is incentivized to work the pricing.

Scripts: Create a list of email addresses in use by the organization

2007-12-18T20:41:00.000-05:00

I had a client ask for this the other day… while I had a few things that I probably could have used for a template, I decided to skim though the Microsoft Script Center repository, and found something close in their AD section. After checking the MSDN site, I found the attribute I was looking for, “mail”. Modified the script a bit – and it worked.


On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
"SELECT givenName, sn, Mail, homeDirectory FROM 'LDAP://dc=domain,dc=local' WHERE objectclass='user' "
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
strGivenName = givenName
Wscript.Echo "Name: " & objRecordSet.Fields("givenName").Value
Wscript.Echo "Last Name: " & objRecordSet.Fields("sn").Value
Wscript.Echo "EMail: " & objRecordSet.Fields("Mail").Value
Wscript.Echo "Home Drive: " & objRecordSet.Fields("homeDirectory").Value
Wscript.Echo " "
objRecordSet.MoveNext
Loop

Part 2: How does your bandwidth utilization look

2007-11-20T00:00:00.000-05:00

As a follow-up my last post – have you turned ntop inward? In other words, if you’re recommending bandwidth monitoring solutions for your clients, are you also using them on yourself?

If not, then stop right now and turn the tools inward… figure out what’s happening in your own datacenter or office.

Like many IT service providers, we do an excellent job on the client side of things. We evaluate our financial metrics, our client satisfaction metrics, and our billable percentages… and so on. But there are times that being so client-focused causes us to miss internal items.

For instance, we woke up one day and realized that we’d doubled our head-count to 50 people in a short period of time. At the same time, we started getting complaints that “VPN access is slow”, web-sites slow to respond, and other similar stuff. At first, we thought it was our ISP… and it was to a degree. But as we started digging, and doing a better job monitoring at the perimeter, what we found was interesting… and fairly easy to diagnose. We had significantly more outbound FTP traffic than we expected over our business-class DSL. From there, it was easy to address and resolve.

How does your bandwidth utilization look?

2007-11-19T06:51:00.000-05:00

For most of us in the SMB segment, clients predominantly use either DSL or cable connections to the internet. Why? It’s inexpensive for one… and in general it seems to meet or exceed their needs. But how do you know when it ceases to meet those needs? Do you know how much bandwidth they’re utilizing on a daily (or hourly) basis? What about traffic spikes- how often do they occur? Have you considered the upstream limitations?

All of these things require data. As IT service providers, we make data-based recommendations to our clients – we use measurements, and performance metrics to justify these recommendations – and we proactively notify clients when things change about their network. We don't talk about how fast or slow things subjectively feel.

Great… so how do you go about getting this data?

Well, they are lots of different ways to approach this… We like to use ntop. Why? It’s pretty straightforward to install, configure, and get working – even for those new to Linux (apparently W32 binaries do exist). It’s also open-source, and free. Most importantly though, it produces graphs depicting bandwidth utilization over time. And graphs are great for visualizing problems. It does lots of other things too… it eanbles you to track down the biggest bandwidth users at a client site, it helps identify broadcast traffic where it shouldn’t be, and it enables you track down things like unexpected p2p traffic.

Of course, there are lots of other options to getting at bandwidth data… MRTG comes to mind, as does GFI Web Monitor for those looking for an ISA-based solution. You can even do some neat stuff with LogParser, ISA, and IIS. All that being said, ntop is convenient, free, and it produces results that your clients can clearly envision when you discuss utilization with them.

ntop does not display historical graph data - "Unable to create subdirectory"

2007-11-05T17:51:00.000-05:00

Issue description:

Ntop appears to run correctly, but does not display historical graph data when viewing traffic summary data (trafficStats.html). From the Traffic Summary menu (Ntop>Summary>Traffic), under “Traffic Report for 'ethX', below “Network Load” you should find “Historical data”, with a graph icon in the right-hand column.

If you do not see the historical data graph,verify that the rrdPlugin is Active (Plugins>All). If you have an error message “Unable to create subdirectory”, verify that the appropriate subdirectory exists with the appropriate permissions. To do so, click the “rrdPlugin” link, browse down to “RRD Files Path”, and verify that the directory exists (e.g. /var/lib/ntop/rrd). If it does not exist, create it, and set appropriate permissions (if appropriate for the box you're working from - "chmod -Rf 777 /var/lib/ntop/rrd"). If it does exist, consider deleting /var/lib/ntop/rrd and re-creating it the above permissions. Finally shutdown Ntop, and restart it. The historical graph data should now be displayed.

Box: Suse 10.2, Ntop 3.2

Employee Termination Policy in the SMB segment

2007-10-22T17:52:00.000-05:00

Browsing Chris’s blog (which has tons of useful and informed commentary) I came across a post on employee termination policies. This is an often overlooked piece of working in the SMB segment. Why the miss? Good question…

First – perhaps most obvious … Small IT service providers (which really should already have lots of familiarity with security and trust), usually don’t have the right experience here, and as a result most of them are terrible at it. Why? Maybe they’re too small to know what a larger organization needs … or maybe they have the wrong employees (or owners)… but I’d be willing to wager that most who are bad at this, are bad because they’re so concerned about preserving the existing revenue streams… with not rocking the boat, that they turn a blind eye to helping clients manage other forms of risk. Let me give you a couple of examples on risk… Licensing a mess? See no evil. Employee’s with grossly inappropriate (or negligent) access? Hear no evil. Or the worst offender… provider is too busy. They’re too busy to add-value… too scared of risking the revenue stream, or too fill-in-the-blank that they really fail across the board… and unfortunately, it’s the customer who pays.

Need examples of the risks here?
Employee X is terminated, no one tells the IT service provider – and… use your imagination.

Employee X misrepresents their previous employer … or steals sensitive information, or wreaks havoc by deleting files (or randomly modifying data). An endless stream of nightmare-ish events.

And the worst thing about this? Most clients will have no idea that their IT service provider is responsible for this miss. Sure, the client might not have notified you… but did you ever bring it to their attention that the risk existed?

I can hear the complaints now… it’s too hard to sell a client on this. Really? You really can’t sell clients on having a policy and procedure in-place for managing turnover? What kind of effort does it take to put something in-place, and get HR and ownership to buy-in? Hours? Days? Is that too much for your clients to swallow? If so – start upgrading your client-base. Because I haven’t found a business owner – or decision making HR-person that didn’t think this was a reasonable risk to address - it's your job to figure out how to address it within the context of your client's expectations. And remember, this isn’t selling on fear… in fact, if you have to sell this at all, and it’s not a frank conversation between you – the trusted advisor – and your client, then you’re missing more than just this.

If this doesn’t make sense to you, put yourself in the shoes of an IT manager, HR person, or owner of your client organization (and then ask yourself why you haven’t been doing this all along). I guarantee you that if you were in those shoes at a mid-size organization, you’d be taking ownership of this yourself and getting it addressed ASAP. So do, and it might open up more doors at the client. At the very least, you’re cleaning up messes, and addressing real-world risk.

SMB Community Feedback Request...

2007-10-08T18:38:00.000-05:00

Opinions about the value of certs aside for minute - have any of you purchased any tools from Examsaver (as opposed to say, Transcender, or the like)? Based on the sales pitch of the rep – they're selling "all you can eat" exam preparation tools (sound familiar?). Specifically, they explained that I just needed to purchase the one kit for my entire technical team, and multiple people could use their materials simultaneously. Off the bat, it sounds fishy at best… but as my searches didn’t turn up much in the way of negative customer feedback… I wanted to throw this to the community to see if anyone else has had dealings with them.

Let me know what you think.

Lotus Symphony: Free is Good, but familiar is better

2007-09-21T07:05:00.000-05:00

With the Lotus Symphony announcement, we have another Office suite to offer our SMB clients. Having more options is always good. Unfortunately in the past - the "freeness" of OpenOffice, or Google apps - hasn't really caught on among our clients. I don't know if it's because Google apps are so inconsistent in terms of look-and-feel (today we can do X, but tomorrow X is gone), or if it's because OpenOffice has some perception issues - but everyone seems to choose some version of Microsoft office.

Moving forward hopefully that will change. But for now at least - the takeaway seems to be that free is good, but familiar is better.

Do you care about Vista?

2007-09-18T21:52:00.000-05:00

With Vista, what do you get? Some new features, a new environment, new deployment tools, and so on… you know the story. The complaints fly, the developers groan, the desktop deployment teams drag their feet… and in the end, we all beat the dead-horse of change in IT.

Is this news to anyone? People are complaining about Vista as though they’ve never seen a platform change. Let me just stop here and ask… are there really that many new people employed in this profession? Do people actually not remember any of the past upgrade cycles? Surely you remember XP, 2000, NT, or DOS 6.2 (dblspace anyone?).

The cutting edge doesn’t come without pain-points.

Look… I’ve got a descent laptop – 3GB of RAM, some fairly fast Core 2 Duo CPU, nice graphics card, recently re-loaded OS with some up-to-date drivers. Even still… the thing’s not blazingly fast. And it won’t be. A year from now, with newer and faster hardware? Maybe… 2 years? Probably. That’s life. That’s what being on the cutting-edge is like. Are there some misses? Maybe. Will they be fixed? Some will. It is what is.

So do you care about Vista?

Me - as a user? Not really. It’s fine, and it works adequately. Just like my OpenSUSE workstations, my Virtual Server 2005 R2 boxes, and my VMware servers. Each has a place – be it client driven, or solution driven. But frankly – they’re all tools. If my USB-to-Serial adapter on my Vista box doesn’t have a driver, and my Linux box sitting next to is has a serial port… guess what? I’ll be using minicom to configure that switch until I fix the driver issue. If my client is partial to Virtual Server over VMware – guess what? In goes Virtual Server. I can’t say that the desktop is all that exciting. It works – and I work with more Windows boxes than Linux, or Mac boxes.

Vista is neat. Is it Porsche, or a Ferrari neat? No… it’s new $200 OS neat. Keep it in perspective.

Reduce Your IT Workload... where it makes sense

2007-09-11T07:28:00.000-05:00

I saw an interesting post over on Daily Cup of Tech yesterday about identifying application “champions” throughout your organization. The objective is to help manage IT workload in smaller organizations, and to get the right people doing the right jobs (i.e. your receptionists doing Word templates, your CAD people owning AutoCAD, etc.). I'm a big proponent of this - under the right circumstances - but you have to be aware of how IT is perceived by the organization if you want this to be received in the manner that it's intended.

So I posted a comment that ran a bit long (okay… ran too long to be a comment), and I just wanted to link it up here. Reason being, that while I really like the ideal of identifying non-IT people as the application “champions” or “owners”, and I’ve seen it work to varying degrees, I also wanted to post an excerpt to point out the other side of that coin when wearing the leadership/owner hat…

(Putting on the ownership/leadership hat now)If you’re in IT serving in an overhead capacity, and other departments are billable… “you’ve got a problem. It’s your job to be the technology catch-all (just like the receptionist/secretary is a catch-all). Further, I’d argue that if you think you’re perceived as “more valuable” by organizational leadership relative to the receptionist who makes 1/3 (or whatever) of what you make… you’ve probably got your head screwed on wrong. You’re 3x the cost, and your value probably isn’t perceived day-to-day. So from an ownership/ leadership perspective… if IT isn’t pulling their own weight, why keep them around? I kid you not… for the vast majority of small and midsized organizations that I’ve been involved with, the value-add of IT isn’t perceived beyond the break-fix of the day-to-day. So forget all of your big-dreams and interesting Exchange 2007 migration projects. No one really cares besides the IT group. And why does no one care? Because your IT managers consistently (and repeatedly) overpromise and under-deliver. Beyond that, every three years you go and complain about not having new equipment, not having good training, not making enough money. You’re just a cost-center that someone hasn’t gotten around to cutting…”

(Taking the ownership hat off) Harsh? Maybe… but that’s the perspective of ownership in some organizations. And the reason that I point it out is because it’s extremely important for you to understand the context for success inside that type of organization. So, if you can get buy-in for application “owners”, do it… it’s great, and it makes life more manageable in a smaller organization. But keep in mind, that while you’re trying to get buy-in on having application owners, consider the other side of the coin, and make certain that ownership/leadership’s take away isn’t that “IT’s too lazy to do their jobs”.

Dell Pricing via the reseller Premier Site

2007-09-10T07:37:00.000-05:00

If you source hardware from Dell, have you checked out the Dell Premier Site yet?

As a quick spot check, I priced thee identical business-class workstations… one from the regular site, one via our Dell rep, and one via the Premier site. Now, granted, I didn’t talk to our rep and tell him that I needed some extra margin on the order, but the Premier site had the edge beating our rep by 4-5%, and both beat the regular web-site (even with web-site discounts applied).

Not earth-shattering, but not bad either. And no, you don't need to provide your customer information when ordering via the Premier site. For details, check with your rep - he/she can tune up your account.

What’s your value proposition?

2007-08-21T18:35:00.000-05:00

Since my last post, I’ve been reflecting on what others have been posting in comments and elsewhere about partnering with Microsoft, Software without service, and the like. One thing that strikes me about the “infrastructure” side of the work we do is that from a business perspective, delivering infrastructure is really just a necessary evil. If you think about it, infrastructure is certainly the biggest “risk” in terms of the relationship (managing expectations, delivering services, and closing the project), the most capital-intensive (outlays for equipment), and the most difficult to manage from a labor perspective (preventing overruns and the like). Now we certainly do business on the infrastructure side, and we still deliver equipment and infrastructure to our client’s “server rooms”. Are we profitable on a project-basis? – maybe… but I liken it to selling razors. We deliver infrastructure (the razor) at or above our cost, but we make our real margins as we work-up the services stack. What I mean by the services stack, is going from a break-fix shop, to having some type of “managed services” offering, to eventually becoming the trusted advisor and/or virtual IT Director for the businesses that our clients own. As we work up the stack, it’s these “softer skills” that are the most profitable… getting infrastructure on-site is the just the hook that we use to deliver everything else that we do… and the more I think about it, the less I care if I’m delivering via the cloud, or via equipment. To use another analogy… think about gold rush of the 1850’s… sure maybe guys like Hurst (think Microsoft, Google, and Dell) made vast fortunes, but most of the miners (SBSC’s and IT Pros) just scraped by, or worse, went bust. In between, were the guys and gals that moved up the stack, and sold mining tools and equipment. It’s these types of businesses that thrived as people went out seeking their fortune. Look at the SMB IT segment, who’s moving up the stack today, and what exactly does the stack look like?

So I’m looking at the cloud and thinking about IT infrastructure… be it OWN’s offerings, or the various platforms that you can use to build-out solutions… think 3TERA, Amazon, and Sun (and to a lesser extent VMWare, and Virtual Server). The utility/grid computing folks are in business to deliver scalable infrastructure that “just works”, so that they can insert their “infrastructure-tax” (just like the Google advertising tax, or the Microsoft Windows tax) into tomorrow’s solutions. Why? Because it’s zero-touch (and has higher margins than selling boxes). You design a really good scalable “grid”, and you sell computing as a utility to companies that want to offer some type of application or service (this should all sound very familiar). The ASP (for lack of a better term) then treats the utility as an incremental cost of doing business, and can factor it into the solution they’re delivering. What’s great for the grid-folks is that they make money as their customers are successful, but they can offer the utility virtually zero-touch, and as we all know… zero-touch and scalability is where the money is.

Taking into account services via the cloud, where are we – as SBSC’s and IT Pros – going? We’re probably not going to go out and build our own grids (the grid-folks of tomorrow will be the Dell’s and HP’s of today), because grids already exist in some form today; they’re inexpensive, highly complex, and evolving. The one-man-shops and network plumbers who just deliver infrastructure are the businesses at the greatest risk – because they’re going to get squeezed from both sides (i.e. the cloud, and service providers with a niche further up the stack). Next up are the better-run small companies that just do break-fix – it will be slower in coming, but any one of us who can present a reasonable value-based argument is going to be better able to deliver services than that bunch. Next up are the vast majority of us who deliver some mix of managed services, break-fix, and block-hours. We’re the ones who need to be seriously considering how we deliver services – either partnering to deliver infrastructure via the cloud, building our own clouds, and/or moving further up the services-stack. To go back to the mining analogy… if we as SBSC’s, and IT Pros are mining gold… what do we need to do? Well, selling our services to each other is one good option, and moving up the stack to become virtual IT directors, developers, and the like for our clients is another. But as we look at some of the niches within the stack, there’s only so much room… how many different OWNs can the SMB community support… or how many MSPUs can provide really valuable mentoring to the SMB IT community? Sure, maybe we have a rising tide effect going on – but I’d venture that there will only be so many players further up the stack. Now maybe those companies have businesses that do work throughout the services stack… but they each have their own niche and value proposition that is unique and that not everyone in the community can readily deliver. So they’re better miners than us within their niches, and as a result are less vulnerable to a Microsoft or Google.

The future is unwritten.

That's true... and we don’t know how the grid computing game is going to play out just yet. But we can make some informed guesses based on past technology cycles, and I think we really need to be prepared in order to compete and stay relevant. Does that mean I won’t be selling infrastructure tomorrow? No, I probably will be. But I’ll probably be delivering infrastructure via the cloud and via equipment, focusing on service as a subscription, and I’ll keep moving up the stack delivering “IT Director” services to my clients. At the end of the day, it’s about the relationship that you have with your clients, and how good of job you’re able to do at scaling your offering, while remaining competitive.

Softgrid Deployment

2007-08-01T18:45:00.000-05:00

So I’ve managed to start getting up to speed on Microsoft’s SoftGrid Application Virtualization product. And it is… well, let’s just come out and say it… Softgrid is game-changing – even in the SMB space… especially in the SMB space. If you haven’t heard of it, Microsoft bought Softricity last year, changed the name, and hid the product down inside the “Microsoft Desktop Optimization for Software Assurance” product.

So what is application virtualization? Well, let’s start with the vision… Softgrid brings “Software as a Service” and Windows application portability to the masses. Think of it like server virtualization, but on the application level. Confused? That’s okay, keep reading...

Softgrid lets you virtualize the environment that your application lives in. It creates a kind of “sandbox” for your app that includes everything the app needs to know about (a registry, DLL files, ini files, system files, services, user profile data, and so on). This is kind of like the Java Runtime Environment – just not so slow. Building the virtual environment for each app is known as “sequencing” the app. Once an app is properly sequenced, you can throw it on a file share, and use the Softgrid Management console to distribute the app across your entire organization. The app gets streamed to your client desktops, and then resides there permanently. The app runs utilizing the local resources of the desktops (or TS servers) to which it has been deployed, and it runs just fine on laptops, and devices that are out of the office for extended periods.

Forget using group policy to deploy MSI files to groups or OUs (well, with the exception of the Softgrid client – you’ll need to deploy that somehow first), in some environments you can even forget about using SMS. All you need is somewhere to put the server component, and a guest session of XP to test deployment, and a clean virtual PC guest with the “sequencer” installed on it. Then, simply fire up the sequencer, install your app, and the sequencer virtualizes the application. Now you’re ready to deploy.

None of this is to say that everything just works the first time. It takes some time to wrap your head around it while you're doing your testing. Then, even after you figure it out, you’ll invariably have to resequence some stuff, and spend some time fighting various applications (I struggled with Office 2007 until I cleared the Softgrid client, and let my apps reload - fixed). That said failures in sequencing have been the result of my own making. So if you hit a wall, go back and review your process.

If you find that you’re having “Application Failed” errors, go read the deployment whitepapers on the ISO, watch the demo video (paying close attention to minutes 17-25), check the Softgrid blog, and look at Anthony’s SMS site (he has a bit on Sofgrid as well). Also, your testing is pretty low-risk – you can install the server along with the MSDE environment just about anywhere, and be up and running in no time. No AD schema changes or anything to find reason to stress over. If you’ve got an MSDN subscription, or are a Microsoft Certified Partner, just login and download the Microsoft Desktop Optimization for Software Assurance ISO, and get your environment going. From a licensing standpoint, check with your Microsoft licensing team. Yes, there’s a software assurance component to this, so how you sell this – or how you leverage it for your client-base will involve some licensing education – but you should definitely check this out.

How-to: Handle job candidates who back-out after accepting an offer

2007-07-17T18:17:00.000-05:00

It looks like Andy had a job candidate back-out on him after they had already accepted an offer. Thought I’d do a short post on some of the learning’s we’ve had with this already, just in case anyone else is going though the same thing.

First of all… don’t feel bad, because it happens. Try not to get frustrated, and realize that it’s just a cost of doing business. Easier said than done maybe, but it’s a goal, right? Best approach is to find ways to minimize the amount of pain that results when this does happen. As an aside, I’ve had candidates shop the offer after accepting, and it’s something that is hard to eliminate… often an employer will throw money at a good employee who’s considering leaving… so just keep that in mind. That said, the vast majority of the candidates that have accepted an offer seem to come on-board, and I always have a frank conversation with them about their current employer, and the likelihood of them doing a counter-offer, reminding them that we won’t get into a bidding war.

Next, it might be worth seeking legal advice if it really bothers you. It’s been my observation that the threat of legal action is a powerful one, even if there doesn’t appear to be much that can actually be done in this arena that’s really worth doing… but your mileage and options may vary.

After that come the practical things. First of all, get your bases covered… we don’t tune up phone contracts until after the first 90-days (consider letting them expense it, if it’s a sticking point), nor do we order business cards during that time period. In fact, we don’t do a lot of things until those first 90-days have passed. We stipulate that the first 90-days are an “evaluation period” when brining someone on, and that they’ll receive some type of review at the end of that time period. Other stuff we limit or otherwise restrict during that time period... Domain Admin access on client systems is restricted, as is access to the premesis after hours, all server room access, unsupervised access to clients (during the first month), and a few other things more specific to our business.

Things we do…
We do order a laptop/workstation once they accept (we can always use spares).
We do tune up a network account, and phone extension.
We do conduct the various HR tasks related to on-boarding.
We do send out a new employee introduction email to our employees as well as clients
We have lunch with the new person.
We do compensate based on the prevailing market rates (who wants an employee that doesn’t stick around beyond a year?).

Otherwise, pretty much everything is negotiable and flexible - despite the above. Oh yeah, and we try real hard to not let candidates who back out on us bother us too much.

Firewall, SBS: Are we just lucky, or ahead of the curve?

2007-07-17T06:54:00.000-05:00

Recently Chad talked about his reasons for moving off of ISA in SBS deployments, and replacing ISA with CheckPoint’s Safe@Office 500W. In the past, we’ve avoided ISA on SBS, standardizing instead on using the SnapGear (SG) product line for our client's perimeter security. Internally, the basis of this decision is rooted back in the SBS2000 timeframe, but ultimately is a result of the cost-benefit analysis of managing ISA, versus that of a perimeter appliance and the feature-set that our clients were requesting. In other words, ISA while “free” on SBS, and feature-rich in terms of what it can do, ended up being more than our clients tended to need, while the costs of change-management on ISA tended to exceed those of the SG-series that we were moving to standardize on.

None of this is to say that I don’t personally like ISA, nor do I consider it inherently insecure as some seem to. In fact, we’ve used it on a stand-alone box internally for some time, and have enjoyed the benefits that come with AD-integration, and web-publishing. So while our environment no longer precisely mirrors our client-environments (for a whole host of reasons), and I am a advocate of ISA – especially in mid-sized organizations, we’ve standardized on SnapGear for our SBS deployments.

Besides, Cougar is going to require something in front of SBS in the future. So we're either ahead of the curve, or just lucky.

Reloading Vista: Apps, tools, and utilities of interest

2007-07-08T01:22:00.000-05:00

After dozens of installs/uninstalls, playing with beta apps, and in general just thoroughly abusing Vista on my laptop for the past 6 months, it’s come time to reload the machine. By and large the issues are of my own doing, so by no means is this a “Vista problem”.

So why am I telling you this?

I’ve spent the past few days finding all of the apps that aren’t part of my base-image, and thought it would be something light to post. So without further delay, listed below is my list of apps and tools (with comments when relevant) that I had to track down for this load. You’ll notice that many of these are open source, though some obviously are not. I’m sure I’ve missed a few things – if you see anything that should be here, let me know.

ThinkVantage System Update - Beats tracking down every driver individually. Though you’ll need to grab the appropriate driver for the wireless chip set (preferably first), if you’ve got a T60.
Visual Studio 2005, IIS 7, SQL Server 2005
Symantec Antivirus 10.2
Office 2007 Professional, Visio 2007.
Quickbooks 2007
Camtasia Studio – Great tool for creating webcasts and training materials.
Virtual PC 2007, Windows XP, Windows 2003, SBS 2003 guest machines
Knoppix – Not actually installed. Just haven’t grabbed a recent ISO.
Netstumbler – Doesn't hurt to have on hand.
Sysinternals Tools – Microsoft bought these guys somewhat recently. I use ProcessExplorer mostly, but a great suite a command line tools.
MBSA – For update scanning.
del.icio.us web-browser extensions for managing del.icio.us booksmarks and tags.
Deamon Tools – for mounting ISO images. I know Microsoft released an unsupported tool that does the same, but I’ve been using this for a couple of years and like it. Just make certain to uncheck the Search tools on install to avoid adware.
7Zip – Unzip tool with a GUI. It’s free, it works - and is similar to WinZip.
Adobe Acrobat Reader - Read PDFs.
KeePass Password Safe - Open Source tool for managing account information and passwords to web-sites and other resources.
GreatNews RSS reader – I used to use RSS Bandit, but Vista compatibility was a bit slow in coming so I switched. As I have more feeds that I can read daily, I’ve started using the NewsWatch feature almost exclusively for finding content of interest.
VMRCPlus – Great console GUI tool for managing Virtual Server 2005 R2 machines without having to bounce through the web-based interface. Which, as an aside, who thinks it was a good idea to release Virtual Server 2005 and have the only management tools be the web-console? I mean, maybe, just maybe if it was AJAX-based, but even still… anyway, VMRCPlus solves that problem, and has apparently been floating around internally at Microsoft for some time.
AngryIP Scanner – quickly probe subnets for hosts. I use it frequently – note that SAV 10.2 detects it has a security threat.
ISO Recorder – Burn ISO images.
2007 Microsoft Office Add-in: Microsoft Save as PDF or XPS – Save As PDF from Office 2007 apps. No need for
PDF Creator – In case you don’t have Office 2007 and want to create PDF’s without Acrobat Professional.
Google Earth, or Microsoft Virtual Earth – Either, or, or both.
AD-COIT – My inventory script for scanning networks.
Citrix ICA Client – ICA client.
FileZilla – FTP client of choice.
JRE - Java runtime environment
TightVNC – One of many VNC clients
WinPcap – I don’t always install this on my main machine – but , it’s a packet capture library, and a requirement if you’re going to be using Wireshark.
WireShark – Previously known as Etheral - packet sniffing tool.
Paint.NET – You need some tools for manipulating graphics. I used to use The GIMP, but have been following PAINT.NET since the first beta a couple of years back. I like it, it works for me.
PowerShell – Think BASH for Windows kinda. If you haven’t heard of it yet, get familiar with it. Its how were managing Exchange 2007.
FireFox - An after thought.

IT Pro Interview Process - Overview and FAQ

2007-06-20T18:24:00.000-05:00

What started out as a couple of posts on interviewing IT candidates in the SMB sector, turned into a mini-series/FAQ on the topic. So, if you work in the SMB sector, or you're a small-to-midsized business that doesn't have a very formalized interview process, or even if this is the first time you've ever had to interview job candidates, check out some of these posts.

Getting Started

Where do I find candidates to interview?

What does a good resume look like?

How do I efficiently screen candidates?

What kind of screening questions should be asked?

Introduction to the in-person interview

What types of questions should I ask during the in-person interview?

How do I make an offer to a candidate?

Feedback is welcome, so if you disagree or can offer additional input leave a comment or shoot me an email.

SMB Nation 2007

2007-06-20T18:01:00.000-05:00

Got a call reminding me to attend SMB Nation 2007 this fall in Redmond. Is it already that time again? Wow. I posted a couple of notes last year after the conference. Special Alumni pricing of $399 until June 30th. Check it out.

Interviewing: Making an Offer

2007-06-20T06:04:00.000-05:00

I’ve covered just about everything that I wanted to touch base on with my series of interviewing posts, with the exception of making an offer to a candidate. Since there are plenty of books written on negotiation, I’ll consider that out of scope for this series of posts, and just leave you with these few recommendations…

Consider broaching the compensation topic early in your discussions – if possible do it before the in-person and establish some type of range so that you’re not wasting anyone’s time.
Stick to the plan of getting “X” number of candidates in for the in-person in as short of period of time as possible.
If you find a good candidate or two, and have already casually introduced them to your team, schedule another in-person with your entire team as soon as possible so that your team is included in the process and to make sure that there’s a good fit.
Make an offer. I typically give candidates 24-hours to make a decision – certainly if they need more time, I can accommodate them. But whatever you do, don’t lose your momentum. If they’re dragging their feet, don’t let so much time pass that you can’t make an offer to the other candidates that you’ve invested time in.

Every organization that employs people has a process for interviewing – even if it's not documented. So if you have any ideas to share, please let me know!

Utilities: ISO burner for Vista

2007-06-19T18:38:00.000-05:00

Apparantly I don't burn ISO images very often from my Vista machine... so when I needed a copy of Suse on DVD this afternoon, I had to go out and find ISO Recorder (again)... downloaded it, burned my disc, and it worked - free too.

Office: Office 2007 Save As PDF

2007-06-18T18:23:00.000-05:00

Save as PDF in Office 2007... I installed this add-on a while back and have been using it constantly. So now, instead of using only PDFCreator, Microsoft Office 2007 has an Add-In that will let you save directly to either PDF or XPS. Nice.

The Interview Process - Questions for the In-person interview

2007-06-12T22:32:00.000-05:00

So what type of questions should you ask? Well, the first thing to keep in mind is the role that this person is going to fill. This is going dictate a certain minimum level of technical competency, and is something that your screening questions should have targeted already. After that you should have goals or areas-of-interest that you’re trying to satisfy. These should be designed to help you determine the “fit” of a candidate to your need. Technical competency questions are more measurable and objective than the fit/areas-of-interest questions, but you’ll weave these together to identify a candidate to hire.

Since we’ve been talking mostly about a “Server Analyst” or “Sysadmin” type of position in this series of posts, I’ll focus on that in my example.

Ok… but, what to ask?

“Tell me about yourself”… This one is a good (if obvious) first question because it marks the transition from making the candidate comfortable, to getting to know them as a potential employee. Some candidates will ask for some clarification, others will start telling you about their current job, and still others will tell you about something in no way relevant to the task at hand. So it’s actually an interesting tell right off the bat.

But only let that last one go so far… make sure you get them on track quickly with… “Tell me about your current employer, and your role in the organization.” That’s really what I wanted when I asked the first question, so you might consider stringing them into one. The first part of this is finding out what their employer does. If it’s a tech-company, or something tech-like, then you’ll get some context. If it’s a large corporation, then you’ll know to illicit some feedback on other areas that will determine the breadth of their experience. Finally, if they work in a small organization you’ll know that you need to focus on the day-to-day technical aspects of what the job will entail –so you have some idea if they are technically capable of the position. The second part of that question is about their role.

What’s their role again? Are you sure?

Server Analyst, Systems Engineer, Network Engineer, Network Administrator, IT Manager… and so on are used so interchangeably in this profession that I never really know what someone does until I meet them and talk to them about their role. Make sure if you want a “server analyst”, you’re getting the type of server analyst that you’d expect. So figure out the context…

For context, I start asking for some numbers… “How many servers are you directly responsible for?”, “How many users?”, “how many customers/clients”… numbers don’t necessarily tell you a whole lot, but it’s enough to figure-out if they’ve been forced to rely on some type of automation, or if they’re just dabbling as a server analyst. Let me explain… if someone tells me they’re responsible for a 200 user environment, with 4 servers, I know I’m going to have to illicit some more information to figure out if the their role is really that of a “server analyst”, or if they’re a “desktop support” person who does some server stuff when necessary. On the other hand, if they tell me they’re a Citrix Metaframe admin, with a 30-server farm, then I’m going to ask an entirely different set of questions. In either case, I’ll proceed to figure out if they have they experience in the areas-of-interest that I’m looking for. Personally, I usually need someone with good customer relationship skills, someone capable of juggling multiple priorities (often technical), while maintaining an excellent attitude, and always being customer-focused and driven. In the 200-user environment example, this might drive a whole other line of questioning… “So you’re responsible for 4 servers? What do they run?” Oh, you run Exchange? What version, and at what service pack? How many Exchange databases – if multiple, what drove you to use more than 1? What tool(s) would you run to troubleshoot a problem with your priv.mdb file?”… “So you’ve used eseutil before – tell me what you did with it”? I’m not looking for someone who knows the command-line flags of a random tool, I'm interested in their approach. I don’t want someone whose only answer is that they look stuff up in newsgroups, or in a KB article either - but it's okay to use resrouces to find information.

So in the above, I was trying to get a picture for what their job looks like. To generalize – are they Enterprise, or SMB? And beyond that, I tried to illicit some technical details about their environment. I was able to validate that they ran Exchange, and were up-to-date on the SP level, and if they’ve ever had to troubleshoot an Exchange server that was down. Now, depending on your need, you might want to get some more detail. Maybe ask about what other services are being provided by the Exchange server – find out if the placement of the Exchange databases makes sense in terms of the storage configuration and server utilization. Are they using a SAN to host the Exchange databases? If so, what challenges did they run into with making this work reliably. And so on… if you’re asking technical questions, you probably want to avoid getting too deep in an area that you have no experience in - as any technical person knows, it’s pretty easy to spot someone trying to fake knowledge or experience. So with that in mind, you’re going to want to ask a series of questions that are designed to give the candidate an opportunity to explain something to you as if you were a novice. There are a couple of schools of thought here – either pick something that you know a lot about so that you can coach the candidate and illicit the information you’re looking for, or pick something that you have no background on. I usually do both, but focus on the later. This will let you can focus on watching the candidate explain something to you, and to determine if their explanation makes sense. Ask them to explain the details, and why things are they way they are. It’s an excellent opportunity for you to A) learn something new, and B) figure out if the candidate can explain something to a novice. This will help you learn about their attitude, and their approach to working with clients.

Why is the sky blue? (Or, how to use open-ended questions)

This can be a really good tool for figuring out if a candidate is doing root cause analysis, or just treating symptoms, as well as putting them under pressure and letting a scenario play out that you might have come across in the real world. Be careful with this though, because if you haven’t carefully thought out the branches that this question can take, you might be setting a candidate up for failure based on the bias that you introduce. Questions like… “Tell me how you would troubleshoot a complaint of slow internet access” are good because they can tell you a lot about a candidate. Now, I’m not going to look at the branches this particular question might take here, but expect the candidate to talk about name resolution, bandwidth, user counts, IDS/IPS, HIDS, antivirus, networking infrastructure, and so on. Keep in mind that you’re not necessarily evaluating a candidate’s ability to figure out what’s going on at the packet-level (though you might be), what you’re really interested in is how the candidate responds to the pressure of an open-ended question. Do they freeze-up, or get noticeably stressed out? Do they get frustrated at not being able to get to the root-cause? Are they comfortable with telling you that they don’t know at some point? And do they offer a reasonable path-forward (i.e. get the Network Engineering tem involved; call Microsoft PSS if relevant, etc.)? Get them to tell you about why the sky is blue, and you’ll learn a lot about them.

Managing Expectations

This helps you learn about how the candidate interfaces with client, and if they can juggle multiple priorities, while maintaining a positive attitude. When it comes to clients/customers, everything is a priority because they’re the ones that pay the bills. So it’s important that they can demonstrate the ability to manage client-expectations while still balancing other commitments and responsibilities. The way I usually do this is by giving them a scenario... something like this… “Client A needs an inventory of IT assets for an auditor by tomorrow”… while “Client B’s CRM application is down”, and you don’t have any other staffing resources to help you manage this. Tell me how you would handle this scenario? Now, admittedly scenarios like this are only going to tell you so much about how they handle real-life situations… but it’s better than nothing, and gives them an idea of the type of issue they’ll be up against. The candidate should start by asking you questions something like this... “What’s the SLA for those items?” “Do we have a knowledge base on the CRM app, or a vendor relationship that we can leverage on the CRM app?” “Do we have an existing asset inventory that I can send, or is it something we can generate?”. Coach candidate, and get him/her direction as they need. Then have them explain why they’re doing what they’re doing. It doesn’t really matter which one they provide service to first, or if they have a plan to get both issues resolved – just that they had a plan that had been reasoned out

The Road Ahead

I always ask about tomorrow – industry trends, changes in technology, changes in perceptions... It gives the candidate an opportunity to show a passion for the field, and for the future. And it gives you a window into how they see the world. Ask them where they see the IT business in 5 years. Or better yet, how they see the role of the IT service provider changing – assuming they already have some exposure in this area. This flows nicely into questions about where they see themselves from a technical standpoint 5-years down the line… which flows into questions about like… “Technology constantly changes – how do you keep up”?

Summary

I hope this post proves helpful, and that it demonstrates that the interview process should be a conversation – there’s an ebb and flow to it. It’s not a list of 10 questions that you can check off of a list. And it’s not just softball questions about what the candidate thinks about certain things. Please don’t consider this to be a be-all-end all list of questions, rather see it as a list of ideas for managing the conversation, and getting useful information from the candidate. In the end, it’s important to keep in mind that you’re really looking for a “good fit”. Assuming the candidate meets a base-level of technical competency, focus on their attitude, pay attention to how the talk - if they’re able to have a conversation, and if you think they’ll be able to interface well with your clients, and will represent your organization well.

The Interview Process - Bringing in the Candidates

2007-06-05T06:05:00.000-05:00

After a brief hiatus I’m back to begin wrapping up my series on the interview process. By now, you should have posted an ad, received some resumes, screened your candidates, and scheduled your first round of in-person interviews. Now, the more candidates you can meet, the better. But if you’re a small to mid-sized business, then you’re probably wearing many hats – so it’s going to be difficult to meet with dozens of candidates. Depending on your time and resources, set a goal to interview at least 5 candidates during the first seven business days of in-person interviews. As best you can, clear your schedule to make this happen. If you don’t, then this process will drag on forever, and you’ll end up forgetting about people, and never being satisfied with the results.

Why 5? It’s an arbitrary number – and an HR person might tell you that 5 isn’t nearly enough. But having worked for a medium-sized organization for a while, and watched how hiring tends to happen, having a goal of doing 5 in the first round is a reasonable, and achievable goal. So get to it.

Conducting the interview…

There are a lot of opinions on this, but here’s what I do, and I’ve found it to work well for my organization.

Your first job here is to get the candidate as comfortable as possible. Why? Because you want to learn about your candidate, and the only way to do that is to get them talking. Hint – brining them in front of your entire team right now, first thing, will not make them comfortable. If you do, you’ll be wasting everyone’s time. Yeah, I know… you already screened them. But until you know who’s worth interviewing, don’t bother brining your team in. Often I'll start an interview as a one-on-one, and then if the candidate seems like a reasonable fit, I'll bring in team members who happen to be in the office, or I'll bring the candidate by the break-room after the interview to talk with the team.

What’s with this whole “getting the candidate comfortable thing” first thing? Shouldn’t we be putting him/her on the spot to see how they react?

Would you want to be treated that way? There will be a chance to push the candidate, and gauge their reaction to not knowing an answer. But it’s important to get a good read on the candidate – so make them comfortable up front.

Maybe this is obvious, but I’ll say it anyway… your job here is to get the person talking. If you’re the only one talking, you don’t learn anything. And if you don’t learn anything, how can you reasonably evaluate the candidate? So after the pleasantries… you don't launch right into a barrage of questions do you? Oh you do? Well, let me define pleasantries then.

By pleasantries, I mean things like – “any trouble finding the place?”, “nice weather we’re having…”, "did you notice "X" about last month's patch-tuesday"... and so on. One thinks this should be obvious… but I’m defining this because I’ve seen interviewers launch right into the question component of the interview, and this throws some people off and makes them even more nervous than they would be otherwise.

So… as I was saying, after the pleasantries, give your 30,00ft overview/elevator-speech on who you are as an organization , and what you do. This shouldn’t be news to the candidate, but there will be time for details later… just don’t get too verbose here, because a big part of the interview is you keeping your mouth shut. I can’t tell you how many times I’ve seen interviewers use the interview to make themselves… feel smart, or important, or… whatever. Don’t be tempted to do this – if you do, you’re shooting yourself in the foot because a smart interviewee just might pick up on this, and realize he/she can score the job just with just a few well-timed comments.

So to review… make the candidate comfortable, give them the organization overview speech, get them talking, and keep your mouth shut.

Ok… but, what to ask? Well deal with that in the next segment.

AD-COIT v2.546 Released - Adds basic command line functionality

2007-05-30T18:52:00.000-05:00

This release adds basic command line functionality to the script, which includes options to enable/disable main inventory logic, FSMO role detection, and select output to CSV as an option. Also added to the main inventory logic is SQL server detection/status.

The command line functionality should make the script easier to use, and reduce some confusion associated with having to change the LDAP path, and path to the CSV output. You still need to make sure your LDAP path reflects reality, and that the path to your CSV output file actually exists (i.e. c:\scripts\output.csv), but it's more prominently displayed in the help.

As always, you can find the latest release on Sourceforge.

AD-COIT: Adding Command Line Options

2007-05-23T06:48:00.000-05:00

Since adding the CSV output to AD-COIT in v2.5 I’ve been working on few other updates, focused primarily on building basic command line functionality. So instead of having the script automatically echo FSMO roles to the screen, output to the CSV, and execute the main logic, you’ll be able to specify these options on the command line. At this point, I’m not ready to drill down and add logic and command line parameters to handle each collection (it’s still an all or nothing type of thing), but I think that the above will add a bit more control for everyone.

As always, feedback and suggestions are appreciated! I’ll also post to this blog when the release is updated on SourceForge.

The Interview Process - What type of screening questions to ask

2007-05-21T23:28:00.000-05:00

Picking up where we left off, you should be at the point where you've gotten some resumes in, reviewed them, and have engaged a (hopefully) non-technical person to screen the candidates with a short phone call. My recommendation is to keep the list of questions short, make sure the screener has the answers and that you've sat down with him/her and explained the criteria and a process for collecting and recording information.

For example…

1) Name as many FSMO roles as you can.
2) How many layers are in the OSI model, name as many as you can.
3) What is the difference between RAID1 and RAID5?
4) What ports do the following services run on? SMTP, HTTP, HTTPS, Remote Desktop…
5) How do you determine the IP configuration on a server or workstation?
6) In what order are group policies applied in?
7) Name some patch-management solutions you've worked with.

Alright, I can already hear it… FSMO roles aren’t changed that often in the SMB-space. Or, the OSI model is [insert one of a dozen different complaints] , or… whatever. You see, with these questions I’m just trying to get the screener to gauge the background of the candidates. If someone can’t remember 1 of the FSMO roles on the spot, well maybe that’s one thing. But if they completely miss questions 1, 2, and 6, and can't name any of 7... well, you get the idea.

Remember what you’re looking for – reasonable answers to as many questions as you can get, without overwhelming your candidate or the screener. Keep in mind that these questions should screen out, as well as screen in the type of candidates that you're looking for.

Finally, having a screener should make your life easier - if it doesn't, then don't do it.

The Interview Process - Step 2, Screening Candidates

2007-05-20T18:11:00.000-05:00

Step 2 – Screening candidates…

This is where having a receptionist, office manager, HR person, or basically anyone non-technical can come in handy during the interview process. Why non-technical? Because if you can hand a list of screening questions to someone who doesn’t have a frame-of-reference, then you can just have the screener ask the questions and record answers. Or if you’d prefer, hand them questions and answers. Having a phone system with a few bells and whistles can improve this a step further – get the screener to forward copies of the phone calls to you so that you can review the responses on your own schedule (say for instance, at 2am on a weekend – like when I’m writing this post).

Couldn’t having a non-technical screener be unfair to the candidate?

I tend to think it’s more fair for everyone. Why? Well, primarily because your screener is likely to have less bias. Having no frame of reference, all they know is what to ask and maybe what the right answer is. You might also help the candidate by having the screener explain who they are and what the purpose behind the screening call is. It might help put your candidate at ease knowing that A) it’s a low-risk interface and B) we’re being as objective and as measurable as possible during this first round.

What if the candidate asks probing technical questions to get perspective on the questions?

Well, if you’ve put together good questions they should be the type of questions that have real yes or no answers – questions where you only have 1 possible “right answer”. If the candidate is asking probing questions, just have the screener reiterate that they are simply recording your responses for the hiring manager.

What kinds of questions should I be asking?

I think I'll save that for tomorrow.

The Interview Process – What does a good resume look like?

2007-05-19T02:17:00.000-05:00

So, you’ve placed your ads, and now you’ve got a stack of resumes to wade through. Where do you begin?

The cover letter.

Resumes are fine for communicating history. But a cover letter tells the candidate’s story. It’s what they should be using to grab your attention, engage you, and differentiate themselves. I always, always ask for a cover letter. If they don’t send one, I usually don’t end up looking at the resume. Maybe that sounds harsh, or unfair, but if I specifically ask for a cover letter in an ad, and I don’t get one – what does it say about the candidate? That they didn’t read the posting? Maybe they’re spamming their resume to every employer in the area. I can forgive a lot when it comes to a candidate – ugly resumes, gaps in the employment history, a technical background that’s not an exact match with the need … but I need to have a cover letter. And why not? It’s a candidate's opportunity to differentiate him/herself from the dozens of other resumes that hit my desk that morning.

Incidentally, while I might skim through resumes, I read every cover letter that I get.

Always send a cover letter. And spending 5 minutes to make sure that it’s a good fit and just a little bit customized for the position that you’re applying for can make all of the difference.

Resume tips?

There are plenty of books, and plenty of sites that cover this in detail. Specifically worth mentioning is the Jobsyntax blog – definitely worth a read. As far as what I like? Short, 1-2 page resumes. I like an “objective” statement – but if your's says anything about “finding a job”, or is “passive” in anyway, then it’s best to leave it off. I’m not in the business of giving out jobs – I’m in the business of making a profit. Help me make a profit. Otherwise, the highlights should all be on the first page, including at a minimum – current position, major accomplishments that you are comfortable discussing intelligently during an interview, and education. Education is becoming increasingly important for IT Professionals. I'm getting tired of the certification mills churning out job-seekers.

The Interview Process - Getting Resumes

2007-05-18T06:33:00.000-05:00

As I was saying yesterday… the framework… we’ll start with the beginning.

1) Get resumes

Well, I suppose getting approval for the position wouldn’t hurt. I understand that it’s an up battle in some companies - but when you're a profit center, it's usually easier.

Alright – obviously, there’s lots of options for getting resumes in the door… Jobburner, CareerBuilder, Yahoo Jobs, Monster, Dice, and so on. But just doing something is the first step to getting people in the door – so don’t procrastinate under the guise of trying to find the best engine – they’re all adequate. Personally though, I really like Craigslist. I know some people have mixed results from them, and certainly I’d imagine that a lot depends on your local labor market – but hey, in most markets it’s free to post. So if you’re running something though one of the big names, why not double (or triple) up and use Craigslist? I think your results will depend more on your local market, but while the volume you get out of Craigslist might be less than the other boards, I’ve found the overall quality of candidates to be very good.

The Interview Process - Getting Started

2007-05-17T06:52:00.000-05:00

In the past couple of posts, I’ve talked about just a few of the key-takeaways from the interview process – mostly from the perspective of an interviewer. While I think there are more things to consider and that would be worth talking about, I want to move on for now and talk about what our interview process looks like, and why it looks that way.

I know that some companies – like Microsoft, P&G, and Google - have really involved interview processes consisting of multiple meetings, phone calls, and so on stretched out over weeks, or sometimes months. As I’ve said before, we’re a small to midsized company and we don’t have the burden – or luxury of doing that. In fact, until very recently we didn’t have much of a process at all – very informal, and certainly not measurable. That said, I like things that are as objective and as measurable as possible – and as we’ve grown more responsibly has been pushed out into the organization, so having a standard process is important. Most would agree that there is a certain amount of subjectivity to the interview process, and that making is measurable is hard. But I don’t think that it being “hard” means throwing up your hands and saying “it can’t be done”. And while I believe that it’s important to follow-up your gut, and use your instincts, you need to check those instincts against something that is measureable.

In short, I try to balance subjectivity, and objectivity, and try to include as many members of my team in the interview process as possible.

But what does that mean?

It all starts with having something in place. Some type of framework, and some type of process. It doesn’t have to be perfect, and it shouldn’t be the first, last, and only time that you consider the process. It’s just that most organizations either: A) Don’t hire frequently enough to put a process around it – so they reinvent the wheel each time. Or B) Hire so frequently that they have HR department to manage it. Since we fit in the middle, we needed a process. So I started talking to contacts that I had in different sized organizations – of all sizes - and came up with something that looked pretty typical of every interview I’ve been on.

Get resumes
Screen candidates with a phone-interview
Bring candidates in for a 1-on-1 interview, followed by an informal team meeting
Second in-person interview with team
Offer letter

The framework probably looks similar to every other interview process on the planet – and with good reason, it was our starting point.

In the next post, I’ll drill down into the detail on the framework, to address how we get resumes, screen candidates, and so on.

The Interview Process – A few more key-takeaways

2007-05-16T06:24:00.000-05:00

Let’s jump right in today…

Third takeaway – There’s no such thing as the perfect candidate.

If you can get beyond that, then it quickly becomes about finding a good fit. I can make a list of technical requirements for a position, and someone can show me a list of certifications that they have to meet my list, but at the end of the day, it’s about finding someone who is a good fit. Put a different way – you can train a good Engineer – or good Technical Person - to do almost anything technical. But having the right attitude makes all the different in the world. Find that good mix of technical talent, and attitude and you’ve met that “good fit” criteria.

Expanding on that point even further for a second, I would much rather hire someone who might be lacking a in a few technical areas, but has a great attitude, than someone who projects themselves as knowing everything about everything. In fact, a candidate with less technical background – or maybe even a different technical background than what I need right at this second, might be – in fact has been in the past – a more preferential candidate. For instance, when I put out a job add I don't list 10 years of experience as a requirement for anything ... in fact, I'm very general with my experience requirement because I want to see resumes, I want to talk to people, and I want to find a good fit.

Fourth takeaway – Don’t make people feel stupid (and don’t be arrogant).

I think these two go hand-in-hand, and I admit there’s a balancing act here. You want to push a candidate to get a feel for their technical depth, as well as to see how they respond when they don’t know the answer and are under pressure. That said, a “good fit” candidate shouldn’t have all of the answers. No one knows everything about everything. So if you’re interviewing candidates for a Network Administrator position, don’t expect a deep background in something unrelated – or only marginally related.

I remember going on an interview a while back, where the interviewer just slammed me for not having the answer to a very specific – and obscure problem. One learning that came out of that for me was that sometimes “I don’t know” is a good answer. If someone doesn’t know the answer, but explains how they’d go about finding the answer – proceed. Or let it go. Consider your objective met in learning that they don’t have the answer to question “X”. But pay attention to how they handled question X – and handled not knowing the answer to question X. If they get it wrong, press them on it, get them to ask you questions. But you shouldn’t be making a candidate feel stupid.

More to come...

The Interview Process: 2-key takeways from our search

2007-05-15T18:51:00.000-05:00

Our metrics have been supporting the case for adding an additional Network Administrator position for a while now… staff utilization metrics, billable percentages, and our pipeline are all in agreement. So after posting an ad, getting a stack of resumes, and interviewing some candidates I thought I’d post some of my thoughts on the topic. Maybe even a series of posts… we’ll see how it goes.

First takeaway – Nobody really likes interviews.

That goes for all sides of the table. If you’re a job candidate, keep that in mind because it just may give you a bit of an edge. If you’re an interviewer, come prepared with discussion points, and facilitate the conversation. Obviously, you should have reviewed the candidate’s resume more than once, and should have some measurable criteria for comparing candidates. And if you’re a resource (not the lead on the interview), have some questions prepared. Have an idea of what you want in a fellow employee, and be prepared to insert yourself into the discussion if you see things getting off track.

Second takeaway – Make the most of what you have.

We’re not Microsoft… or Google… or any one of the big west coast tech employers.
We have a great team, a diverse talent pool, and a good mix of backgrounds… from Software Developers, to IT Professionals, to other Engineering types. But as a small-to-midsized technology company in the Midwest, we have limited time and limited resources. In practical terms, that means no day-long interviews with a dozen different people. We’re pretty much limited to three interviews… 1 phone interview, 1 one-on-one interview, and 1 team interview. Make the most of your time.

That’s about it for today. I’ll plan to follow-up with some more ideas, and add some interview questions that we've used - as there doesn't seem to be much in the way of intervew questions for netadmins floating around on the internet.

AD-COIT v2.52 Released - Adds CSV output and more inventory options

2007-05-14T19:35:00.000-05:00

I posted an update today to my AD-COIT script over on SourceForge.

With the latest release, version 2.52 adds CSV output and local admin group enumeration. CSV output, together with improving readability, makes it easier to manipulate your data using a spreadsheet app. You may notice a few bugs in the output, but all-in-all I think it was worth the time to update the release.

The most recent changes were driven by internal needs – as well as your emails and comments – so keep them coming! Mainly we needed to find and fix local admin groups, as well as just make it easier to work with our data.

As always, your input is encouraged. Let me know if you have anything you’d like to see added!

Netadmin: Copy very large files faster

2007-05-11T16:30:00.000-05:00

So ESEutil isn't just for Exchange Admins...

In a timely post by the Ask the Performance Team, ESEUTIL came in handy today for copying a large (well, 40GB anyway) SQL database. Was it up to 20% faster? I don’t know – but faster than an xcopy or the like.

Check it out…

Do you store PST files on file servers?

2007-04-18T06:35:00.000-05:00

You probably shouldn’t – you’ll eventually see I/O problems (hang’s and general slowness) on the file servers. I see this occasionally with new clients that we bring on, and not surprisingly it’s the IT organizations (or HR) that often institutesthe policy of having users store their .PST files on the file server. It’s hard to argue with the logic – PST files stored on a file server can get backed-up. Further, on smaller networks you can often get by with doing this for quite a while – until growth and higher I/O utilization cause the issue to manifest itself.

KB article 297019 hits the highlights, and there’s an excellent post on TechNet as well.

So you can either store the PST files locally and risk them being lost or destroyed - or, put them on files servers and risk having the I/O problems. If you’re looking for a compromise, check out the Outlook Add-In Personal Folders Backup tool. There are also some other third-party tools like Genie Outlook Backup, and Mobiliti Outlook Backup. The downside of course is that these are all compromise solutions in that they don’t’ just work. In each case, it’s another layer of complexity – deployment, management, and user training to consider.

SBS: Are you redirecting the location of newly created computer objects?

2007-04-17T06:25:00.000-05:00

Note: This isn’t specific to SBS, but larger organizations tend to already have processes in-place to handle this.

Short answer – use “redircmp.exe” for all of your SBS installs.
Need reasons? Read on…

So, by default when new computers get added to the domain, they get created in the Computers container. And it might be okay that they get dumped there because it forces someone to do something with it. Assuming you’re the only one managing it, you won’t forget, right? Oh, you might? What about you’re other netadmins, will they forget? Maybe so.

Simplify and automate…

That’s why we have Active Directory anyway, right? Well, that and to scale nicely – but doing stuff is a big part of it. So if you have computers piling up in that computer container (by now you should have opened out ADUC), then you know for a fact that they don’t get any GPO’s applied. And if dozens of boxes – for that matter, if even a few boxes – have been added without following the correct process, then at best you have some confusion. Worst-case, you have boxes that aren’t getting updates distributed via WSUS (or some similar fate).

Fortunately, there’s a tool for this called “redircmp.exe”. What it is? How do you use it? Is it safe for SBS? Don’t want to read the KB article? Well, it’s just what it sounds like – a tool for redirecting the default location of newly created computer objects (there’s a “redirusr.exe” too, which does the same for users). The first step is to probably to consider building onto the OU design of SBS. No, I’m not talking about changes to the SBS-ized stuff… we tend to build-out beneath the default OU structure for customization. Why? Well, it reduces risk - it helps us to enable our clients to do a bit of self-management sometimes – and it keeps team members from making big mistakes. But the main reason is that you probably want something that makes sense for your circumstances and your client. The hierarchy should fit the business-need.

As far as how to use it, there’s not much to it… from the SBS server just run it and it gives you the usage. Otherwise, here’s something that might make sense for you… obviously this is a sample based loosely on the SBS hierarchy.

“redircmp ou=WSUSMasterOU,ou=SBSComputers,ou=Computers,ou=MyBusiness,dc=domain,dc=local”
It should respond with “Redirection was successful.” If it said something else, check this KB article. Now go ahead and test it. Fire up Virtual PC with a base-image, add it to the domain, and refresh the OU in ADUC. It should show up down in the WSUSMasterOU (or whatever is appropriate for you). Depending on how much automation you want, this might be enough. At the very least, you're a step in the right direction – and if someone is forgetting to move it down further into the right OU, or add it to the right group, then at least you’ve got a base level of GPO’s being applied.

Mobile: Exchange Mobile Messaging

2007-04-10T06:54:00.000-05:00

I started writing a post about how to enable and manage Exchange Mobile Messaging – also known as DirectPush – when I found a really good series of articles written by Henrik Walther. It’s too bad they weren’t available when we were putting together our SBS client deployment process last year as they’re great time savers. So, instead of reinventing the wheel, I’ll just give the high-level overview with some SBS tips, and then refer you to his articles for deployment details.

What is Exchange Mobile Messaging?

Commonly referred to as DirectPush (or always-up-to-date; AUTD v2), Exchange 2003 Mobile Messaging enables your Windows Mobile clients (i.e. smartphones) to synchronize their mailboxes (specifically - Calendar, Contacts, Tasks, and Inbox) over-the-air (OTA).

What do I need to know to make this happen?

Exchange 2003 SP2 must be installed (DirectPush is enabled by default),
You need to configure a device security policy – open ESM>Global Settings>Mobile Services, Device Security. At a minimum enable “Enforce a Password on the device” so that if/when a phone is lost, you’ll be able to provide a degree of data protection. Keep in mind that when you enable this setting, when devices subsequently sync they will prompt users to create an unlock pin (We recommend 4-digit pins – and don’t get too much push-back from clients).
Messaging and Security Feature Pack (MSFP) needs to be on the phones (this is already on most newer phones).
Microsoft Exchange Server Active Sync Administrator tool (MobileAdmin) installed on the Exchange server. After installed, this is a web-based tool available at http://servername /mobileadmin – it will prompt for login credentials. You’ll be able to remotely wipe devices if they are lost.
SBSers, the only problem I’ve seen after installing the MobileAdmin tool is that sometimes you’ll find that you’re unable to use the web-based interface to search mailbox partnerships under “Remote Device Wipe” (with an error saying “failed to access user’s Mailbox…”). In this case, you may need to uncheck “Require Secure channel (SSL)” option on the “Exadmin” virtual directory in IIS.
If you use the MobileAdmin tool to remotely wipe a device, all data is deleted from the device. After doing so (and the device has subsequently been found or replaced )- remember to cancel the wipe – because subsequent partnerships on new/found devices will continue to wipe.

Isn’t this difficult to accomplish on SBS? I’ve heard there are certificate problems.

Assuming you have Exchange SP2 installed - It’s not very difficult. If you’re using self-signed certificates, you might run into a few snags. Obviously, a certificate from a trusted certificate authority will make this easier - some phones don’t like the self-signed certificates. However, we’ve been able to get self-signed certificates working on Samsing Blackjack (Cingular), and Treo 700 (Verizon) phones without issue.

Linux: Compiz and Beryl are merging!

2007-04-05T06:11:00.000-05:00

Check it out - Compiz and Beryl and merging! While not my typical blog-fare, it's exciting news. If you have no idea what I'm talking about (and why should you - this isn't much of a Linux blog) they're compositing window managers that put 3D OpenGL acceleration into your X Windows System GUI (like KDE and Gnome).

In other words, it lets you do some neat stuff... like spin the desktop cube - among other things (like sliding window effects, snow, and other neat 3D effects.). Check out some video's that demonstrate what I'm referring to. It's kind of like the Vista slide-deck multiplied by 100.

What if you're new to Linux? Just choose a distribution and go - it's all so much easier than it was 10 years ago - it shouldn't take long to get up and running.

SBS: Do you forward E-Mail though SmartHosts, or use DNS for routing?

2007-04-04T17:41:00.000-05:00

Specifically, I’m referring to the SMTP Connector in SBS 2003 (Exchange 2003). You’ll find this option in the CEICW wizard – or the SMTP connector (ESM>Connectors>SmallBusiness SMTP Connector Properties).

I prefer to use DNS, but I’ll explain more below. I think the key take away is that if you’re deploying SBS servers in client-environments, then you should really have a process in-place to ensure quality and uniformity across the environments that you support. Certainly, there are a few specific circumstances where you probably need deviate from the “standard”, but these should be the exception and not the rule.

So why use DNS? I actually think the case for why you should not use the ISP/SmartHosts is a better argument. For instance, if you’re forwarding though the ISP email originating from your organization will show that it was forwarded though the ISP in the header. Secondly, since UCE/spam also uses this method, it increases the likelihood of the mail not being delivered, and some domains refuse to accept mail that has been passed though a mail forwarder. There are more reasons too… maybe your ISP gets added to a RBL – and suddenly you’re blocked by extension.

In any case – I prefer to use DNS. What’s more, our SBS deployment process is to specify DNS. What’s your process look like?

Group Policy: Stop creating islands of customization – using Restricted Groups to Control Local User Manager

2007-03-30T06:10:00.000-05:00

How are you managing local groups on end-user workstations? If you answer is “I’m not… “, have you let islands of customization create a security – and configuration mess? Or worse, if you have customers that you provide service to, have you extended your internal mess across your entire client-base?

First of all, you should be making every effort to avoid giving users local admin rights. But you already know that. And you’ve probably already read the whitepapers, called the software vendors, and used Process Monitor to watch for what applications are making what changes and where. But keep in mind that this isn’t limited to how you manage the local admin group – for instance, maybe “Domain Users” isn’t the appropriate group to be capable of logging into the Account Department computers. Whatever the case might be – how should you manage your local users and groups? Group policy.

I’m always surprised by how often I hear it said that you can’t manage lusrmgr.msc via Group Policy. Because you can! And you really should be doing so. Take a look at restricted groups. Now, I know, the KB article isn’t all that great. Indeed, the fact that you use restricted groups to manage local users and groups is conspicuously missing. So look here for more information. Keep in mind that “Members of this group” lets you add groups or individual users, which define the local groups that you identify.

Now go and test it out with Virtual PC or something, before you try to implement it. Because it can be confusing – and Group Policy (thankfully) overrides existing local settings. So go create new OU in AD, make sure your test workstation lives below that OU, and scope a GPO that applies to the computer policy, at this location (GPO_name\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\). Tweak it and get it right. Then you can go back and do an audit of who is already a member of what local groups (making sure it appropriate) and build a policy that reflects that reality.

Business: The new client on-boarding process

2007-03-20T18:37:00.000-05:00

To follow-up on my last post, one of the learning opportunities that came out of the DST effort was in our client on-boarding process. For the uninitiated, client on-boarding is just what it sounds like… the process that we follow when we add a new client. So how is this connected to daylight saving time?

Competing priorities.

For us the two most common ways that we engage a new client is through project work, or in some type business-down situation. As much as I wish that new clients all came on with clean, working systems, fully patched, using our supported application-stack… we all know that's just not how it works. What we did have though just prior to the DST change, was a CPA firm that brought us on to handle support issues and get them though tax season, as well as to do a network assessment and make recommendations to better prepare them for next year.

At the point that we brought this client on, we were running at about 125% utilization. Utilization is one of the metrics that we use to help measure our staffing/loading, and 125% is pretty high. As individuals maybe you and I can each do 150% for weeks on end, but as an organization, you can't expect to max out all of your people for an extended period of time without developing quality issues.

Getting back to the process – the client came on-board just days prior to the DST change. As a result, there wasn't enough time to schedule a proper network assessment. The on-site Engineer did a spot-check of their system to hit the highlights and... they were way out of date. The servers were all running 2003 (no SP), Exchange 2003 (no SP), no patch-management tools, out-of-date antivirus software... the list goes on. With DST approaching, we met with the client and highlighted the DST risks, and the considerable effort that would need to take place prior to the change. We then started working though the punch-list to get them covered for the DST change. Complicating this was the fact that the this is their busy season as April 15^th approaches, so treading lightly while still accomplishing everything was a key deliverable.

End result?

We were successful. Everything was patched, and functioning prior to the deadline. However, this success came a cost. From an internal perspective we were busy re-prioritizing tasks, shuffling resources, and generally making life difficult for ourselves. As a result, it has became apparent that we need a more effective client-on-boarding process. Not only should this process better address some obvious deficiencies – the hand-off from sales, technical account ownership, and network assessment projects, but also incorporate our metrics into the process. For instance, does our utilization rate, effectiveness rating, pipeline, and profitability in existing verticals support adding this client? Does this vertical present any business-specific risks? Or In other words, does this client fit our business model, and if so, can we effectively bring them on without risking current clients?

DST: A Rollout in Review

2007-03-14T18:18:00.000-05:00

The DST change came and went this past weekend largely without incident. While our testing suggested that this would be the case –as with all things, hindsight is 20/20. So with the benefit of hindsight, I wanted to take a minute here and highlight a few items, as well as hit on some opportunities for improvement.

Successes:

The DST Rollout was completed for all managed clients on schedule
100% of servers processed the time change without incident
Less than 2% of end-user systems failed to receive respective DST updates (primarily laptops)

Despite the fact that this was largely painless for our clients, there were a number of opportunities for improvement, and in unexpected areas at that. Most notable items… the client on-boarding process. There will be more to follow on that topic. There were also some notable vendor misses that our testing either caught, or highlighted, but for which no solution was available.

IT Security in an imperfect world

2007-02-22T07:01:00.000-05:00

Andy has a good article on basic IT security.

He hits on some of the pain-points of being an IT professional with a security focus – especially for those of us dealing with small to mid-sized clients/organizations. So he talks about things like… Management reverting to a “let’s make this easy” approach, as well as some other common items like… Open Access Points, firewall holes, local administrator access on end-user systems… you get the point.

Andy sounds like he is the security admin for a mid-sized organization, so his approach will be rightfully different than mind. But I thought it was interesting nonetheless.

Let me first say that I understand where Andy’s coming from. A few years ago, I worked for a larger organization. And I, much like Andy, was/am very security minded. Since then though I’ve had had the opportunity to work with many organizations of varying sizes and mind-sets, and over time, I’ve refined my approach for the clients that I serve.

Instead of just looking at problems and finding solutions (tactical approach), I took couple of steps back and started approaching things a differently. What I’ve come to see is that there is no ideal situation from an IT and/or security standpoint, and there are a lot of reasons (or excuses, your choice) for the way things are… maybe it’s management’s approach, maybe it’s the technical staff, maybe it’s the budget… it may be a lot of different things. But instead of hammering on everyone to clean-up islands of problems, I started to take a different approach.

Find the answers to these four questions and it will improve your life, and career.

Is there a corporate IT vision, and/or strategy?
Where’s the plan?
Are we measuring against expectations set in the plan?
Is anyone accountable for anything?

If you can find the answers to these questions, you can probably get to the root cause pretty quickly. Take the emphasis off of tactics and figure out the direction of the ship. In my experience, the ship has often has no direction, so it might be your job it to set it on course. Or, if there is a direction and your job isn’t to set the course, then you have a few options… either execute against the existing vision/strategy, move into a position where you can set the strategy, or get out of Dodge.

Stop worrying about the legion of developers running as local admins with Visual Studio 2005 installed (hey, they all pretty-much need to be local admins anyway under XP, just ask Microsoft). Or maybe you’ve got a client who has cash-flow issues, and just simply wants to get though today. Or maybe you’re dealing with an old, large, slow-moving organization that has so much bureaucracy that it takes 30-days for a server-build to get approved.

In short, figure-out what the situation is, and get a plan together. Then either get moving, or move-on.

Vista: T60 Video Drivers

2007-01-27T12:48:00.000-05:00

Just to follow-up quickly on my last post; I've installed all of the new Lenovo T60 Vista driver updates. The video drivers were certainly worth the effort - being able to rotate the external 21" display is a nice touch. As is the 3D and video tuning center. Otherwise though, still no upates for Bluethooth, or the fingerprint scanner (wondering if anyone actually uses this).

Vista: Lenovo T60 Driver Updates

2007-01-25T06:18:00.000-05:00

I looks like Lenovo just released some Vista driver updates for their ThinkPad T60, and T60P laptops. I've had Vista on my main machine now for about a month - most stuff seems to be working, minus little things like Bluetooth and the fingerprint scanner. I don't see an update for those yet - but I'll let you know if I see any other notable improvements from the new driver set.

AD-COIT: Reader question about the installed application list

2007-01-16T22:40:00.000-05:00

I received a good question today about the application report in AD-COIT - the reader asks...

"In the list of installed applications that I am seeing it looks like a few applications that are installed are missing from the output. Specifically, we have a line-of-business application that's not showing up on the list... why?"

First, thanks for trying out the script, and for sending in the question! To answer you, you're correct. AD-COIT only returns information about applications that were installed by the Windows installer. Let me step you though the code to give you an idea of what I'm doing...

If you have the script opened, go down and look at the "ListInstalledApplications" function, and you'll see the the following line...

"Set colItemsProduct = objWMIService.ExecQuery("Select * from Win32_Product")".

What I'm doing there is connecting to Win32_Product class, and returning the description and version information. So... you're next question might be... "how did you know that Win32_Product class only returns apps installed by the Windows installer?". I checked the MSDN site... which says, "The Win32_Product WMI class represents products as they are installed by Windows Installer."

By now, you might be thinking... "Great, you told me it's not comprehensive, you showed me why it's not comprehensive, but you didn't tell me how to make it comprehensive"!" ;)

As to getting the rest of the information... I know there's a registry key that houses uninstall information, you can use regedit to browse here... HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

As to getting it out of the registry... that's a good question. Take a look at the "SavDate" function... it uses the "reg" command to pull stuff out of the registry. You could probably take some of the code in the SavDate, and work on it until you pull what you want out of the appropriate keys. Which will probably be a bit of a challenge. That said, I was just browsing though Microsoft's scriptcenter and found a code snippet that looks like it does exactly what you're looking for... Look at the "List all Installed Software" linked here. You can try taking that code, and playing with it to get an idea of how it works. Then try adding it to the script, and let me know how it goes.

AD-COIT v2.52, Inventory Tool Released on Sourceforge

2007-01-15T18:33:00.000-05:00

Last updated: 5/14/2007

AD-COIT (Active Directory – Computer Object Inventory Tool) is a script that I’ve put together to automate the hardware/software information gathering and inventory process, with a focus on simplicity and portability. While the target audience for AD-COIT is small-to-midsized Active Directory environments – specifically for the SBS community - you can leverage it in much larger environments for information gathering and asset tracking. The highlights of what gets logged include: workstation hardware information, operating system and configuration information, installed software, enumeration of local admin groups, and more (see below).

Useful Links:

Download it now from Sourceforge.net.
View the sample output (go here for screenshots)
Usage Information and How-To article
Frequently Asked Questions (FAQ)
Look at the source (older post)

When you go to run the script ("cscript scriptname.vbs"), the output is both echoed to the screen and written to the .CSV file. During the previous release (2.3), I had a few people ask how to tell if the script was working. Basically, if you see text being written to your command-prompt window, and you’ve configured a valid path for the CSV output (c:\scripts by default), then just let it run. You can always open a read-only copy of the output while it’s working. When it’s finished, use Excel (or something similar) to view/sort the output.

What if I need something specific, will you customize the script for me?
Sure thing. For instance, if you want the results output to a ~~spreadsheet~~ (as of 2.52), or have a different antivirus package you want to check – or… whatever the case may be, just let me know and we can discuss your objectives, and hopefully work out a solution.

Does it do “X”, “Y”, and/or “Z”?
Maybe… if it doesn’t yet, send me an email or post a comment and I’ll consider adding the functionality in a future release.

Does it output to .CSV?
Yes… as of v2.52. Thanks to everyone who emailed me with this suggestion! If you havn't updated recently, go grab the latest copy!

What gets included in the inventory?
The full list includes: Individual system information organized by computer name, including… operating system, service pack level, installation date, manufacturer name, BIOS name, service tag, processor information, domain role, current user, model, RAM, daylight savings status, time zone, Symantec Antivirus definition date, free space on the local drives, list of installed applications, enumeration of the local admin group, as well as a summary of the FSMO-role holders, non-responsive systems, and systems which logged errors.

Why did you write the script?
It started out to help me troubleshoot some daylight savings time problems for a new client, and then just evolved from there… adding functionality where appropriate.

Did you know something - fill-in-the-blank - doesn’t work right?
I probably am not aware of it. If you find something doesn’t work the way you expect, or is simply broken, please let me know, and I’ll take a look (yes, I do know that FSMO roles aren't written to the CSV file).

AD-COIT: AD-COIT Frequently Asked Questions (FAQ)

2007-01-15T18:10:00.000-05:00

AD-COIT Frequently Asked Questions (FAQ):

Where can I download the tool?
The project is hosted over on Sourceforge. You can grab a copy here.

How long will it take to run the script?
It depends on the size of your AD-environment, the number of computer objects in it, how many are online, and your network architecture.

How long will it take assuming 30 computers, with most of them being on-line, and very little AD-clutter in terms of retired computer accounts that remain in AD.
Maybe 5-10 minutes.

Who is the script designed for?
Small-to-Midsized environments.

Will this script work in enterprise environments?
Probably. I've tested it in smaller environments - say, a few hundred clients or less. If you've used it in a medium-to-large environment, email me and let me know about your experience.

When I run the script, it doesn’t report the FSMO role holders. Why?
FSMO role detection uses "DSQUERY" to grab the role-holders. You'll need the "Windows 2003 Admin Pack" installed on the computer that you're executing the script from.

Where can I get DSQUERY/Admin-Pack from?
I't s available for download from the Microsoft download center... http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en

I can't get any of my computer's to respond, what's going on?
AD-COIT needs to be able to talk to client computers on port 135. If you have a firewall enabled on your clients, you'd need an exception for unsolicited DCOM requests on port 135.

How do I create an exception for this (and other) scripts to run, using Group Policy?
If you're using the Windows Firewall, this can get configured via a Group Policy setting called "Allow Remote Administration Exception" (Open up Group Policy Manager, and go here under your Computer objects OU - Computer Configuration\Administrative Template\Network\Windows Firewall\Domain Profile).

AD-COIT: AD-COIT Usage and How-To

2007-01-15T18:01:00.000-05:00

Usage: "cscript ad.inventory.v2.3.vbs >inventoryreport.txt"

How-To:

Download the latest version of AD-COIT.
Uncompress and extract the files to a folder on the local computer ("c:\scripts\AD-COIT")
Edit the script using a text editor
Edit the following line to reflect your organization's LDAP path: StrLdapPath = "'LDAP://DC=domain,DC=local' - In most cases you simply need to update the domain.
Save the file and exit.
Open a command prompt (start>run>"cmd"), and run the script: "cscript ad.inventory.v2.3.vbs >inventoryreport.txt"
Keep in mind that when redirecting the output, you wont see the command-prompt window update until the script finishes. If you want to see the output, just use the following commend: "cscript ad.inventory.v2.3.vbs"