Monday, November 9, 2009

Happy 5th birthday Mr. Fox

Firefox came to our world 5 years ago, and what a difference it made!

For me it wasn't easy, but I was able to convert more than 75% of my users off IE and onto Firefox.
I was never able to make the Firefox ADM template work in my Active Directory environment, so I had to find another way.
Chris Ilias wrote a Locking Mozilla Firefox Settings manual on his blog. The idea is to set the preferences you want and then lock them in a separate Mozilla configuration file, so users cannot change them back.
While I wouldn't recommend this for a large environment, it is an easy way to implement it.

Tuesday, November 3, 2009

Speed Test

I wanted to test my Internet speed at the office. I asked Verizon to provide the data, but since they take their time and more than 3 months later I'm still waiting, I started playing with some online tools.
I picked speakeasy's speed test as my testing tool and found some puzzling results...

I used my PC to test different browsers (Firefox 3.5.4 & IE6) over different paths (firewall as default gateway & ISA 2006 proxy server with GFI WebMonitor 2009).
I have 2 T1s coming from Verizon on a multilink router. I'm not going to start calculating what I should expect, why and how. If you want the numbers, use a bandwidth calculator.

First let's see how IE6 did with Proxy enabled

This is theoretically the slowest path, since the traffic is not only routed through another server before hitting the firewall but is also inspected by WebMonitor.

Disabling the proxy settings and running the same test on IE6 resulted in the following

While the upload speed was significantly faster, I was surprised by the download result. It just can't be!

I had to test FireFox and compare the results

And once more just to make sure I'm getting valid numbers

At this point I realized that this test is worthless. Apart from local factors like other users and services that download & upload at the same time, the measurement itself depends on so many factors that I just can't trust it.

Monday, November 2, 2009

netsh saves the day

During the weekend I was working with my development team on a new Oracle based app installation.
The part that interested me was a problem they had getting connections to work with our remote backup location. This location has a 2nd Oracle server which we sync to the main production machine in our NY office.
The problem seemed to be DNS related; unable to resolve names from that machine, we got stuck with the installation. The fact that it was a weekend installation made our frustration even deeper...

I had to find a way to use different DNS settings per interface, an easy task to do from the Windows network settings, BUT I had to get the application to switch settings on request, only when required.
The requirement: the server should use the default domain DNS settings at all times and change them only while processing this one task (and then switch back).
The affected interface is my NIC2Oracle gigabit card.
Obviously you can't do it manually outside the test/install environment.
I had to find a way to automate it and this is where netsh came to the rescue.
Using the following command you can set the DNS using cmd:
netsh interface ip set dns "NIC2Oracle" static xx.xx.xx.xx

The problem is that this command on its own is not enough: set dns with the static keyword installs a single server and replaces whatever list was there, so you get a primary but no secondary DNS server.
To get a primary and a secondary you have to know that netsh keeps the DNS servers as an indexed list: the set dns command installs the primary (index 1), and the add dns subcommand with index=2 appends the secondary.
With the primary set and index=2 added, a simple batch file makes the change I need. When the specific process is done, another batch with the original servers switches it back. Keep the restore step right next to the switch, because a server left pointing at the wrong resolvers after a failed task is the failure mode you will get called about.
How simple...
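The same procedure as an added example (not code from the original post): it builds the two netsh commands the post describes, switches the interface for the duration of a task and always switches back, even when the task fails. The interface name comes from the post; the addresses and the task itself are assumptions.

```python
"""Temporarily point one Windows interface at different DNS servers while a task runs.

Added example, not from the original post. It wraps the netsh commands the post describes;
the addresses below are assumptions (RFC 5737 documentation ranges), as is the task itself.
"""
import subprocess
from contextlib import contextmanager

INTERFACE = "NIC2Oracle"                    # the NIC that talks to the remote Oracle server (from the post)
DOMAIN_DNS = ["192.0.2.10", "192.0.2.11"]   # assumed: the normal domain DNS servers
ORACLE_DNS = ["198.51.100.53"]              # assumed: resolver that knows the remote site's names


def dns_commands(interface, servers):
    """Build the netsh argv lists that install `servers` as the static DNS list of `interface`.

    `set dns ... source=static addr=<ip>` replaces the whole list with one primary server; every
    further server is appended with `add dns ... index=N`, which is how a secondary (index=2) is set.
    """
    if not servers:
        raise ValueError("at least one DNS server is required")
    cmds = [["netsh", "interface", "ip", "set", "dns",
             f"name={interface}", "source=static", f"addr={servers[0]}"]]
    for n, ip in enumerate(servers[1:], start=2):
        cmds.append(["netsh", "interface", "ip", "add", "dns",
                     f"name={interface}", f"addr={ip}", f"index={n}"])
    return cmds


def apply_dns(interface, servers, run=subprocess.run):
    """Run the commands from dns_commands in order. `run` is injectable so the logic is testable without netsh."""
    executed = []
    for cmd in dns_commands(interface, servers):
        run(cmd, check=True)
        executed.append(cmd)
    return executed


@contextmanager
def temporary_dns(interface, temporary, normal, run=subprocess.run):
    """Switch `interface` to `temporary` for the duration of the block, then always switch back to `normal`.

    The restore sits in a `finally`, so a task that blows up cannot leave the server pointing at the
    wrong resolvers, which is the gap a pair of switch/restore batch files leaves open.
    """
    apply_dns(interface, temporary, run)
    try:
        yield
    finally:
        apply_dns(interface, normal, run)


if __name__ == "__main__":
    with temporary_dns(INTERFACE, ORACLE_DNS, DOMAIN_DNS):
        # Hypothetical task: anything that needs the remote site's names resolved goes here.
        subprocess.run(["nslookup", "oracle-backup.example.com"], check=False)
```

The script has to run from an elevated prompt, since netsh refuses to change interface settings otherwise; pass your real domain servers as the `normal` list so the restore puts back exactly what the domain expects.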

Tuesday, October 27, 2009

ApplicationXtender and Active Directory


I manage an ApplicationXtender server which is used to manage documents for compliance and accounting purposes. We used to work with a local user database, but a few years back we switched to the AD synced mode, which uses the logged-on domain user. This way I win twice: the password is more secure since it is governed by the domain policy AND the user is not prompted with a login screen for ApplicationXtender. A rare win-win.

My password policy requires the users to change their domain password every 3 months. 14 days before the due date they start getting daily reminders.
When a user forgets to change it (or just ignores it on purpose) and the 14 days pass, all connectivity to any network resources is lost. When the password is changed in time, work is not interrupted or affected. Well, this morning I found this to have one exception...

When you change the password for a user while he is logged in, ApplicationXtender will not connect. Testing the Data Source connectivity is successful and yet the client hangs. Logging off and then logging back on with the new password fixes the problem. I agree that it's weird, but hey, I didn't write the program...

Monday, October 26, 2009

Cisco security


I was at a new site for a consulting job and found so many security holes that I had the need to write down a few basics for those who didn't know or have already forgotten.

When you configure a new router you should decide on a security method that will keep it as secure as possible. Keep in mind that doing nothing is NOT a method.
In a small to mid-size shop you're usually the only one handling the routers; maybe 2-3 more people need access for specific tasks. You have to make sure no one else, internal or external, gets on the device and makes changes.

One of the most important actions these days is removing all Telnet access and switching to SSH. It is not always possible with old equipment (SSH needs a crypto-capable IOS image), but if you have any of the supported boxes please use it. Telnet sends your login and every command in the clear; SSH is a major security improvement.

Next thing to think about is your local user list. Passwords are kept on the router and show up in show running-config. Most admins think that type 7 "encryption" (what service password-encryption gives you) is good enough. Check this online tool and think again: it decodes Cisco's type 7 passwords instantly. Type 7 is not encryption at all but a reversible XOR against a fixed key that is the same on every IOS device, so anyone who can read the config (a backup, a TFTP share, a show run pasted into a ticket) has the passwords. Use enable secret and username with the secret keyword, which store a type 5 hash instead, and treat the type 7 strings that remain (RADIUS or TACACS+ keys, for instance) as plaintext when you decide who may read the configuration.
If you think the online tool is impressive, the router itself will decode them for you through the IOS key chain trick...
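To make the point concrete, here is an added example (not code from the post, nor any Cisco or vendor tool) that decodes type 7 strings with the fixed translation key every decoder uses and audits a running-config for them, along with the two other items above (enable password without enable secret, Telnet on the vty lines). The configuration it runs over is a constructed sample.

```python
"""Audit a Cisco IOS running-config for reversible type 7 passwords and Telnet access.

Added example, not from the original post or any Cisco tool. XLAT is the fixed key that
every type 7 decoder uses; SAMPLE_CONFIG is a constructed sample, not a real device.
"""
import re

# The fixed key shared by every IOS box: type 7 is a positional XOR against this string, not encryption.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(enc):
    """Recover the plaintext of a type 7 string: a two-digit seed, then one hex byte per character."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encrypt(plain, seed=8):
    """Produce the string IOS would store for `plain`; used to confirm the decoder round-trips."""
    return f"{seed:02d}" + "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                                   for i, c in enumerate(plain))


# Any line ending in "<password or key keyword> 7 <hex>" carries a type 7 string.
_TYPE7 = re.compile(r"^(?P<ctx>.*?\b(?:password|key)\S*)\s+7\s+(?P<hex>[0-9A-Fa-f]+)\s*$")


def audit_config(config):
    """Return findings as (line number, stripped line, message) tuples, in config order."""
    findings = []
    lines = config.splitlines()
    has_enable_secret = any(l.strip().startswith("enable secret") for l in lines)
    for no, line in enumerate(lines, start=1):
        m = _TYPE7.match(line)
        if m and len(m["hex"]) % 2 == 0:
            findings.append((no, line.strip(), f"type 7 decodes to {type7_decrypt(m['hex'])!r}"))
        if line.strip().startswith("enable password") and not has_enable_secret:
            findings.append((no, line.strip(), "enable password without enable secret (use the type 5 hash)"))
        if re.match(r"^\s*transport input\s+(telnet|all)\b", line):
            findings.append((no, line.strip(), "Telnet allowed on this line; use 'transport input ssh'"))
    return findings


# Constructed sample of a weak running-config (the passwords are throwaway demo values).
SAMPLE_CONFIG = """\
hostname edge-rtr
service password-encryption
!
enable password 7 0822455D0A16
username admin privilege 15 password 7 0538550C331F5A48
!
line vty 0 4
 password 7 104D000A0618
 transport input telnet
"""

if __name__ == "__main__":
    for no, text, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {no}: {text}\n    -> {msg}")
```

Feed it the output of show running-config from a config backup and every type 7 string comes back as plaintext, which is exactly why a config archive has to be protected like a password file.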

Another quick win is AAA. Use another server for authentication to keep user passwords off the router. A RADIUS server can authenticate against Microsoft's Active Directory and apply the same password policy you enforce for domain users to the routers, which also makes password management easier. Windows Server 2003 can act as a RADIUS server through Internet Authentication Service (IAS); on Windows Server 2008 the same role is called Network Policy Server (NPS). Keep one local fallback account so you can still get in when the RADIUS server is unreachable.
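The three points above in one minimal IOS configuration, as an added example (not from the post): SSH instead of Telnet, a hashed enable secret instead of a type 7 enable password, and RADIUS authentication with a local fallback. The hostname, domain, address and the secrets are placeholders to replace.

```text
! --- SSH instead of Telnet (hostname and domain name are required before the key can be generated)
hostname edge-rtr
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- Privileged-mode secret stored as a type 5 hash; drop the reversible type 7 enable password
enable secret ReplaceWithStrongEnablePassphrase
no enable password
!
! --- Authenticate logins against RADIUS (IAS/NPS on Windows) first, local account only if RADIUS is unreachable
aaa new-model
radius-server host 192.0.2.10 key ReplaceWithRadiusSharedSecret
aaa authentication login default group radius local
aaa authorization exec default group radius local
username breakglass privilege 15 secret ReplaceWithLocalFallbackPassphrase
!
! --- vty lines accept SSH only
line vty 0 4
 transport input ssh
```

Two caveats a practitioner should keep in mind: the RADIUS shared secret still lands in the running-config as a type 7 string (service password-encryption only obfuscates it), so the config backup needs the same protection as the RADIUS server itself; and test the RADIUS login from a second session before you close the one you configured it from, because a typo in the method list locks you out of your own router.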

These are basic, easy tools that cost nothing and require a few minutes. You should think of them as a MUST and go implement them yesterday. You do not have to know too much, they do not require an expert, so what are you waiting for?

Friday, October 23, 2009

Phones get static and dropped calls


We're using an AVAYA S8400 server going out over 3 trunks:
2 PRIs for local and long distance calls
T1 for International calls

2 weeks ago users started to complain about static on the line on local and long distance calls. At first, when it was one or two users, I thought it might be the phone, though you expect failed hardware to fail all the time, and the static was random.
Then more and more users complained, and some added a new complaint about dropped calls.

In order to isolate the problem I routed 2 heavily used area codes over the T1. Since no one reported problems on international calls, it was a great way to find out whether the problem was local (equipment or infrastructure on my end) or a PRI/Verizon issue.

Verizon, which runs both PRIs, tested them after hours and reported back that both lines are clear.
At the same time no one complained about static at the 2 isolated area codes.

As the weekend passed we came back Monday morning to a clean line. No static. No dropped calls. I changed nothing and yet the problem seemed to be resolved...

Before I close this case I had to switch the 2 area codes back to the PRIs and make sure they are still clear. 4 days later the lines are clean.
To be on the safe side I asked Verizon to test the local equipment (that would be the demarc in my server room). Last night when the technician finished testing he confirmed it is clear.

While no one can explain it, there is one last possible option, something we'll never know but can always blame: the building lobby is under renovation.
We used to have our office downtown, where the infrastructure is old and fails whenever it rains. Whenever we saw a Verizon truck within a few blocks we anticipated phone or Internet problems. Unfortunately we were right most of the time. Taking this experience into consideration, it is more than reasonable to think this option is possible. But as I said, we will never have a real answer.

Monday, October 19, 2009

Lotus Notes Expired ID file


Security is the reason Domino Server requires all ID files to be recertified once every 2 years (that is the default; it can be changed manually).
When the expiration date gets close, Domino is kind enough to notify the user, and there is your problem...
Typically there are 3 groups of users:
Some users will actually read the message that asks them to forward it to an administrator (a one-click action).
Most of them will call you and ask why they received the message.
The problem is with the other group, those who ignore it. This group causes problems since they will show up one morning (as one of my dearest users did this morning) locked out of Notes with this error on screen:
Server Error: Your certificate has expired
When you have such a user you have to use the Administrator console, following this procedure: How to manually recertify an expired ID.
Now don't get me wrong. It is not that complicated and I'm not complaining, but it does involve an extra step: physically accessing the user's client to import the newly recertified ID file. While in a small shop it is not that bad, in a larger environment it is a huge pain.
How to avoid it? Educate your users, explain this certification, hope they'll remember next time, and hope they leave before the renewal date, because chances are they will not remember.

Friday, October 16, 2009

HP Printers backorder - closer


A while back I told my HP Printers backorder story. In short, I've been waiting for my HP 2035 since August because it was back ordered.
The good news is that I received a notification email that the printer has been shipped and will be here Monday.
Hooray

Wednesday, October 14, 2009

BGP router down


We have a Global Crossing line. It is a dual router BGP setup, with HSRP between the local routers in my office and BGP fallback on the Global Crossing infrastructure.
This morning, a few minutes before the opening bell, the primary circuit died. As a result the connection failed over to the backup line, which is what you'd expect. The problem started when the primary line started to bounce. Whenever it came back the connections bounced for a second and the users had to reconnect. Then it failed again and they started to get irritated. They are totally right.
When I called Global Crossing support I found a very efficient service that listened to my problem and had the will to help (sounds obvious, but usually this is not the case with big vendors). They started by checking the logs and found that it was bouncing every few minutes. I asked if they could change the HSRP priority to be higher than the primary router's; they had no problem making the configuration change. Problem resolved!
Now this is how HSRP priority works: the primary router gets the higher priority, and both routers have preempt enabled, which lets a router take the active role as soon as a higher-priority router comes online. By raising the priority of the backup router above the primary's (and leaving the switch back to be done by hand rather than by preempt) we ensured that even when the circuit is fixed and stable online it will not become the active line until we change it back. This ensures that users will not get kicked off when the line is fixed or while the telco works on the circuit and bounces it constantly.
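The setup and the change described above as an added example configuration (not from the post or the provider): two routers sharing a virtual gateway, and the one-line change that keeps the flapping primary out of the active role. Interface names and addresses are placeholders from the documentation range.

```text
! --- Normal state
! R1 (primary): highest priority, preempt takes the active role back whenever R1 is healthy
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
! R2 (backup): lower priority, preempt only matters if R1 disappears
interface GigabitEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
! --- While the primary circuit is bouncing: make R2 outrank R1 so R1 coming back changes nothing
! R2
interface GigabitEthernet0/0
 standby 1 priority 120
!
! --- After the circuit is stable, during a quiet period: put R2 back under R1 and R1 preempts again
! R2
interface GigabitEthernet0/0
 standby 1 priority 100
```

Check the result with show standby brief on both routers: the state column should read Active on R2 and Standby on R1 while the override is in place, and swap back after the priority is restored. The same command is the first thing to look at when users report the short disconnects the post describes, because every Active/Standby transition is a moment where sessions through the old active router break.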
The circuit was fixed few hours later and after hours we switched back. It is nice to work with good cooperative service for a change!

Lotus Notes send on behalf of

Today, just as I got ready to leave for the day, my CEO popped up out of nowhere and said "I need your help". Thank you very much!
He walked into his office and asked me to look at his Lotus Notes. One of our sales guys sent an invite to a few clients with the CEO Cc'd, but the attachment showed only a PDF icon with no real file attached to the mail.
Since it was late afternoon in the US and the sales guy lives in London, he asked for a solution right here, right now and did not want to wait for the next day. My task was simple: resend those emails from the sales guy's mailbox as if he sent them, and make sure the attachment is there for real.
The reason the attachment was missing in the first place was that the mobile he used to forward it didn't support attachments. Go figure...
The problem with Notes is that you can send on behalf of someone directly from your inbox, but to make it look as if the other guy sent it himself, you must have a client configured for him, using his ID file. Since this guy never works in my office I have no such PC.
One way to do it was reconfiguring my own PC to use his ID. I can do it but do not like this path, since there is always something with Notes when switching IDs.
Instead, I used the Web Access (I was lucky to have his password). Using copy/paste I got the text and addresses into the browser and attached the file too. One important thing to remember is to send with the Send and Save option, which saves a copy of that mail to his mailbox.

Monday, October 12, 2009

DR when it matters


Check this scary message from Omgeo, a financial data service provider, sent Oct 9th at 1:36pm:
Due to a fire in a transformer in Boston, our Boston Data Center has been shut down. Additionally, the switch which enables us to migrate direct connect customers from the primary to backup connections has been damaged in the fire.

All leased line client connections via Thomson Reuters Network are currently down. They are invoking disaster recovery procedures but according to early reports it does not appear that they will be back up and running today. Therefore trades cannot currently be processed through Omgeo services. Please plan accordingly and process these transactions outside of Omgeo.

Our technical teams are working diligently to resolve the matter as soon as possible. We sincerely apologize for any inconvenience this may cause. We will continue to keep you informed as more information becomes available.

This follow up came at 9:54pm:
As communicated earlier, we wanted to provide an update on our progress in restoring network access to leased line connections via the Thomson Reuters' network. We have made progress in connecting clients to our back-up data center. In addition, power has been fully restored to our Boston Campus by our local utility provider. We now anticipate that all leased line network connectivity will be re-established during the course of the evening, Eastern Standard Time (EST).
Other than my sympathy for the Omgeo guys who worked hard Friday and over the weekend, and even more for their sales department that will have to deal with some angry customers, I wonder how one fire can shut down such a service for so many hours.
As a small shop we try to cover every aspect and make sure we're functional in any scenario. So how come these much bigger shops get themselves into a position where a full site is down and all services are shut down? How can the switch that directs traffic to a backup location be damaged by the same fire???
My lesson is trust no one and think even harder. You always think you covered all aspects, but there is always a new angle on DR. I'm sure those Omgeo guys will rebuild their DR plan...
I know I'm going to spend the coming week looking over my DR plan. Again.

Thursday, October 8, 2009

Yahoo! Mail screen resolution

A user called in with a problem: she can't open her Yahoo! Mail account. She can log in and sees the main page, the title shows "3 unread messages", but the messages are not loading.
When I stepped up to her desk I noticed that her iexplore.exe process was using 99% of the CPU. I killed it and asked her to try again. Same problem, same solution. I tried a different approach and used my test account on Yahoo! (I never use it, but this is why I keep it). Unlike her, I got an error message (is it because my mailbox is empty?) which provided me with the solution, as you can see in the picture.
When I changed her screen settings to 1024 x 768 she had no problems loading her mail. Now it is up to her to decide if she wants her 15" monitor to show large fonts with the existing 800 x 600, which she likes, and no personal mail, or change it to the smaller font with Yahoo! Mail working...

Wednesday, October 7, 2009

Cisco IOS 15.0 - released


Cisco released IOS 15.0. This is the next major release after 12.4. It's been over 4 years since Cisco delivered a major release of IOS code; 12.4 was released in May of 2005.
Looking at the list of new features there are a few interesting items, but none of them appeal to the average SMB.
The one feature we might find useful at the SMB level is DHCP FORCERENEW, which enhances security by adding entity authentication and message authentication to the forced lease renewal.
Before you can consider this new software you have to verify that your hardware is compatible and go over the new features to make sure you really need it.
I guess we won't see this new version anywhere near SMB shops, because the cost (both for software and training) doesn't make sense (especially these days) while the added value is limited. But it is still good to be aware, and as time passes more and more knowledge will spread around the Internet. Use this knowledge to get familiar with the new IOS, because at some point it will find its way to SMB and you want to be ready for that day.

Just Traceroute

Yesterday, just after 3pm, our Internet connection had some major problems.
While browsing and most IM clients died, inbound mail still flowed and MSN Messenger was live at all times.
Testing the network, I started with the immediate suspect for any Internet failure: the proxy server. Seconds later, when I realized that the proxy was up and that even when I bypassed it I couldn't browse, I started testing my firewall and DMZ environment.
The way we're configured for Internet is a primary dual T1 connection going to Verizon's MFR router and a secondary T1 connection, both connecting to a DMZ switch, which is also where my firewall hooks in.
Using the trace command I was able to get all the way to the Verizon router beyond the locally installed MFR router. That indicated a Verizon-side problem, which is good on one side (my part of the network is working) but really frustrating on the other, the side that needs Verizon's help, which is always a long process.
While on the phone with Verizon's support I was told it's a general outage and, as we all know by now, it was impossible to get an explanation and/or a time frame. Luckily the problem was solved in 30 minutes and we didn't suffer significant damage.
While troubleshooting this situation I came across a cool, useful website, Just-traceroute, that provides a platform to trace an IP from 4 different locations (USA, France, Singapore & Netherlands). This is handy to isolate many of the possible causes. It also provides a built-in "send" button which you can use to email the output to yourself or any admin you're working with.

Friday, October 2, 2009

Group Policy Preferences in Windows 2008

Today I want to go over the new Group Policy Preferences that come with 2008 server.
I recently added a 2008 server in my shop and the new options are exciting!
I think it is a major improvement that is worth the upgrade. The fact that you only need one server to use it makes it even more appealing.
Check this great video to get a first look.
The management screen is split into Policies, where most of the old options stay, and Preferences, with the new options.
The next level is split in two:
Windows Settings - contains everything that required scripting in the past
Control Panel Settings - contains everything that was changeable via... Control Panel

I find the most exciting feature to be Scheduled Tasks. Yes, it is not fancy or new, but it is something useful that wasn't there and it actually changes my life as an administrator. I can configure tasks for PCs or servers anywhere, anytime, without physically getting there. That is a major time saver.
Other features that got better and that I find useful include:
Devices - allows you to enable/disable devices
Folder Options - changing the settings of a specific folder
Power Options - much better control over the power options; this makes green look greener
Services - allows you to change service configuration

Another major change is Item-level targeting, a concept that applies changes only under a specified set of conditions. With Item-level targeting you can compare registry keys, use a range of IP addresses, rely on the local PC language or domain name, and a few other targeting options.

Requirements:
As I said before, you do not have to upgrade all your servers; one 2008 server is enough.
To manage from Windows 2003 server or Vista (and Windows 7), Remote Server Administration Tools (RSAT) is required
Clients require the Group Policy Preferences client-side extension (CSE)

This is another step towards making our life easier. The domain environment is much more manageable under this new set of tools.
I just wonder, if it is becoming so easy to manage the domain, what will happen to us? Does our expertise still count?

Thursday, October 1, 2009

Free version of GFI WebMonitor for ISA Server


Having used ISA Server as a firewall years back and as my proxy server for the last few years, I learned to appreciate GFI's WebMonitor application.
Now it has a FREE version!
If you never tried it before because you did not have the budget, or just because you never heard of it, this is the perfect opportunity.
The monitoring provides data that most small shops do not have about WHO and HOW MUCH. If you do not have any bandwidth usage data it will upgrade your capabilities, and since it's free it's a win-win.
I'm using the paid version with all 3 scan engines and a few rules that block downloads and specified file types. When I installed the trial on my ISA Server 2000 (yeah, many years ago) I had no budget and had to fight for the money. I wish they had this version back then...

Tuesday, September 29, 2009

552 552 Message exceeds fixed maximum message size



A client sent a 6MB email to one of my users and got the following message:
This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

Username@MyDomain.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 552 552 Message exceeds fixed maximum message size (state 18).

Checking my Trend Micro IMSS log I couldn't find any reference to this email.
Now, I know IMSS will not send a notification even if a message exceeds my 10MB per-message limit, but it should log it. Two points that sent me off track with this.
I asked the client to contact her email provider (she is using an Exchange based hosting solution) and they sent me the following response:
Title: NDR: Message rejected; too large
Created: 09/29/2009 12:03:36
Summary of issue(s): Receiving a NDR that states that the recipient is rejecting the message because of its size.

Steps taken: Had her send the message to our test account. It works. The email is about 6 MB. The limit of outgoing on our servers it around 52 MB's. It is an issue on the recipients end. She will get in contact with them.

At this point I asked her to forward the original email to a test Gmail account I hold. From there I forwarded the email to my user and got a similar failure message.
Calling Trend Micro was the next step. I had a technician on the line in no time; he WebEx'd into my IMSS server, found no logs and told me that it must be something before IMSS, maybe my firewall. The only way to prove him wrong was bypassing IMSS and forwarding all SMTP directly to my Domino server. Yeah, exactly what I need...

Googling gave me nothing. It was all about Exchange 2007.
So I went back to the IMSS settings and started playing with them. When I doubled the message size limit from 10MB to 20MB I was able to receive the email and see it in the log.
I guess that is a bug in the IMSS software. Great product, but it is the 2nd bug I found in it this year...
Following Gmail's problems of last week I must share this comic from Rosscott.

Friday, September 25, 2009

HP Printers backorder


This is one of those unbelievable recession stories.
One of my users called in with a broken printer. His HP 2015P stopped feeding paper, and since a new printer costs about the same as a technician's visit (the printer is over a year old and its warranty has already expired) we have a no-fix policy for this type of printer.
I buy most of my equipment via CDW, and when I placed the order for a new HP 2035 (the HP 2015 is no longer made) I was stunned to see a shipping date at the end of September. That was late August.
Certain it was an obvious mistake, I called my CDW sales rep and he told me that there is a national shortage of HP printers. They shut down a line last summer because they expected reduced demand. Well, I would check their analysts...
CDW had a waiting list, a back order for this specific item of over 1500 units!!!

Thursday, September 24, 2009

Google fail. Again...


Google is aware that some people are experiencing an e-mail outage. This is becoming a quarterly or even bi-monthly event...

At 10:29AM this message was posted:
We're aware of a problem with Google Mail affecting a small subset of users. The affected users are unable to access Google Mail, but we've provided a workaround below. We will provide an update by September 24, 2009 11:29:00 AM UTC-4 detailing when we expect to resolve the problem. Please note that this resolution time is an estimate and may change.
You can access Gmail via IMAP


At 12:58PM, after a few additional messages, they posted the following:
The problem with Google Mail should be resolved. We apologize for the inconvenience and thank you for your patience and continued support.


My users had problems with both Gmail contacts and Gtalk (or Gmail chat). At a few points they couldn't log in or refresh their Gmail mailbox.
I had users both in NY & London complaining and I doubt it was just a "small subset of users" as Google claims.

Wednesday, September 23, 2009

Recovering a file from Backup


Earlier today I received a call from one of my users asking to recover a file from backup. He explained that last week's power shutdown messed up some files in his home directory.
Blame it on the network, that's the way to go!

I wrote down the file name and exact path and loaded Backup Exec's Restore wizard. Looking at all my weekly full backups I found the Friday prior to the power shutdown and restored the file he was looking for. He wasn't happy.

The explanation I received was that "the system" saved a second copy of that file under a different name!
I had to insist it is not possible, since systems do not save files or rename them on their own and no other user has access to that user's home folder.
Adding fuel to the fire, he claimed that the recovered file is older than the one he was looking for. At this point I had to ask him how it related to the power shutdown if whatever happened, happened more than a week earlier???

I went back to Backup Exec and located the file from the previous week, where the creation date and modified date were identical, matching the date he created the file. That file was also "wrong".

At this point I innocently suggested that he might have saved it in a different location. 10 minutes and a long lecture on his methodical file organization system later he called again: he had found the file under a different folder.

One technical tip I want to share from my experience this morning relates to the recovered file.
I did not want to recover the file to the original location (and by now you understand why). I usually recover files to the local disk at c:\BE_Recovery
When the recovered file comes from a home folder the NTFS permissions are still in effect and you can't access it.
In order to see the files at \\Home\DomainName\Username, copy them to any other location or delete the folder and files when you're done, you have to do 2 things:
Add the domain admin with modify permissions
Allow permission inheritance to sub folders

Tuesday, September 22, 2009

Advanced Group Policy Management 4.0

Advanced Group Policy Management (AGPM) 4.0 is coming out next month and it is time to take a first look at this exciting new tool.
It will be released as part of Microsoft Desktop Optimization Pack (MDOP) 2009 R2.
The new release includes 3 main features you should know about:
Multi Forest/Multi Domain Support
AGPM 3.0 does not support multi-forest/multi-domain environments and requires the use of import/export, which essentially breaks the change management workflow. AGPM 4.0 allows moving GPOs from one environment to another. Even in my shop I have 2 forests and a few domains.
Check mark for SMB environment usability!

Windows 7/Windows Server 2008 R2 Support
The new version adds support for reporting and editing Windows 7 & Windows Server 2008 R2 settings.
Microsoft recommends that if you edit policy with Windows 7, you run Windows Server 2008 R2 on the back end.
Another check mark for SMB environment usability!

Search and Filtering
Well, don't get too excited. You still can't search for settings.
The search feature allows you to locate a policy by its name or partial name.
While it is a nice improvement, it is not really useful for the average SMB.

You can download the Microsoft guide for AGPM 4.0 here.

Wednesday, September 16, 2009

It’s 3 a.m. Who Do You Want Answering the Phone?


Last night, just before 3AM, most of our floor lost power.
The first to take the hit were the PCs, as they do not have any power backup.
My servers and routers kept going for another 90-110 minutes, depending on the UPS they were connected to.
I have a bunch of APC UPS systems, both from the 2200 & 3000 series.

An hour and a half later, just a few minutes after most UPSes died, the power came back. For most servers it was too late...

When I received that phone call I had to connect to my ASA, and I was happy when it worked. Poking around, I verified that all the critical routers and switches were up and the domain controllers for all 3 domains were running.
One server didn't want to cooperate: it did reply to ping but wouldn't allow any RPC based connection to the Windows environment. I had to reboot it, but I was home in my pajamas and 45 precious minutes away.
iLO saved me! Lucky me, this one server had a working, connected & configured iLO.
Within a few minutes I had the server restart itself, and this time it came up properly. What a relief!


In less then an hour I was able to start all the services, run all the programs and test all the network components. 1 hour - that is the time it would take me get dressed and commute to the office...

The aftermath:
Coming to the office I found that some PCs and few server where up all night. The meaning is that it was not some general building outage but a more specific one. I called the building electrician and he found out that the meter box, which is as old as our building got too hot and caused this power outage. We're going to replace all 3 meter boxes tonight after hours.

Preparing for such a major shutdown is very important. A few things to remember:
This is the time to check all your procedures and backups.
This is when you use the contact list you've collected all those years: call all your vendors so they know your network will be down.
Make sure the users are aware of the shutdown.
Call your phone system support and make sure they know about it; you might need them.

Tuesday, September 15, 2009

Diskpart Command-Line Utility

I had to make some partitioning changes on a few machines. The thought of doing it manually, one by one, was depressing. So I spent some time reading and playing with DiskPart and saved myself precious time.

DiskPart is a text-mode command that enables you to manage objects (disks, partitions, or volumes) by using scripts or direct input at a command prompt.

DiskPart is present in XP, Vista and Windows 7. The XP version is more limited because it does not offer advanced features for resizing partitions.

It is a powerful tool that can be used in many ways. I'll go over some basics.
Before you can use DiskPart commands on a disk, partition, or volume, you must first list and then select the object to give it focus. When an object has focus, any DiskPart commands that you type act on that object.

To start the tool, all you have to do is type DiskPart at the command line. You'll get a new prompt, with DISKPART> replacing C:\>.

The tool uses two types of commands:
1. Commands which specify the target of action: List, Help, Rem, Select, Exit
2. Commands that apply directly to the element: Active, Assign, Create, Extend, Shrink

You can resize partitions, add or remove them and, generally speaking, do most of the FDISK or Disk Partition utility functions.

One big advantage of DiskPart is its scripting power. You can use it in a script for a range of tasks.
To run a DiskPart script, use the diskpart /s script.txt command. By default, DiskPart quits command processing and returns an error code if there is a problem in the script. To keep the script running in this scenario, include the noerr parameter on the command.

Check the Microsoft command-line reference page for DiskPart.

DiskPart is a powerful tool. Make sure you're familiar with it and use it carefully.
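The scripting side described above, as an added example that is not from the original post: a PowerShell wrapper that writes a DiskPart script to a temp file, runs it with /s and reports the exit code and output, so a batch of machines can be handled the same way and the log tells you where a script stopped. It assumes PowerShell 3.0 or later and an elevated prompt; the volume letter D and the 10 GB size in the resize script are placeholder values.

```powershell
# Added example, not from the original post: run DiskPart scripts from
# PowerShell and act on the exit code. Volume letters and sizes are placeholders.
function Invoke-DiskPartScript {
    param(
        [Parameter(Mandatory = $true)][string[]]$Commands   # one DiskPart command per element
    )
    $scriptPath = Join-Path $env:TEMP ("diskpart-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    # DiskPart reads the script as plain text; ASCII avoids a BOM on the first line
    Set-Content -Path $scriptPath -Value $Commands -Encoding ASCII
    try {
        # /s feeds the file to DiskPart; stderr is merged so the log holds everything
        $output = & diskpart.exe /s $scriptPath 2>&1
        [pscustomobject]@{
            ExitCode = $LASTEXITCODE          # 0 = every command succeeded
            Output   = ($output -join "`n")
            Commands = $Commands
        }
    }
    finally {
        Remove-Item -Path $scriptPath -ErrorAction SilentlyContinue
    }
}

# 1) Read-only inventory: the focus commands (list) never change anything
$inventory = Invoke-DiskPartScript -Commands @('list disk', 'list volume')
$inventory.Output

# 2) A change script. "noerr" on the action command tells DiskPart to keep
#    going instead of quitting at the first error, so "list volume" still runs
#    and the log shows the state the disk was left in. Volume D and the 10 GB
#    size are placeholder values for this example.
$resize = @(
    'select volume D',
    'extend size=10240 noerr',
    'list volume'
)
# Uncomment to apply; requires an elevated prompt and free space right after volume D:
# $result = Invoke-DiskPartScript -Commands $resize
# if ($result.ExitCode -ne 0) { Write-Warning "DiskPart returned $($result.ExitCode):`n$($result.Output)" }
```

Keeping the inventory script separate from the change script is deliberate: run the first against every machine, read the output, and only then build the second with the disk and volume numbers you actually saw, because DiskPart acts on whatever object has focus.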

Monday, September 14, 2009

Wi-Fi 802.11n approved - do I care?


The technical blogosphere is buzzing. BBC, CNET, Neowin and everyone else are covering the approval of the 802.11n high-throughput wireless LAN standard by the IEEE.
It took almost 7 years, and we now have a wireless connection 6 times faster. Most vendors already use it or require a firmware upgrade for the existing hardware.

As always, I try to look at the news in the OneManITShop eyes:
How would it change MY life?
Will it make a difference to MY Shop?

Networks that already use wireless will be better off upgrading to the new standard if the hardware permits. But under the current economy I wouldn't invest in new hardware unless you work with huge files or video (but then, why are you on wireless?).
If you're just on the verge of installing a new wireless network or expanding the current infrastructure, you have to make sure 802.11n is supported. The problem is you'll have a hard time finding any piece of hardware that does not support it, so it is a non-issue.

The big difference would be for those who try to make a case for wireless. If you're one of those, your case just got 6 times stronger. Since most PCs come with a Gig NIC, I see the network as the bottleneck, and this is where you can make your case: using 802.11n gets you closer to the Gig NIC but with the flexibility of a laptop. You do not compromise as much on bandwidth as you had to with previous standards, and you get to keep the wireless environment.
I see it as a big plus. With the right rap your management will too.

Friday, September 11, 2009

Domain Trust – part III

Part I covered the basic concept of Domain Trust.
Part II covered the different Trust types.
Now it's time to go over Trust-related troubleshooting skills.

The first step is determining the type of Trust. There are a few ways to complete this task:
Active Directory Domains and Trusts console - The Domain 'Properties' box has a Trusts tab listing all available Trusts for the Domain.

Active Directory Users and Computers console – For the Domain, the View menu has an ‘Advanced Features’ option. The ‘System’ container has a list of objects; we’re looking here at the ‘Trusted Domain’ type.

NLTEST - Resource Kit tool that can display Trusts (among other data). The following command will show all trusted domains:
NLTEST /server:<server name> /trusted_domains

ADSI Edit - Another Resource Kit tool that can do the job. Expanding the domain in question and browsing to the System container will give you the list of Trusted Domain objects.

Each of these provides significant data on the Trusts and related problems. Make sure you’re familiar with each one of them and capable of using them if required.

WinNT introduced a great tool that has survived to this day: NLTEST.
NLTEST tests the secure channels between domain controllers and the domains they trust.
Though the documentation is a WinNT document, this tool works great at every domain level and, like the previous list, it is a very important tool that should be available to and used by any domain admin.
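The NLTEST steps above, as an added example that is not from the original post: a PowerShell wrapper that enumerates the trusts with /trusted_domains and then tests the secure channel to each one with /sc_query and /sc_verify, so a broken channel (the "reset the trust password" case) shows up in one table. It assumes it runs on a domain controller, PowerShell 3.0 or later, and NLTEST's usual English output format for the regular expressions; a domain name such as corp.example.com in the comments is a placeholder.

```powershell
# Added example, not from the original post: enumerate the domain's trusts with
# NLTEST and test the secure channel to each trusted domain. The regular
# expressions assume NLTEST's usual English output format; $Server defaults to
# the local machine, which should be a domain controller.
function Get-TrustedDomainList {
    param([string]$Server = $env:COMPUTERNAME)
    $lines = & nltest.exe /server:$Server /trusted_domains 2>&1
    foreach ($line in $lines) {
        # Lines look like "    0: CORP corp.example.com (NT 5) (Forest Tree Root) (Primary Domain)"
        if ($line -match '^\s*\d+:\s+(\S+)\s+(\S+)\s*(.*)$') {
            [pscustomobject]@{
                NetBiosName = $Matches[1]
                DnsName     = $Matches[2]
                Flags       = $Matches[3]
            }
        }
    }
}

function Test-TrustSecureChannel {
    param(
        [Parameter(Mandatory = $true)][string]$TrustedDomain,
        [string]$Server = $env:COMPUTERNAME
    )
    # /sc_query shows which DC in the trusted domain the channel points at and its status;
    # /sc_verify actually uses the channel, and NLTEST re-establishes it if needed
    $query  = (& nltest.exe /server:$Server /sc_query:$TrustedDomain 2>&1) -join "`n"
    $verify = (& nltest.exe /server:$Server /sc_verify:$TrustedDomain 2>&1) -join "`n"
    $dc = if ($query -match 'Trusted DC Name\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TrustedDomain = $TrustedDomain
        TrustedDC     = $dc
        QueryOk       = ($query  -match 'NERR_Success')
        VerifyOk      = ($verify -match 'NERR_Success')
        Detail        = $verify
    }
}

# Check every trust except the DC's own domain; a failed channel is the case
# for "nltest /sc_reset:<domain>" or a reset of the trust password
Get-TrustedDomainList |
    Where-Object { $_.Flags -notmatch 'Primary Domain' } |
    ForEach-Object { Test-TrustSecureChannel -TrustedDomain $_.DnsName } |
    Format-Table TrustedDomain, TrustedDC, QueryOk, VerifyOk -AutoSize
```

Run it from a scheduled task and keep the output: a trust whose VerifyOk flips to False overnight is much easier to explain at 3 AM when you can see which DC the channel was pointing at the day before.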

“Restricted Groups” in Group Policy


Ever had to add users to a local admin group but had no access to the computer? Or add a special user account to the Administrators group of every computer on the network for remote administrative functions?
Group Policy Restricted Groups enables you - as the administrator - to configure group memberships on the client computers or member servers. Cool. Useful!!!

The "Restricted Groups" option allows 2 types of settings:
Members
Members Of

Members– This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

Member Of – This setting allows you to control which other groups the specified group has membership in. All groups that you configure in this interface must meet the approved group nesting rules. Therefore, you can’t configure a local group to have membership in another group, since local groups can’t be placed in Active Directory groups, nor placed in other local groups. If the list of groups in this section is left blank, it will not remove the specified group from any existing groups, it will just not place it in additional groups.

Simple yet an efficient time saver.

Derek Melber wrote a good security piece on restricted groups
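Since the "Members" setting replaces whatever is in the group, it is worth checking that the computers actually ended up with the membership you configured. The following is an added example, not from the original post and not part of any Microsoft tool: it reads the local Administrators group on a list of computers over the WinNT ADSI provider (which works against XP/2003 clients) and reports members that are not in your GPO list and expected members that are missing. It assumes PowerShell 3.0 or later; the computer names PC01/PC02 and the MYDOMAIN groups are placeholders.

```powershell
# Added example, not from the original post: audit the local Administrators
# group on a list of computers against the membership you set in the Restricted
# Groups "Members" policy. Computer and account names below are placeholders.
function Get-LocalGroupMember {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    # WinNT provider: works against XP/2003 clients without PowerShell on the target
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # ADsPath ends in .../DOMAIN/Name or .../COMPUTER/Name; normalise to DOMAIN\Name
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Compare-RestrictedGroup {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$ExpectedMember,   # what the GPO "Members" list holds
        [string]$GroupName = 'Administrators'
    )
    foreach ($computer in $ComputerName) {
        # the built-in local Administrator account stays in the group whatever the policy says
        $expectedHere = $ExpectedMember + "$computer\Administrator"
        try {
            $actual = @(Get-LocalGroupMember -ComputerName $computer -GroupName $GroupName)
            [pscustomobject]@{
                Computer   = $computer
                Unexpected = @($actual | Where-Object { $expectedHere -notcontains $_ }) -join ', '
                Missing    = @($ExpectedMember | Where-Object { $actual -notcontains $_ }) -join ', '
                Error      = $null
            }
        }
        catch {
            [pscustomobject]@{ Computer = $computer; Unexpected = $null; Missing = $null; Error = $_.Exception.Message }
        }
    }
}

# Placeholder values: the GPO should leave exactly these two in Administrators
$expected = @('MYDOMAIN\Domain Admins', 'MYDOMAIN\HelpdeskAdmins')
Compare-RestrictedGroup -ComputerName @('PC01', 'PC02') -ExpectedMember $expected |
    Format-Table -AutoSize
```

Anything in the Unexpected column means either the policy has not applied yet (check gpresult on that machine) or someone with local admin rights added an account by hand; both are worth a look.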

Thursday, September 10, 2009

Well, this is embarrassing

After a long weekend and the first day of school I walked in today and started my Firefox browser. After a few seconds it crashed. Up to this point, nothing much to tell about; it happens every once in a while.
The story is the recovery process. When Firefox crashes it comes up again and recovers all web pages, so other than the irritating process you do not have any real damage (though it is annoying). But this time I got a new message...

Thursday, September 3, 2009

Netsh.exe - DHCP backup and more



Early this morning I had a problem on one of my DHCP servers. One scope got messy and I wanted to get it fixed fast enough so early birds coming in would not notice the problem.
Lucky me, I had a recent backup of my DHCP so all I had to do was restore it to the server.

The Netsh.exe utility is a functional tool that can be used for many tasks around your domain. My particular task here was importing the backup file I created as part of my DR plan.

Running the tool on the DHCP server itself, these are the required commands:
netsh
dhcp server \\servername

EXPORT
export c:\backup\dhcpdb all (all=>backup ALL scopes)
or
export c:\temp\dhcpdb 192.168.20.0

IMPORT
import c:\backup\dhcpdb all (all=>import full config)
or
import c:\temp\dhcpdb 192.168.20.0

This is a very simple procedure that can save you time when DHCP fails.
You can use this tool for many more tasks, including monitoring your system from the command line.
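The export and import commands above, wrapped for a scheduled nightly backup, as an added example that is not from the original post: it runs netsh dhcp server export with a dated file name, fails loudly if the export did not produce a file, prunes old exports, and offers the matching import. It assumes PowerShell 3.0 or later and that it runs on the DHCP server itself; the C:\backup\dhcp path and the scope 192.168.20.0 are placeholders.

```powershell
# Added example, not from the original post: wrap the netsh export/import
# commands in a dated backup with basic checks. Paths, the server name
# and the scope are placeholders; run it on the DHCP server itself.
function Backup-DhcpConfig {
    param(
        [string]$Server     = $env:COMPUTERNAME,
        [string]$BackupRoot = 'C:\backup\dhcp',
        [string]$Scope      = 'all',      # 'all' or one scope ID such as 192.168.20.0
        [int]$KeepDays      = 30
    )
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $file = Join-Path $BackupRoot ('dhcpdb-{0}-{1}-{2}' -f $Server, $Scope, (Get-Date -Format 'yyyyMMdd-HHmm'))
    # netsh dhcp server \\<server> export <file> <all | scope>
    $out = & netsh.exe dhcp server "\\$Server" export $file $Scope 2>&1
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "DHCP export failed on ${Server}: $($out -join ' ')"
    }
    # prune old exports so the backup folder does not grow forever
    Get-ChildItem -Path $BackupRoot -Filter 'dhcpdb-*' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Force
    Get-Item $file
}

function Restore-DhcpConfig {
    param(
        [Parameter(Mandatory = $true)][string]$File,
        [string]$Server = $env:COMPUTERNAME,
        [string]$Scope  = 'all'
    )
    if (-not (Test-Path $File)) { throw "Backup file not found: $File" }
    # netsh dhcp server \\<server> import <file> <all | scope>
    $out = & netsh.exe dhcp server "\\$Server" import $File $Scope 2>&1
    if ($LASTEXITCODE -ne 0) { throw "DHCP import failed on ${Server}: $($out -join ' ')" }
    $out
}

# Nightly: Backup-DhcpConfig
# After a broken scope: Restore-DhcpConfig -File <export file> -Scope 192.168.20.0
$backup = Backup-DhcpConfig
"Exported DHCP configuration to $($backup.FullName) ($($backup.Length) bytes)"
```

Copy the export folder off the DHCP server as part of the regular backup job; an export that only lives on the server it protects is of no use when that server is the one that died.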

Tuesday, September 1, 2009

How to change Drive Letter display

A simple request from a user made me work a bit before I found this neat solution:
Mapped drives in Windows Explorer are displayed by default as:
- (OneManITShop Data on FileServer\ShopData M:)
A much easier way to see it, and this user requested just that, is the other way around:
(M: OneManITShop Data on FileServer\ShopData)

An easy solution (I do not say 'the solution' since other solutions are available out there) is a simple Registry change:
In regedit (type regedit at the command line) look for the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
Edit or create the DWORD value "ShowDriveLettersFirst" and set it to the desired value:

* 0 = Default display (drive letters after description)
* 1 = Network drive letters first, Local drive letters after
* 2 = Descriptions only, no drive letters displayed
* 4 = Drive letters before description

My user's request required option 4. Happy user at the end of the day :)
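The same registry change done from PowerShell, as an added example that is not from the original post: the setter only accepts the four values listed above, creates the DWORD if it is missing, and reads the value back with its meaning so you can confirm what a machine is set to before and after. It assumes PowerShell 3.0 or later and an elevated prompt, since the key is under HKLM.

```powershell
# Added example, not from the original post: set the ShowDriveLettersFirst
# value with validation and read it back. Needs an elevated prompt for HKLM.
$ExplorerKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$DriveLetterModes = @{
    0 = 'Default display (drive letters after description)'
    1 = 'Network drive letters first, local drive letters after'
    2 = 'Descriptions only, no drive letters displayed'
    4 = 'Drive letters before description'
}

function Get-DriveLetterDisplay {
    # a missing value means Explorer behaves as if it were 0
    $item = Get-ItemProperty -Path $ExplorerKey -Name 'ShowDriveLettersFirst' -ErrorAction SilentlyContinue
    $mode = if ($null -eq $item) { 0 } else { [int]$item.ShowDriveLettersFirst }
    [pscustomobject]@{ Mode = $mode; Meaning = $DriveLetterModes[$mode] }
}

function Set-DriveLetterDisplay {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1, 2, 4)][int]$Mode)
    # -Force creates the DWORD if missing and overwrites it if present
    New-ItemProperty -Path $ExplorerKey -Name 'ShowDriveLettersFirst' -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-DriveLetterDisplay
}

Get-DriveLetterDisplay          # before
Set-DriveLetterDisplay -Mode 4  # the setting this user asked for
```

A value outside the list (say, 3) is rejected by ValidateSet rather than silently written, and Get-DriveLetterDisplay shows an empty Meaning for such a value if someone else put it there. Explorer picks the setting up when it starts, so sign out or restart Explorer to see the change.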

Monday, August 31, 2009

Laptop support



I always struggle with this subject: a user comes back from vacation and instead of chocolate, she brings her laptop and wants you to fix it. Why? Because she used the hotel WiFi and her unsecured private laptop is now a bag full of viruses.
As the cheap (well, more FREE than cheap) available technician I'm the obvious choice for the user, but should I provide this service?
This is one of the major dilemmas of the OneManITShop administrator at a small firm. You can't say no, definitely not to partners or managers, but due to the delicate politics in a small place, not even to the last employee in the food chain.

So I get this laptop and meet a familiar friend: Personal Antivirus, a nasty malware that I've seen in the past. I was lucky to remember the solution I used last time, so it didn't take that long, and using Malwarebytes' software I was able to get it off the laptop without a sweat.



This is a great tool that never failed me. It gets the latest update and starts working, scanning the hard drive. Within the hour I got the list of the rogue files to be deleted and the laptop was cleaned.

Keep in mind that in a small shop users expect you to be available for their personal computer support, and as long as they keep it reasonable, try to keep them happy and safe. Educate them - in the long run you'll get something back: either they'll learn something and prevent future problems, or you'll need something back and they'll be more than happy to return a favor.

Friday, August 28, 2009

Domain Trust – part II

Part I covered the basic concept of Domain Trust. Now it’s time to go over the different Trust types.

Two-way trust is the most common type and the easiest to understand.
In a Windows forest any 2 domains trust each other both ways, and these are transitive trusts. That means any new child domain you create within the forest is automatically trusted and trusting.
The result of a Two-way trust is that authentication requests can be passed between the two domains: users from domain A can access resources in domain B, if they have the permissions to do so, without any additional login (based on the authentication they have already done in their own domain).
Two-way trust within a forest root or domain tree is always transitive. (I'll get there in a minute.)

One-way trust uses the same authentication concept but, unlike the Two-way trust, here one domain accesses the other domain's resources but does not allow that other domain to use its own resources. One-way trust relationships are always nontransitive.
One-way trust can be established with another forest (Win2000\2003\2008), a WinNT domain or Kerberos Realms (aka non-Windows environments).

Transitive trusts exist between 2 domains in the same forest. In a Transitive trust the trust can be extended beyond the two domains. That means that if domain A trusts domain B and domain B trusts domain C, domain A will also trust domain C. Simple.

There is however a way around this, to create other types of transitive trusts:
Shortcut trust - used to shorten the trust path in a large and complex environment; it connects two domains in the same domain tree or forest. Like the name indicates, it doesn't create anything new but shortens the path the user has to go through to get to the destination domain.
Forest trust - transitive trust between two forest root domains.
Realm trust - transitive trust between an AD domain and a non-Windows environment using Kerberos V5 realms.

Nontransitive trust is a trust restricted only to the two participating domains. This trust cannot flow beyond these two domains' borders. A nontransitive trust is always One-way, but it can be tweaked by creating 2 One-way trusts that together make an actual two-way trust.
Nontransitive trust is used when connecting WinNT domains and for a trust to a single domain in another forest when you do not want the entire 2nd forest to be trusted.

There are 2 types of nontransitive trust:
External trust - created between a Windows 2000\2003\2008 domain and a Windows NT domain or a Windows domain in another forest.
Realm trust - nontransitive trust between an AD domain and a non-windows environment using Kerberos V5 realms

In part III I'll show some Trust-related troubleshooting skills that every admin should have.
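The trust types above are stored as attributes on the trustedDomain objects in the domain's System container, so they can be read and decoded directly. The following is an added example, not from the original post: it queries those objects with System.DirectoryServices (no AD module needed) and maps trustDirection, trustType and trustAttributes onto the vocabulary used above (one-way/two-way, transitive/nontransitive, forest/realm/external), plus the SID-filtering flag that matters when you trust a domain you do not control. The attribute values are the ones documented in MS-ADTS; the example assumes PowerShell 3.0 or later and runs against the current domain.

```powershell
# Added example, not from the original post: read the trustedDomain objects in
# CN=System and decode them into the trust types described in the post.
# Attribute values are from MS-ADTS; runs against the current domain.
function Get-DomainTrust {
    param([string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustType', 'trustAttributes'))
    foreach ($r in $searcher.FindAll()) {
        $direction = [int]$r.Properties['trustdirection'][0]   # 1 inbound, 2 outbound, 3 both
        $type      = [int]$r.Properties['trusttype'][0]        # 1 NT (downlevel), 2 AD (uplevel), 3 Kerberos realm
        $attr      = [int]$r.Properties['trustattributes'][0]  # bit flags, see below

        # Classify the way the post does: realm, forest, within-forest (parent/child
        # or shortcut), otherwise an external trust to a single domain
        $kind = 'External'
        if ($type -eq 3)          { $kind = 'Realm' }
        elseif ($attr -band 0x08) { $kind = 'Forest' }             # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        elseif ($attr -band 0x20) { $kind = 'Within forest' }      # TRUST_ATTRIBUTE_WITHIN_FOREST

        $directionText = @{
            1 = 'One-way, inbound (partner trusts this domain)'
            2 = 'One-way, outbound (this domain trusts partner)'
            3 = 'Two-way'
        }[$direction]

        [pscustomobject]@{
            Partner      = [string]$r.Properties['trustpartner'][0]
            Direction    = $directionText
            Kind         = $kind
            Transitive   = -not ($attr -band 0x01)    # TRUST_ATTRIBUTE_NON_TRANSITIVE clear
            SidFiltering = [bool]($attr -band 0x04)   # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
        }
    }
}

Get-DomainTrust | Format-Table -AutoSize
```

An external or forest trust showing SidFiltering = False is the line to look at first: without quarantine, a SID from outside the partner domain that arrives in a user's token over that trust is honoured on your side.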

Thursday, August 27, 2009

Microsoft Office License


I have a single user working from his home in London. Sharing our services is easy and I hardly ever hear from him. This morning I got a call from this guy and he told me that he will need a Microsoft Publisher license for his soon-to-expire 60-day trial.

Sounds like an easy task, right? Wrong!
My first thought was going to Amazon and buying a new box; since he already has the software he does not need the CD and I can just give him the key. Makes sense and is easy to do, BUT there is one catch – different countries have different licensing policies. Yes, the same Microsoft has different policies and prices for different countries, where the EU is even more complicated because of the antitrust case with Microsoft.

Calling Microsoft here in the US resulted with a simple answer – you have to buy the license in the UK. Can you blame them for preferring € or £ over $US?
(tip: the €\£ signs come up when holding ALT and typing 0128\0163)

Calling my Microsoft sales rep (who is not a Microsoft employee but works for one of the biggest retailers), the answer was different: he said that for Office licenses the license is per language, and if I need an English version I can buy it in the US.

I Googled and Binged, but wherever you go, including Microsoft.com, you get different answers or interpretations of the rules.
I'm still waiting for a few answers, but one cannot stop wondering why Microsoft can't make licensing easier.

Wednesday, August 26, 2009

Cable box extender (Hide your Cable box)



This is one of those cases where everything works fine but the end result is failure. Each piece by itself is good, but when combined it just doesn't deliver.

Our trading floor has 4 flat screen TVs, one per wall. This setup allows everyone to have good view at one screen or more.
When we set up this layout we had instructions to hide the cable boxes, both for the space and for the clean line of the walls. That was a bit of a challenge.
We're using the standard Time Warner cable boxes and, like any other cable box, they require line of sight to the remote in order to function.
After a long search we found a nice neat solution: Hot Link Pro.
It is a 3 piece device:
• Emitter Extension Kit
• Coax Eye Extension Cable - eye reader that connects to the cable box (or any other device). It has a sticker on each reader and you just glue it to the box. There are 6 ‘eyes’ which you can plug on
• Infrared receiver – It is more than 4 times more sensitive than standard receiver. That is the one cable you hang off the ceiling or out of the closet, it will read the remote signal and forward it via the box to the cable box.

So on top of each TV I've located the cable box, just above the ceiling tiles. There is a power outlet for each box (actually 2 – the cable box and the Emitter) and the Infrared receiver hangs below the ceiling. The cable box remote works as if the box was right in front of it and everyone is happy.

A few days ago the receiver stopped working and users called me. I had to climb up there and found that if the remote is used directly with the cable box it is working. I tried different eye extensions but they all failed to flip channels. The next step was taking this kit to another cable box, where it worked fine, and testing a different kit on this box, which failed again.
So we called Time Warner. The technician came this morning with a replacement box. She plugged it in and told me that rebooting it will take about 15 minutes. 45 minutes later she said the box has a problem (yes, the new box she just brought in) and left the building to get another box. This time the box did load and 15 minutes later the TV worked again. When I glued on the eye extension the receiver started working right away.

Hurray!

Tuesday, August 25, 2009

SubInACL - Security Information Tool


I had to give some users access to a specific service on one of my servers but didn't want them to have full domain admin permissions. Changing a service's permissions is not something Microsoft built a solution for, so I had to be creative. As always, I checked for available 3rd party tools but ended up using this magical hidden native tool: SubInACL.exe

SubInACL is one of those shy command-line tools that not too many guys know about. It is part of the Windows Resource Kit Tools, and it's about time you too got familiar with it.

SubInACL enables you to obtain security information about different types of objects: files, services and registry keys.
The info you obtain with SubInACL can be transferred in a few ways: from user to user, from local or global group to group, and from domain to domain. The average OneManITShop will find the first and second options handy, though the domain-to-domain transfer option can also be useful.

Microsoft describes 4 uses for this tool:
• Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
• Change the owner of an object.
• Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
• Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

Back to my problem: let's say my user is "Dave" and I need Dave to be able to stop and start the Print Spooler service. This is the command to make it work (TO = start + stop; see the full list below):
subinacl /service Spooler /GRANT=MyDomain\Dave=TO

The full list (Look under method 3):
• F : Full Control
• R : Generic Read
• W : Generic Write
• X : Generic eXecute
• L : Read controL
• Q : Query Service Configuration
• S : Query Service Status
• E : Enumerate Dependent Services
• C : Service Change Configuration
• T : Start Service
• O : Stop Service
• P : Pause/Continue Service
• I : Interrogate Service
• U : Service User-Defined Control Commands

So this is one of many options for this great tool. You should download it and play with the options. You never know when it will come in handy!
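The grant above with a check before and after, as an added example that is not from the original post: the function validates the right letters against the list above before calling SubInACL, the revoke is the undo, and "sc sdshow" (built into Windows) prints the service's security descriptor as SDDL so you can see exactly which ACE the grant added. It assumes PowerShell 3.0 or later, an elevated prompt, and subinacl.exe on the PATH; MyDomain\Dave is the placeholder account from the post.

```powershell
# Added example, not from the original post: grant an account start/stop on a
# service with SubInACL, then verify the service's ACL with "sc sdshow".
# Domain and account names are placeholders; subinacl.exe must be on the PATH.
$ServiceRightLetters = 'FRWXLQSECTOPIU'   # the letters from the list in the post

function Grant-ServiceRight {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,   # e.g. Spooler
        [Parameter(Mandatory = $true)][string]$Account,       # e.g. MyDomain\Dave
        [Parameter(Mandatory = $true)][string]$Rights         # e.g. 'TO' = start + stop
    )
    $rights = $Rights.ToUpper()
    $bad = $rights.ToCharArray() | Where-Object { $ServiceRightLetters.IndexOf($_) -lt 0 }
    if ($bad) { throw "Unknown SubInACL service right letter(s): $($bad -join '')" }
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) { throw "No such service: $ServiceName" }
    # subinacl /service <name> /grant=<account>=<letters>
    $out = & subinacl.exe /service $ServiceName "/grant=$Account=$rights" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "subinacl failed: $($out -join ' ')" }
    $out
}

function Revoke-ServiceRight {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$Account
    )
    # /revoke removes the account's ACEs: the undo for a grant that turned out too generous
    & subinacl.exe /service $ServiceName "/revoke=$Account" 2>&1
}

function Get-ServiceSddl {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    # sc sdshow prints the service security descriptor as SDDL; the D: part is the DACL
    (& sc.exe sdshow $ServiceName 2>&1 | Where-Object { $_ -match '^D:' }) -join ''
}

# Least privilege for the case in the post: Dave may start (T) and stop (O) the spooler, nothing more
Get-ServiceSddl -ServiceName Spooler            # before
Grant-ServiceRight -ServiceName Spooler -Account 'MyDomain\Dave' -Rights 'TO'
Get-ServiceSddl -ServiceName Spooler            # after: a new (A;;RPWP;;;<Dave's SID>) ACE
```

In the SDDL output, RP is the start right and WP the stop right for a service, so the ACE for Dave's SID should contain exactly those two; if it contains more, the letters passed to the grant were wider than intended and Revoke-ServiceRight puts it back.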

Monday, August 24, 2009

bug report: Firefox 3.x & eBlaster 6.x



I had this problem on a few different XP machines: Firefox crashes over and over. When you select the 'restart' option at the crash message screen it will reopen, only to crash again.
All the PCs are Windows XP SP2 and they all have a copy of eBlaster 6.0.3084.
Surprisingly, an upgrade fixes the problem...
Installing eBlaster 6.0.3102 (and the required reboot) makes the problem go away...
Nothing on eBlaster's site indicates they did anything to fix the problem, but hey, if it's fixing it who am I to complain!

Friday, August 21, 2009

Domain Trust – part I


Aladdin asked princess Jasmine for her trust and she, by the look in his eyes, opened her heart to him and trusted him. Unfortunately real life doesn't work like tales, and we can't trust anyone we don't know just because they ask for it, even if they look good…
I noticed (on my favorite forums) that this is a recurring subject, not always easy to understand for new administrators, and I will try to simplify the subject while keeping the important techie details.

Domain Trust is a sharing concept that aims to ease the management of trust in the Active Directory world (aka the real world). It allows 2 separate groups that trust each other to share resources. It makes life easier for administrators in 2 ways: first, they can share resources with other groups, and second, it reduces the number of logins a user has to deal with (and as a result, reduces the number of helpdesk calls).

Scenario (or, what is it good for):
Companies A & B merged but want to keep their networks as is. You have to allow users from both companies to share files and printers. Establishing a trust between the 2 domains (actually forests) will simplify the process from a long, tedious permission setup to a 5-minute trust build-up.

How does it work?
In this post I'll go over some of the basic concepts and later will go over the different types of trusts (One-way, Two-way, Transitive, Nontransitive).
A trust relationship is defined by a secret key that is shared by both forests or domains and that gets updated on a regular basis. That said, when you configure a trust all you have to do is set the same password on both ends and let the system do the rest. The rest is based on the NTLM and Kerberos authentication protocols and on Windows-based authorization and access control mechanisms.
Active Directory domain controllers authenticate users and applications by using one of two protocols: either the Kerberos version 5 authentication protocol or the NTLM authentication protocol. When two Active Directory domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.
Every trust has a secure channel through which the trust participants communicate. They use the trust password to secure their communication. If the secure channel between them is broken, you need to reset it, i.e. reset the trust password.
Trusts have a user account in Active Directory which can be seen via ADSI Edit. The user account for the Trust is stored in the built-in "Users" container under the domain root. The most useful and powerful tool to test trusts is Nltest.exe, one of the oldest guys in the area but still kicking!

In part II I'll go over different Trust types
In part III I'll go over some troubleshooting options

Thursday, August 20, 2009

TechNet Unleashed NYC event report


I was at one of those Microsoft TechNet NYC events.
It wasn't too fancy (like the launch they plan in Oct) or too crowded. I see it as a big plus because it indicates only people who come to listen are there. Yes, they had a few giveaways, but unlike those fancy events it was not about or around them.
Focusing primarily on live demos and real-life scenarios, Dan Stolts used a laptop to show Win7 migration from XP, both for home users and at the enterprise level, demonstrate the very impressive DirectAccess on Windows 2008 R2 and close with Remote Desktop Services.
Dan is a funny guy, a fast talker but loud and clear. Though he had a few technical problems and it was his first round on this event (which always serves as a case study where instructors find the right balance in their timing), you see the guy knows his job, uses it in real life and understands what we, system managers out there, want to hear about.
I was mostly impressed with 2 unexpected things:
First and foremost, how powerful his laptop is. Using a Lenovo he loaded a 4-machine virtual environment (and stated it works with up to 8 with reasonable performance). How strong it is! (8GB RAM does part of the job here.) I do not virtualize anything in my current environment (and haven't since my days in school when I just started and had to build a study test environment) but I know to say WOW when I see it.
Second WOW was DirectAccess. This is a great tool for any environment with traveling users, small or large. Getting VPN clients in\out of my network over the years didn't change too much. This is a huge leap forward and can make working from home a delight.
Don't get me wrong, I came in for the Win7 part, which was okay, but I already knew most of Dan's curriculum. The RDS part was interesting but hey, we're not going there any time soon (ever). But DirectAccess, though we're not going there any time soon, is a big hit which more people should know about. Thanks Dan. This is why I try to attend these events!

Dan promised to have all the videos and data on his blog before the Oct 22nd launch.

Wednesday, August 19, 2009

IM– do we have a choice? - update


Following up on an old post: Pidgin released an exciting new version.
Among many changes there is one huge addition:
voice support with GTalk and voice and video support with the GMail web client

One more reason to switch!

Tuesday, August 18, 2009

Guidelines for a good Backup plan


I had to restore a file this morning using my B2D job. While I had no problems and everyone is happy I found it to be the perfect opportunity to go over my backup plan. It can’t hurt.

I backup 3 data types:
Email (Domino Server)
User data (aka files)
Active Directory

I’m using Backup Exec for all my backup jobs and most of the time I’m happy with the performance.

Domino backup is done using the Domino agent. Using this article as a reference, I back up the Lotus\Domino\Data folder. A weekly cycle to tape with a daily full backup to disk provides a strong backup. One important note that helps me keep the backup at a reasonable size is old users' nsf files. When a user leaves the company we still need to keep the mailbox (compliance, compliance, compliance), but it is not changing and there is no point in backing up the same file every day. I have this folder with old nsf files that I back up once a quarter or after an employee left and the file was moved (that requires shutting down the server, so waiting for a few mailboxes to pile up is a smart move).

User data files, like emails, change on a daily basis, but unlike a mailbox, which is one file that changes daily, there are thousands of different files of which only a few get changed daily or even weekly. I personally do not like the differential backup scheme, so I keep a full backup over the weekend and daily incremental backups on top of it. I also keep a full daily backup for important directories, those with critical data and frequent changes. Just in case. That is one of the big advantages of a small shop.

Active Directory is, from the IT perspective, the most critical backup. Using this as a reference guideline, it is important to understand the core idea: the System State backup is the heart of an AD backup and MUST be properly backed up.
Active Directory MUST be backed up in FULL BACKUP mode.
A good backup includes at least the system state and the contents of the system disk. Backing up the system disk ensures that all the required system files and folders are present so you can successfully restore the data.

One last aspect of a good backup plan is testing. You should recover random files on a regular basis. You do not want to be in the position where someone deleted an important file and you can’t restore it!

Monday, August 17, 2009

Account Expiration Date


We have a Group Policy that enforces password changes every 90 days.
When I implemented it, everyone was synced (more or less) to change passwords in the same time frame. Over time it got more complicated to follow the password changes, mostly because some users change it as they get the 14-day warning and some wait until the last minute.

Why do I need to know when users are set to expire?
This is a good question. The best answer I have for it is I don’t.
BUT (there is always a but) once in a while (and usually the same users) someone will ignore the password expiration notification and will lose access to domain resources. It can happen mid-day: they suddenly can't print, network shares won't open and the desktop (which we redirect to the network) will disappear. When I know that this is the time frame for expired passwords I'll be able to figure it out much faster, and prevent it by reminding those users.

How to find the data?
Joe’s ADFind is THE tool for this task.
You can adjust the command for users or computers. It works for an OU and you can filter on many parameters.
Recently Joe posted an additional piece on this subject. It is worth reading.
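The same data without ADFind, as an added example that is not from the original post: it reads the domain's maxPwdAge, walks the enabled users whose password can expire, computes each expiry from pwdLastSet and lists everyone who expires within N days (or already has, shown as negative days). It uses System.DirectoryServices only, so it needs neither the AD module nor a Resource Kit tool; it assumes PowerShell 3.0 or later and that users fall under the domain default password policy (fine-grained password policies, available from 2008, are not considered). An OU distinguished name passed as -SearchBase narrows the search.

```powershell
# Added example, not from the original post: list users whose domain password
# expires within N days. Assumes the domain default policy applies to everyone
# (fine-grained password policies are ignored).
function Get-PasswordExpiry {
    param(
        [int]$WithinDays = 14,                                                   # matches the 14-day warning
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext      # an OU DN narrows the search
    )
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext

    # maxPwdAge is a negative Int64 in 100-ns units, the same unit as .NET ticks
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $ds.SearchScope = 'Base'
    $ds.Filter      = '(objectClass=domainDNS)'
    $null = $ds.PropertiesToLoad.Add('maxPwdAge')
    $rawMaxAge = [int64]$ds.FindOne().Properties['maxpwdage'][0]
    if ($rawMaxAge -eq 0 -or $rawMaxAge -eq [int64]::MinValue) {
        Write-Warning 'The domain policy does not expire passwords; nothing to report.'
        return
    }
    $maxAge = [TimeSpan]::FromTicks(-1 * $rawMaxAge)

    # Enabled users (UAC bit 2 clear) whose password can expire (bit 65536 clear)
    # and who have a real pwdLastSet (0 means "must change at next logon")
    $us = New-Object System.DirectoryServices.DirectorySearcher
    $us.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $us.PageSize   = 1000
    $us.Filter     = '(&(objectCategory=person)(objectClass=user)(pwdLastSet>=1)' +
                     '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                     '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
    $null = $us.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet'))

    $cutoff = (Get-Date).AddDays($WithinDays)
    foreach ($r in $us.FindAll()) {
        $lastSet = [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
        $expires = $lastSet + $maxAge
        if ($expires -le $cutoff) {
            [pscustomobject]@{
                User     = [string]$r.Properties['samaccountname'][0]
                LastSet  = $lastSet
                Expires  = $expires
                DaysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)   # negative = already expired
            }
        }
    }
}

Get-PasswordExpiry -WithinDays 14 | Sort-Object Expires | Format-Table -AutoSize
```

Run it once a week and mail yourself the table: the names with the fewest days left are the reminder list, and anyone already negative is the next "I can't print" call before it happens.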