Monday, August 31, 2009

Laptop support

I always struggle with this subject: a user comes back from vacation and instead of chocolate, she brings her laptop and wants you to fix it. Why? Because she used the hotel WiFi and her unsecured private laptop is now a bag full of viruses.
As the cheap (well, more FREE than cheap) available technician I'm the obvious choice for the user, but should I provide this service?
This is one of the major dilemmas of the OneManITShop administrator at a small firm. You can't say no, definitely not to partners or managers, but due to the delicate politics in a small place, not even to the last employee in the food chain.

So I get this laptop and meet a familiar friend: Personal Antivirus, a nasty malware that I've seen in the past. I was lucky to remember the solution I used last time so it didn't take that long, and using Malwarebytes' software I was able to get it off the laptop without a sweat.

This is a great tool that never failed me. It gets the latest update and starts working, scanning the hard drive. Within the hour I got the list of the rogue files to be deleted and the laptop was cleaned.

Keep in mind that in a small shop users expect you to be available for their personal computer support and as long as they keep it reasonable, try to keep them happy and safe. Educate them - in the long run you'll get something back: either they'll learn something and prevent future problems, or you'll need something back and they'll be more than happy to return a favor.

Friday, August 28, 2009

Domain Trust – part II

Part I covered the basic concept of Domain Trust. Now it’s time to go over the different Trust types.

Two-way trust is the most common type and the easiest to understand.
In a Windows forest any 2 domains trust each other both ways and the trusts are transitive. That said, any new child domain you create within the forest is automatically trusted and trusting.
The result of a Two-way trust is that authentication requests can be passed between the two domains: users from domain A can access resources in domain B, if they have the permissions to do so, without any additional login (based on the local domain authentication they have already done in their own domain).
Two-way trust within a forest root or domain tree is always transitive (I'll get there in a minute).

One-way trust uses the same authentication concept but unlike the Two-way trust, here one domain accesses the other domain's resources but does not allow that other domain to use its own resources. One-way trust relationships are always nontransitive.
One-way trust can be established with another forest (Win2000\2003\2008), a WinNT domain or Kerberos realms (aka non-Windows environments).

Transitive trusts exist between 2 domains in the same forest. In a transitive trust the trust can be extended beyond the two domains. That means that if domain A trusts domain B and domain B trusts domain C, domain A will also trust domain C. Simple.

There is however a way to go around this and create other types of transitive trusts:
Shortcut trust - used to shorten the trust path in a large and complex environment; it connects two domains in the same domain tree or forest. Like the name indicates, it doesn't create anything new but shortens the way the user has to go through to get to the destination domain.
Forest trust – transitive trust between two forest root domains.
Realm trust - transitive trust between an AD domain and a non-Windows environment using Kerberos V5 realms.

Nontransitive trust is a trust restricted only to the two participating domains. This trust cannot flow beyond these two domains' borders. A nontransitive trust is always One-way but it can be tweaked by creating 2 One-way trusts that make it an actual two-way trust.
Nontransitive trust is used when connecting WinNT domains and for a trust from a forest to one out-of-the-forest domain when you do not want the entire 2nd forest to be trusted.

There are 2 types of nontransitive trust:
External trust - created between a Windows 2000\2003\2008 domain and a Windows NT domain or a Windows domain in another forest.
Realm trust - nontransitive trust between an AD domain and a non-Windows environment using Kerberos V5 realms.

In part III I'll show some Trust related troubleshooting skills that every admin should have.

Thursday, August 27, 2009

Microsoft Office License

I have a single user working from his home in London. Sharing our services is easy and I hardly ever hear from him. This morning I got a call from this guy and he told me that he will need a Microsoft Publisher license for his soon-to-expire 60 day trial.

Sounds like an easy task, right? Wrong!
My first thought was going to Amazon and buying a new box; since he already has the software he does not need the CD and I can just give him the key. Makes sense and easy to do BUT there is one catch – different countries have different licensing policies. Yes, the same Microsoft has different policies and prices for different countries, where the EU is even more complicated because of the antitrust case with Microsoft.

Calling Microsoft here in the US resulted in a simple answer – you have to buy the license in the UK. Can you blame them for preferring € or £ over US$?
(tip: the €\£ signs come up when holding ALT and typing 0128\0163)

Calling my Microsoft sales rep (who is not a Microsoft employee but works for one of the biggest retailers) the answer was different: he said that for Office licenses the license is per language and if I need an English version I can buy it in the US.

I Googled and Binged but wherever you go you get different answers or interpretations of the rules.
I'm still waiting for a few answers but one cannot stop wondering: why can't Microsoft make licensing easier?

Wednesday, August 26, 2009

Cable box extender (Hide your Cable box)

This is one of those cases where everything works fine but the end result is failure. Each piece by itself is good but when combined it just doesn't deliver.

Our trading floor has 4 flat screen TVs, one per wall. This setup allows everyone to have a good view of one screen or more.
When we set up this layout we had instructions to hide the cable boxes, both for the space and the clean line of the walls. That was a bit of a challenge.
We're using the standard Time Warner cable boxes and like any other cable box, it requires line of sight to the remote in order to function.
After a long search we found a nice neat solution: Hot Link Pro.
It is a 3 piece device:
• Emitter Extension Kit
• Coax Eye Extension Cable - eye reader that connects to the cable box (or any other device). It has a sticker on each reader and you just glue it to the box. There are 6 'eyes' which you can plug in.
• Infrared receiver – it is more than 4 times more sensitive than a standard receiver. That is the one cable you hang off the ceiling or out of the closet; it will read the remote signal and forward it via the box to the cable box.

So on top of each TV I've located the cable box, just above the ceiling tiles. There is a power outlet for each box (actually 2 – the cable box and the Emitter) and the Infrared receiver hangs on the floor side of the ceiling. The cable box remote works as if the box was right in front of it and everyone is happy.

A few days ago the receiver stopped working and users called me. I had to climb up there and found that if the remote is used directly with the cable box it is working. I tried different eye extensions but they all failed to flip channels. Next step was taking this kit to another cable box, where it worked fine, and testing a different kit on this box, which failed again.
So we called Time Warner. The technician came this morning with a replacement box. She plugged it in and told me that rebooting it will take about 15 minutes. 45 minutes later she said the box has a problem (yes, the new box she just brought in) and left the building to get another box. This time the box did load and 15 minutes later the TV worked again. When I glued on the eye extension the receiver started working right away.


Tuesday, August 25, 2009

SubInACL - Security Information Tool

I had to give some users access to a specific service on one of my servers but didn't want them to have full domain admin permissions. Changing a service is not something Microsoft built a solution for so I had to be creative. As always, I checked for available 3rd party tools but ended up using this magical hidden native tool: SubInACL.exe

SubInACL is one of those shy command-line tools that not too many guys know about. It is part of the Windows Resource Kit Tools and it's about time you too get familiar with it.

SubInACL enables you to obtain security information about different types of objects: files, services and registry keys.
The info you obtain with SubInACL can be transferred in a few ways: from user to user, from local or global group to group, and from domain to domain. The average OneManITShop will find the first and second options handy, though the domain to domain transfer option can also be useful.

Microsoft describes 4 uses for this tool:
• Display security information associated with files, registry keys, or services. This information includes owner, group, permission access control list (ACL), discretionary ACL (DACL), and system ACL (SACL).
• Change the owner of an object.
• Replace the security information for one identifier (account, group, well-known security identifier (SID)) with that of another identifier.
• Migrate security information about objects. This is useful if you have reorganized a network's domains and need to migrate the security information for files from one domain to another.

Back to my problem: let's say my user is "Dave" and I need Dave to be able to stop and start the Print Spooler service. This is the command to make it work (TO=start+stop -> see the full list below):
subinacl /service Spooler /GRANT=MyDomain\Dave=TO

The full list (look under method 3):
• F : Full Control
• R : Generic Read
• W : Generic Write
• X : Generic eXecute
• L : Read controL
• Q : Query Service Configuration
• S : Query Service Status
• E : Enumerate Dependent Services
• C : Service Change Configuration
• T : Start Service
• O : Stop Service
• P : Pause/Continue Service
• I : Interrogate Service
• U : Service User-Defined Control Commands

So this is one of many options for this great tool. You should also download it and play with the options. You never know when it will come in handy!
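As an added example (my own wrapper, not the post's command beyond the Dave/Spooler line it reuses), this PowerShell script shows the service ACL before and after the grant, keeps the grant to T and O only, and can take it back again. It assumes subinacl.exe is on the PATH and the script runs as a local administrator on the server.

```powershell
# Added example; not part of the blog post. Wraps the post's SubInACL delegation so the
# service ACL can be checked before and after, and the right revoked later.
# Assumes subinacl.exe on the PATH and an elevated (administrator) session on the server;
# "MyDomain\Dave" and "Spooler" are the post's example account and service.

$Service = "Spooler"
$Account = "MyDomain\Dave"

function Invoke-SubInAcl {
    # Runs subinacl, echoes its output, and fails if its own summary line reports
    # a non-zero "Failed" or "Syntax errors" count.
    param([string[]]$Arguments)
    $out = & subinacl $Arguments 2>&1
    $out
    if ($out -match "(Failed|Syntax errors)\s+[1-9]") {
        throw "subinacl reported failures for: $Arguments"
    }
}

function Show-ServiceAcl {
    # /display prints the owner, DACL and SACL of the service object
    Invoke-SubInAcl @("/service", $Service, "/display")
}

function Grant-ServiceStartStop {
    # T = start, O = stop, and deliberately nothing else: C (change configuration) would let
    # the user point the service at another executable, i.e. run code as the service account,
    # and F (full control) includes C.
    Invoke-SubInAcl @("/service", $Service, "/grant=$Account=TO")
}

function Revoke-ServiceAccess {
    # /revoke removes every ACE for the account from the service's DACL
    Invoke-SubInAcl @("/service", $Service, "/revoke=$Account")
}

Show-ServiceAcl
Grant-ServiceStartStop
Show-ServiceAcl   # the ACL should now list MyDomain\Dave with the start/stop rights only
```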

Monday, August 24, 2009

bug report: Firefox 3.x & eBlaster 6.x

I had this problem on a few different XP machines: Firefox crashes over and over. When you select the 'restart' option at the crash message screen it will reopen only to crash again.
All the PCs are Windows XP SP2 and they all have a copy of eBlaster 6.0.3084.
Surprisingly an upgrade fixes the problem...
Installing eBlaster 6.0.3102 (and the required reboot) makes the problem go away...
Nothing on eBlaster's site indicates they did anything to fix the problem but hey, if it's fixing it who am I to complain!

Friday, August 21, 2009

Domain Trust – part I

Aladdin asked princess Jasmine for her trust and she, by the look in his eyes, opened her heart to him and trusted him. Unfortunately real life doesn't work like tales and we can't trust anyone we don't know just because they ask for it, even if they look good…
I noticed (on my favorite forums) that this is a recurring subject, not always easy to understand for new administrators, and I will try to simplify the subject while keeping the important techie details.

Domain Trust is a sharing concept that aims to ease the management of trust in the Active Directory world (aka the real world). It allows 2 separate groups that trust each other to share resources. It makes life easier for administrators in 2 ways: first, they can share resources with other groups, and second, it reduces the number of logins a user has to deal with (and as a result, reduces the number of helpdesk calls).

Scenario (or, what is it good for):
Companies A & B merged but want to keep the networks as they are. You have to allow users from both companies to share files and printers. Establishing a trust between the 2 domains (actually forests) will simplify the process from a long tedious permission setup to a 5 minute trust build-up.

How does it work?
In this post I'll go over some of the basic concepts and later will go over the different types of trusts (One-way, Two-way, Transitive, Nontransitive).
A trust relationship is defined by a secret key that is shared by both forests or domains and that gets updated on a regular basis. That said, when you configure a trust all you have to do is set the same password on both ends and let the system do the rest. The rest is based on the NTLM and Kerberos authentication protocols and on Windows-based authorization and access control mechanisms.
Active Directory domain controllers authenticate users and applications by using one of two protocols: either the Kerberos version 5 authentication protocol or the NTLM authentication protocol. When two Active Directory domains or forests are connected by a trust, authentication requests made using these protocols can be routed to provide access to resources in both forests.
Every trust has a secure channel through which the trust participants communicate. They use the trust password to secure their communication. If the secure channel between them is broken, you need to reset it by resetting the trust password.
Trusts have a user account in Active Directory which can be seen via ADSIEdit. The user account for the Trust is stored in the built-in "Users" container under the domain root. The most useful and powerful tool to test trusts is Nltest.exe, one of the oldest guys in the area but still kicking!

In part II I'll go over the different Trust types.
In part III I'll go over some troubleshooting options.
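As an added example, not from the posts themselves, the script below reads the trust objects that ADSIEdit shows (they live under CN=System in the domain naming context), sorts each one into the One-way/Two-way and Transitive/Nontransitive types that part II on this page describes, and runs the Nltest.exe secure-channel check from this post. It assumes a domain-joined machine, a domain user account and nltest.exe on the PATH; the values decoded are the trustDirection, trustType and trustAttributes flags from the AD schema.

```powershell
# Added example; not part of the blog posts. Enumerates the trustedDomain objects of the
# current domain, classifies each trust (One-way/Two-way, Transitive/Nontransitive, forest,
# external, realm, intra-forest) and verifies its secure channel with nltest /sc_verify.
# Assumes a domain-joined machine, a domain user account and nltest.exe on the PATH.

# trustDirection: 1 = inbound, 2 = outbound, 3 = two-way (bit 2 is set for outbound and two-way)
$TRUST_DIRECTION_OUTBOUND = 2

# trustType: 1 = Windows NT domain, 2 = Active Directory domain, 3 = Kerberos V5 (MIT) realm
$TRUST_TYPE_DOWNLEVEL = 1
$TRUST_TYPE_MIT       = 3

# trustAttributes bit flags
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20

function Get-DomainTrust {
    # One trustedDomain object per partner lives under CN=System of the domain naming context
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $system   = [ADSI]("LDAP://CN=System," + $rootDse.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $system
    $searcher.Filter = "(objectClass=trustedDomain)"
    [void]$searcher.PropertiesToLoad.AddRange(@("trustPartner", "trustDirection", "trustType", "trustAttributes"))

    foreach ($r in $searcher.FindAll()) {
        $partner = [string]$r.Properties["trustpartner"][0]
        $dir     = [int]$r.Properties["trustdirection"][0]
        $type    = [int]$r.Properties["trusttype"][0]
        $attr    = [int]$r.Properties["trustattributes"][0]

        switch ($dir) {
            1       { $direction = "One-way (inbound: they trust us)" }
            2       { $direction = "One-way (outbound: we trust them)" }
            3       { $direction = "Two-way" }
            default { $direction = "Unknown ($dir)" }
        }

        if ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST)         { $kind = "Intra-forest (parent/child, tree root or shortcut)" }
        elseif ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { $kind = "Forest trust" }
        elseif ($type -eq $TRUST_TYPE_MIT)                      { $kind = "Realm trust" }
        elseif ($type -eq $TRUST_TYPE_DOWNLEVEL)                { $kind = "External trust (Windows NT domain)" }
        else                                                    { $kind = "External trust (domain in another forest)" }

        # The secure channel runs from the trusting side, so nltest can only verify outbound/two-way trusts
        $channel = "n/a (inbound only)"
        if ($dir -band $TRUST_DIRECTION_OUTBOUND) {
            $out = nltest /sc_verify:$partner 2>&1
            if ($LASTEXITCODE -eq 0) { $channel = "OK" }
            else { $channel = "BROKEN - reset the trust password (" + (($out | Out-String) -replace "\s+", " ").Trim() + ")" }
        }

        New-Object PSObject -Property @{
            Partner       = $partner
            Direction     = $direction
            Kind          = $kind
            Transitive    = (($attr -band $TRUST_ATTRIBUTE_NON_TRANSITIVE) -eq 0)
            SidFiltering  = (($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0)
            SelectiveAuth = (($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0)
            SecureChannel = $channel
        }
    }
}

Get-DomainTrust | Format-Table Partner, Direction, Kind, Transitive, SidFiltering, SelectiveAuth, SecureChannel -AutoSize
```

An external trust showing SidFiltering False, or a forest trust with SelectiveAuth False, is worth a second look: both settings limit how far the other side's accounts can reach into your domain.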

Thursday, August 20, 2009

TechNet Unleashed NYC event report

I was at one of those Microsoft TechNet NYC events.
It wasn't too fancy (like the launch they plan in Oct) or too crowded. I see it as a big plus because it indicates only people who come to listen are there. Yes, they had a few giveaways but unlike those fancy events it was not about or around them.
Primarily focusing on live demos and real life scenarios, Dan Stolts used a laptop to show Win7 migration from XP, both for home users and enterprise level, demonstrate the very impressive DirectAccess on Windows 2008 R2 and close with Remote Desktop Services.
Dan is a funny guy, a fast talker but loud and clear. Though he had a few technical problems and it was his first round on this event (which always serves as a case study where instructors find the right balance in their timing) you see the guy knows his job, uses it in real life and understands what we, system managers out there, want to hear about.
I was mostly impressed with 2 unexpected things:
First and foremost, how powerful his laptop is. Using a Lenovo he loaded a 4 machine virtual environment (and stated he works with up to 8 with reasonable performance). How strong it is! (8GB RAM does part of the job here). I do not virtualize anything in my current environment (and didn't since my days in school when I just started and had to build a study test environment) but I know to say WOW when I see it.
Second WOW was DirectAccess. This is a great tool for any environment with traveling users, small or large. Getting VPN clients in\out of my network over the years didn't change too much. This is a huge leap forward and can make working from home a delight.
Don't get me wrong, I came in for the Win7 part which was okay but I already knew most of Dan's curriculum. The RDS part was interesting but hey, we're not going there any time soon (ever). But DirectAccess, though we're not going there any time soon, is a big hit which more people should know about. Thanks Dan. This is why I try to attend these events!

Dan promised to have all the videos and data on his blog before the Oct 22nd launch.

Wednesday, August 19, 2009

IM– do we have a choice? - update

Following up on an old post, Pidgin released an exciting new version.
Among many changes there is one huge addition:
voice support with GTalk and voice and video support with the GMail web client.

One more reason to switch!

Tuesday, August 18, 2009

Guidelines for a good Backup plan

I had to restore a file this morning using my B2D job. While I had no problems and everyone is happy, I found it to be the perfect opportunity to go over my backup plan. It can't hurt.

I backup 3 data types:
Email (Domino Server)
User data (aka files)
Active Directory

I’m using Backup Exec for all my backup jobs and most of the time I’m happy with the performance.

Domino backup is done using the Domino agent. Using this article as a reference I back up the Lotus\Domino\Data folder. A weekly cycle to tape with a daily full backup to disk provides a strong backup. One important note that helps me keep the backup at a reasonable size is old users' nsf files. When a user leaves the company we still need to keep the mailbox (compliance, compliance, compliance) but it is not changing and there is no point in backing up the same file every day. I have a folder with old nsf files that I back up once a quarter or after an employee left and the file was moved (that requires shutting down the server, so waiting for a few mailboxes to pile up is a smart move).

User data files, like emails, change on a daily basis, but unlike a mailbox, which is one file that changes daily, there are thousands of different files of which only a few get changed daily or even weekly. I personally do not like the differential backup scheme so I keep a full backup over the weekend and daily incremental backups on top of it. I also keep a full daily backup for important directories, those with critical data and frequent changes. Just in case. That is one of the big advantages of a small shop.

Active Directory is, from an IT perspective, the most critical backup. Using this as a reference guideline it is important to understand the core idea: System State backup is the heart of AD backup and MUST be properly backed up.
Active Directory MUST be backed up in FULL BACKUP mode.
A good backup includes at least the system state and the contents of the system disk. Backing up the system disk ensures that all the required system files and folders are present so you can successfully restore the data.

One last aspect of a good backup plan is testing. You should recover random files on a regular basis. You do not want to be in the position where someone deleted an important file and you can’t restore it!

Monday, August 17, 2009

Account Expiration Date

We have a Group Policy that enforces password changes every 90 days.
When I implemented it, everyone was synced (more or less) to change passwords in the same time frame. Over time it got more complicated to follow the password changes, mostly because some users change it as they get the 14 day warning and some wait until the last minute.

Why do I need to know when users' passwords are set to expire?
This is a good question. The best answer I have for it is: I don't.
BUT (there is always a but) once in a while (and usually the same users) someone will ignore the password expiration notification and will lose access to domain resources. It can happen mid-day and they suddenly can't print, network shares won't open and the desktop (which we redirect to the network) will disappear. When I know that this is the time frame for expired passwords I'll be able to figure it out much faster and prevent it by reminding those users.

How to find the data?
Joe's ADFind is THE tool for this task.
You can adjust the command for users or computers. It works for an OU and you can filter many parameters.
Recently Joe posted an additional piece on this subject. It is worth reading.
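As an added example (my own script, not Joe's ADFind command), this PowerShell lists the users whose password expires within the warning window, computed from the domain's maxPwdAge and each user's pwdLastSet. It assumes a domain-joined machine, a domain user account, and a single domain-wide policy like the 90-day GPO in the post (Server 2008 fine-grained password policies are not considered).

```powershell
# Added example; not the post's ADFind command. Lists users whose domain password expires
# within the next $WarnDays days (or has already expired), using the domain's maxPwdAge and
# each user's pwdLastSet. Assumes a domain-joined machine, a domain user account and one
# domain-wide policy (the post's 90-day GPO); fine-grained password policies are not checked.

$WarnDays = 14   # matches the 14-day warning Windows shows users

function Get-DomainRoot {
    $rootDse = [ADSI]"LDAP://RootDSE"
    [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
}

function Get-DomainMaxPasswordAge {
    # maxPwdAge is stored as a negative 100-nanosecond interval (the same unit as TimeSpan
    # ticks); Int64.MinValue means "passwords never expire"
    $root     = Get-DomainRoot
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, "(objectClass=domain)"
    $searcher.SearchScope = "Base"
    [void]$searcher.PropertiesToLoad.Add("maxPwdAge")
    $ticks = [Int64]$searcher.FindOne().Properties["maxpwdage"][0]
    if ($ticks -eq 0 -or $ticks -eq [Int64]::MinValue) { return $null }
    [TimeSpan]::FromTicks(-$ticks)
}

function Get-ExpiringPasswords([int]$Days) {
    $maxAge = Get-DomainMaxPasswordAge
    if ($null -eq $maxAge) { return }   # no expiration policy, nothing can expire

    $root     = Get-DomainRoot
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.PageSize = 1000
    # enabled user accounts only (userAccountControl bit 0x2 = disabled),
    # skipping "password never expires" (bit 0x10000 = 65536)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
                       "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "pwdLastSet"))

    $now = Get-Date
    foreach ($r in $searcher.FindAll()) {
        $lastSet = [Int64]$r.Properties["pwdlastset"][0]
        if ($lastSet -eq 0) { continue }   # 0 = "must change password at next logon"; no date to compute
        $expires  = [DateTime]::FromFileTime($lastSet) + $maxAge
        $daysLeft = ($expires - $now).TotalDays
        if ($daysLeft -le $Days) {
            New-Object PSObject -Property @{
                User     = [string]$r.Properties["samaccountname"][0]
                Expires  = $expires
                DaysLeft = [Math]::Floor($daysLeft)   # negative = already expired, the mid-day "can't print" case
            }
        }
    }
}

Get-ExpiringPasswords $WarnDays | Sort-Object DaysLeft | Format-Table User, Expires, DaysLeft -AutoSize
```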

Friday, August 14, 2009

Dial-up days

I'm on my vacation and for a week now have had no 3G (edited - AT&T can say but the facts are different), hardly had phone reception and even the WiFi sucks.
Upstate NY is much nicer and cooler than the city, the weather is great but it is a technology stone age. Dial-up, and a slow one!
We spent a day in Vermont where locals told me that only 2 cities get 3G and the rest of the state is totally off!!! Yes, Vermont does look like a European haven but even they get Internet everywhere. So AT&T, in case you missed it: Vermont is a state just like NY or California and upstate NY is part of NY state just like NYC (not that the 3G in the city is fast).
The only upside of this is the fact that my office couldn't contact me most of the week so it was a real Out of Office.
I also found ways to get through a full evening without browsing :-)

Posted via SMS

Friday, August 7, 2009

Going on Vacation

I'm leaving tomorrow for a week.
In addition to the excitement of being out with my family and in a beautiful area, I have my concerns for my shop.
This is the dark side of the OneManITShop: when you leave there is no backup. No one will be there for you. You have to teach some people basic tasks and mostly pray (also for good weather).
I only hope my Firewall crisis covered all bad things for this month…
I'll have my laptop and iPhone, we have WiFi (not sure about phone reception but that can only be a plus) and I really hope I do not have to use any of them.

My Tractor Story (aka ASA)

This is my personal Tractor Story

Remember how my firewall died?
The next morning around 10am FedEx arrived with the new box.
I opened the box and wondered if it was the hardware or the power cable. It was the hardware. A not even 2 year old piece of hardware just lost it.
I copied the config (finally all those tedious Cisco backups pay off!) and it looked fine. Easy. Maybe too easy.
I wanted to use this opportunity to upgrade my software version from 7.2(3) to 8.2(1) and also upgrade the ASDM (which is the GUI console for PIX\ASA). I usually avoid major changes in these situations but how often do you get your production firewall offline for such a job?
Reading all about the upgrade it looked like a straightforward upgrade where none of the configs would be affected. To make sure it is as easy as it looks I called TAC and they told me the same thing: copy the software, reload, good to go. So I did.
Reloading the software was easy, quick and worked just fine. Would it be a short happy afternoon?
After hours arrived and it was time for switching. When I finished all adjustments on the network (remove the backup firewall, change back the D\G and cabling) I started testing with one of my out-of-network colleagues. She was happy about everything but the VPN.
I was looking and searching and found a few missing lines. Copying those lines prompted errors. So WTF is wrong? Took me a while to figure it out (how could I not remember? Because I only did it once when I bought the ASA and never again): the Activation Key was missing, hence all the Security Plus features didn't work and the related config failed to load. Lost a few hours for the reminder.
At that point I had to reload all the missing configuration, which now loaded like a charm. Line by line I got everything back to work and finished this task successfully.
The only thing I still do not understand is the way Cisco handles this. You guys do it every day with thousands of clients. When you send me a new box you know I'll have to reload the Activation Key but even more important, you know that the key I received with the original box will not work. Why don't you automatically create a new key and email it so when the box is here I'll be able to use it???

Wednesday, August 5, 2009

Cisco ASA just died

My firewall lost power around 1:30PM, an out of the blue surprise...
Cisco already shipped a new firewall and lucky me, I have my ISA proxy in working condition just in case. So the case is here!!!
15 minutes later and we're up again via ISA.
Stop. Pray. Breathe.

Browser of choice

The world used to be split between those who used Internet Explorer and the rest of us.
Nowadays the browser world is different and if you still insist we can split it into old fashioned users (mostly on IE) and the rest of us.

In my company the older users and those who fear the computer use IE6. Why IE6? Well, when I tried upgrading to IE7 we had to spend so much time adjusting both to the security features and the new menu structure that for most users going back to IE6 was the only step.
The adventurers use Firefox and they all love it. It is faster and easier to maintain. Since they are more flexible by nature they learn how to configure it with add-ons and make it even better.
Google Chrome, Opera and other browsers are not being used (I wouldn't block them but no one ever asked for any of them).

Since all PCs come with IE any changes must go through me. I have to install it if the user wants Firefox (or any other browser) or upgrade if they want IE7\8.
Whenever IE causes problems I use the opportunity to introduce Firefox to the user in question and usually they make it their new browser of choice.
Though I encourage users to move off IE (let's face it – it is slower!) I do have one big problem: centralized browser management.
My environment uses a proxy server and with IE life is simple: Group Policy pushes all the settings and I can easily change or update parameters.
When it comes to other browsers, or in my case Firefox, Group Policy doesn't work. Yes, there is an adm file out there. Been there, tried that. It is not working!
Even the basic task of pointing all Firefox browsers to the proxy server is a nightmare.
The way I handle it is creating a local fully configured Firefox on my desk and with Chris Ilias' help I create a configuration file. Then all I have to do is distribute it to all clients (requires firefox.exe to be off).
Though it is not too complicated it is a repeated tedious process that I go through with every proxy change.
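As an added example (not the author's or Chris Ilias' file), this PowerShell script writes the two files Firefox 3.x reads for locked settings, defaults\pref\local-settings.js and mozilla.cfg, into a client's Firefox install with the proxy prefs locked, and refuses to run while firefox.exe is open. The proxy host, port, bypass list and install path are placeholders.

```powershell
# Added example; not the author's configuration file. Deploys locked proxy settings to a
# Firefox 3.x install through Firefox's autoconfig mechanism: defaults\pref\local-settings.js
# points Firefox at mozilla.cfg in the program folder, and mozilla.cfg locks the proxy prefs.
# Assumes the script runs as an administrator on the client; the values below are placeholders.

$FirefoxDir = "C:\Program Files\Mozilla Firefox"     # install path on the client (placeholder)
$ProxyHost  = "proxy.example.local"                   # placeholder
$ProxyPort  = 8080                                    # placeholder
$NoProxy    = "localhost, 127.0.0.1, .example.local"  # hosts that bypass the proxy (placeholder)

# Firefox rewrites its pref files on exit, so (as the post says) firefox.exe must be off first
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw "Close Firefox on this client before deploying the configuration."
}

# Tells Firefox which autoconfig file to load; obscure_value 0 means the file is plain text
# (the default, 13, expects a byte-shifted file and would reject this one)
$localSettings = @"
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
"@

# Firefox skips the first line of mozilla.cfg, so keep it a comment. lockPref() also greys the
# setting out in Tools > Options > Connection Settings so users cannot undo it.
$mozillaCfg = @"
// Proxy settings pushed by IT - do not edit by hand
lockPref("network.proxy.type", 1);              // 1 = manual proxy configuration
lockPref("network.proxy.http", "$ProxyHost");
lockPref("network.proxy.http_port", $ProxyPort);
lockPref("network.proxy.ssl", "$ProxyHost");    // the network code reads each protocol's own pref
lockPref("network.proxy.ssl_port", $ProxyPort);
lockPref("network.proxy.ftp", "$ProxyHost");
lockPref("network.proxy.ftp_port", $ProxyPort);
lockPref("network.proxy.no_proxies_on", "$NoProxy");
"@

$prefDir = Join-Path $FirefoxDir "defaults\pref"
New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
Set-Content -Path (Join-Path $prefDir "local-settings.js") -Value $localSettings -Encoding Ascii
Set-Content -Path (Join-Path $FirefoxDir "mozilla.cfg")     -Value $mozillaCfg    -Encoding Ascii
Write-Host "Firefox proxy configuration deployed to $FirefoxDir; it applies at the next Firefox start."
```

When the proxy changes, only the four values at the top change; rerunning the script on each client replaces both files.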

Now in my shop where I control every aspect of the network it is doable, but how does Mozilla (and Google, Opera & anyone else who builds a browser) expect corporations to use their browsers? They should invest less in making it shiny and spend some time on adm files or other Active Directory based solutions.

Tuesday, August 4, 2009

Backup. The Click then Think based industry

The other day one of my users went on a private vacation to Rome. While sitting in JFK he lost his thumb drive which contained an important report he was working on. Security was no problem in this case but there was something much more important – he had already spent 5 working days on this report and he saved it all on his thumb drive. He never thought about keeping a copy on the network. He didn't email it to anyone or to himself (one of the growing backup methods).
The only leftovers from the report were one paper copy and his thoughts. I ended up OCRing his paper report and was able to recover most of the text. It was a few days old and he spent hours updating it. He also had to rebuild his diagrams as they also only existed in the original file.
The end of this story was relatively good but it emphasizes the need for a good backup system where technology covers people's actions.

My first day in the industry I was told by an expert consultant: if you do not know what is going to happen after you click, do not click!
That would be Think then Click.
For some reason this fortune cookie simple piece of advice never reached the world of common users and they use the Click then Think attitude.
Today's world has zero tolerance for data loss.
That is good because we spend hours working on a document, a piece of software or an important email and then with one click it is all lost.
That is bad because our users know they can be reckless and get away with it. Just because the company spends money on backups.

Backup is getting more and more attention and spending on equipment and software is growing. Some of my corporate colleagues have a Backup Specialist position, yes – it is an administrator that does only backup related work.
So what exactly made this niche industry become so important?
Like many other cases it is the user's fault…

Monday, August 3, 2009

Verizon – a mystery even they can’t solve

Did you ever work with Verizon? It is not an easy task as Verizon has many departments which are not synchronized with each other, so you're routed from one place to another.
Here is a story I've been dealing with for more than 3 months and the twist from this morning (don't worry, it is just the beginning).
One of my traders has clients in Europe. He is dialing different countries all over Western Europe and it's working fine. We also have clients in South America, no problems there. The Middle East is also good and occasionally Asia and no problems there too.
On my end all these calls are leaving my AVAYA PBX via Verizon LD (that is Verizon Long Distance, a department within the huge Verizon).
3 months ago this user started complaining that his calls to one country in Europe can't go through. We dial over 10 times each time before it's connected and when it finally connects the quality of the line is low.
I opened a ticket with Verizon every other week for 3 months and finally got a call back from their repair department (yes, a different department that has nothing to do with the LD guys).
I was so excited receiving the call that I wasn't prepared for the surprise that was waiting: the Verizon technician told me that he cannot make the call via the Verizon network either!
Now I'm supposed to be happy that the problem is not on my end, right? WRONG!
He said they couldn't make the call via Verizon LD and when he switched to a different LD carrier it worked fine. Then he sent me to call Verizon LD and most likely switch my LD service to another vendor!!! Unbelievable.

Now part 2 of this story has started and if it ever gets closure I'll be back with all the details.

Sunday, August 2, 2009

Windows 7 – should we upgrade?

When Vista came we all heard the bad reviews and wanted to wait. With Windows 7 around the corner the reviews are mostly good and the question is in the air: should we upgrade?
Vista had many problems, starting with PR, but one of the main real setbacks was its hardware requirements. For organizations who upgraded hardware during the previous 2 years it meant losing the investment for a crappy OS. Not a deal management likes.
Win7 is said to be an improved Vista (which to some extent I agree with) but the same 2 disadvantages I mentioned before are reversed: it has good PR and the hardware requirements are not so frightening anymore. Why? Well, it has been two and a half years since Vista came to the world and all those relatively shiny new PCs back then are now getting old and ready for retirement.
Big advantage. Huge!
During the first Vista days I bought one powerful machine with Vista Business Edition on top. It worked well as far as hardware goes but every simple task took me too long, installations had to run a few times before I managed to figure out all the security features that blocked them and it just didn't appeal. The same box is now running Win7 RC, it does a much better job installing software and managing the desktop, and users who got to work on this box for a few weeks had no complaints. This is the real test, isn't it?
Now that our hardware is getting to the upgrade point, being 4-5 years old, and the new Operating System both supports all our software and makes users as efficient as they are on XP, we can start planning the upgrade.
Our plan is for 3-4 new PCs in October, right as it comes out, and to distribute them to test users in different departments. After 3 months we'll reassess and if everything is working as planned we'll get the rest of the users upgraded, one department at a time.