Friday, November 27, 2009

Me Talking About Wireless Security

This one is me talking about wireless security on a spot with the local TV news in Winnipeg.


http://winnipeg.ctv.ca/servlet/an/local/CTVNews/20080904/wpg_personal_info_080904/20080904/?hub=WinnipegHome

Thursday, November 26, 2009

Runas for Windows Explorer

We do a lot of our support for clients remotely. The offer remote assistance functionality in SBS is a real timesaver for us. Although, offering assistance based on username rather than computer would be a nice touch.

Today I was providing remote assistance to a desktop computer that was out of disk space. The user didn't have sufficient permissions to clean up the disk and I didn't want to work outside of the user's profile. So, I wanted to run Windows Explorer as Administrator.

Here's the command line:
runas /user:domain\username "explorer /separate"

Saturday, November 7, 2009

Ballad of the Duplicate SPN

So, here's the scenario. We need to replace defective hardware with a new computer. We don't need to restore anything in particular, we're just going to put a new server in with the same name as an old one to save some reconfiguration issues.

Step 1: Dcpromo down the server
Step 2: rename Server1 to Oldserver so there is no conflict
Step 3: rename new server as Server1
Step 4: Join Server1 to domain

So far, so good. However, after joining the domain we get this error:
The security database on the server does not have a security account for this workstation trust relationship

We verified that the computer account was there and tried several combinations of rejoining the domain and deleting the computer account. No resolution.

After a bunch of searching, it turns out that there is a property of a computer account that cannot be repeated in other computer accounts. The servicePrincipalName property cannot have conflicting values with other computer accounts. Each computer account should have values that correspond only to its own computer name. However, sometimes when you rename computers, not all entries in the attribute get updated.

You can view the entries for a single computer account by using ADSI Edit. However, that doesn't really help you find conflicts. Instead you can use this command to list the SPNs for all computer accounts and then look for duplicates associated with another computer.

Ldifde -f C:\spn.txt -t 3268 -d dc=domainname,dc=local -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

Looking in this text file we found that the computer account for Oldserver still had references to Server1. We didn't need Oldserver. So, we deleted the computer account for Oldserver and all was good. We could also have used ADSI Edit to change the entries.
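
Scanning the export by eye works for a handful of machines. The following added example (not part of the original post) parses the Ldifde output and reports SPNs held by more than one account, plus SPNs whose host part does not match the account's own name. The sample export and the function names are constructed for illustration, using the post's Server1/Oldserver scenario.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the shape ldifde writes (folded line and base64 value
# included on purpose); names follow the post's scenario, not real export data.
SAMPLE_LDIF = """\
dn: CN=OLDSERVER,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/OLDSERVER
servicePrincipalName: HOST/Server1.domainname.local
servicePrincipalName: HOST/SERVER1

dn: CN=SERVER1,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName: HOST/SERVER1
servicePrincipalName: HOST/server1.domain
 name.local

dn: CN=WS01,CN=Computers,DC=domainname,DC=local
changetype: add
servicePrincipalName:: SE9TVC9XUzAx
"""


def parse_ldif(text):
    """Return {dn: [spn, ...]} from LDIF text, handling folded and base64 lines."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None  # a blank line ends the current record
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9;-]+)(::?)\s*(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":  # "attr:: value" means the value is base64-encoded
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            dn = value
            records.setdefault(dn, [])
        elif attr == "serviceprincipalname" and dn is not None:
            records[dn].append(value)
    return records


def find_duplicates(records):
    """Map each SPN (compared case-insensitively) held by 2+ accounts to its DNs."""
    owners = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def spn_host(spn):
    """Short host name from serviceclass/host[:port][/servicename], lower-cased."""
    parts = spn.split("/")
    if len(parts) < 2:
        return None
    return parts[1].split(":")[0].split(".")[0].lower()


def account_name(dn):
    """Lower-cased value of the leading CN= component of a DN."""
    m = re.match(r"CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else None


def find_foreign_hosts(records):
    """List (dn, spn) pairs where the SPN names a different host than the account.

    Heuristic only: service accounts and cluster names will appear here too.
    """
    hits = []
    for dn, spns in records.items():
        name = account_name(dn)
        for spn in spns:
            host = spn_host(spn)
            if host and name and host != name:
                hits.append((dn, spn))
    return hits


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for spn, dns in find_duplicates(recs).items():
        print("DUPLICATE", spn, "->", "; ".join(dns))
    for dn, spn in find_foreign_hosts(recs):
        print("FOREIGN  ", spn, "on", dn)
```

To run it against a real export, read C:\spn.txt (the file written by the Ldifde command above) and pass its text to parse_ldif. Review the second list by hand, since it is only a name-matching heuristic.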

Tuesday, November 3, 2009

Virtualization on Windows 7

Windows 7 has a nifty new feature called XP mode that uses Windows Virtual PC in the background. My first surprise is that I had to download the software for this from MS which was about 500GB. However, that was the least of my worries.



It turns out that Windows Virtual PC will only run with hardware assisted virtualization. On AMD processor systems this isn't an issue because almost all AMD processors have hardware assisted virtualization. Intel, on the other hand, has been using hardware assisted virtualization as a differentiator between upper and lower end chips for the last several years. Basically trying to get a premium out of it. Many computers with Intel processors do not have hardware assisted virtualization. Unfortunately, my laptop is one of these.



Fortunately, even though it is unsupported (like I'd be calling for support) Virtual PC does run on Windows 7. A blog documenting it is here: http://blogs.msdn.com/virtual_pc_guy/archive/2009/08/19/running-virtual-pc-2007-on-windows-7.aspx.



You can also get Virtual Server 2005 to install on Windows 7 if you really want to, but it is a pretty nasty process. Details are here: http://tfl09.blogspot.com/2009/08/windows-7-and-virtual-server.html.

UPDATE: Microsoft has released an update for XP Mode and Windows Virtual PC so that hardware virtualization is not required. See http://support.microsoft.com/kb/977206

Thursday, October 15, 2009

The End of Novell (for me)

Last week I taught a Novell class for what I think is the last time. It was an eDirectory course for some guys in Vancouver. Overall fun class with good students. However, with limited market share and consequently limited training opportunities, I don't think it is worth my while to update my certs to teach the newer content.

I remember when......
  • about 70% of organizations used Novell NetWare
  • file and print services were all that were expected of a server
  • NetWare was more stable than Windows (by a lot)
  • GroupWise had reasonable market share
  • Microsoft was the underdog for server side computing
  • IPX/SPX meant I didn't really need to understand the network configuration

Goodbye NetWare, eDirectory, and GroupWise. It was fun while it lasted. SUSE I hardly knew you.

Tuesday, October 6, 2009

MTS BlackBerry in Vancouver

I'm in Vancouver teaching a course this week and have my BlackBerry along for the ride. In downtown Vancouver, data support for an MTS Blackberry is very spotty. What I mean is that it sucks.

Right now, my data synchronization for e-mail and even BlackBerry messenger is sporadic at best. Data connectivity is for brief periods of time every hour, two hours, or even four hours. Occasionally, disabling my connections and reenabling them will trigger the data to go on again. Removing and reinstalling the battery sometimes triggers it as well.

If I came here often, I'd need to look at a different provider....Or an iPhone.

Java Woes

One of our clients uses a Java-based financial app that loads from a web page. As part of resolving another issue, I removed and reinstalled Java from the workstation. It never occurred to me that I should test the financial app because it had not given me problems in the past when I applied updates. Also, I don't have a logon for that app because it would give me access to the data related to their customers.

Anyway, on Monday morning I get a polite call telling me that the app is not working. This app requires the user to accept a certificate from the vendor the first time it is run, and I assumed that the user accidentally said no to accepting it. So, I took remote control and it definitely did not work. The error complained about security in a roundabout and cryptic way.

After some testing and tweaking, no fix. Later when doing some research (ok, Google searches) I found out that this is a bug in the last two releases of Java for apps with certain characteristics. I had installed Java 6 update 16. The last version without the bug was Java 6 update 14. Remove the new version, install the old and all was fine. Fortunately all the older versions of Java are archived and easily available.

Monday, September 14, 2009

RDP on an Alternate Port

Sometimes we have multiple computers in a location that we want direct RDP access to. The simplest solution is to change the port that RDP is listening on. This article has the necessary registry key: http://support.microsoft.com/kb/306759

Yesterday I did this on our new Windows 2008 e-mail server to allow outside access, but could not connect to the new port number or the old port number. It turns out that Windows Firewall was the culprit. I assumed that the Windows firewall rule would be hooked in to the service executable. However, there is a rule with a hard coded TCP port instead.

So, when you change the RDP port number, remember to create a new incoming rule that allows that port.

Friday, August 14, 2009

IE8 HTTPS warning

Over the last few days I've been using Outlook Web Access to read e-mail. A lot of the bulk mail messages I get have graphics in them. OWA uses https, but the graphics are using http. So, IE8 gives you a warning asking:

Do you want to view only the webpage content that was delivered securely?


My instinct is to hit the Yes button to show the graphics. However, you need to select No.

However, you can disable this warning. The steps are located here: http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

Friday, August 7, 2009

Links = File System Flexibility

I won't pretend to know the results of all the possible configuration options. However, I think that using links in the file system is a great way to expand space on an existing C: drive.

I have one workstation that I do 90% of my work on. This computer has a lot of apps and a ton of data (no lectures about the home server please). My 250GB drive is almost out of space and I'd like to increase performance of my VMs.

The MS courses use C:\Program Files\Microsoft Learning for the VMs. I don't have an option to move this. However, I can configure that path as a symbolic link to another location instead. So, my C:\Program Files\Microsoft Learning is now a link to V:\Microsoft Learning. This allows me to put all my VMs on a separate drive. If I get inspired later on, I may split the differencing drives from the base drives for even better disk performance.

The MKLink command creates the links.

Wednesday, August 5, 2009

For God Sakes, Plan for a Disaster

Two incidents recently drove home the importance of planning disaster recovery for me this week. One was a client. Sadly, the other was our server.

First the client. Like many clients, this one is using a USB drive for backup of a computer that does peer-to-peer sharing on the network. All of their accounting data is on this computer as well as other files. After a period of time they stopped doing the backup. You know the excuses, none are good, but all of us start to slack off over time.

So, the hard drive in this computer dies, no backup. We got lucky and after I moved the drive to a different computer, it was readable, and we got the data. But it was coming up as a hardware failure in diagnostics.

Now for our server. It is located in a basement. The water main in the basement broke and filled the basement with 6 feet of water. We did have a backup, but it was with the server. So, always do an offsite backup. Fortunately for us, all we lost was some configuration documentation and the billing info for the last month. We were able to recreate the billing info and we can figure out the documentation again.

We will not be caught like this again. We will be implementing a full offsite recovery plan. And it will be automated, so we can't get lazy about it.

Friday, July 31, 2009

Multiple instances of Excel

I do a lot of work with multiple spreadsheets, many of them open at the same time. It has always annoyed me that when you double-click a spreadsheet it opens in the same Excel window.

In the past I found that the work around was to open one spreadsheet. Then open Excel from the Start Menu and open the second spreadsheet from within the second instance of Excel. Another workaround on the web talked about disabling OLE in some way, but that one killed functionality I needed.

However, today I found a better solution for me. I created a shortcut in the Send To menu that directs files to Excel. When I use this, it opens in a second Excel instance.

Details on the Send To: http://www.howtogeek.com/howto/windows-vista/customize-the-windows-vista-send-to-menu/

Still not quite as good as just double-clicking, but much better than a manual open of Excel.

Tuesday, July 28, 2009

Office 2007 Trial as a Marketing Tool

We have a relatively new client, in which we are replacing another support provider. A number of the computers have Office 2007 Trial version installed that is just now expiring. I am sure the point was to demo the software and make the sale, but there was no communication with the staff.

End results of installing trial software without a formal evaluation process:
  • Staff are annoyed when trial software expires and ceases to work
  • Productivity is lost while staff figure out they can still open documents manually in Office 2003, but not by just double-clicking the doc
  • Client pays $$ for me to uninstall Office 2007
  • No sale is made because no actual evaluation is done
  • Waste of everyone's time and $

Saturday, July 18, 2009

Stop SBS from Shutting Down

We are currently migrating a client from SBS 2003 to SBS 2008. We've joined the new computer to the domain, and run DCpromo on the SBS 2003 computer to remove the DC status. However, after seven days, SBS 2003 will start giving an error stating that it needs to be a DC and will shut down every 60 minutes (http://support.microsoft.com/kb/555087)! We need another few days to work on the migration.

The Microsoft recommended solution for this is to insert disc 1, run setup, and remove the SBS 2003 component. This will leave a plain Win 2003 server without the shutdown issue. However, when I attempted to do this, setup errored out indicating that I was trying to upgrade to an older version which was not possible. Removing service packs may have worked, but here is a faster work around taken from a guy named Alan (http://social.microsoft.com/Forums/en-US/whssoftware/thread/af4fc3b4-bb50-4c5e-b09a-72ef2c3ac687):

I've found a slightly more elegant solution to this problem rather than just
aggressively killing the process until Windows gives up trying to start it
again, and I'd like to share it in the hope that Google will re-index and pick
it up for others to use. You may have noticed this service cannot be disabled
via the MMC snap-in.

My search term on google was: how to stop the SBCore
service. Anyway, down to business…

- Tools you'll need – Process Explorer from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

As you probably know, you have a service called SBCore or "SBS Core Services",
which executes the following process: C:\WINDOWS\system32\sbscrexe.exe. If you
kill it, it just restarts – and if you try and stop it you are told Access Denied.

If you fire up Process Explorer, you can select the process and Suspend it, now we can start to disable the thing. Run regedit and expand the nodes until you reach the following hive/key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBCore. Right click this, hit permissions and give the "Administrators" group on the local machine full access (don't forget to replace permissions on child nodes). F5 in regedit and you'll see all of the values and data under this key.

Select the "Start" DWORD and change it from 2 to 4 – this basically sets the service to the "Disabled" state as far as the MMC services snap-in (and windows for that matter) is concerned.

Next, adjust the permissions on the file C:\WINDOWS\system32\sbscrexe.exe so that EVERYONE account is denied any sort of access to this file. Then go back to process explorer, and kill the sbscrexe.exe process, if it doesn't restart – congratulations!

Load up the services MMC snap-in and you should find that "SBS Core Services" is stopped and marked as Disabled.

Enjoy,
Alan :)


Note: When you run Process Explorer through Terminal Services, you are unable to suspend the process. I had to go on site to perform this process.

Fault in Wininet.dll

Yesterday I had a Windows XP client computer that generated a fault in Wininet.dll each time Internet Explorer 7 was started. And since IE seems to have hooks into a whole bunch of applications, those applications would error out as well. These included Help and Support and Simply Accounting (seems that the .NET Framework was affected).

  1. My first thought was to go back to an earlier restore point, but I couldn't because it would crash each time I opened Help and Support.
  2. Next I created a new user and logged on as that user. This new user didn't experience the same issue, so I knew it was related to user settings rather than system settings.
  3. Restored a restore point, but the original user issue was not resolved. However, now at least I could do some research by using IE and the new user account.
  4. During research, I found a few articles talking about clearing cache with this issue. They were for older versions of Windows and IE, but I figured I'd give it a shot.
  5. I was unable to clear the cache by using the Internet Options in Control Panel because it errored out. I was able to delete the files manually.
  6. After the cache was cleared, all was good.

Desktop Support for the Server Guy

For the last number of years, I've been mostly a server guy. Lately due to changes in workload at the office I've been doing more desktop support as well. Most server guys I know do not like working on desktops. It is not because we think the work is beneath us, or even dislike interacting with users (for most of us anyway). The main reason server guys don't like working on desktops is the variability.

A server is a controlled environment. Most servers run a limited number of applications and the applications installed are known. In addition, there is a limited range of settings that are commonly configured. On a desktop computer, all options are open, because there is no telling what a user has done with their computer. This can be challenging for sure, and sometimes even intimidating when a problem occurs. Not to mention that the solutions sometimes are just crazy.

Yesterday, I was working on a desktop computer with multiple applications erroring out. The solution ended up being to clear the cache in IE. That's just plain weird.

Thursday, July 9, 2009

When in Doubt, Reinstall

I think all of us with a technical orientation have a tendency to get too fancy on occasion instead of keeping it simple. This applies at a lot of levels, including design. Usually on each project I have at least one moment where I have to smack myself and get back to basics.

Yesterday I was troubleshooting a Java application that launches from a Web page, but is a stand-alone app when it runs. It was complaining that the server could not be contacted. Here was my process:
  1. Verify only one computer is affected
  2. Clear the Java cache - no fix
  3. Install latest Java update - no fix
  4. Reboot computer just to be sure - no fix
  5. Start monkeying with Java settings - no fix
  6. Try from a different user profile on the same computer - still broken
  7. Install a packet sniffer to monitor traffic - no obvious errors

What was the fix? Easy. Uninstall all Java components and then download and install the latest Java. Wish I had tried that a bit earlier.

Friday, July 3, 2009

BES Calendaring Weirdness

This has only happened with one client. So, I'm not sure how widespread it is. However, based on Googling the issue, it seems to be pretty frequent.

Some users were getting a red X when attempting to reply to meeting requests. Also, some meetings were not being synchronized properly.

To resolve this issue we had to update the cdo.dll file on the BES server. The version on the Exchange server was relatively recent. The version on the BES server was several years old. Apparently it is a best practice for BES to use the most recent cdo.dll file from any of your Exchange servers.

The steps to resolve were:
  1. Copy C:\program files\exchsrvr\bin\CDO.dll from Exchange server to BES server (same path).
  2. Reregister the dll (regsvr32 cdo.dll)
  3. Restart BES server (probably could just restart services, but why mess around)

Problem resolved.

Props to Shaw Cable for good service

My Internet service has been flakey for about the last week. So, yesterday I finally decided to try and get to the bottom of what was happening.
  1. 2pm...Try an Internet speed test - results showed same upload and download speed of about 1Mbps. Hmmm. I should have about 10 Mbps download.
  2. 2:05pm...Reboot router - No change.
  3. 2:10pm...E-mail Shaw - They request results from internal speedtest at speedtest.shaw.ca. Hmmm. Only 500Kbps now.
  4. 3:30pm...Restart cable modem - Ooops. Internet gone and not coming back.
  5. 3:35....Call Shaw tech support- they check signal strength and it's low. Appointment scheduled for next day (not bad for consumer level stuff).
  6. 3:45....Start to panic about what to do with no Internet, but remember that e-mail still comes in on the Blackberry. Take a deep breath.
  7. 4:00pm...Take laptop to the second floor to search for unsecured wireless. Find about 8 networks, but all secured. Phooey.
  8. 4:30pm...Remember that I have splitter on the cable. Remove it and Internet comes back. Whoo Hooo.

When the Shaw guy got here today I explained about the splitter. He indicated that it was likely the cause, but wanted to test signals anyway.

After about an hour of him troubleshooting, it turns out that the line into the house from the street is bad. He's recommended replacing it, but they likely won't get to it for a few months. In the meantime, he put a booster on the Internet line and all is good.

Total turn around 24hrs.

Wednesday, June 24, 2009

Common Blackberry and BES Issues

We have several clients using Blackberry devices and Blackberry Enterprise Servers (BES), which allow the Blackberry devices to integrate with Exchange mailboxes. I should also note that there is a version of BES called Professional edition (or something similar to that). The Professional edition is the same as BES, but is free and limited to 25 users. Where I live (Winnipeg, Canada) you get a free Professional licence with each Blackberry device.

The two most common issues we see:
  • Device suddenly unable to send or receive email. We are seeing this on newer devices and it seems to be a weird hardware/OS issue in the device. The only fix we have found for it is removing and replacing the battery. This forces a full reboot (no data lost). We have not been able to determine any specific circumstances that cause the issue.
  • Device able to receive new messages, but not send. This occurs when the service account for the BES server does not have the correct permissions to the mailbox of the user. The fix for this one is to give the BES service account Send As permissions to the user. Again, this seems to be a somewhat random error. It happens to individual users sometimes and we've never found a source.

Tuesday, June 23, 2009

Windows Server 2008 Foundation

I thought I knew all the editions of Windows Server 2008. Apparently I missed the Foundation edition. I think it's relatively new. It is also available only through OEMs.

Here is the basic rundown of the Foundation edition features that make it different from Standard edition:
  • Does not include Hyper-V
  • Does not include server core
  • Limited to 15 simultaneous user connections
  • Separate licencing from CALs (may be cheaper)
  • Lower cost
  • Only available through OEMs

The Foundation edition can still be used for:

  • Domain Controller
  • Terminal Services (need the TS CALs, limited to 15 users still)
  • Remote access
  • Application server
  • File and Print server

Looks like an interesting option for smaller environments that need a basic server and don't want to kick out the $ for a full server or SBS. I can think of one client right now who could use this.

Free AV Software

There have always been a few free anti-virus products out there. They lure you in with a base product and then try to upsell you to a more configurable product. AVG antivirus is probably the best known.

Well, Microsoft is about to become one of the biggest AV software providers out there. Microsoft Security Essentials is now in beta. This replaces the One Care product that I don't think was overly successful in the market place. However, MS Security Essentials is free, and that's an important distinction.

Only 75,000 downloads of the beta are allowed here: http://www.microsoft.com/security_essentials/market.aspx.

I'm in Canada. So, I can't try it out. Only for the US, China, and Brazil.

Tuesday, June 9, 2009

Increase simultaneous downloads in IE

By default IE allows only 2 downloads at a time (IE7 and previous). To increase this, you need to modify a registry key. Every time I get a new computer I end up modifying this.

So, this post is as much for me as anyone else. This link has the key to modify and even a nifty automated process for increasing the simultaneous downloads to 10.

http://support.microsoft.com/kb/282402

Monday, June 1, 2009

Create Your Own E-Learning

Microsoft has publicly released a tool for creating e-learning courses. This is the same tool we use when we create the official Microsoft E-learning courses. It is called the Learning Content Development System (LCDS).

Version 2.3 has just been released which includes a spell checker. In general it is a good tool for its defined task. You create a variety of Web pages including quizzes and adventure activities through the included templates.

There are templates for providing demonstrations and animations. However, those must be created outside of LCDS using third-party tools such as Camtasia (from Techsmith).

Check out LCDS here: http://www.microsoft.com/learning/tools/lcds/default.mspx

Thursday, May 28, 2009

Free Remote Desktop through Firewall

I've been a fool for too long. There is a FREE (yes, FREEEEEEEEE!) tool for performing remote desktop through firewalls. LogMeIn.com has a free version of their tool for remote desktop access through firewalls.

This tool is excellent for users that want to remote control an office or home PC when they are in different locations. It is not as well suited for IT professionals that want to control PCs within the internal environment for repairs.

The biggest benefit of this software is that no firewall configuration is required. After the agent is installed on the PC, it initiates the connection out through the firewall on port 80. If your computer has web access without authentication, then game on.

If you need other tools like the ability to transfer files or print, then you can upgrade to another version with a monthly fee. The other main alternative product with a monthly fee is GoToMyPC.

Tuesday, May 26, 2009

Exchange 2007 Backup on Win2008 - Finally!

This may be not overly relevant to many environments, but Microsoft is finally releasing a solution for backing up Exchange 2007 when running on Windows Server 2008. When you install Exchange 2007 SP2 the functionality is added.

If you have SBS2008, this functionality is already there. If you are a large organization, you likely have third party backup software that performs Exchange 2007 backups. However, for mid-sized organizations trying to save a few $ on backup software, this is a life saver. I know of one client that will start using this immediately.

For more information see:

Saturday, May 23, 2009

Testing Exchange 2007 connectivity

When you configure Outlook Anywhere or RPC over HTTP, the error messages from the client side are basically useless. However, there is a new Web site that simplifies the troubleshooting process.
When I used it to test RPC over HTTP connectivity to our Exchange 2003 server, it came up with an error on our GoDaddy certificate. However, the certificate is legitimate and works fine for both Web stuff and RPC over HTTP. So, perhaps there's a reason it's still in beta.

For a more detailed description of the tool see this article from the MSExchangeTeam:

Friday, May 1, 2009

Windows 7 Backup

I was playing with Windows 7 today and I noticed that the backup utility is much improved over Vista. Two big things:
  • You can backup just specific files and folders. In Vista, it was done on a per volume (drive letter) basis.
  • The disk you back up to does not need to be dedicated to backup. So, you can just keep a folder for backups. Vista took a whole partition and then hid it from you so that you couldn't put other data on it.

Monday, April 27, 2009

Windows 2008 Failover Clustering

I just taught the Windows 2008 clustering course last week and figure I better get some notes related to it before I forget. It seems that every course I teach, no matter how much I think I know, I have new info highlighted by students' concerns or just plain old figure out something new. This course was no exception:
  • Clustering in Windows 2008 is much easier than previous versions of Windows. The wizardized process is very easy. You barely need to understand what clustering is to get this up and running.
  • Printer clusters now store their drivers as part of the printing cluster on shared disk. You no longer need to worry about synchronizing drivers on different cluster nodes.
  • File share clusters are accessible only by name and not IP address. It seems like they are using a technology similar to host headers on an IIS Web site.
  • iSCSI shared storage can be accessed two different ways. Both nodes in the cluster can share the same target (the way I've always done in the past) or two targets can be created that point to the same LUN on the SAN, one target for each cluster node. Both function fine. However, having two targets on two separate HBAs in the SAN can provide some redundancy and opportunity for higher performance.

Wednesday, March 18, 2009

Exchange 2007 Resource Mailboxes

One of the new features in Exchange 2007 is built-in support for managing resource mailboxes. The help docs for this, to me, seemed a bit difficult to understand. I've been meaning to go through and write a decent guide on how to use them, but never got around to it. Turns out the MS Exchange Team beat me to it. However, since this is way past release, none of us were particularly speedy on this. Here's the link:

http://msexchangeteam.com/archive/2009/02/26/450776.aspx

Tuesday, February 17, 2009

Data Protection Manager for Hyper-V

I've been doing a lot of work with Hyper-V and System Center Virtual Machine Manager 2008 for a recent project. Backup needs to be addressed as part of this project. So, I started testing out Data Protection Manager (DPM) and found it to be quite nice. I'd been meaning to take a look at DPM, but never got around to it. Overall it looks like a good and reasonably priced solution for MS shops. There is no agent available for non-Windows servers.

The big thing with DPM is that it's disk-based backup with an option to go to tape. Your initial backup on a server is a full backup, but after that, it's all snapshots. Makes a daily backup go much faster. You can archive to tape on a schedule that you determine. So, cool from that perspective.

Now for backing up Hyper-V and Virtual Server VMs you have two options. First, install an agent in the VM and backup the VM like a physical server. This option gives you the most flexibility because you can choose what data to back up and what data to restore. However, you also pay for an agent on each VM.

An alternative is host backups. Host backups are done only at the host level, rather than at the guest level. If the OS and applications in the guest are VSS aware (they have a VSS writer), then a backup can be performed without taking the server down or pausing it. VSS is used to make all data consistent before a snapshot is taken and the vhd files are backed up.

The upside to host-based backups is lower licensing costs. A single DPM license is installed at the host level and all VMs are backed up with this single license. The downside is recovery flexibility. You can only restore an entire VM. However, if you did need specific files, you could restore the VM to an alternate location and then extract the files you need by mounting the vhd. A pain, but doable and may be worth it depending on the $ you are saving.

For more information about backing up VMs on Hyper-V and Virtual Server, check out this link: http://edge.technet.com/Media/DPM-2007-SP1-Protecting-Hyper-V/

Thursday, February 12, 2009

Delegating Management of Exchange 2003 Contacts

I had a client ask for this recently. So, I thought I'd post it up.


The steps are:

  1. Open Active Directory Users and Computers.
  2. Right-click the OU (or domain) you want to delegate Contact administration for and then click Delegate Control.
  3. Click Next.
  4. Add the users or groups that you want to delegate control to and click Next.
  5. Click Create a custom task to delegate and then click Next.
  6. Click Only the following objects in this folder and select the Contact objects checkbox from the list.
  7. Select the Create selected objects in this folder and Delete selected objects in this folder checkboxes and then click Next.
  8. In the permissions list, select the Full Control checkbox and then click Next.
  9. Click Finish.

That should give the user or group permissions to manage and create only contacts for the OU or domain that was selected. By default, these permissions will flow down and be inherited by lower OUs.

The user will then use AD Users and Computers to create the contact objects. If you want to get fancy, you can create a custom view for the user to limit what they actually see. The version of AD Users and Computers that is used by the user will need to be updated with the Exchange 2003 management bits by installing the Exchange 2003 admin tools; otherwise, it can’t mail-enable the contacts.
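The same delegation can be scripted with dsacls instead of the wizard, which also makes it easy to review what was granted. This is an added example, not part of the original post; the OU distinguished name and group name are placeholders, and it assumes dsacls.exe is available on the machine where it runs.

```powershell
# Added example: command-line equivalent of the Delegation of Control wizard steps.
# $ou and $trustee are placeholders (assumptions); substitute your own values.
$ou      = 'OU=Contacts,DC=example,DC=com'
$trustee = 'EXAMPLE\ContactAdmins'

function Invoke-Dsacls {
    param([string[]]$Arguments)
    # Run dsacls and stop the script if it reports a failure.
    & dsacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed: $($Arguments -join ' ')"
    }
}

# Steps 6-7: create child / delete child (CC, DC) restricted to contact objects,
# applied to this OU and its sub-OUs (/I:T).
Invoke-Dsacls @($ou, '/I:T', '/G', "${trustee}:CCDC;contact")

# Step 8: Full Control (GA) on contact objects only, applied to sub objects (/I:S).
# The third field is the inherited object type, so the ACE never applies to
# users, groups or computers in the same OU.
Invoke-Dsacls @($ou, '/I:S', '/G', "${trustee}:GA;;contact")

# Read the ACL back and show the entries for the trustee with a little context.
# Each entry should be scoped to contact objects; anything broader means the
# group holds more than the delegation was meant to give.
& dsacls.exe $ou | Select-String -SimpleMatch $trustee -Context 1,2
```

Because the grant is inherited by default, run the read-back against a lower OU as well to confirm the entries appear there as inherited.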

Tuesday, February 10, 2009

Finally a Use For IPv6

I finally have a good reason to use IPv6. In my test environments for creating classroom labs and activities, the computers are always using a different IPv4 address range than my internal network. However, with IPv6 automatically enabled in Windows Server 2008 and Windows Vista, I can still copy files directly to the virtual machines from my regular workstation.

IPv6 automatically creates a link-local address for each computer. This allows communication between computers on the same logical network without any manual configuration. This is similar to APIPA addresses in IPv4, except, link-local addresses are done in addition to any other addresses, not as a replacement.

In this setup, I can use regular UNC paths even though the computers are on different IPv4 networks. Sweet.

Also very useful for remote control.

Hyper-V Manager from a Non-Domain Computer

As part of a project I'm working on, I need to remote control a Hyper-V guest using Hyper-V Manager installed on a Vista computer that is not part of the domain. Basically, I don't want to put my regular workstation into my test domain. After a bit of pain, the simplest solution I found is this:
  1. Create an account in the domain running Hyper-V that has the exact same logon name and password as the account being used on the Vista computer.
  2. Configure COM on the Vista computer to allow anonymous remote connections.

Then BOOM! It works. And you can do your screen recordings remotely.

For click-by-click instructions on configuring COM, see step 7 in this blog: http://blogs.technet.com/jhoward/archive/2008/03/28/part-2-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx

Monday, February 2, 2009

Groove for File Backup on a Laptop

When my laptop lost the hard drive last week, I was very lucky. Like most people I did not have a backup of anything on my laptop. Luckily there was only one file on there that I cared about and recreating it will take only about an hour. However, I've decided I do need a solution for syncing my laptop files.

I don't run a server in my house right now. So I thought I'd give Groove from MS Office 2007 a try. One of the features in Groove is file synchronization between hosts in a shared workspace.

A few things I've found out:
  • The 64-bit version of Groove 2007 does not support file sharing workspaces. You can still sync files, but all of the files are stored in the Groove database instead of just syncing part of the file system.
  • There is no easy way to save a file into a Groove workspace. You must copy a file into the workspace and then open it from the workspace. While you work on the open file a temp copy is placed on the hard drive. When you close the document, the changed version is placed back into the Groove database. I would have preferred browsing to Groove workspaces through Explorer (although there's a 3rd party add-on for the low low price of $60USD per seat).

In the short-term at least, this appears to be a workable solution for me. It will synchronize my basic Word documents and graphics. But the fact my apps can't save directly to a workspace without first opening the file from that workspace is definitely clunky.

Friday, January 30, 2009

Credit to Dell

I wasn't thinking happy thoughts about Dell yesterday when my laptop hard drive died. However, after about 15 minutes on the phone with tech support, a new hard drive was on the way and arrived just about 24 hours after I called. Pretty good turn around.

I've taken the opportunity to upgrade the laptop to 64-bit ultimate since I need to do a reinstall anyway. No sense having a laptop with 4GB of RAM on a 32-bit OS. A 32-bit OS only sees a little over 3GB.

100% Depreciation for Computers

As part of the new budget in Canada, it has been announced that computers purchased between Jan 27, 2009 and Feb 1, 2011 can be depreciated at 100% CCA. This means that computers are effectively treated as an expense and you can write them off in a single year instead of depreciating them over time. This would apply to both workstations and servers. Nice to see.

From a business perspective, it means that your taxes more closely match your cashflow. Or, if you finance, you get the tax writeoff before you are even done paying for them.

Thursday, January 29, 2009

Retail or Online Discounter?

I recently purchased some wireless headphones with a microphone. My intent was to use them for creating elearning courses. I thought the wireless option was cool. After shelling out about $130, I got them home and found that the microphone had way too much static for producing elearning. It might have been Ok for playing games, but not something that needs to be polished.

I was very happy that I picked them up at a major retailer and just returned them the next day. I might have been able to return them to an online discounter, but would have been out shipping at the very least.

Saturday, January 17, 2009

Ex2003 Public Folders and SSL Cert

When attempting to manage public folders on an Exchange 2003 server using System Manager, I received an error.

The token supplied to the function is invalid.
ID no: 80090308 Exchange System Manager

The problem is SSL being required on the Exadmin folder in the Default Web Site used for Exchange management. This is only a problem when a third party SSL cert is installed because the internal name does not match the external DNS name used on the cert. In addition to disabling SSL for the Exadmin folder, I also had to use ADSI edit to remove the secure port in the Exadmin object in Active Directory. Now life is all good.

Detailed steps are at the bottom of the page here: http://hellomate.typepad.com/exchange/2004/04/public_folder_e.html

Thursday, January 15, 2009

MOSS 2007 Audiences for List Items

So, today we found a huge error by omission in the 5061 MOSS course I was teaching. An activity has you activate audiences for an announcement list and then assign audiences directly to items. For the first time I actually had a student test the functionality instead of just assuming it works like the book says. Turns out, it doesn't.

Most Web parts are not capable of reading and filtering items based on audiences. The Content Query web part is. So, you need to use a Content Query web part to filter the items in the announcement list based on audience. Not as pretty, but functional.

Personally, I'd stick with using audiences at the Web Part level rather than item level. There are no special requirements for that to function.