Wednesday, January 28, 2009

Fun with Exchange mailboxes, part 2...

I'm in the middle of upgrading our organization to Exchange 2007 from 2003, and I'm currently "enjoying" the effects that adding a 2007 server to our Exchange organization's having. Not only does it screw our existing global address list, but helpfully, it's also "updated" it so that I can no longer administer it from the Exchange 2003 box. Marvellous.

I've also discovered that I've got a few shared mailboxes out there that have disappeared, altogether, from any address list. So now, I can't even get my users to see them - which is lovely for our internal marketing, as we're rolling out a new desktop image. It's an issue I can really do without. Tonight I'm going to rebuild the Recipient Update Services on the 2003 box and hope like hell something shows up tomorrow.

On the image rollout, we've been ordered to put Office 2007 on the new image, which as you probably know, is more different to previous versions of Office than any release ever. One would expect some staff training - for our users - to be in order, then. But no. The person who's supposed to be doing THAT, had Office 2007 installed nearly a year before everyone else for precisely that reason, and who was one of the main drivers for putting Office on seems to have rinsed their hands of it. No guessing which department everyone's looking at to blame. IT and short memories seem to be natural bedfellows around here.

Thursday, January 22, 2009

Plate full of Password Problems

Every week or so something fun gets tossed onto my brimming plate, and today it's the turn of password management. It's a pain in the ass, full stop, and now I'm to look at smoothing troubled waters by implementing some kind of solution that'll enable our users to reset their own passwords: memorable question kind of thing. It's the kind of thing that even a year ago would have had me in a cold sweat, thinking of all the possible security horrors. I seem to have undergone some kind of transformation though - if it adds to the user experience, makes students and the helpdesk's lives easier, then I'm all for it, and I'll deal with the security horror if it appears. Quest's Password Manager looks like it might do the do. How easy it'll be to implement is, of course, entirely another matter.

So Microsoft's officially cutting jobs. And they can't even bring themselves to issue a revenue / profit forecast. Share price fell nigh on 10%. Not a good week for them.

Wednesday, January 21, 2009

Citrix finding a new raison d'etre?

I talked before about Citrix being a company in need of a new killer app. Virtualization, it seems, is where Citrix are putting their money on their new future being.

They paid out $500m for open-source virtualization company XenSource, and have been aggressive in pushing their new baby. They've also got an interesting take on the cloud / no cloud thing. They reckon companies need internal clouds first - hosted of course, on Citrix virtualization / application delivery boxes - to be ready to take advantage of the opportunities when the bridges to the real cloud fall into place. They've developed Citrix Cloud Center too, to push to the third-party cloud vendors, just so you're in no doubt they're serious.

Now they're collaborating with Intel, creating a bare-metal hypervisor based on the Xen one, probably aimed at delivering virtualized desktops, which will have the considerable bonus of being fully encrypted.

Now all they need to do is get the Xen hypervisor integrated with HP's industry leading System Insight Manager. Fortunately, it's apparently "on the list."

Just when I thought they looked dead and buried, Citrix suddenly looks like it might not be takeover fodder after all.

Tuesday, January 20, 2009

Fun with Outlook Address books; Cisco looking for a fight.

I'm having fun with Outlook Address Books this morning. A couple of weeks ago I built and introduced an Exchange 2007 server, looking towards migrating our accounts over from Exchange 2003. I created connectors between the two servers, and they're seeing each other fine. I pulled over a test mailbox, which seemed to go smoothly although I haven't been able to fully check that out yet because I need to update the ACL's on our PIX firewalls to include the new server.

So far, so good, until it was pointed out to me that somehow, mysteriously, the behaviour of my users' address books in Outlook has changed. One set of users defaulted to one address list, another to another - both stored below the Global Address list. Now, those lists aren't visible from Outlook, even though they both still work as email distribution lists. Confused yet? I am.

So I've populated two address lists above the GAL and they work fine, only problem being I haven't yet sussed if I can push our users to these via Group Policy, which would be ideal. So for now, the helpdesk are going to have to sort it - if someone complains, which as yet, they haven't. I know they will though, and probably before I fix it.

On another note, it looks as though Cisco are wading into the Blade-Server market. Coming hot on the heels of news that they're planning on wading into the virtualization market too, and in the face of HP's switch/routing challenge in the shape of Procurve, it's beginning to look more than a little like the day when KFC peddled their first burger and Ronald McDonald deep-fried his first chicken bollock. Hopefully, like that happy day, this ends up as good news for the customer, but with no sickly aftertaste, clogged arteries, or lingering sense of guilt attached.

Monday, January 19, 2009

Opera slings mud at Microsoft, sticks.

So the antitrust thing's back. The EU says Microsoft's violated competition laws by continuing to include Internet Explorer with versions of Windows. Opera, the original re-complainant, is understandably delighted.

So where's Microsoft go from here, other than back into the courtroom? Given that the fine dished out by the EU last time was 899 million Euros, it's a fair bet that someone's going to be digging into their pockets, deeply.

And with Microsoft feeling the pinch - its share price this morning stood at $19.71, down from over $35; and with persistent murmurs of impending cutbacks - now represents perhaps the EU's best chance to get the software giant to sit up and listen, properly.

Yes, the last antitrust issue before the EU was different - that was to do with Microsoft getting in the way - as the commission saw it - of other vendor's attempts to get their software to work properly on Microsoft operating systems.

But the EU budget's not getting any smaller, and member countries are raising less tax revenue than six months ago, thanks to the recession. Milking the Redmond cash cow might, in the once-removed eyes of European ministers, go down an absolute storm.

Sunday, January 18, 2009

Active directory management permissions

Our user accounts aren't, inexplicably, created within the IT team. That's a fight for another day, but right now I'm securing our Active directory, specifically against the people whose jobs it is to create our users, none of whom is anything else other than an IT part-timer. Unbelievably, they've been given full admin rights up to now, but today that stops.

So what I've done instead is to:

  • Save an .msc file of the AD Users and Computers MMC snap-in.
  • Create a user group called Account Managers and add these staff to it. I've granted this group Read Access to the .msc file, and provided them with the file path to it.
  • Give the Account Managers the necessary permissions - Read, Write and Modify - to the OU's in which our user accounts (not our System Accounts - they're somewhere else) live.
  • Delegate control of user accounts by right-clicking on the root domain in AD Users and Computers and - well, just walking through the wizard.
  • Remove our users from the Admin groups.

I'm sure there's going to be some whingeing sometime soon, but that I can handle, by the old-school SysAdmin technique of hiding behind my manager. Hey, it's what he's there for. And I'll sleep just a little bit better tonight, although I know I'll wake up tomorrow and find something else that frightens me.

Downadup panic

I got to work, opened my email, checked the web for news and found that the Downadup worm's causing untold panic, such is the rate of spread. F-Secure estimate that the worm had infected nearly 9 million PC's by Friday, up from just over 2 million on Monday. The worm's hitting a long-standing vulnerability in XP, 2000 and Server 2003 which Microsoft patched - with plenty of publicity - 3 months ago.

Apart from demonstrating just how many systems out there haven't been patched, Downadup's also notable for the numerous ways in which it propagates, via flash and network drives, plus the usual array of social networking hooks.

It is though, easily removed. Tools are at F-Secure for free, and better directions at precisesecurity.

If nothing else, Downadup's showing again the best security practices of all - regular patching, up-to-date AV and malware programs, and not opening spam. How easy does it have to be?

Saturday, January 17, 2009

Replacing Altiris with Configuration Manager

Altiris has been around for a while now. It hasn't changed much since I first used it, in terms of functionality at least. It's under the Symantec jackboot now, and it'll be mildly interesting to see what becomes of it. I've got to admit to not always being the world's biggest fan of Symantec: my experiences with Norton AV haven't ever left me with anything approaching joy, and on the few occasions I've had to use them, the Symantec product support mechanism has frequently left me at entirely the other end of the spectrum of joy, to the point where I've wanted to chew my own hand off.

But that's by-the-bye. My point is that Altiris is, for us at least, now approaching the point where we're looking round for a replacement. As an educational institute we get really good deals from Microsoft under our campus agreement, so I've been looking at Systems Center Configuration Manager. From reading the blurb, it looks like there's nothing that this won't do.

What it can tie in with and what it needs in order to run effectively are confusing me right now. I already know that it speaks to our WSUS server and imports some of the stuff from there. How the software packaging side of things works is a mystery to be solved.

The biggest mystery at the moment though, is how to get the client software to install. From within Configuration Manager there's about five different options for pushing it out. Configuration manager can see my clients - it imports them from AD - but I'm not getting any joy with any of the installations. There's just nothing happening, and the thin, dusty trail in the logs is proving to be fruitless.

I have no doubt I'll solve it eventually, but right now Altiris lives. And that's important because it's this time of year we re-image all our desktops and push out all our software for the upcoming academic year. So far, it's been totally trouble free.

And right there you see our difficulty. There's so much we can potentially do by becoming a one-stop, Microsoft shop. What we're seeing already though, is that the costs we save are going to be offset by an increase in the difficulty of replacing 3rd-party systems like Altiris, like VMWare, that became popular because they work.

That doesn't mean the challenge isn't a valid one. Once all those clients are out there for this year; once all our students are in and settled; I'll be bringing more and more of these projects forward from the back burner, looking towards the future.

Friday, January 16, 2009

More casualties

The downturn's hitting hardware makers too. AMD have just announced 1100 job cuts - 9% of its workforce. The pain's even reaching to the boardroom - AMD's CEO and executive chairman are each going to take a temporary 20% cut in their base salary, and other employees at the chip-maker will also have their wages cut by between 5 and 15%.

That comes hard on the back of job losses at the number one hard drive manufacturer Seagate looking at slashing 10% of its workforce. CEO Bill Watkins didn't survive that one to take a salary cut. Number two in the storage market, Western Digital, is ahead of the curve, having stated that it would slash 5% of its workforce way back in mid December. HDD head manufacturer TDK is letting 9000 go.

The mighty Intel can't be far behind, as yesterday it posted a 90% drop in profits and warned of even tougher times ahead.

With so little money going through the IT industry, it's a bad time for Microsoft to have the EU taking yet another look at it over the seemingly never-ending saga of bundling Internet Explorer with Windows. Maybe this time Microsoft won't simply be able to pay, stall the EU with a flotilla of expensive lawyers, carry on like before. Stranger things are happening in the world right now.

Thursday, January 15, 2009

Times like this can make a man nervous.

So, the seemingly impregnable Google's laying off workers. The guys and girls for the axe are 100 recruitment workers, so don't be hankering for that job at Mountain View any time soon. And the old company of new Yahoo! CEO Carol Bartz (already labelled in some areas of the press as "foul mouthed", although personally, "friggin'" doesn't register on my radar unless it's uttered by a cheeky matelot with a glint in his eye), Autodesk, has also put the knife in today.

And now Microsoft's wielding the axe, according to some sources. Or not. Either way, it's a fair bet there'll be few requests for a pay rise at the software giant anytime soon.

Sign of the times? I did some crystal ball gazing for work this afternoon, trying to come up with a three-year plan. Practically an impossible task, given the pace in change of the world around us right now.

What did I come up with? Well, if we're going to upgrade from Server 2003 we'll be facing some pretty substantial hardware costs as 2008 R2 is 64 bit only. I'm sure there'll be a few issues on the back of that one, given the number of legacy apps we're running. Virtualization will be something we'll make more of, although I suspect we'll be looking closely at other offerings beside VMWare.

The other thing that I feel I have a duty to look at is exactly what parts of our server estate could be candidates for moving into the Cloud. Now, my knowledge of the possibilities that Azure, Google and whatever it is that Amazon eventually comes up with is tiny. Nothing at all, in fact, beyond knowing that they're going to be there. But it seems a funny time, to be sure, to be leading the charge in a direction which could very well put me out of a job.

Expanding a Point

I thought I'd expand on one of yesterday's postings; that which alluded to Citrix's killer app status slipping as the competition have caught up.

I've always been a fan of the possibilities of thin-client computing. The picture that Citrix paint - and deliver, to be fair, in many places - of an IT infrastructure with a smaller TCO, a smaller carbon footprint and centralized administration: who isn't waiting to be converted?

So when I came here and found a legacy Citrix environment - Metaframe XP FR3, two years out of support but still happily chugging along, supporting a couple of hundred users quite happily - one of the first things I looked at was updating this and asking the questions: What else can I do with this? Can we expand our thin-client usage, save money on our clients and our power bill, reduce our carbon footprint and be responsible global citizens? And unfortunately, to all of those questions, the answers were not enough and no.

Citrix do quite a good job of pointing out the cost / benefits of a thin-client network. But who, I ask, can afford to chuck their existing fat clients in the bin, and start again? Who can afford to run two networks side-by-side - because that's what we found we would almost need to do. Yes, we could look to savings three years down the track, when our current desktop refresh cycle reached its end. But for a public sector organisation, especially one up to its neck in the financial mire - three years is forever.

The real killers though, are Microsoft and Procurve. Microsoft because their new Windows Server 2008 does everything XP FR3 did (albeit without the crap that no-one used, like application billing). Procurve have finally been unleashed by HP and allowed to compete with Cisco, who have started making grumbling noises sounding like Cisco are going to kick off their own range of Blade Servers, but that's by-the-bye. Net result: when our network infrastructure reached the end of its lease, we were able to deliver gigabit to the desktop at two-thirds the cost of the Cisco offering - which offered less.

So the extra bandwidth that Terminal Services - or whatever Microsoft are calling it now - is going to consume doesn't matter any more. Citrix is looking pretty dead.

The final nail in the coffin is the ability of the machines now reaching the end of their lives, ones which we traditionally stuck a Citrix client on and punted to the backroom staff, so they could still have a reasonable user experience on old hardware. With 2ghz P4's now coming into retirement - where's the need?

Wednesday, January 14, 2009

Linux speak...

Linux, the Operating System of choice if you're the kind of person who'd get a kick out of building your own television set. It seems that every year there'll always be someone trotting out the "This is the year when Linux takes it to Windows" line. It seems that this year, or this week at least, it's the turn of the good folk over at

First up is their education guy, and I've got to admit he's the one that had my jaw on the floor. So, it's "far easier to justify installations in an educational setting than it was even a year ago", is it? Microsoft do a Campus program for educational institutions. We have site licenses for everything, often free upgrade rights. By any commercial standards, our Microsoft costs here are absolutely tiny. Try less than a hundred bucks a year for Systems Centre Configuration Manager. A hundred New Zealand bucks.

Now look at what it is that we use our computers to teach, what it is we want our students going out into the world able to use. Microsoft Office. Tick. On Linux? Fail. Adobe Creative Suite? Tick. On Linux? Fail. Autodesk. The list goes on. Fail all the way down.

And don't make me laugh by telling me it's free. Most of the costs over an operating system's life are going to come in supporting it. If it's easy to justify sending your entire IT staff away on a two-month training course while they get as competent on Linux as they are with Microsoft, I apologise.

And, of course, there's a guy with a beard, telling us Linux will survive. Of course it will. Netbooks are a comin'. But here? On the desktop? No case to answer.

Where next for Apple?

Steve Jobs is taking time out, as you probably know. I wonder where that leaves Apple? Even more so than Microsoft when Bill Gates was in charge, Apple is Steve Jobs. Apple's shortcomings and strengths are also, therefore, tied up in him. So what might be on the cards for Apple if the new hand on the tiller keeps their own lookout and doesn't simply use Steve's binoculars?

I said yesterday that Apple's server offerings are awful, and I meant it. Microsoft's building all sorts of fun stuff into the Windows Server family these days - virtualization, remote application delivery with Terminal Server 2008, CRM; loads of good stuff. Plus of course, all the tried and tested backoffice stuff that we've been using for years.

Someone else is getting into virtualization now - Citrix are finally looking serious about getting into the game, and about time too, given that Terminal Server 2008 does everything that the Presentation Server releases of only a couple of years ago did. Whether it does enough to distinguish itself from either the ubiquitous VMWare or Microsoft's own offerings is another matter. Citrix is looking like a company in need of a space.

Have Apple got that? They've got the iPhone, and the iPod, and the Mac, and Citrix is all about accessing the same applications across different platforms. If the downturn goes on and domestic customers find themselves unable to justify that new Mac, Apple's going to need business customers. For that, it needs something to put on its servers...

A Dusty Cupboard

Fun and the command line aren't natural bedfellows, especially if like me you've spent most of the last few years doing those most important of Sysadmin functions: idle web surfing and scatter-gun character assassination. However, a change is as good as a rest and all that jazz, so just for a while I've foregone Wikipedia (the last internet refuge for the terminally bored) and plumped for a spot of work instead of passing my time alternately cogitating, digesting and forgetting about Lysander's role in the Battle of Thrace.

So today I'm continuing migrating stuff across from our old SAN. Fortunately for me, I'm employed at an educational establishment, and our students are currently somewhere else. Some would debate the point that they're seldom anywhere else other than somewhere else even when they're here, but either way, their absence from the campus at the moment is making my life a little easier. I mentioned a couple of days ago I was pulling profiles across: that seems to have gone well, and now I'm digging into migrating a few different groups' home directories over. It's a little more involved than the profiles, because not only am I dealing with pulling the data and permissions across but in this case the folders also need to be shared, the users made folder owners, and then pointed to the new location through Group Policy.

None of it's rocket science though. In fact, none of it's beyond the average twelve-year old. Which makes it slightly galling just how much I've been struggling to remember how to use these most basic of command line utilities. I even forgot how to share a folder from the command line, and had to look it up on Google. That's just plain embarrassing.

I've never used Group Policy Modelling before, but now I'm addicted. It's a left-field comparison I know, but in its functionality it reminds me of the old Query Analyser in SQL 2000 in that it's a great get-out-of-jail tool for people whose job demands they use it but who can't be arsed to find out how to do it properly. Or as in my case with the old SQL Query Analyser; those who have met a DBA or two who understands SQL properly. If it's not too late already, heed my sage words: run to the hills, just in case it's catching. You don't ever want to be like that.

Tuesday, January 13, 2009

The Windows 7 Conundrum

Windows 7 seems to be all over the news this week, with the release of the first and probably final public beta before it goes RTM, probably somewhere around the end of this year. The uptake of Vista in the Enterprise has been woefully low for Microsoft. The jump in hardware requirements needed to run the new operating system, the plentitude of applications which either worked poorly or just plain didn't on Vista, and the presence of a predecessor which did everything required of it plenty well enough all conspired to stick one of those old-fashioned hairpins firmly through Vista's spine. A mid-life ad-campaign quite unlike anything else I can ever recall - both in terms of its timing and how quickly it disappeared off the radar - failed to breathe new life into the twitching corpse. Vista is, to all intents and purposes, dead.

But it isn't really, is it? Windows 7 has already had accusations of plagiarism chucked at it - the similarity of the new taskbar to Apple's Dock has been duly noted, and probably encouraged by Microsoft, eager to for once, earn a more flattering comparison to the anvil upon which Vista has been smacked, at least in the domestic market. The real plagiarism, however, lies in the breadth of the new release.

Apple's "new" Operating Systems are seldom that, not when seen from a Microsoft point of view. Do you think, say, that the difference between Mac OS 10.4 and 10.5 is anything like the difference between say, Windows XP SP1 and SP2? Something like 2/3rds of the code for XP was changed in SP2, and it still didn't merit being touted by Microsoft as a new product. They could have jazzed up the GUI, ran another Mojave Experiment, made hay. That they didn't tells you something about the corporate mindset at Redmond when releasing a new OS. Each successive new version of Windows was always a big jump from what went before, because that's the way Uncle Bill liked it.

Now though, Uncle Bill's off doing good stuff for one-armed lesbian Malawians, and Windows 7 is a new operating system, even though it only takes the smallest of glances under the hood to see that it's not. It's Vista, SP3. And I for one will be a happy man if Microsoft find that stealing the Emperor's New Clothes idea from Apple turns out to be a good fit. The pain we've all experienced with Vista has been good for us: Applications now have to be written properly. Vista is, contrary to the public perception, a damn sight more secure than XP. With SP2 and on the right hardware it's now something approaching acceptable, but we all know it's too late.

But Windows 7 - I mean Vista 2 - couldn't have come at a better time. Microsoft have been losing market share in the home market hand-over-fist to Apple. Now, as a recession looms - who out there really has the money to spunk on a 24" iMac, not when a similarly 'specced PC might save you a thousand bucks? Corporate networks running XP - like us - are looking around now, knowing that sooner or later we're going to have to do something. Macs don't, for all their slickness in a standalone environment, do the networked thing. Apple's pathetic server offerings are, as far as I'm concerned, more or less a tacit admission of this. Besides, we all have legacy apps. We need Windows.

Dell have this week announced they're shutting their plant in Ireland with the loss of 1300 jobs. Their stock's down by what - a third? HP are similarly strapped. And the IT service sector - the big outsourcers like EDS et al? Life Support. What all of those companies need is Windows 7 to be released pronto, and for the big boys that stayed with XP to take advantage of the service provider's predicaments to go over to 7 sooner rather than later.

There's already talk of major Government IT projects scaling back. In this recession, Windows 7 and its success - or not - might be the only thing between the IT gravy train and the buffers.

Monday, January 12, 2009

Welcome...let's begin

Welcome to my first venture into the blogosphere. People write for lots of different reasons, but I suppose one overarching reason is that most human of instincts: the desire to leave our mark on this earth.

Fulfillment of this instinct, of course, presupposes two things. Firstly, of course, that the contents of the author's mind are in some small way worth anything (and I'm not saying that mine are - read on) and secondly, that the author isn't a Sysadmin, in which case he or she has already chosen a path in life leading 180 degrees away from the Golden Mountain of Deep Meaningfulness, towards the valley of Pointless Futility and the permanent campsite of A Wasted Life. This is where I pitch my yurt, and I invite you in for a daily(ish) glass of the soured yak's milk that flows from the udders of the System I'm paid to manage.

So today, I'm moving user profiles from an old SAN to a new one. As this is a public institution we're not allowed to delete anything until the Prime Minister himself signs the release sheet, using a pen carved from the twisted thigh-bone of one of Snow White's short-arsed friends, dipped in the blood of a sacrificially slaughtered Dodo. There's more chance of this happening than any request for him to do so being passed up more than two levels of management without vanishing, or more likely sent back with some lame query aimed at proving nothing more than the intellectual disability of the sender. But I digress.

So I'm moving user profiles. I'm doing this on a by-OU basis in Active Directory Users and Computers. I'm navigating to the OU which I want to migrate, right-clicking and going to View, Add/Remove Columns and making sure I can see the pre-windows 2000 logon name. I'm then Right-Clicking again, going to Export List, and saving it as a CSV file. Open this file in Excel and delete everything else except the login name. I make sure this is in the second column, then I fill in the first one with md \\servername\profilesharename\ - for the destination folders for the migrated profiles. Then the file's saved as a .cmd file. Run that, and you've made your destination folders. Easy.

It's a bit more fiddly - but the same principles, to then make another command file in the same way, this time using your usernames thus:

xcopy \\originalservername\sharename\username \\destinationservername\sharename\username /E /V /C /O /H /K /Y

The /O is the most important one here, as this copies across all the ACL information. Used to be a time long ago when xcopy wouldn't do this and you had to bugger about in the resource kit. The other switches are to do with ignoring errors, recreating folder structures etc and verifying files.

So your data's across - all this assumes you're running this when no-one's on the network - I love working at two in the morning - and all you need to do now is point your users to their profiles. Select everyone in your target OU, Right-Click and hit the profile tab. Stick in \\Servername\Sharename\%username%, and you're done. Now all you have to do is wait for the morning and see what else you've broken.
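
An added PowerShell example, not the author's script: it drives the same md and xcopy steps straight from the exported list, skips any logon name outside a plain-character allowlist so nothing unexpected ends up on a command line, and then checks that the owner and explicit ACEs of each copied profile folder match the source. The CSV column header, the allowlist pattern and the sample rows are assumptions; the server and share names are the post's placeholders.

```powershell
# Added example, not the author's script. Server and share names are the post's
# placeholders; the CSV column header, allowlist and sample rows are assumptions.
param(
    [string]$SourceRoot = '\\originalservername\sharename',
    [string]$DestRoot   = '\\destinationservername\sharename',
    [string]$ExportCsv,                                   # ADUC "Export List" saved as CSV
    [string]$NameColumn = 'Pre-Windows 2000 Logon Name',  # assumed column header
    [switch]$Execute                                      # without it, only print the plan
)

# Constructed sample rows, used when no export file is supplied.
$sample = @'
Name,Type,Pre-Windows 2000 Logon Name
Alice Example,User,aexample
Bob Example,User,bexample
Odd Account,User,bad&name
'@

function Get-ExplicitAce {
    # Non-inherited ACEs of a folder as sorted strings. Inherited ACEs are left out
    # because they come from the parent, which differs between the two shares.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
        } | Sort-Object
}

$rows = if ($ExportCsv) { Import-Csv -LiteralPath $ExportCsv } else { $sample | ConvertFrom-Csv }

foreach ($row in $rows) {
    $user = "$($row.$NameColumn)".Trim()

    # Allowlist (assumption): letters, digits, dot, underscore, hyphen, up to 20 chars.
    # Anything else is skipped rather than passed to md/xcopy.
    if ($user -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "Skipping '$user': not a plain logon name"
        continue
    }

    $src = Join-Path $SourceRoot $user
    $dst = Join-Path $DestRoot $user

    if (-not $Execute) {
        "PLAN  md `"$dst`""
        "PLAN  xcopy `"$src`" `"$dst`" /E /V /C /O /H /K /Y"
        continue
    }

    # Same two steps as the post: make the destination folder, then copy with /O.
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    & xcopy.exe $src $dst /E /V /C /O /H /K /Y | Out-Null
    $exit = $LASTEXITCODE

    # Check the top-level profile folder only: owner and explicit ACEs on both sides.
    $srcAcl = Get-Acl -LiteralPath $src
    $dstAcl = Get-Acl -LiteralPath $dst
    $srcAce = (Get-ExplicitAce $src) -join "`n"
    $dstAce = (Get-ExplicitAce $dst) -join "`n"

    [pscustomobject]@{
        User       = $user
        XcopyExit  = $exit
        OwnerMatch = ($srcAcl.Owner -eq $dstAcl.Owner)
        AceMatch   = ($srcAce -eq $dstAce)
    }
}
```

Run it without -Execute first to review the planned commands and the skipped names; any row reporting OwnerMatch or AceMatch as False is a profile to inspect before users are pointed at the new share.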