Into the certification saddle again. Soothing cream at the ready...

Finally, I've made time and found energy to concentrate on updating my IT certification.  I'm in sore need of it - my MCSE is in NT4, My CCNA has been out of date for god only knows how long, and the Citrix was Metaframe XP2.  Ye-es, I'm out of date.  And what I have been conscious of is that the tech knowledge that I have on tap is not perhaps all it should be, and because of that I enjoyed my last job less.  (I'm currently "resting", by the way.  More on this later.)


So I'm hitting the books again.  I'm working towards updating my MCSE to 2003 level rather than 2008 (I've barely touched 2008 so far), figuring I can take the upgrade exam later if I really want to.  I also had a set of books for the core four exams, so that helped too.  I'm also using practice exams from www.transcenders.com, who have never failed me in the past.  In my experience, the transcenders are bloody hard - if you're passing all the practice exams well, the real thing is a relative cakewalk.

So that's the core of what I do dealt with.  How about the nice-to-haves?

Cisco stuff?  It's been good knowledge to have, and occasionally it's useful.  I wouldn't say I've ever used it regularly, and the 2003 networking side seems to have been expanded enough to include enough of the additional TCP/IP stuff I got out of taking it last time around.

I've done quite a bit of VMWare stuff in my last job, so thought that maybe the VCP program would be useful.  But you have to attend the course, or you can't even take the exam.  This boils my piss for several reasons.

VMWare say - Oh, you have to do the coursework too.  It's a pre-requisite, you know. 

I say - Balls. Absolute, unalloyed, bollocks. 

This is about money, pure and simple.  This is about nice cosy tie-ins with training providers, where employers with money to spare (and how many of them are there these days?) cheerfully hand over three thousand bucks so that one of their employees can spend five days having the manual read to them.

I've been managing VM farms for yonks, and left most of them in a better state than when I arrived.  There's not a lot they haven't chucked at me.  What am I going to learn in the four days that it takes the new boy in the corner whose organization might be going virtual next year to get up to speed?  (No offence to the new boy - I've been him before)

Who's to say too, that I don't learn best self-studying?  And haven't VMWare figured anything from Microsoft, Cisco's approach?  Have they not figured that one of the reasons organizations stick with Microsoft and Cisco is because it's easy to get support?   That having a good, accessible certification program that's not treated as just another cash cow is in fact, actually an insurance for tomorrow? 

Like this tomorrow, for example, where Microsoft and Citrix offer virtualization products too.  Hyper-V is covered in the MCITP certification, there's a separate CCA for XenServer. 

And unlike VMWare, and the father-and son sack race at Mr Burn's house, attendance is not mandatory.

I wonder what virtualization solution I'll be implementing next?

Adding a VMWare node, and my big one for the year...

So I got the go-ahead to add another VMWare node to our infrastructure. This makes sense in lots of ways - I've only got two nodes at the moment and they're oversubscribed really - I couldn't run all my VM's on one box if the other fell over. I've also got another reasonably powerful, new box sitting around from our stalled Email project, so my only cost right now is in licences.

So I went to the reseller, and said simply - I want to add a new node. I'll add right now, I'm no VMWare guru. I can do what I need to with ours, I've built a fair few virtual machines on both ESX and VmWare free - we have a touching aquiantance, let's say. Our existing infrastructure is ESX 3 nodes, Virtual Center / Server 2.

Which they don't sell anymore - we're onto ver 4 - VSphere. Which doesn't work quite as wholeheartedly as the reseller led me to believe. My own silly fault for not going religiously through the upgrade section on the VMWare website, which would have pointed this out to me. This is, of course, an omission on my part of which my boss is going to remain blissfully ignorant.

The next fly in the ointment is that our existing estate is out of support. So I went back to our reseller and got a quote to renew it (without which I can't upgrade our existing nodes to VSphere and restore harmony to the universe.) Then, I thought, I'll cover my arse properly this time. So I raised a support ticket with VMWare themselves to confirm that this support contract covered everything I needed. Not too difficult, but that was a month ago, and I'm still waiting for an answer.

Anyway, licensing fun and my biggie aside, the installation's been incredibly easy. I created another VM datastore on our HP SAN, pointed the new and both old nodes towards it. The new node's picked everything up, the older ones won't pick up the new storage until they're rebooted. So now I have three datastores on the same SAN. I know I could have added extents to my existing datastores, but given the expansion in our VMWare holding that's likely over the next couple of years, I don't see that as a problem. I've got two Citrix XenApp VM's purring away on my new VSphere node, I can import VM's from the other two if required - I just can't use VMotion or HA, and I'm having to administer it for now through the VSphere client.

Which is all well and dandy, but if that's what I wanted then I could have got Citrix XenServer for nothing. Come on, VMWare, get your arse in gear.

Yeah, do stuff...

The latest dictat from up high is that we, the IT department, are to start selling laptops to students. This is because that another institution, revered by our CEO, does so.

Well, not quite. They actually provide a room for their hardware supplier to knock out stuff to students. That's it. Us being small, provincial, and in a different county from their supplier, our CEO reasons we can do the same thing ourselves, being as they've probably pissed themselves laughing down the phone when he mentioned it. (Likely sales, I'd guess, might amount to ten laptops a year.)

Quite apart from it not saying - not once, I've checked - on my resume that I am, ever have been, or have any desire to be a shopkeeper - I have a few objections, here.

Firstly, we're an HP shop. And as anyone who's ever had the desire to dig through the HP website can find out, becoming an HP reseller ain't a piece of cake. It requires things of their partners like certified hardware techs, which in turn would require the institute to bother investing in its people. I can understand why they don't, because confronted with a continual stream of half-baked ideas like this one (to which our corporate culture is that it's not OK to raise obstacles, as they interfere with the deep, deep, blue-sky thinking going on upstairs), most of the IT staff, when confronted with the prospect of being actually certified would either:

a) apply for another job straightaway
b) refuse to take the course as they'd have to repay the money in two months when the job they've just applied for is due to start
c) go sick from shock

So being an HP reseller is probably out, then. But he's adamant that we've got to have it, so at some point we'll have to find a way of doing it. Selling ten laptops a year from someone else, jeopardizing our relationship with HP - one which saved us a third of the cost of replacing our network infrastructure with (lower-spec) Cisco gear eight months ago. And I don't even want to know what sort of a deal they gave us on the couple hundred new PC's we ordered at the same time.

I will bet, however, it was worth more than the profit margin on ten laptops. And I haven't even discussed the prospective joy I feel at students coming into my office to make a warranty claim on whatever half-assed arrangement we ultimately inherit. I could go on and say something else, but you get the picture.

It's been a while...

A long time since I posted last. It's been a long time too, since I last built a Citrix farm, but even though the name's changed and we're three versions on from the last time I built one, the good bits about the install are still good and the bad bits are still crap. Although I think we can add the main GUI for the install list to the bad pile: it looks like Mr Citrix's three year old got hold of the crayons.

One of the other niggles I've always had with Citrix has been building the new farm directly onto SQL during the install process, and I can report that hasn't changed. It doesn't seem to matter how careful I am setting up and testing ODBC connections, even whether or not I set the ODBC connection up using the SA account (not recommended, just out of experimental curiosity to see if it was a rights issue) - I'll always get an error.

And when you get that error, you'll get it again if you try and confirm the farm membership using CHFARM, at least if you go straight from a failed SQL install to another attempted SQL install. The solution here's to run CHFARM, set up a local Access based farm, then run the CHFARM operation again, having first taken care to flatten your SQL database. I don't know why it should be that way - it just always has been...

Will the madness stop?

I haven't blogged for a while, mostly because it's just been utter chaos here : all the fun associated with the start of a new academic year and some fairly major moves and changes. I'm still having fun with my accounting application via citrix, and I'm now just about ready to give up on it and install a VPN solution instead for the affected users, rather than carrying on with NFuse. This of course, means more digging around the uncharted depths of our ancient PIX firewall, where hundreds of obsolete, uncommented entries do their level best to confuse me into tears every time I look at it.

I've started looking seriously now at the problems, threats and opportunities that implementing Exchange 2007 is going to pose, and I'm quietly confident. It looks like there's some good bolt-on functionality with Outlook Anywhere and Sharepoint, and that could - I repeat could - let me get the goal of some kind of Portal off the ground without as much pain as I was thinking it might be.

Our mail scanning server then, has chosen something of an inopportune time to start pissing me off. We're running a standalone server in the DMZ which runs IMSS 7, and today it's decided it doesn't want to do anything much unless I restart the IMSS SMTP service every five minutes and bugger around with hold queues. I'll bounce it again tonight, and hope the fairies fix it, because I haven't got a clue.

Weirdness solved; A dumb request.

Solved the networking weirdness that had befallen some of our servers since upgrading our networking infrastructure. We'd implemented HP's LACP solution,understanding that it would work with the HP server NIC teaming thing to give us a really high-speed, fully teamed solution. Apparently not, for some reason. The 802.whatever that the NICs would have been picking up automatically - the team type being set to auto - just doesn't seem to work reliably.

So I broke the teams on the problem boxes, then set the trunk type on the switch to "trunk" instead of LACP - you can trunk two different ports on two different cards within the chassis, giving you redundancy - then recreated the teams to NLB with Fault Tolerance, then unchecked the TCP onloading box, which seems, from reading around, to be giving loads of people shit. It's apparently corrected in the latest NIC drivers, but just to be sure, you know. Problem gone, performance not quite as good, theoretically, but there's so many other throttles right now I can't tell. So that's good.

What's not good, however, is a reputable database provider asking us to add an entire class B network to our firewall ACL, then another class C network. That's right. Dear gullible fool, please open 65000+ addresses to your ACL list. The reply was neccesarily short and to the point, as you'd expect...

Fun and games, Google and Novell's different Wednesdays.

Trying to sort the routing this morning for the new exchange server, with the help of our friendly local firewall guy. I've never learned any PIX, and on the evidence of this morning I think I probably got the good end of the deal there. It's a bit of fun, eh? Anyway, the upshot is it's sorted now, and I've learned a valuable lesson: When you make a change to your firewall - TAKE OUT THE REDUNDANT ENTRIES. This will then save the time and sanity of your replacement as he tries to reverse engineer the inner machinations of your DMZ (tell me you have one of those) via IP addresses which may or may not either be: a) still be in use b) assigned to a different machine or best of all and my personal favourite; c) assigned to a machine of the same name which has since been rebuilt and now has a completely different function. And you can add comments on PIX entries too, so take a second and put 'em in. The lifespan of networking equipment is considerably longer than the tenure of the average IT worker, so I'm sure karma will come into this somewhere down the track.

Google, I see, are writing off $768 million, due to the decline, fall, and plummet from space of AOL. They want out completely, and I think the only thing they can be blamed for there is taking too long to bite the bullet. The sooner the excresence that was America Online gets wiped from the face of the earth, the better.

Novell would probably like to be able to afford to write off something else other than another tranche of workers, but they can't. Be nice if the job losses could stop now, please.

A weird one...

I've got one of those weird ones today. We've installed a new network infrastructure - all shiny new HP Procurve stuff. Yesterday morning, one of our servers didn't back up, with BackupExec reporting that it couldn't see it. RDP'd to the server fine, and I could ping the backup server, and ping the errant server from the backup server. I could also, from either server, open an UNC share on ANOTHER server but not on each other. They're both on the same subnet, plugged directly into the new core switch, the ports on which are effectively, at the moment, wide open.

This morning, another server had the same problem, despite backing up yesterday. The error logs on the servers which can't connect have the odd DCOM error which, on closer investigation, could mean one of about forty different things, none of which look like an easy fix. It's all too easy to go off on some wild goose chase here. The core switch is new, so there's a cloud hanging over that, but I had something similar before it was replaced, which I didn't investigate too deeply as it was only a day before the new switch went in. One things for sure - something out there is screwing up my NetBIOS traffic, and I want to know what it is.

A day of deep joy...

How I love sysadmining while surrounded by morons. Today's a prime example. We have an accountancy application which is, like most of these things, just about OK when used in the environment which it was designed for. Local domain, fat client, normal, networked printer. Even then, it's needed a fair bit of tweaking to get it right - it prints from an environment variable, for example, because thats the way it does it. It's one of them.

Someone tried to put it on citrix and we had a nightmare with it. We couldn't get it to print properly at all, despite the application vendor's being on site for a couple of days and dialling in god knows how many times. So I made sure that the people who needed to use it got full-fat clients, quick sharp. Everyone happy.

Except some genius has decided that it would be just too great for someone at a related institute across town to be able to dial into our accounting application through citrix. And our interface to the outside world, I might add, is rubbish. Not in terms of speed, but reliability of service of certain things. We have other people who connect through citrix, for example. Sometimes their printer auto-creation works, sometimes it doesn't. Depends on the wind. Sometimes it takes five minutes to log into NFuse (that's how far behind we are); sometimes, seconds. Reboot router, phone up ISP and complain. Right now, those are our options. So it's not going to work. In a month of Sundays. Even if it did work in the first place, which it doesn't.

Obviously, someone's ego's going to be bruised when it becomes apparent that this is going to have be er, altered. No guesse for who's going to end up wearing it, though. Be nice if I got asked at the start, for once.

Fun with Exchange mailboxes, part 2...

I'm in the middle of upgrading our organization to Exchange 2007 from 2003, and I'm currently "enjoying" the effects that adding a 2007 server to our Exchange organization's having. Not only does it screw our existing global address list, but helpfully, it's also "updated" it so that I can no longer administer it from the Exchange 2003 box. Marvellous.

I've also discovered that I've got a few shared mailboxes out there that have dissappeared, altogether, from any address list. So now, I can't even get my users to see them - which is lovely for our internal marketing, as we're rolling out a new desktop image. It's an issue I can really do without. Tonight I'm going to rebuild the Recipient Update Services on the 2003 box and hope like hell something shows up tomorrow.

On the image rollout, we've been ordered to put Office 2007 on the new image, which as you probably know, is more different to previous versions of Office than any release ever. One would expect some staff training - for our users - to be in order, then. But no. The person who's supposed to be doing THAT, had Office 2007 installed nearly a year before everyone else for precisely that reason, and who was one of the main drivers for putting Office on seems to have rinsed their hands of it. No guessing which department everyone's looking at to blame. IT and short memories seem to be natural bedfellows around here.

Plate full of Password Problems

Every week or so something fun gets tossed onto my brimming plate, and today it's the turn of password management. It's a pain in the ass, full stop, and now I'm to look at smoothing troubled waters by implementing some kind of solution that'll enable our users to reset their own passwords: memorable question kind of thing. It's the kind of thing that even a year ago would have had me in a cold sweat, thinking of all the possible security horrors. I seem to have undergone some kind of transformation though - if it adds to the user experience, makes students and the helpdesk's lives easier, then I'm all for it, and I'll deal with the security horror if it appears. Quest's Password Manager looks like it might do the do. How easy it'll be to implement is, of course, entirely another matter.

So Microsoft's officially cutting jobs. And they can't even bring themselves to issue a revenue / profit forecast. Share price fell nigh on 10%. Not a good week for them.

Citrix finding a new raison d'etre?

I talked before about Citrix being a company in need of a new killer app. Virtualization, it seems, is where Citrix are putting their money on their new future being.

They paid out $500m for open-source virtualization company XenSource, and have been aggressive in pushing their new baby. They've also got an interesting take on the cloud / no cloud thing. They reckon companies need internal clouds first - hosted of course, on Citrix virtualization / application delivery boxes - to be ready to take advantage of the opportunities when the bridges to the real cloud fall into place. They've developed Citrix Cloud Center too, to push to the third-party cloud vendors, just so you're in no doubt they're serious.

Now they're collaborating with Intel, creating a bare-metal hypervisor based on the Xen one, probably aimed at delivering virtualized desktops, which will have the considerable bonus of being fully encryted.

Now all they need to do is get the Xen hypervisor integrated with HP's industry leading System Insight Manager. Fortunately, it's apparently "on the list."

Just when I thought they looked dead and buried, Citrix suddenly looks like it might not be takeover fodder after all.

Fun with Outlook Address books; Cisco looking for a fight.

I'm having fun with Outlook Address Books this morning. A couple of weeks ago I built and introduced an Exchange 2007 server, looking towards migrating our accounts over from Exchange 2003. I created connectors between the two servers, and they're seeing each other fine. I pulled over a test mailbox, which seemed to go smoothly although I haven't been able to fully check that out yet because I need to update the ACL's on our PIX firewalls to include the new server.

So far, so good, until it was pointed out to me that somehow, mysteriously, the behaviour of my users address books in Outlook has changed. One set of users defaulted to one address list, another to another - both stored below the Global Address list. Now, those lists aren't visible from outlook, even though they both still work as email distribution lists. Confused yet? I am.

So I've populated two address lists above the GAL and they work fine, only problem being I haven't yet sussed if I can push our users to these via Group Policy, which would be ideal. So for now, the helpdesk are going to have to sort it - if someone complains, which as yet, they haven't. I know they will though, and probably before I fix it.

On another note, it looks as though Cisco are wading into the Blade-Server market. Coming hot on the heels of news that they're planning on wading into the virtualization market too, and in the face of HP's switch/routing challenge in the shape of Procurve, it's beginning to look more than a little like the day when KFC peddled their first burger and Ronald McDonald deep-fried his first chicken bollock. Hopefully, like that happy day, this ends up as good news for the customer, but with no sickly aftertaste, clogged arteries, or lingering sense of guilt attached.

Opera slings mud at Microsoft, sticks.

So the antitrust thing's back. The EU says Microsoft's violated competition laws by continuing to include Internet Explorer with versions of Windows. Opera, the original re-complainant, is understandably delighted.

So where's Microsoft go from here, other than back into the courtroom? Given that the fine dished out by the EU last time was 899 million Euros, it's a fair bet that someone's going to be digging into their pockets, deeply.

And with Microsoft feeling the pinch - its share price this morning stood at $19.71, down from over $35; and with persistent murmurs of impending cutbacks - now represents perhaps the EU's best chance to get the software giant to sit up and listen, properly.

Yes, the last antitrust issue before the EU was different - that was to do with Microsoft getting in the way - as the commission saw it - of other vendor's attempts to get their software to work properly on Microsoft operating systems.

But the EU budget's not getting any smaller, and member countries are raising less tax revenue than six months ago, thanks to the recession. Milking the Redmond cash cow might, in the once-removed eyes of European ministers, go down an absolute storm.

Active directory management permissions

Our user accounts aren't, inexplicably, created within the IT team. That's a fight for another day, but right now I'm securing our Active directory, specifically against the people whose jobs it is to create our users, non of whom is anything else other than an IT part-timer. Unbelievably, they've been given full admin rights up to now, but today that stops.

So what I've done instead is to:

• save an .msc file of the AD users and computers MMC snap in.

• Create a user group called Account Managers and add these staff to it. I've granted this group Read Access to the .msc file, and provided them with the file path to it.
  

• Give the Account Managers the neccesary permissions - Read, Write and Modify - to the OU's in which our user accounts (not our System Accounts - they're somewhere else)

• Delegated control of user accounts by right-clicking on the root domain in AD Users and Computers and - well, just walking through the wizard.

• Remove our users from the Admin groups

I'm sure there's going to be some whingeing sometime soon, but that I can handle, by the old-school SysAdmin technique of hiding behind my manager. Hey, it's what he's there for. And I'll sleep just a little bit better tonight, although I know I'll wake up tomorrow and find something else that frightens me.

Downadup panic

I got to work, opened my email, checked the web for news and found that the Downadup worm's causing untold panic, such is the rate of spread. F-Secure estimate that the worm had infected nearly 9 million PC's by Friday, up from just over 2 million on Monday. The worm's hitting a long-standing vulnerability in XP, 2000 and Server 2003 which Microsoft patched - with plenty of publicity - 3 months ago.

Apart from demonstrating just how many systems out there haven't been patched, Downadup's also notable for the numerous ways in which it propogates, via flash and network drives, plus the usual array of social networking hooks.

It is though, easily removed. Tools are at F-Secure for free, and better directions at precisesecurity.

If nothing else, Downadup's showing again the best security practices of all - regular patching, up-to-dat AV and malware programs, and not opening spam. How easy does it have to be?

Replacing Altiris with Configuration Manager

Altiris has been around for a while now. It hasn't changed much since I first used it, in terms of functionality at least. It's under the Symantec jackboot now, and it'll be mildly interesting to see what becomes of it. I've got to admit to not always being the world's biggest fan of Symantec: my experiences with Norton AV haven't ever left me with anything approaching joy, and on the few occasions I've had to use them, the Symantec product support mechanism has frequently left me at entirely the other end of the spectrum of joy, to the point where I've wanted to chew my own hand off.

But that's by-the-bye. My point is that Altiris is, for us at least, now approaching the point where we're looking round for a replacement. As an educational institute we get really good deals from Microsoft under our campus agreement, so I've been looking at Systems Center Configuration Manager. From reading the blurb, it looks like there's nothing that this won't do.

What it can tie in with and what it needs in order to run effectively are confusing me right now. I already know that it speaks to our WSUS server and imports some of the stuff from there. How the software packaging side of things works is a mystery to be solved.

The biggest mystery at the moment though, is how to get the client software to install. From within Configuration Manager there's about five different options for pushing it out. Configuration manager can see my clients - it imports them from AD - but I'm not getting any joy with any of the installations. There's just nothing happening, and the thin, dusty trail in the logs is proving to be fruitless.

I have no doubt I'll solve it eventually, but right now Altiris lives. And that's important because it's this time of year we re-image all our desktops and push out all our software for the upcoming academic year. So far, it's been totally trouble free.

And right there you see our difficulty. There's so much we can potentially do by becoming a one-stop, Microsoft shop. What we're seeing already though, is that the costs we save are going to be offset by an increase in the difficulty of replacing 3rd-party systems like Altiris, like VMWare, that became popular because they work.

That doesn't mean the challenge isn't a valid one. Once all those clients are out there for this year; once all our students are in and settled; I'll be bringing more and more of these projects forward from the back burner, looking towards the future.

More casualties

The downturn's hitting hardware makers too. AMD have just announced 1100 job cuts - 9% of its workforce. The pain's even reaching to the boardroom - AMD's CEO and executive chairman are each going to take a temporary 20% cut in their base salary, and other employees at the chip-maker will also have their wages cut by between 5 and 15%.

That comes hard on the back of job losses at the number one hard drive manufacturer Seagate looking at slashing 10% of its workforce. CEO Bill Watkins didn't survive that one to take a salary cut. Number two in the storge market, Western Digital, is ahead of the curve, having stated that it would slash 5% of its workforce way back in mid December. HDD head manufacturer TDK is letting 9000 go.

The mighty Intel can't be far behind. as yesterday it posted a 90% drop in profits and warned of even tougher times ahead.

With so little money going through the IT industry, it's a bad time for Microsoft to have the EU taking yet another look at it over the seemingly never-ending saga of bundling Internet Explorer with Windows. Maybe this time Microsoft won't simply be able to pay, stall the EU with a flotilla of expensive lawyers, carry on like before. Stranger things are happening in the world right now.

Times like this can make a man nervous.

So, the seemingly impregnable Google's laying off workers. The guys and girls for the axe are 100 recruitment workers, so don't be hankering for that job at Mountain View any time soon. And the old company of new Yahoo! CEO Carol Bartz (already labelled in some areas of the press as "foul mouthed", although personally, "friggin'" doesn't register on my radar unless it's uttered by a cheeky matelot with a glint in his eye), Autodesk, has also put the knife in today.

And now Microsoft's wielding the axe, according to some sources. Or not. Either way, it's a fair bet there'll be few requests for a pay rise at the software giant anytime soon.

Sign of the times? I did some crystal ball gazing for work this afternoon, trying to come up with a three-year plan. Practically an impossible task, given the pace in change of the world around us right now.

What did I come up with? Well, if we're going to upgrade from Server 2003 we'll be facing some pretty substantial hardware costs as 2008 R2 is 64 bit only. I'm sure there''ll be a few issues on the back of that one, given the number of legacy apps we're running. Virtualization will be something we'll make more of, although I suspect we'll be looking closely at other offerings beside VMWare.

The other thing that I feel I have a duty to look at is exactly what parts of our server estate could be candidates for moving into the Cloud. Now, my knowledge of the possibilites that Azure, Google and whatever it is that Amazon eventually comes up with is tiny. Nothing at all, in fact, beyond knowing that they're going to be there. But it seems a funny time, to be sure, to be leading the charge in a direction which could very well put me out of a job.

Expanding a Point

I thought I'd expand on one of yesterday's postings; that which alluded to Citrix's killer app status slipping as the competition have caught up.

I've always been a fan of the possibilities of thin-client computing. The picture that Citrix paint - and deliver, to be fair, in many places - of an IT infrastructure with a smaller TCO, a smaller carbon footprint and centralized administration: who isn't waiting to be converted?

So when I came here and found a legacy Citrix environment - Metaframe XP FR3, two years out of support but still happily chugging along, supporting a couple of hundred users quite happily - one of the first things I looked at was updating this and asking the questions: What else can I do with this? Can we expand our thin-client useage, save money on our clients and our power bill, reduce our carbon footprint and be responsible global citizens? And unfortunately, to all of those questions, the answers were not enough and no.

Citrix do quite a good job of pointing out the cost / benefits of a thin-client network. But who, I ask, can afford to chuck their existing fat clients in the bin, and start again? Who can afford to run two networks side-by-side - because that's what we found we would almost need to do. Yes, we could look to savings three years down the track, when our current desktop refresh cycle reached it's end. But for a public sector organisation, especially one in up to its neck in the financial mire - three years is forever.

The real killers though, are Microsoft and Procurve. Microsoft because their new Windows Server 2008 does everything XP FR3 did (albeit without the crap that no-one used, like application billing). Procurve have finally been unleashed by HP and allowed to compete with Cisco, who have started making grumbling noises sounding like Cisco are going to kcick off their own range of Blade Servers, but that's bye-the-bye. Net result: when our network infrastructure reached the end of its lease, we were able to deliver gigabit to the desktop at two-thirds the cost of the Cisco offering - which offered less.

So the extra bandwidth that Terminal Services - or whatever Microsoft are calling it now - is going to consume doesn't matter any more. Citrix is looking pretty dead.

The final nail in the coffin is the ability of the machines now reaching the end of their lives, ones which we traditionally stuck a Citrix client on and punted to the backroom staff, so they could still have a reasonable user experience on old hardware. With 2ghz P4's now coming into retirement - where's the need?