Inane IT conversations

This morning, the office has been full of much hilarity and mirth – as well as extreme geekiness.

It all started off when discussing the appropriate colour patch leads to use for a new network (really – network administrators will understand that this is important) and Nick suggested that the colour of the cable is related to the speed (it’s certainly true that the light blue cables which are our corporate connections have significantly slower Internet access than the yellow ADSL in the corner!). Allan had his own theory that whatever is planned, in reality cable colour is directly related to the proximity of the cable – it doesn’t matter what colour should be used, the answer is whatever is closest to hand.

Next comes in the Project Manager, looking for a “jealousy” of architects (she claimed that was the correct collective noun), which got me googling…

According to Chris Sells’ blog post on collective nouns for geeks, it’s a “glass house” of architects and a “slack” of project managers. There are some other funny ones in Chris’ post that I won’t repeat here but I’m returning to my glass house now. Really, I like to think of myself as just one element of a RAIG (Redundant Array of Intelligent Geeks), although based on our conversations today the use of the word intelligent is questionable…

Removing MOM’s Active Directory management pack helper object

A few months back I had a look at Microsoft Operations Manager (MOM) 2005. Then, a couple of weeks back, I noticed that one of my servers had the Microsoft Operations Manager 2005 Agent installed, as well as the Active Directory management pack helper object. I uninstalled the Microsoft Operations Manager 2005 agent from the Add/Remove programs applet in Control Panel, but when I went to remove the helper object I was greeted with the following error (and the MSI Installer logged event ID 11920 in the application log):

Active Directory Management Pack Helper Object
Service ‘MOM’ (MOM) failed to start. Verify that you have sufficient privileges to start system services.

Retrying the operation produced the same error, so I was forced to cancel, then confirm the cancellation, before finally receiving another error message (and the MSI Installer logged event ID 11725 in the application log):

Add or Remove Programs
Fatal error during installation.

The answer was found on the newsgroup – I needed to reinstall the MOM agent before the AD management pack helper object could be removed but there was a slight complication because I no longer have a MOM server (I deleted my virtual MOM server after finishing my testing). Manual agent installation is possible, but I needed to supply false details for the management group name and management server in order to let the installation take place with a warning that the agent would keep retrying to contact the server (all other settings were left at their defaults).

Once the agent installation was complete, it was a straightforward operation to remove the Active Directory management pack helper object, before uninstalling the MOM agent (successfully indicated by MSI Installer event ID 11724 in the application log).

It’s a simple enough workaround but represents lousy design on the part of the MOM agent/management pack installers – surely any child helper object installations should be identified before a parent agent will allow itself to be uninstalled?

Creating an RJ45 Ethernet loopback cable

Sometimes it’s handy to make a PC think that it is connected to a network, even if there isn’t one physically present (e.g. in a test environment where not all services are replicated). This is quite easy to achieve with an RJ45 Ethernet loopback cable. By using 6″ lengths of the core from a CAT5 Ethernet cable to connect pin 1 to pin 3 and pin 2 to pin 6, a simple device is created which will fool a network interface card into thinking it is connected to a network.

RJ45 Ethernet loopback cable

The nice thing about standards is that there are so many to choose from

A couple of weeks back, I wrote about Microsoft Office 2007, including the new OpenXML file format. In a recent Windows IT Pro magazine network WinInfo Daily Update, Paul Thurrott reported that the competing OpenDocument Foundation has announced a plug-in for Microsoft Office that will let users open and save documents natively in the open-source OpenDocument format (ODF), which has recently been standardised and is supported by IBM and Sun Microsystems. The plug-in, which has been in development for about a year, makes OpenDocument documents seem as if they’re native to Office. Add Adobe’s portable document format (PDF) and Microsoft’s XML paper specification (XPS – formerly codenamed Metro) into the mix and we have plenty of scope for document confusion.

Both OpenXML and ODF are open standards that are freely licensed but it remains to see whether either will become dominant. I have a feeling that we’ll have competing XML-based document standards to grapple with for many years to come.

Redirecting web proxy access when the server name changes

Despite the problems I experienced migrating from Proxy Server 2.0 to ISA Server 2004 last night, I did have some success using a little DNS trickery to avoid changing the proxy settings on all clients (the new web proxy server has a different name to the old one). Here’s how it works:

  1. In DNS, delete the original host address (A) record for the old server.
  2. Next, create a host address record for the new server and an alias (CNAME) record with the name of the old server, pointing to the fully qualified domain name of the new server.

All DNS lookups for the old server should be redirected to the new server (via the DNS alias), allowing the proxy settings in the web browser to be updated at leisure (of course, in an Active Directory environment, they could also be updated via group policy).
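The two DNS steps above, as an added example that is not part of the original post, written for dnscmd on a Windows DNS server; the server, zone, host names and address are made up:

```powershell
# Added example: repoint the old proxy name at the new server with dnscmd.
# All names and addresses below are constructed placeholders.
$dnsServer = 'dc01'
$zone      = 'corp.example.com'
$oldProxy  = 'proxy1'      # name still present in clients' browser settings
$newProxy  = 'isa01'       # the new ISA Server 2004 box
$newIp     = '192.0.2.10'

# 1. Remove the old host (A) record. A CNAME cannot share a name with any
#    other record, so the A record must go before the alias can be created.
#    /f skips the interactive confirmation.
dnscmd $dnsServer /RecordDelete $zone $oldProxy A /f

# 2. Register the new server, then alias the old name to its FQDN. The
#    trailing dot makes the target absolute so the zone is not appended twice.
dnscmd $dnsServer /RecordAdd $zone $newProxy A $newIp
dnscmd $dnsServer /RecordAdd $zone $oldProxy CNAME "$newProxy.$zone."

# Check: the old name should now answer via the alias with the new address.
# Clients keep the old A record in their resolver cache until its TTL
# expires; run "ipconfig /flushdns" on a client to test immediately.
nslookup "$oldProxy.$zone" $dnsServer
```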

Configuring network connections for ISA Server 2000/2004 (aka when proxy server migrations turn bad)

It was supposed to be so easy. The new server was already built, with the same IP addresses as the old one. All I had to do was disconnect the NT 4.0 Proxy Server from the network and power on the new Windows Server 2003 R2 box with Internet Security and Acceleration (ISA) Server 2004 on it, then configure and test a few filter rules; but I had forgotten the first law of IT consultancy – nothing is ever straightforward – which is why I’m writing this post on the train to work after rolling back the migration and getting just 4 and a half hours sleep last night…

Firstly, I decided that the ISA Server should be joined to the Active Directory. My original plan had been that leaving it in a workgroup would be secure, but as I didn’t want to allow unrestricted anonymous (i.e. unmonitored) Internet access I’d be limited in my authentication options (either set up a RADIUS server to handle authentication or mirror the user accounts on the ISA Server). I wasn’t confident that ISA Server would work well if it was joined to a domain after installation, so I uninstalled ISA Server, joined the computer to the domain, and reinstalled ISA Server, plus service pack 2 and other updates.

It only took a few seconds to configure the cache and set up a firewall policy rule to allow all ports outbound access (just as a test, I could lock it down again later), add all the internal networks and enable the web proxy client, following which Internet access from the local network was restored. The trouble was that none of the machines on remote sites could access the Internet.

Suspecting a DNS issue, I began investigating name resolution problems and (here was my mistake) questioning why no forwarders were configured on the internal DNS server (because DNS monitoring showed that the simple queries were fine, but recursive lookups were failing). If I’d been thinking clearly, I would have realised that the internal network doesn’t need to have a recursive DNS path to the ISP’s DNS servers (the proxy server should handle that on behalf of the clients) – although I do think that having a clear path from clients to the internal DNS and onwards to the ISP’s DNS is the most straightforward configuration, supporting both internal (Active Directory) and external (Internet) name resolution (and Microsoft’s advice is to configure only internal or external DNS on the ISA Server – not both).

The problem was the network configuration on the ISA server. Jim Harrison’s excellent article on configuring ISA Server interface settings is my bible when configuring the network cards on an ISA server, but I hadn’t set up the routes from the external network to my internal networks correctly. The local LAN was fine, but ISA Server was rejecting requests from remote internal networks because it didn’t understand the underlying network path (flagging a configuration error alert warning that the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table). When I monitored the traffic flow, I could see incoming requests that were denied with “no rule” given as the reason – another clue that there was a problem with the network rules.

Although the configuring ISA Server interface settings article points out that a route will be required to each internal network, I’d set the next hop as the internal interface of the ISA server, rather than the local router (the internal NIC doesn’t have a default gateway if configured correctly). Adding persistent routes for each of the internal networks (route -p add remoteinternalnetwork mask subnetmask routeripaddress) fixed the issue, after which nslookup (and web access) began to work from all sites.

Unfortunately, by the time I’d worked this out, it was too late to set up and test the various filter rules that are needed to ensure correct (authenticated) HTTP(S) and FTP browsing, SMTP e-mail, access to OWA, etc., so I decided to back out and reconnect the legacy proxy server. At least now I know that the connectivity problems are resolved, I can attempt the migration again another evening.

High definition TV appears pixelated

A few months back, I wrote about how I was receiving free-to-air digital TV from Sky but yesterday, I noticed that the picture was clearer on analogue than on digital, which appeared pixelated. Well, it seems that Sky is getting ready to launch its high definition service next week in glorious 1080i or 768p; however for those of us who are still hoping to get a few more years of life from our widescreen CRT TVs (I bought a 32″ Sony Trinitron in 1998 and it will probably outlast many flat panel TVs on sale today) it seems that our picture quality will deteriorate.

If HD’s a mystery to you then check out the HD TV article on Wikipedia. According to the BBC, Sky’s new service starts on 22 May but digital terrestrial (Freeview) viewers may have to wait until after the UK has completely switched to digital TV in 2012 to receive HD broadcasts.

Finding out how Windows product activation works

Most of the work I do with Microsoft software is carried out for clients who have a volume license agreement, so working with OEM copies of Windows Server 2003 R2 over the last week or so has been my first exposure to Windows product activation. After having built and activated a server, then wondering whether blowing it away and starting again would affect the activation status, I found Alex Nichol’s description of Windows product activation on Windows XP (it’s basically the same for Windows Server 2003 R2). I decided not to rebuild the server in the end but Alex’s article was certainly a useful description of how the activation process works and the hardware changes that can affect the validity of the software.

Using unprivileged accounts in Windows

A few weeks back, Microsoft UK’s Steve Lamb presented a session on using the principle of least privileged access to reduce exposure to security threats under Windows (basically, running as much as possible as a standard, non-administrative user). Unfortunately I missed the event but I was chatting with Steve last week and he filled me in on the basic principles (which I’ve padded out with a few notes from his slidedeck).

The runas command can be used to start a program as a different user (as programs inherit their permissions from the parent process, starting a cmd shell as an Administrator and then launching an application will launch that application as an Administrator). Within the Windows GUI, there is often a right click option for runas, although for control panel applets shift and right click is used to expose the runas option. Shortcuts can be modified to run with different credentials for applications that always require a higher level of access.

There are occasions when runas just doesn’t work – for example applications that reuse existing instances (Windows Explorer, Microsoft Word) or those that are started through the shell using the ShellExecute() API call or dynamic data exchange (DDE). Unfortunately Microsoft Update is one of those applications for which runas won’t work. Aaron Margosis has some advice on his blog to help work around issues with runas and Windows Explorer.

Privileged command shell windows can be set apart using a different colour scheme, for example:

cmd.exe /t:cf /k title Administration Shell

For the GUI, the TweakUI power toy can be used to set an alternative bitmap for Internet Explorer and Windows Explorer, or Aaron Margosis’ PrivBar displays the current privilege level.

Whilst it’s true that using a local account will prevent domain-wide issues, there are side effects in that there is no access to domain resources, different profile settings (and per-user policy settings) are in effect and some applications assume that the installer is the end user. One possible resolution is Aaron Margosis’ MakeMeAdmin tool which allows for temporary elevation of the current account’s privileges (and any applications which inherit the user context). MakeMeAdmin can be downloaded from Aaron’s blog and he has a later follow-up post with more information.

Some applications are written to run as Administrator and there’s not a lot that an end user can do about poor coding (other than replacing the application with something else). Adding the user to the local Administrators group to resolve such issues is not good practice, although it may be possible to loosen the ACLs on application-specific resources (i.e. %ProgramFiles%\applicationname\ and HKEY_LOCAL_MACHINE\SOFTWARE\applicationname\Settings) but this should not be carried out on operating system resources (e.g. %windir%, %windir%\System32 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows). The important thing to remember is to do this in a granular fashion, applying additional permissions only to those resources to which access is required.

If an application writes to HKEY_CLASSES_ROOT, then it’s usually a bug. HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes so writing to HKEY_CLASSES_ROOT effectively goes to HKEY_CURRENT_USER if the key already exists. Consequently, problems with HKEY_CLASSES_ROOT can often be overcome by pre-creating keys under HKEY_CURRENT_USER.
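The granular ACL loosening described above, together with the HKEY_CURRENT_USER pre-creation workaround, as an added PowerShell example that is not from the original post or from any of the tools it mentions. “ExampleApp” and its document class name are made-up; the script assumes it is run once from an administrative (elevated) session, after which the application can be used from a standard user account:

```powershell
# Added example: grant the Users group write access to ONE application's own
# folder and registry key, refusing to touch operating system locations.
# "ExampleApp" is a constructed name; substitute the real application's.
param([string]$AppName = 'ExampleApp')

$folder = Join-Path $env:ProgramFiles $AppName
$regKey = "HKLM:\SOFTWARE\$AppName\Settings"

# Locations that must never be loosened (per the post's advice).
$protected = @(
    $env:windir,
    (Join-Path $env:windir 'System32'),
    'HKLM:\SOFTWARE\Microsoft\Windows'
)

function Test-ProtectedPath([string]$Path) {
    foreach ($p in $protected) {
        if ($Path.TrimEnd('\') -like "$($p.TrimEnd('\'))*") { return $true }
    }
    return $false
}

foreach ($target in @($folder, $regKey)) {
    if (Test-ProtectedPath $target) {
        throw "Refusing to loosen ACL on an operating system resource: $target"
    }
}

$users = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')

# File system: Modify on the application folder, inherited by its contents.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Registry: only the rights needed to write settings under the app's own key
# (no FullControl, and nothing outside HKLM\SOFTWARE\<AppName>).
$acl  = Get-Acl -Path $regKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $users, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $regKey -AclObject $acl

# HKCR workaround: pre-create the per-user class key so that the application's
# writes to HKEY_CLASSES_ROOT land in HKEY_CURRENT_USER instead of failing.
# The class name is a constructed placeholder; run this part as the end user.
New-Item -Path "HKCU:\Software\Classes\$AppName.Document" -Force | Out-Null
```

Verify the result with icacls on the folder and by opening the application as a standard user; if it still fails, Process Monitor will show which additional path or key it is denied on, and only that resource should be added.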

If all else fails, utilities such as MakeMeAdmin can be used to allow an application to run with elevated privileges but they require the user to know the Administrator password – alternatives include Valery Pryamikov’s RunAsAdmin and DesktopStandard PolicyMaker Application Security.

In Windows Vista, everything changes again with new functionality known as user access control (also known by other names including user access protection and flexible account control technologies):

  • All users run as an unprivileged user by default, even when logged on as an Administrator.
  • Once running, the privilege of an application cannot be changed.
  • Administrators only use full privilege for administrative tasks or applications.
  • Users are prompted to provide explicit consent before using elevated privilege, which then lasts for the life of the process.
  • A high level of application compatibility is achieved using redirection (which allows legacy applications to run as a normal user with HKEY_LOCAL_MACHINE\Software access being emulated by a virtual location under HKEY_CURRENT_USER and attempted writes to the %SystemRoot% and %ProgramFiles% folders being redirected to a per-user store); however this is a temporary mitigation for 32-bit product versions only (i.e. not implemented in 64-bit versions of Windows Vista).

Although Windows has come a long way to making least privileged access usable, it’s important to remember that there are some things that least privileged access can’t guard against:

  • Anything you can do to yourself.
  • Weak passwords.
  • Attacks on services.
  • Phishing.
  • Stupidity.

Unfortunately I’m writing this post on the notebook PC supplied by my employer with a standard corporate build and my domain account is also a local administrator. I think that probably falls into the last category listed above… doh!

Configuring database size limits with Exchange Server 2003 SP2

One of the enhancements provided in Exchange Server 2003 service pack 2 (SP2) is the increase of the maximum database size for Exchange Server 2003 standard edition from 16GB to 75GB. I originally thought that it was just a case of installing the service pack after which the database would be allowed to grow past the 16GB barrier but as Microsoft knowledge base article 912375 and the database size limit configuration and management article in the Microsoft Exchange Server TechCenter describe, the limit actually needs to be configured manually.

Scott Lowe’s article at TechRepublic details the necessary configuration as follows:

  1. Start the registry editor and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\servername\storeguid.
  2. Create a new DWORD value named Database Size Limit in GB and set it to a size between 1 and 75.
  3. Restart the Microsoft Exchange Information Store service.

This configuration method can be used with Exchange Server 2003 standard edition to configure (on a per-store basis) any value between 1GB and 75GB and for enterprise edition (which has no limit by default) to enforce a limit of up to 8000GB if required; however if the Exchange server is recovered using the /disasterrecovery switch, the registry keys will need to be recreated.