A few weeks back, I bought myself a Toshiba 320GB 7200 RPM external USB 2.0 hard drive with 8MB data buffer – a bargain at £109.99. It’s been so good that last night I dropped by on my way home to buy another one (to back up my data – disk is so much easier than tape). The price had increased to £119.99 but after making the effort to visit the store, I bought one anyway.
When I got home, I checked the web and found that the best online price was also from PC World, who were selling the same item online for £99.99 with free shipping (or collection from store). I understand that online prices should be lower than instore (lower overheads, etc.) but decided to return the disk and buy it again online at the lower price. Before I did that, I needed to call PC World and check the returns policy (for unwanted goods it is “at the manager’s discretion”) before committing to buy another.
Unfortunately for me, the Internet price increased overnight to £109.99 but that’s still a tenner less than I had paid, so this evening I returned the disk, explaining that there was nothing wrong with it – I’d just be saving myself a few quid by buying another one on the ‘net.
Unexpectedly, the staff member that I spoke to not only refunded my original purchase, but then ordered me one at the web price, which I then “collected” and paid for (of course, it was the same one I’d just taken back). She explained that they are not supposed to do that, but understood that it saved me from making another trip (or waiting for delivery). I won’t name the store or the staff member because I don’t want to get them into trouble; but if you’re reading this – thank you.
A colleague just sent me a link to Mailinator – a service for creating temporary mailboxes that are valid for just a few hours in order to receive (but not send) e-mail, e.g. when registering on a website and needing to see the initial registration e-mail, but wanting to guard against receiving unsolicited commercial e-mail (UCE – more commonly known as spam) afterwards.
This is how the guys at Mailinator describe it:
“It’s like super-instant, always-ready, any-email-you-want email. Right now. It’s your personal disposable email account. Here is how it works: You are on the web, at a party, or talking to your favorite insurance salesman. Wherever you are, someone (or some webpage) asks for your email. You know if you give it, you’re gambling with your privacy. On the other hand, you do want at least one message from that person. The answer is to give them a mailinator address. You don’t need to sign-up. You just make it up on the spot[…] — pick anything you want.
Later, come to [the Mailinator] site and check that account. It’s that easy. Mailinator accounts are created when mail arrives for them. No signup, no personal information, and when you’re done — you can walk away — an instant solution to one way spammers get your address. It’s an anti-spam solution for everyone. Your temporary email account will be automatically deleted for you after a few hours.”
I haven’t tried it yet, but it sounds like a great idea!
With Windows Vista and Office 2007 now at beta 2, I figured that it’s time to test them out on a decent PC. I’d also like to dual-boot with a Linux distro as the only way to really get to know an operating system is to use it on a daily basis but the problem is that I’m running out of hardware. Most of my PCs are around 3 years old, with 1.5GHz Pentium 4 CPUs and between 256MB and 512MB of memory. I could buy some more memory for the older PCs, but I’m hoping to buy two new machines later this year instead. Meanwhile, the Fujitsu Siemens Lifebook S7010D that my employer has provided for my work is a one-year-old machine with 1GB RAM – plenty for my testing (although I haven’t checked if the graphics card will support the full Aero interface).
My problem is that I can’t just wipe my hard disk and start again. The Lifebook is joined to a corporate domain and has VPN client software installed so that I can access the network from wherever I happen to be. That’s where virtualisation comes in… I thought that by performing a physical to virtual (P2V) conversion, I could run my Windows XP build inside a virtual environment on a Windows Vista or Linux host.
I’m also co-authoring my employer’s virtualisation strategy, so I called PlateSpin in Canada (because I’d missed the end of the business day in the UK) and they agreed to supply me with three evaluation licenses for their PowerConvert software. The good news is that I completed my P2V conversion. The bad news is that my experience of the product was not entirely smooth and it took a fair chunk of last week and most of my bank holiday weekend too.
The software installation was straightforward enough, detecting that there was no SQL server installation present and installing an MSDE instance. PowerConvert Server doesn’t show up as an application on the Start Menu as it is actually just a set of Microsoft .NET web services and a separate client is required to perform any operations, downloadable from http://servername/powerconvert/client.setup.exe.
Once everything was installed, I got to work on discovering my network infrastructure. PowerConvert automatically located the various domains and workgroups on the network and when I ran discover jobs it found my Microsoft Virtual Server 2005 R2 installation (but didn’t see my VMware Server beta 3 installation). It also struggled for a while with discovering server details for my Windows XP source machine (even after a reboot and with the client firewall disabled) – I never did find the cause of that particular issue (even after following PlateSpin knowledge base article 20350) but after taking the PC to work, hooking up to the corporate LAN and bringing it home again that night, everything jumped into life.
With all PCs discovered, I was ready to carry out a conversion. The basic process is as follows:
Discover the source and target server details.
Create a virtual machine on the target server.
Boot the virtual machine into Windows PE and load the PowerConvert controller.
Take control of the source server, boot this into Windows PE and load the PowerConvert controller.
Restart the target virtual machine, and finalise configuration.
That sounds simple enough, until considering that PowerConvert also handles the changes in the underlying hardware – something that’s not possible with simple disk duplication software.
Everything looked good up to the point of loading the controller on my source machine which just couldn’t connect (and didn’t seem to recognise the network). I tried various conversion job settings and after various failed attempts, including stalled jobs which refused to be aborted (once an attempt is made to abort a job, PowerConvert doesn’t check to see if it was stopped successfully – it just refuses to allow a subsequent attempt to abort the job) and consequential removal and reinstallation of PowerConvert as detailed in PlateSpin knowledge base article 20324 (to free up the source machine and allow another attempt at conversion), I re-read the text file supplied with the installation. It turns out that the out-of-the-box installation didn’t recognise my Broadcom NetXtreme gigabit Ethernet card (not exactly an uncommon network interface) but once the physical target take control ISO packages were updated, that particular issue was resolved (as confirmed using the PlateSpin Analyzer tool – see PlateSpin knowledge base article 20478). Rather than having to manually apply updates, I’d prefer to see the installation routine check the PlateSpin website for updates and install them automatically.
It looked as if I finally had everything working and I left a conversion running overnight but came down the next morning to see the target machine rebooting with a STOP 0x0000007B error (blue screen of death). It turns out that although I’d configured the PowerConvert job to convert my single physical hard disk with two partitions into two dynamic virtual IDE disks, it had still configured a virtual SCSI controller on the target virtual machine and not surprisingly that couldn’t read the IDE disks. I tried various resolutions, including rebooting the virtual machine into the Windows XP Recovery Console but without the administrator password (I had access to an account in the Administrators group but not the Administrator), I couldn’t do much. Unfortunately, the software is licensed on a per-conversion basis (although there are other options) and “PowerConvert will burn a license once the file transfer step of the job has been completed” (see PlateSpin knowledge base article 20357) so that was one of my evaluation licenses burned.
Accepting that my failed attempt was not recoverable, I aborted the job and tried again, this time converting my two physical partitions to two dynamic virtual SCSI disks. This time the job completed successfully.
I now have a working virtual corporate notebook, still joined to the domain, still with the same security identifiers and disk signatures but with a different set of underlying hardware. I still need to get my VPN client working inside the virtual environment but if I can clear that final hurdle then I’ll be ready to ditch the source machine and reach my dual-boot Vista/Linux goal.
In summary, PlateSpin PowerConvert tries to do something complex in a simple and elegant way, using modern technology (web services, the Microsoft .NET framework and Windows PE). Unfortunately, I didn’t find it to be very robust. I’m no developer but I am an experienced Windows systems administrator and infrastructure designer and this was hard work. The product may be better with VMware but I didn’t get a chance to try as it didn’t recognise my VMware Server beta 3 installation. One thing’s for sure – PowerConvert has stacks of potential – if PlateSpin can sort out the reliability issues. If not, then I might as well take a look at the VMware P2V assistant, or Microsoft’s Virtual Server migration toolkit (VSMT).
Over the last couple of days, I migrated my e-mail service to Microsoft Exchange Server. I’ve been meaning to do this since I first bought my own domain name in the late 1990s but a lack of suitable hardware to dedicate to the task has meant that until now it’s been easier to leave the service with my ISP and download it to Outlook using POP3. Using virtualisation technology has enabled me to build an e-mail infrastructure without using any extra hardware.
Phase 1 of the project was installing the mail service and connecting to my ISP’s servers. I wanted to use Microsoft Exchange Server 2003 but for various reasons I didn’t want to extend the schema for my Active Directory (AD), so I created a separate resource forest with an outgoing trust to the original domain and installed Exchange Server there. Following this, I was able to create disabled user accounts and associate the mailboxes with external accounts in the original forest, allowing me to authenticate to my mailbox in the resource forest using my normal account credentials from the original domain (as described in Marc Grote’s article on the MSExchange.org site, although assigning the external associated account is now much simplified using the Exchange Task wizard).
Next, I needed to tell my ISP’s servers to allow messages for my domain to be routed to my server. The ADSL connection that I use is not associated with my domain but it does have a static IP address (an alternative is to use a dynamic DNS service), so after opening up TCP port 25 on the firewall to allow inbound SMTP traffic I created two DNS records for each domain that I own:
Host (A) record to define a server name that resolves to my IP address.
Mail exchanger (MX) record for the domain that resolves to the A record created previously.
With the appropriate DNS records in place, that was all the configuration needed at the ISP’s end, but Exchange still needed to be configured to forward e-mail to the ISP’s SMTP relay – easily accomplished using the Exchange Server 2003 Internet Mail Wizard. The important thing to be sure of is that the server is not configured as an open relay (recent versions of Exchange Server lock this down by default). Once the SMTP connection was in place, e-mail started to flow (although for a while some mail was still being delivered to my ISP’s servers until the DNS entries had completely propagated around the Internet).
DNS Stuff is a mine of useful information, so I ran a DNS report on my domain name. This turned up various warnings about my ISP’s DNS configuration (which I can’t really do much about) but also a warning that my server’s SMTP greeting included a non-existent host name (the internal DNS name for the Exchange server):
220 hostname.internaldnsdomainname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 May 2006 12:30:31 +0100
According to the warning, if the server sends e-mail using a non-existent host name in its EHLO or HELO, e-mail could be blocked by anti-spam software, as well as being a technical violation of RFC 821 section 4.3 and RFC 2821 section 4.3.1. After correcting the host name used in the greeting, the server now announces itself with a publicly resolvable name:
220 mailserver.domainname Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 May 2006 13:18:44 +0100
Note that the hostname given in the SMTP greeting doesn’t have to be precise – it doesn’t matter that the SMTP server may handle e-mail for multiple domains (as mine does), as long as the host name given resolves to the correct IP address.
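The two checks described above (the MX record must point at an A record, and the name in the SMTP greeting must resolve to the server’s public address) are easy to script. The following is an added example, not code from the original post or from DNS Stuff: it works over a constructed DNS table instead of live lookups, and the names `mailserver.example.net`, `example.net` and `broken.example` and the address `203.0.113.10` are placeholders, not the author’s real domain or server.

```python
import re

# Constructed stand-in for public DNS (assumption: placeholder names and a
# documentation-range address, not the author's real infrastructure).
DNS = {
    "A": {
        "mailserver.example.net": "203.0.113.10",
        # The internal Exchange name deliberately has no public A record.
    },
    "MX": {
        "example.net": ["mailserver.example.net"],
        "broken.example": ["mx.nowhere.invalid"],  # MX target that never resolves
    },
}

# Greeting from the post, before the fix: the host name is internal only.
ORIGINAL_GREETING = ("220 hostname.internaldnsdomainname Microsoft ESMTP MAIL Service, "
                     "Version: 6.0.3790.1830 ready at Thu, 25 May 2006 12:30:31 +0100")
# Constructed corrected greeting using the placeholder public name.
CORRECTED_GREETING = ("220 mailserver.example.net Microsoft ESMTP MAIL Service, "
                      "Version: 6.0.3790.1830 ready at Thu, 25 May 2006 13:18:44 +0100")

GREETING_RE = re.compile(r"^220[ -](?P<host>\S+)")
# One DNS label: letters/digits, optional inner hyphens, 1..63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def greeting_hostname(banner):
    """Extract the host name the server announces in its 220 greeting."""
    m = GREETING_RE.match(banner)
    if not m:
        raise ValueError("not an SMTP 220 greeting: %r" % banner)
    return m.group("host")


def is_fqdn(name):
    """True if the name has at least two syntactically valid labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def check_greeting(banner, expected_ip):
    """Return a list of problems with the greeting host name (empty if OK)."""
    host = greeting_hostname(banner)
    problems = []
    if not is_fqdn(host):
        problems.append("%s is not a fully qualified host name" % host)
    addr = DNS["A"].get(host)
    if addr is None:
        problems.append("%s does not resolve in public DNS" % host)
    elif addr != expected_ip:
        problems.append("%s resolves to %s, expected %s" % (host, addr, expected_ip))
    return problems


def check_mx(domain, expected_ip):
    """Check every MX target for the domain has an A record at the expected IP."""
    problems = []
    targets = DNS["MX"].get(domain)
    if not targets:
        return ["no MX record for %s" % domain]
    for target in targets:
        addr = DNS["A"].get(target)
        if addr is None:
            problems.append("MX target %s has no A record" % target)
        elif addr != expected_ip:
            problems.append("MX target %s resolves to %s, expected %s"
                            % (target, addr, expected_ip))
    return problems


if __name__ == "__main__":
    for banner in (ORIGINAL_GREETING, CORRECTED_GREETING):
        print(greeting_hostname(banner), check_greeting(banner, "203.0.113.10"))
    for domain in ("example.net", "broken.example"):
        print(domain, check_mx(domain, "203.0.113.10"))
```

Against a real domain the two table lookups would be replaced by live A and MX queries; the structure of the checks (syntactically valid FQDN, resolvable, and resolving to the address the mail is actually sent from) is what a DNS report tool is testing.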
It’s important to configure the underlying network correctly – i.e. check the binding order of the various network interfaces, disable unwanted services on the external interface, only configure one interface with a default gateway (the external interface), only configure one interface for DNS and check that there is a valid route configured back to each internal network. Jim Harrison has written an excellent article on configuring ISA Server interface settings.
By default, ISA Server 2004 will not let any traffic pass (on any interface) – i.e. it is secure by default.
Do not configure the ISA Server to use both internal and external DNS servers. The ideal solution is to configure DNS forwarding from the internal DNS server(s) to the ISP’s DNS servers and create an access rule to allow outbound DNS traffic. If DNS is configured incorrectly, then the server may have difficulties contacting Active Directory which will have a consequential effect on authentication.
Configure individual access rules to allow all required outbound network services and consider the order of the rules (i.e. is one rule denying access before another is processed). Multiple rules can be configured for different user sets and schedules.
In general, access rules are used to allow outbound access whilst internal resources are “published”.
When publishing HTTP(S) servers, make sure that there is an appropriate web listener configured.
When publishing SMTP (or other) servers, there is no web listener, but there must be an appropriate network listener configured. Generally, internal SMTP servers will be configured only to allow mail to be received from certain hosts, so it may be necessary to make the traffic appear as if it originated from the ISA Server. Thomas Shinder has written an excellent article on troubleshooting SMTP server publishing rules.
If restricting access to certain users, ensure that integrated authentication is enabled and authentication is required.
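The point about rule order (a broad deny placed before a narrower allow silently blocks the users the allow was meant for) is easiest to see with a first-match evaluator. This is an added example written for this page, not ISA Server code or its actual rule engine: it models access rules with the elements the notes above mention (protocol, user set, schedule, source), applies ISA Server’s default-deny when nothing matches, and reports rules that can never fire because an earlier rule already covers them. Rule names and user names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = None  # sentinel: the rule places no restriction on this element


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    protocol: str                               # e.g. "HTTP", "DNS", "SMTP"
    users: Optional[FrozenSet[str]] = ANY       # user set, or ANY
    hours: Optional[Tuple[int, int]] = ANY      # schedule (start, end) in 24h, end exclusive
    sources: Optional[FrozenSet[str]] = ANY     # source hosts/networks, or ANY


@dataclass(frozen=True)
class Request:
    protocol: str
    user: str
    hour: int
    source: str


def _covers(allowed, item):
    return allowed is ANY or item in allowed


def _in_schedule(hours, hour):
    return hours is ANY or hours[0] <= hour < hours[1]


def matches(rule, req):
    return (rule.protocol == req.protocol
            and _covers(rule.users, req.user)
            and _covers(rule.sources, req.source)
            and _in_schedule(rule.hours, req.hour))


def evaluate(rules, req):
    """First matching rule wins; nothing matching means deny (ISA default)."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "<default>"


def _set_covers(earlier, later):
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    return earlier >= later


def _hours_cover(earlier, later):
    if earlier is ANY:
        return True
    if later is ANY:
        return False
    return earlier[0] <= later[0] and earlier[1] >= later[1]


def shadowed(rules):
    """Return (shadowed_rule, earlier_rule) pairs: the later rule can never match."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.protocol == later.protocol
                    and _set_covers(earlier.users, later.users)
                    and _set_covers(earlier.sources, later.sources)
                    and _hours_cover(earlier.hours, later.hours)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule sets: the first has the broad deny ahead of the admin allow.
RULES_WRONG_ORDER = [
    Rule("Deny web for everyone", "deny", "HTTP"),
    Rule("Allow web for admins", "allow", "HTTP", users=frozenset({"admin"})),
    Rule("Allow DNS to ISP", "allow", "DNS", sources=frozenset({"internal-dns"})),
]
RULES_FIXED_ORDER = [RULES_WRONG_ORDER[1], RULES_WRONG_ORDER[0], RULES_WRONG_ORDER[2]]

if __name__ == "__main__":
    admin_web = Request("HTTP", "admin", 10, "ws1")
    print(evaluate(RULES_WRONG_ORDER, admin_web))   # denied by the broad rule
    print(evaluate(RULES_FIXED_ORDER, admin_web))   # allowed
    print(shadowed(RULES_WRONG_ORDER))              # the admin allow is dead
```

The shadow check is deliberately conservative: it only flags a rule when every element of an earlier rule is at least as broad, which is exactly the case where the later rule is unreachable regardless of traffic.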
Indeed, late last night I received an e-mail inviting me to download beta 2 of Office 2007 but strangely it said that “The Windows Vista Beta is not yet available. The Beta Experience newsletter will inform you about the availability of the Windows Vista Beta”. Vista beta 2 (build 5384) is clearly available for download from Microsoft Connect but, as usual, the product groups don’t seem to be talking to one another.
I still like the new user interface although I haven’t used any of the telephony or video-chat functions. The Windows Live Messenger beta was recently expanded and is well worth investigating for those who are currently using MSN Messenger. Alternatively for cross-network instant messaging without any telephony frills, switch to GAIM.
A few days ago I was completely amazed to hear how one of my clients had duplicated some of their servers – they had simply broken a mirror, placed the second disk in a new server, then added another disk in each server to recreate the mirror (repeat until all servers are successfully duplicated). It may be ingenious, but it’s also extremely bad practice.
The client in question is in the process of preparing for a migration from Windows NT to Windows Server 2003 and Active Directory. Although NT doesn’t get too upset if servers are cloned, including their security identifier (SID), Active Directory does. They now have three choices:
Rebuild the problem servers.
Remove the servers from the domain.
Use a tool like Sysinternals NewSID to change the SIDs (both officially unsupported by Microsoft).
Whatever the decision, it’s all extra (and unnecessary) work – completely avoidable.
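Before a migration like this one, it is worth finding out which machines actually share a SID. Every local account on a Windows machine carries the machine SID (the S-1-5-21-x-y-z prefix) followed by a relative identifier, so collecting one well-known local account SID per server (the built-in Administrator has RID 500) and grouping on the prefix reveals the clones. The following is an added example, not code from the original post or from Sysinternals; the server names and SID values in the inventory are constructed.

```python
import re
from collections import defaultdict

# S-1-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")
NT_AUTHORITY = 5
NON_UNIQUE = 21        # first subauthority of machine/domain-issued SIDs
ADMINISTRATOR_RID = 500


def parse_sid(sid):
    """Split a textual SID into its identifier authority and subauthorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    return int(m.group("auth")), subs


def machine_identifier(sid):
    """Return the machine SID prefix (21, x, y, z) for a local account SID, else None."""
    auth, subs = parse_sid(sid)
    if auth != NT_AUTHORITY or len(subs) < 5 or subs[0] != NON_UNIQUE:
        return None
    return tuple(subs[:4])


def rid(sid):
    """Relative identifier: the last subauthority."""
    return parse_sid(sid)[1][-1]


def find_cloned_machines(inventory):
    """inventory maps host name -> SID of that host's local Administrator.
    Returns {machine_prefix: [hosts]} for prefixes shared by more than one host."""
    groups = defaultdict(list)
    for host, sid in inventory.items():
        if rid(sid) != ADMINISTRATOR_RID:
            raise ValueError("%s: expected the built-in Administrator SID" % host)
        prefix = machine_identifier(sid)
        if prefix is not None:
            groups[prefix].append(host)
    return {prefix: hosts for prefix, hosts in groups.items() if len(hosts) > 1}


# Constructed inventory: three servers built by splitting a mirror share a SID,
# one server was installed normally.
INVENTORY = {
    "srv01": "S-1-5-21-1234567890-987654321-1122334455-500",
    "srv02": "S-1-5-21-1234567890-987654321-1122334455-500",
    "srv03": "S-1-5-21-1234567890-987654321-1122334455-500",
    "srv04": "S-1-5-21-2222222222-3333333333-4444444444-500",
}

if __name__ == "__main__":
    for prefix, hosts in find_cloned_machines(INVENTORY).items():
        print("S-1-5-%s shared by %s" % ("-".join(map(str, prefix)), ", ".join(hosts)))
```

Only the local Administrator SID is used because it exists on every machine with a fixed RID, which makes the comparison uniform; any other local account would do as long as the same one is read from every host.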