Microsoft beta madness

Talk about confusing… the long overdue Windows Vista beta 2 (not a community technology preview but a real beta release) has widely been expected to ship this week and yesterday, Bill Gates announced that beta 2 versions of Windows Vista, Windows Server (codenamed Longhorn) and Office 2007 are available.


Indeed, late last night I received an e-mail inviting me to download beta 2 of Office 2007 but strangely it said that “The Windows Vista Beta is not yet available. The Beta Experience newsletter will inform you about the availability of the Windows Vista Beta”. Vista beta 2 (build 5384) is clearly available for download from Microsoft Connect but, as usual, the product groups don’t seem to be talking to one another.

Windows Live Messenger Beta goes public


I’ve been using the Windows Live Messenger Beta for a few months now and since I originally wrote about my first impressions of the product, it’s changed quite a bit (although doesn’t seem to have overcome any of the issues which Alex criticised it for at the time).

Windows Live Messenger Beta - new interface

I still like the new user interface although I haven’t used any of the telephony or video-chat functions. The Windows Live Messenger beta was recently expanded and is well worth investigating for those who are currently using MSN Messenger. Alternatively, for cross-network instant messaging without any telephony frills, switch to GAIM.

Meanwhile, corporate users should move away from using public IM services and switch to something like Live Communications Server 2005 and the Office Communicator client.

How not to image servers

A couple of weeks back, I wrote about using Microsoft’s system preparation tool (SysPrep) to prepare virtual machine images for duplication. It doesn’t really matter whether the machine is virtual or physical, the principle is still the same (my point was that cloning virtual machines using a file copy is easy but needs to be prepared in a specific way – i.e. using SysPrep).

A few days ago I was completely amazed to hear how one of my clients had duplicated some of their servers – they had simply broken a mirror, placed the second disk in a new server, then added another disk in each server to recreate the mirror (repeat until all servers are successfully duplicated). It may be ingenious, but it’s also extremely bad practice.

The client in question is in the process of preparing for a migration from Windows NT to Windows Server 2003 and Active Directory. Although NT doesn’t get too upset if servers are cloned, including their security identifier (SID), Active Directory does. They now have three choices:

  • Rebuild the problem servers.
  • Remove the servers from the domain.
  • Use a tool like Sysinternals NewSID to change the SIDs (both officially unsupported by Microsoft).

Whatever the decision, it’s all extra (and unnecessary) work – completely avoidable.
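Before deciding which of the three options to take, it helps to know exactly which servers share a SID. The following check is an added example and is not from the original post: it derives each server’s machine SID from the SID of its built-in Administrator account (always RID 500, whatever the account has been renamed to) and groups the servers by that value. The server names are placeholders, and it assumes the servers can be queried over WinRM/CIM with an account that has local administrator rights on them.

```powershell
# Added example (not from the original post): report servers that share a machine SID.
# Assumes WinRM is enabled on the targets and the running account can query CIM on them.
$servers = 'srv01', 'srv02', 'srv03'   # placeholder names

function Get-MachineSid {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Every local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator account keeps RID 500 even when renamed, so strip that RID.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount = TRUE AND SID LIKE '%-500'"
    if (-not $admin) { throw "No local RID-500 account found on $ComputerName" }
    return ($admin.SID -replace '-500$', '')
}

$results = foreach ($s in $servers) {
    try {
        [pscustomobject]@{ Server = $s; MachineSid = Get-MachineSid -ComputerName $s }
    } catch {
        Write-Warning "$s : $_"
    }
}

$duplicates = $results | Group-Object -Property MachineSid | Where-Object { $_.Count -gt 1 }
if ($duplicates) {
    foreach ($g in $duplicates) {
        Write-Output ("Machine SID {0} is shared by: {1}" -f $g.Name, ($g.Group.Server -join ', '))
    }
} else {
    Write-Output 'No duplicate machine SIDs found.'
}
```

Run it from a management workstation against the whole batch of cloned servers; any group with more than one member is a server that needs one of the three remedies above before it joins the new domain.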

Inane IT conversations

This morning, the office has been full of much hilarity and mirth – as well as extreme geekiness.

It all started off when discussing the appropriate colour patch leads to use for a new network (really – network administrators will understand that this is important) and Nick suggested that the colour of the cable is related to the speed (it’s certainly true that the light blue cables which are our corporate connections have significantly slower Internet access than the yellow ADSL in the corner!). Allan had his own theory that whatever is planned, in reality cable colour is directly related to the proximity of the cable – it doesn’t matter what colour should be used, the answer is whatever is closest to hand.

Next comes in the Project Manager, looking for a “jealousy” of architects (she claimed that was the correct collective noun), which got me googling…

According to Chris Sells’ blog post on collective nouns for geeks, it’s a “glass house” of architects and a “slack” of project managers. There are some other funny ones in Chris’ post that I won’t repeat here but I’m returning to my glass house now. Really, I like to think of myself as just one element of a RAIG (Redundant Array of Intelligent Geeks), although based on our conversations today the use of the word intelligent is questionable…

Removing MOM’s Active Directory management pack helper object

A few months back I had a look at Microsoft Operations Manager (MOM) 2005. Then, a couple of weeks back, I noticed that one of my servers had the Microsoft Operations Manager 2005 Agent installed, as well as the Active Directory management pack helper object. I uninstalled the Microsoft Operations Manager 2005 agent from the Add/Remove programs applet in Control Panel, but when I went to remove the helper object I was greeted with the following error (and the MSI Installer logged event ID 11920 in the application log):

Active Directory Management Pack Helper Object
Service ‘MOM’ (MOM) failed to start. Verify that you have sufficient privileges to start system services.

Retrying the operation produced the same error, so I was forced to cancel, then confirm the cancellation, before finally receiving another error message (and the MSI Installer logged event ID 11725 in the application log):

Add or Remove Programs
Fatal error during installation.

The answer was found on the microsoft.public.mom newsgroup – I needed to reinstall the MOM agent before the AD management pack helper object could be removed but there was a slight complication because I no longer have a MOM server (I deleted my virtual MOM server after finishing my testing). Manual agent installation is possible, but I needed to supply false details for the management group name and management server in order to let the installation take place with a warning that the agent would keep retrying to contact the server (all other settings were left at their defaults).

Once the agent installation was complete, it was a straightforward operation to remove the Active Directory management pack helper object, before uninstalling the MOM agent (successfully indicated by MSI Installer event ID 11724 in the application log).

It’s a simple enough workaround but represents lousy design on the part of the MOM agent/management pack installers – surely any child helper object installations should be identified before a parent agent will allow itself to be uninstalled?

Creating an RJ45 Ethernet loopback cable

Sometimes it’s handy to make a PC think that it is connected to a network, even if there isn’t one physically present (e.g. in a test environment where not all services are replicated). This is quite easy to achieve with an RJ45 Ethernet loopback cable. By using 6″ lengths of the core from a CAT5 Ethernet cable to connect pin 1 to pin 3 and pin 2 to pin 6, a simple device is created which will fool a network interface card into thinking it is connected to a network. (That is the 10/100BASE-T pinout; a gigabit interface uses all four pairs, so for a gigabit loopback the remaining pairs are looped as well, pin 4 to pin 7 and pin 5 to pin 8.)

RJ45 Ethernet loopback cable

The nice thing about standards is that there are so many to choose from

A couple of weeks back, I wrote about Microsoft Office 2007, including the new OpenXML file format. In a recent Windows IT Pro magazine network WinInfo Daily Update, Paul Thurrott reported that the competing OpenDocument Foundation has announced a plug-in for Microsoft Office that will let users open and save documents natively in the open-source OpenDocument format (ODF), which has recently been standardised and is supported by IBM and Sun Microsystems. The plug-in, which has been in development for about a year, makes OpenDocument documents seem as if they’re native to Office. Add Adobe’s portable document format (PDF) and Microsoft’s XML paper specification (XPS – formerly codenamed Metro) into the mix and we have plenty of scope for document confusion.

Both OpenXML and ODF are open standards that are freely licensed, but it remains to be seen whether either will become dominant. I have a feeling that we’ll have competing XML-based document standards to grapple with for many years to come.

Redirecting web proxy access when the server name changes

Despite the problems I experienced migrating from Proxy Server 2.0 to ISA Server 2004 last night, I did have some success using a little DNS trickery to avoid changing the proxy settings on all clients (the new web proxy server has a different name to the old one). Here’s how it works:

  1. In DNS, delete the original host address (A) record for the old server (a CNAME cannot share its name with any other record, so this has to happen first).
  2. Next, create a host address record for the new server and an alias (CNAME) record with the name of the old server, pointing to the fully qualified domain name of the new server.

All DNS lookups for the old server should be redirected to the new server (via the DNS alias), allowing the proxy settings in the web browser to be updated at leisure (of course, in an Active Directory environment, they could also be updated via group policy).
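The two DNS steps, followed by the check that the old name now lands on the new server, as an added example using the Windows DNS Server PowerShell cmdlets (this is not from the original post, which was done with the Windows Server 2003 DNS console). The zone name, server names and address are placeholders, and it assumes the DnsServer module (RSAT or Windows Server 2012 and later) and rights to edit the zone.

```powershell
# Added example, not from the original post. Placeholder zone, names and address.
$zone     = 'corp.example.com'
$oldProxy = 'proxy01'      # the name still configured in the browsers' proxy settings
$newProxy = 'proxy02'      # the new ISA server
$newIp    = '10.1.0.10'

# 1. Remove the old server's A record. A CNAME cannot coexist with any other
#    record at the same name (RFC 1034), so the alias cannot be added until this is gone.
Get-DnsServerResourceRecord -ZoneName $zone -Name $oldProxy -RRType A -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force

# 2. Make sure the new server has an A record, then alias the old name to its FQDN.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $newProxy -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $newProxy -IPv4Address $newIp
}
Add-DnsServerResourceRecordCName -ZoneName $zone -Name $oldProxy -HostNameAlias "$newProxy.$zone"

# 3. Check: a lookup of the old name should return the CNAME followed by the new server's A record.
$answer = Resolve-DnsName -Name "$oldProxy.$zone" -Type A
$answer | Format-Table Name, Type, NameHost, IPAddress -AutoSize
if (($answer | Where-Object Type -eq 'A').IPAddress -notcontains $newIp) {
    Write-Warning "$oldProxy.$zone does not resolve to $newIp yet; flush the resolver cache (ipconfig /flushdns) and check zone replication."
}
```

Clients that cached the old A record will keep using it until its TTL expires, so allow for that (or flush their caches) before judging whether the redirection worked. The old server must also stay off the network, or its dynamic DNS registration will try to re-create the A record that the alias replaced.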

Configuring network connections for ISA Server 2000/2004 (aka when proxy server migrations turn bad)

It was supposed to be so easy. The new server was already built, with the same IP addresses as the old one. All I had to do was disconnect the NT 4.0 Proxy Server from the network and power on the new Windows Server 2003 R2 box with Internet Security and Acceleration (ISA) Server 2004 on it, then configure and test a few filter rules; but I had forgotten the first law of IT consultancy – nothing is ever straightforward – which is why I’m writing this post on the train to work after rolling back the migration and getting just 4 and a half hours sleep last night…

Firstly, I decided that the ISA Server should be joined to the Active Directory. My original plan had been that leaving it in a workgroup would be secure, but as I didn’t want to allow unrestricted anonymous (i.e. unmonitored) Internet access I’d be limited with my authentication options (either set up a RADIUS server to handle authentication or mirror the user accounts on the ISA Server). I wasn’t confident that ISA Server would work well if it was joined to a domain after installation so I uninstalled ISA Server, joined the computer to the domain, and reinstalled ISA Server, plus service pack 2 and other updates.

It only took a few seconds to configure the cache and set up a firewall policy rule to allow all ports outbound access (just as a test, I could lock it down again later), add all the internal networks and enable the web proxy client, following which Internet access from the local network was restored. The trouble was that none of the machines on remote sites could access the Internet.

Suspecting a DNS issue, I began to investigate name resolution problems and (here was my mistake) questioning why no forwarders were configured on the internal DNS server (because DNS monitoring showed that the simple queries were fine, but recursive lookups were failing). If I’d been thinking clearly, I would have realised that the internal network doesn’t need to have a recursive DNS path to the ISP’s DNS servers (the proxy server should handle that on behalf of the clients) – although I do think that having a clear path from clients to the internal DNS and onwards to the ISP’s DNS is the most straightforward configuration, supporting both internal (Active Directory) and external (Internet) name resolution (and Microsoft’s advice is to configure only internal or external DNS on the ISA Server – not both).

The problem was the network configuration on the ISA server. Jim Harrison’s excellent article on configuring ISA Server interface settings is my bible when configuring the network cards on an ISA server, but I hadn’t set up the routes from the external network to my internal networks correctly. The local LAN was fine, but ISA Server was rejecting requests from remote internal networks because it didn’t understand the underlying network path (flagging a configuration error alert warning that the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table). When I monitored the traffic flow, I could see incoming requests that were denied, with no rule given as the reason – another clue that there was a problem with the network rules.

Although the configuring ISA Server interface settings article points out that a route will be required to each internal network, I’d set the next hop as the internal interface of the ISA server, rather than the local router (the internal NIC doesn’t have a default gateway if configured correctly). Adding persistent routes for each of the internal networks (route -p add remoteinternalnetwork mask subnetmask routeripaddress) fixed the issue, after which nslookup (and web access) began to work from all sites.
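The same routing fix, plus the two checks that would have caught the mistake earlier, as an added example in PowerShell (not from the original post, which used route -p add on Windows Server 2003). The interface name, router address and network prefixes are placeholders: it assumes the ISA server’s internal NIC is called “Internal” and sits on 10.1.0.0/24 with the site router at 10.1.0.1, and that the three prefixes listed are the remote internal networks reached through that router.

```powershell
# Added example, not from the original post. Placeholder interface name, router and prefixes.
$internalIf = 'Internal'
$router     = '10.1.0.1'
$remoteNets = '10.2.0.0/16', '10.3.0.0/24', '192.168.50.0/24'

# Check 1: only the external NIC should own the default route.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue
if ($defaultRoutes.InterfaceAlias -contains $internalIf) {
    Write-Warning "Interface '$internalIf' has a default gateway; remove it and route the internal networks explicitly."
}

# Check 2: no internal route may point at this server's own internal address (the mistake described above).
$ownInternalIp = Get-NetIPAddress -InterfaceAlias $internalIf -AddressFamily IPv4 |
    Select-Object -First 1 -ExpandProperty IPAddress

foreach ($net in $remoteNets) {
    $existing = Get-NetRoute -DestinationPrefix $net -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.NextHop -eq $ownInternalIp) {
            Write-Warning "$net has next hop $ownInternalIp (this server); replacing it with $router"
            $existing | Remove-NetRoute -Confirm:$false
        } else {
            Write-Output "$net already routed via $($existing.NextHop) on $($existing.InterfaceAlias)"
            continue
        }
    }
    # New-NetRoute writes to both the active and the persistent store by default,
    # so this is the equivalent of 'route -p add <network> mask <mask> <router>'.
    New-NetRoute -DestinationPrefix $net -InterfaceAlias $internalIf -NextHop $router | Out-Null
}

# Show what will survive a reboot; every remote internal network should appear with the router as next hop.
Get-NetRoute -PolicyStore PersistentStore -AddressFamily IPv4 |
    Where-Object DestinationPrefix -in $remoteNets |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize
```

After the routes are in place, the ISA network definition for the Internal network still has to list the same address ranges; the configuration error alert mentioned above fires whenever the two disagree, so re-check it after adding or removing a route.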

Unfortunately, by the time I’d worked this out, it was too late to set up and test the various filter rules that are needed to ensure correct (authenticated) HTTP(S) and FTP browsing, SMTP e-mail, access to OWA, etc., so I decided to back out and reconnect the legacy proxy server. At least now I know that the connectivity problems are resolved, I can attempt the migration again another evening.