Urgent client request

So here I am, last Friday before Christmas… trying to clear out my Inbox before the holidays and an urgent client request comes in…

We have received a late requirement for a virtualised global distribution system based on a traditional Linux Red Hat (with Red Nose) operating system utilising fat-client vertical drop-off delivery systems. The solution must be delivered by 24 December in order for the client to meet business deadlines and avoid massive disappointment to his customers.

The solution must be capable of scaling to meet global demand and have capacity to cater for worldwide overnight silent delivery.

Pull technology must be utilised using the open-source “Reindeer/Sleigh” principle and customer satisfaction is usually measured via the proprietary mince pie/brandy method. Alternative e-satisfaction measures have been tried but failed to satisfy the client.

Our client operates from a single site classified at top secret level using the latest encrypted/virtualised addressing regime. I am allowed to tell you that the operating components (EL-VE-S) are highly resistant to frost.

Storage Area Network Technology Architecture (SAN-TA) is the essential core component.

Any design templates for a solution such as this from previous deployments (last December?) would be welcomed.

All those replying are guaranteed to have a great Christmas. The client has promised.

Happy Holidays

(Thanks to DT for letting me share this)

Migrating passwords with the Active Directory Migration Tool

I’ve spent most of this month working with a customer who is consolidating various Active Directory forests into a single domain. We didn’t use any third party tools – just the standard Microsoft utilities, i.e. Active Directory Migration Tool (ADMT) v3 and Exchange Migration Wizard (one of the Exchange Server 2003 deployment tools) – but they seem to do the job.

As migrating several hundred users to new accounts (with new passwords) would cause a huge number of support calls, I wanted to get the ADMT password migration DLL working. This took some time, but with the help of my enterprise support colleagues (effectively a PSS call), we found a way through. This is what was required:

(For reference, both the source and target domains were in Windows Server 2003 domain and forest functional mode, running Windows Server 2003 with a mixture of service packs 1 and 2.)

  1. Make sure that there is a trust in place between the source and target domains.
  2. Install ADMT by running admtsetup.exe and follow the installation wizard on the computer that will be used for the migration (I used a domain controller in the source domain but ideally you would have dedicated computers for migration activities and it seems logical that this should be in the target domain).
  3. If not already created by ADMT, create a new domain local group called domainname$$$. This group must be empty, and is required in order to migrate the sIDHistory information between source and target accounts.
  4. On the domain controller that will be used to export the account information (usually the DC holding the PDC Emulator operations master role for the source domain), create or set a DWORD registry value called TcpipClientSupport to 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\.
  5. In both the source and target domains, ensure that success and failure auditing is enabled for account management.
  6. On a computer with ADMT installed, create a password encryption key for each source domain, by shelling out to a command prompt and entering the following commands:
    cd %systemroot%\ADMT
    admt key /option:create /sourcedomain:domainname /keyfile:filename.pes

    (the domainname can be specified in NetBIOS or DNS format.)
  7. On the domain controller in the source domain that holds the PDC Emulator operations master role, connect to the computer with ADMT installed (e.g. via the c$ administration share) and access the %systemroot%\ADMT\PES folder.
  8. Run pwdmig.exe to install the ADMT Password Migration DLL and follow the installation wizard. During the installation, supply the password encryption (.PES) file that was created earlier.
  9. This is the step that’s not in the instructions – even though the password encryption file was supplied during the installation of the ADMT Password Migration DLL, it still needs to be imported manually on the PDC Emulator, by shelling out to a command prompt and entering the following commands:
    cd %systemroot%\ADMT
    admt key /option:import /sourcedomain:domainname /keyfile:filename.pes
  10. On the domain controller that will be used to export the account information, create or set a DWORD registry value called AllowPasswordExport to 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\. Note that this value constitutes a security risk and should only be enabled for the duration of the migration.
  11. Restart the computer with the ADMT Password Migration DLL installed.
  12. Start the Password Export Server service.
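Because step 10 leaves a setting behind that should not outlive the migration, here is an added PowerShell script (not part of the original post or of ADMT) that audits the two LSA registry values and the Password Export Server service on a source DC, and with a -Revert switch (my own name) turns password export back off. It assumes the service can be found by its display name, since its internal service name is not given on the page.

```powershell
# Added example: audit/revert the ADMT password export settings on a source DC.
# Run in an elevated prompt on the DC that holds the PDC Emulator role.
[CmdletBinding()]
param(
    [switch]$Revert   # assumed switch: disable export once migration is complete
)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Read one DWORD value from the LSA key; $null if it has not been created.
function Get-LsaDword {
    param([string]$Name)
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$tcpip  = Get-LsaDword -Name 'TcpipClientSupport'
$export = Get-LsaDword -Name 'AllowPasswordExport'
# Assumption: the PES service is located by display name rather than service name.
$pes    = Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue

[pscustomobject]@{
    TcpipClientSupport  = $tcpip
    AllowPasswordExport = $export
    PesService          = if ($pes) { "$($pes.Name) ($($pes.Status))" } else { 'not installed' }
} | Format-List

if ($export -eq 1 -and -not $Revert) {
    Write-Warning 'AllowPasswordExport is still 1: password export from this DC remains enabled. Re-run with -Revert when the migration is finished.'
}

if ($Revert) {
    if ($pes -and $pes.Status -eq 'Running') { Stop-Service -Name $pes.Name }
    if ($pes) { Set-Service -Name $pes.Name -StartupType Disabled }
    if ($export -eq 1) {
        Set-ItemProperty -Path $lsaPath -Name 'AllowPasswordExport' -Value 0 -Type DWord
    }
    Write-Output 'AllowPasswordExport reset to 0 and Password Export Server stopped and disabled.'
}
```

TcpipClientSupport is reported but left alone, since the post does not say it needs to be reverted.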

Most of this is exactly as per the documentation – the main difference is the need to manually import the password encryption file. Without this, I was receiving the following message:

Unable to establish a session with the password export server. The source password export server and the target server do not have the same encryption key for the source domain.

Finally, what permissions are required? I used Local System for the Password Export Server service. For everything else, I used an account which had been created in both forests with identical passwords and which was a member of the Domain Admins group. That’s a little excessive, and best practice would involve using an account with the minimum required permissions. Basically, an account is required that is:

  • Domain administrator in the source domain.
  • Local administrator on the computer on which ADMT is installed.
  • Delegated permissions on OUs that are targets for resource migration in the target domain, including the extended right to Migrate SID History (visible in the Security for an object using the Advanced Features view in Active Directory Users and Computers).

Further advice can be found in the ADMT v3 Migration Guide.

What happened to not being evil…

A few weeks back, I saw the number of browser visits to this site drop dramatically overnight whilst RSS subscriptions remained constant. Thankfully, traffic is now back up to the previous levels and there could be many reasons for this but I have to suspect it’s down to Google’s latest round of cat and mouse with the SEOs.

Webstats for the last few weeks, showing a sharp dip and return to normal and last year's numbers for comparison.

markwilson.it is not a big-shot technology website – just the blog of a guy who works in IT, writes down what he learns, and publishes it for others to read. I don’t charge for that content, largely because I don’t think anyone would pay for it but also because I don’t think that to do so would fit with the spirit of the Internet. I like it when I meet people that read my blog. And I like it when I write something and someone gives something back, like a comment that says it helped them, or that they have something to add to the story. I like it when I find myself in conversation with the public relations agencies of some of the world’s largest IT companies. I also like that the advertising revenues, though still small, have been enough to cover my hosting costs and maybe buy me the odd gadget. Or at least they did until Google made its latest round of changes.

Google is trying to penalise paid links and, at the time of writing, I have a few (clearly marked under the heading of sponsors). There’s nothing wrong with what Google is doing (trying to increase the quality of the results in its index) but it’s the way they do it. I sell advertising here because I need to (somehow) monetise this site (although if I convert that into an hourly wage rate, I’m sure it will make me cry). Ironically, it seems to be OK to carry Google’s paid ads but not anybody else’s – even if they are relevant.

Prominent Google blogger, Matt Cutts, said (in 2005) that:

“Reputable sites that sell links won’t have their search engine rankings or PageRank penalized […] However, link-selling sites can lose their ability to give reputation (e.g. PageRank and anchortext).”

That’s fair enough. It seems that I can take some revenue from selling links but it won’t help the sites that I link to gain PageRank; however, if the paid links are relevant, there is a chance that people reading my site will click through to them and everyone’s a winner. Except that now that seems to have changed and selling links can hurt Google rankings. For what it’s worth, I have a disclosure notice and the advertising, sponsorship and other forms of compensation received do not influence the editorial content on this site. I also use rel="nofollow" tags where relevant to ensure that I follow Google’s directions (although I acknowledge the contribution that comments make to the blogosphere by removing the rel="nofollow" as appropriate). And after two months of tweaking links to fit Google’s model, this week my biggest sponsor ended our contract prematurely because they are dropping this form of advertising altogether.

Thanks for nothing Google. Cutts may be right when he asserts that:

“[…] Google has the right to do whatever we think is best (in our index, algorithms, or scoring) to return relevant results.”

but now they are hitting the small guys too. I can’t rely on AdSense alone. It varies too wildly (and has been declining in recent months, suggesting to me that people are spending less on Internet advertising – probably a reflection on the state of various western economies) and now you’ve started to hit the only form of regular income that this site has. What happened to the “don’t be evil” corporate motto?

I will continue to blog about things I find interesting. Maybe some other people will find it interesting too. Perhaps they will link back here and maybe the number of visitors will start to climb again as I gradually increase my placement in the Google index (however I look at things, I’m still 34.95% up on unique visits so far this month, compared to the same period last year, 47.71% up in pageviews with average pageviews and time on site also on the up, and a falling bouncerate – so the metrics all look good, it’s just the financials that are suffering). Until then, I guess I won’t be buying the MacBook Pro that I’ve had my eye on for so long.

Why I will be remastering my children’s DVDs

There’s been much discussion of the UK’s archaic copyright laws as I’ve questioned the need for DRM and written about ripping DVDs and converting between multimedia formats. I’ve also criticised the BBC for its substandard iPlayer service (even if it does now stream content, it still doesn’t allow offline playback on all platforms and, when it does, the DRM on the offline content is overly restrictive). Well, here’s another example of DRM madness brought to me by the BBC – this time it’s a menu system on a legally purchased DVD.

My children don’t watch a lot of television, but there is one programme, In The Night Garden…, that is almost guaranteed to attract my three-year-old’s attention for a full 30 minutes (believe me, that is an achievement) and also provides a fair amount of delight for my one-year-old (I have to confess that I enjoy it too). It’s a very gentle programme, perfect for a spot of post-lunchtime relaxation, or for winding down before stories and bed. So, there we were, trying to calm down an overtired and slightly poorly little boy who was desperate to see Igglepiggle in the Night Garden and who doesn’t understand the idea of a TV schedule, when we decided that the DVD we had bought the boys for Christmas would be better used right away (and at least give us the chance to prepare a meal for the little people before a sleep).

On went the TV and the DVD player, in went the disc, I pressed the play button and was greeted with two and a quarter minutes of loud, high-energy trailers for other children’s programming from the BBC. I tried to skip the trailers and go straight to the menu but all attempts were greeted with a message that said “operation currently prohibited by the disc”. Now I can understand making me watch the legal notices, but forcing me to watch the trailers (on a DVD intended for children) is wrong. So I will be ripping the programmes from that DVD and re-recording them to disc without the menus, trailers, or anything else. In effect, BBC Worldwide is forcing me to break the copyright on a DVD that I have legally purchased – just to avoid the advertising.

I would complain to BBC Worldwide, but they only publish a postal address (no e-mail) for contact, so I can’t be bothered. And writing to Points of View won’t help either! In the meantime, I’ll leave my complaint on the Internet for any other prospective children’s DVD purchasers to consider…

Not blown away as Altec Lansing goes into orbit

Just over a year ago, I bought an iPod speaker system from Altec Lansing. Easily as good as the Apple equivalent (and at less than half the price), I’ve been really pleased with them, so when Altec Lansing’s public relations team got in touch and asked if I’d be interested in a new portable speaker for review, I was pleased.

Unfortunately, my pleasure didn’t last too long once I received the speaker (yes, singular). You see, I’m now in the second half of my thirties… closer to 40 than to 30 and I have two kids, so I guess I’m entitled to be a grumpy old man. I find it offensive when people (generally teenagers) walk around playing their music on their phones or other portable devices through poor quality, low powered speakers and can’t help thinking that at least in my day I had a “ghettoblaster” the size of a large piece of luggage to annoy people with my idea of good music (I won’t embarrass myself by divulging any further details…). What’s that got to do with the iM207 speaker (also known as the Orbit) that Altec Lansing sent me? Well, quite a lot as it happens as I’ve had my Orbit for a couple of weeks now and I have been trying to think of something good to write about it:

  • I could say that the Orbit is small. But it’s not really – just look at the picture of one next to a standard iPod.
  • I could say that the Orbit looks good. But it doesn’t. I’m sorry but I just don’t find black and chrome-effect plastic very attractive (although, now I come to think of it, that’s what the iPod uses…).
  • What about battery life? To be honest, I don’t know (Altec Lansing claim 24 hours on three triple-As) and anyway, that will vary according to a number of factors including the battery brand and characteristics, as well as the type and volume of music being played.
  • What about sound quality – surely that’s the most important thing? Yes, it is, but my iPhone’s internal speakers are better and when I plug the Orbit into my iPod I can only listen at up to about 25% volume before the distortion starts to kick in.
  • I could say that the Orbit is inexpensive. But I think £29.99 is a lot for something that’s not really very good. £14.99 would be a different story.
  • The best thing I can say about the Orbit is that the cable storage is well thought through and it’s iPhone friendly. There’s also a 2.5mm converter for use with mobile phones that don’t have a 3.5mm headphone jack.
  • There is one more thing too… you can get an Orbit for free – and hey, maybe you’ll like it better than I did. Just go to the YouGroove site and sign up.

So, I’m sorry Altec Lansing… you asked for a fair review and I really tried but the Orbit just doesn’t do it for me. Maybe I’m just not in that target “YouGroover” audience and I like my music to either be personal (i.e. in-ear) or to be played through a decent speaker system.

Dara Ó Briain talks about IT

So there I was, lying in bed in my hotel room, when Dara Ó Briain comes on the telly and starts talking about IT… it made me laugh a lot. So much that I thought I’d reproduce it here:

“[IT is] full of amazing bullshit job titles that didn’t exist 10, 20 years ago. You’re a developer for Christ’s sake eh! Do you have a web master in the office? [Yes] Of course you do. Yeah. Web master is my favourite of all of those – walking around the office going ‘I Am A Web Master. I Am Master Of The Web. Feel The Power Of My Fire Wall. It is not actually a wall of fire, no it is more of a protocol for e-mails, anyway, never mind – I Am A Web Master. I am not social situation master – no I can’t do that at all no. I am not talking to women master – no there are too many variables in that situation as well I can’t be handling that’.

That, and my favourite thing about your industry by the way is ‘solutions’. You do love the solutions don’t ya? You know, when your computer’s not working and you’re kinda going, ‘ah, it’s not working, get the guy’ and one of your people arrives, in a cape, going ‘I, am a Solution Provider. You, you’re a problem provider, back away problem provider – you would not understand my solution, it is too technical for you, get out, get out of the room. Do not look at the computer – your eyes hurt the computer – get out! Have they gone? Lovely. Control – Alt – Delete…'”

[Dara Ó Briain, Comedian]

Microsoft security suffers from “the Škoda badge problem”

I’m attending a Microsoft Forefront Security course and it was interesting to hear the analogy that the instructor used to describe how people perceive Microsoft and security when used in the same sentence… he referred to it as the Škoda badge problem – i.e. that everyone knows a modern Škoda is a well-engineered car built on a trusted Volkswagen platform but Škoda is still struggling to discard its image as a producer of cheap eastern-European cars. Similarly, Microsoft has some excellent security products (e.g. ISA Server) but the perception is that they are from Microsoft so they can’t be secure.


For the last few days, I’ve been writing a migration process for an Active Directory and Exchange migration that I’m working on.

It shouldn’t be necessary to cram documents for technical people full of screenshots but experience tells me that:

  • It’s what many IT team leaders expect.
  • If you don’t provide lots of pictures then people don’t follow the process correctly.

Unfortunately, experience also tells me that:

  • People don’t follow the process correctly anyway.
  • Adding many screenshots to a document greatly increases the time it takes to produce the process and the cost of maintaining it.

Anyway, getting back to the point, I’ve just written a document with a lot of screen shots in it. It makes very dull reading (and it wasn’t much fun to write either) but the process of taking the screenshots was greatly improved using the SnagIt screen capture software from TechSmith.

Why not just stick with Alt+PrtScr? Because that needs me to paste the screen grab into something afterwards (and before someone leaves a comment – yes, I do know that Linux and Mac users can just save a .PNG file to the desktop). SnagIt will let me select the region of the active window that I want to grab (e.g. just a particular menu), control output of the screenshot, name it for me, put it in a folder, etc. and generally save me a load of time.

Microsoft releases a beta for Hyper-V

Windows Server 2008 beta testers are probably aware that the release candidate distributions include a pre-release version of the new virtualisation platform that is now known as Hyper-V (formerly known as Windows Server Virtualisation and codenamed Viridian).

With Hyper-V due to follow Windows Server 2008 release (within 180 days), it was widely anticipated that no formal beta would be available until Windows Server 2008 was finalised but Microsoft is announcing the first Hyper-V beta release today, including support for quick migration and high availability, ability to run Hyper-V as a Server Core role and integration of Hyper-V into Server Manager. Further details of Hyper-V are available on the Microsoft website.

WordPress blog fails with more than 10 e-mail addresses on a page

Arghhh! I’ve just spent the last 3 hours trying to write a post on another site that I manage using WordPress. I can’t find anything on the support forums but it seems that every time a page or post includes more than 10 items that look like an e-mail address then the following message is displayed when an attempt is made to save it to the database:

Internal PHP Processing Error (#99911 – q:numberofemailaddresses) in /usr/home/username/public_html/wp-admin/post.php. Please contact support and include this message.

In my case we’re at a critical stage in the campaign and encouraging people to contact their local Councillor. With 11 Councillors on the committee the 10 e-mail address limit is frustrating…

I’ll post a link here if I ever get a resolution to this. In the meantime, if any WordPress or PHP experts have a suggestion for a fix or workaround, please leave a comment!