Fluff stops play

This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I think I heard the other day that Apple has sold something like 5 million 3G iPhones since launch. That’s a drop in the ocean compared with the number of devices that manufacturers like Nokia sell but nevertheless quite a big chunk of the smartphone market. Unfortunately it also seems that the quality control has slipped in order to get so many devices out (based on the problems that some of my friends have had) and the v2.x software is certainly not as solid as the v1.x (even without applications installed).

Bearing that in mind I was disappointed, but not entirely surprised, to find that the microphone in my iPhone headset was not working last week. I wasn’t sure if the problem was with the headset or the phone itself but I booked an appointment with a “Genius” at my local Apple Store to see if the problem could be identified. Sure enough, it was – and it was probably the least taxing of all the problems that particular genius had to solve that day… some fluff inside the headphone socket, preventing the headset jack from making a proper connection. Once cleaned out everything was working fine. So, if you are experiencing similar problems, take out a can of compressed air and save yourself a trip to the Apple Store.

Active Directory design considerations: part 6 (domain controller placement and site design)

Continuing the series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, this post discusses the design considerations for placement of Active Directory domain controllers and the associated site links.

Domain controller (DC) placement can have a huge impact on user experience (e.g. the impact on logon times) but generally the choices are for placement on hub sites or at satellite (branch) locations and these should each be considered on a case-by-case basis, looking at the network and application requirements.

It’s worth mentioning that available network bandwidth has generally increased considerably since early Active Directory deployments were designed and this will allow for consolidation of the overall number of domain controllers in many cases.

With regards to global catalog (GC) servers, there are very few reasons not to make all domain controllers global catalog servers. Indeed, in a single-domain forest, all domain controllers are effectively GCs. In particular, multi-domain forests using user principal names (UPNs) for logon should consider making each DC a GC.

Read-only domain controllers (RODCs) are new in Windows Server 2008 and provide read-only access to Active Directory. Many people (myself included) have compared this functionality with Windows NT backup domain controllers (BDCs) but that’s not a true comparison as no passwords are stored locally and an RODC cannot be promoted to a full DC. The introduction of RODC functionality is really a security feature to mitigate the risk from theft of a DC on a high-risk site (e.g. a branch location without a physically secure computer room) and is not really intended for DMZ access to AD. RODCs can reduce replication, as they only replicate inbound traffic; however where users travel between several remote sites they can increase logon traffic as the user’s details may not be available on the RODC.

The decision as to whether to deploy an RODC or a full DC will depend on:

  • Application requirements (e.g. does the application need to write to the directory).
  • Site topology (e.g. site link bridging turned off – see below).
  • Password replication policy (no account caching will lead to increased WAN/hub DC traffic).

Further details may be found in Microsoft’s RODC planning and deployment guide.

AD site design is closely linked to DC placement and there are two basic models:

  1. A logical site for every physical location, assigning subnets for each physical location to the corresponding site.
  2. A logical site for every physical location that has one or more DCs, assigning subnets for physical locations to the most appropriate site (based on the underlying network).

Both approaches work well; however with the first option, DNS site coverage must be considered (i.e. ensure that the appropriate name server records are in place). With the second option, clients are automatically referred. It’s also worth considering other applications (e.g. DFSR) and if there is no DC on site then option 1 may make more sense.

Site links should map to the underlying physical network with appropriate costs and replication schedules applied. According to Microsoft, one common mistake is to assign all sites to the DEFAULTIPSITELINK – effectively using a single link for replication and preventing the application of appropriate costs for least-cost routing.

Also, the option to bridge all site links is on by default and, although this is appropriate on a fully routable network (i.e. one where all DCs can communicate freely) it is not recommended for branch offices (due to the overheads associated with the intersite messaging transport and calculating site links) and can be disabled using repadmin /siteoptions (which still allows DFSR to calculate site link costs).

Custom site link bridges may be used where a network is not fully routable (e.g. if firewalls restrict communication between DCs).
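As an added illustration of the site link points above (this is not code from the original post, nor anything from Microsoft), the following model runs least-cost routing over a constructed set of site links: it shows why putting every site on DEFAULTIPSITELINK throws away cost information, and how turning bridge-all-site-links off limits replication to sites that share a link or are joined by an explicit site link bridge. All site names, link names and costs are constructed.

```python
"""Least-cost replication routing over AD site links (constructed model).

Added example, not the post's own code: nothing here queries a real
directory; the topology below is made up for illustration.
"""
import heapq

# Constructed topology: two hubs and three branches. Lower cost is preferred.
SITES = ["HubA", "HubB", "Branch1", "Branch2", "Branch3"]
SITE_LINKS = {
    # link name:       (cost, member sites)
    "HubA-HubB":       (50,  {"HubA", "HubB"}),
    "HubA-Branch1":    (200, {"HubA", "Branch1"}),
    "HubB-Branch2":    (200, {"HubB", "Branch2"}),
    "Branch1-Branch3": (400, {"Branch1", "Branch3"}),
}
# The common mistake from the post: every site left on DEFAULTIPSITELINK.
DEFAULT_ONLY = {"DEFAULTIPSITELINK": (100, set(SITES))}


def adjacency(site_links):
    """Two sites sharing a site link can replicate directly at that link's cost
    (cheapest link wins if they share more than one)."""
    adj = {}
    for cost, members in site_links.values():
        for a in members:
            for b in members:
                if a != b and cost < adj.setdefault(a, {}).get(b, float("inf")):
                    adj[a][b] = cost
    return adj


def dijkstra(site_links, src, dst):
    """Cheapest transitive path as (cost, [sites]); None when unreachable."""
    adj = adjacency(site_links)
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue
        for nxt, hop in adj.get(site, {}).items():
            if cost + hop < best.get(nxt, float("inf")):
                best[nxt] = cost + hop
                heapq.heappush(heap, (cost + hop, nxt, path + [nxt]))
    return None


def route(site_links, src, dst, bridge_all=True, bridges=()):
    """With bridge-all-site-links on, every chain of links is transitive.
    With it off (the repadmin /siteoptions case in the post) the two sites must
    share a site link, or the links must be joined by an explicit site link
    bridge (a set of link names)."""
    if bridge_all:
        return dijkstra(site_links, src, dst)
    candidates = []
    for cost, members in site_links.values():
        if {src, dst} <= members:
            candidates.append((cost, [src, dst]))
    for bridge in bridges:
        found = dijkstra({n: site_links[n] for n in bridge}, src, dst)
        if found:
            candidates.append(found)
    return min(candidates) if candidates else None


def design_warnings(site_links, sites=SITES):
    """Names of site links that carry every site: one link for all replication
    means no least-cost routing can take place."""
    return [name for name, (_, members) in site_links.items()
            if members >= set(sites)]


if __name__ == "__main__":
    print("costed design:", route(SITE_LINKS, "Branch3", "HubB"))
    print("default link only:", route(DEFAULT_ONLY, "Branch3", "HubB"))
    print("bridging off, no bridge:",
          route(SITE_LINKS, "Branch3", "HubB", bridge_all=False))
    print("warnings:", design_warnings(DEFAULT_ONLY))
```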

The AD replication topology is automatically managed by the knowledge consistency checker (KCC) based on the site link design, automatically creating the connection objects that are required for replication. The KCC-generated topology is used for AD and sysvol replication using the file replication service (FRS); however in Windows Server 2008 sysvol is replicated using DFSR, once the domain functional level is at Windows Server 2008. This increases scalability (removing inefficiencies around FRS version vector joins). For new Windows Server 2008 native domains, replication of sysvol via DFSR is automatic but for upgraded domains there is a migration process to follow.

In the next post in this series, I’ll take a look at the design considerations for domain controller configuration.

More on Microsoft’s ad campaign – are you a PC?

So, were the Gates/Seinfeld ads canned? Who knows – right from the start they were supposed to be teasers, something to get a conversation started – and they sure did that – the ‘net is awash with people (like me) saying how lame they are (although I’ve seen a few comments from people saying that they were starting to get into things with the second ad).

Now the blogosphere (and mainstream industry sites) are awash with people saying how Microsoft has come up with “I’m a PC” to take a swipe back at Apple – but without being funny. Hang on guys… you’re missing the point! I’m a PC is just a soundbite – saying how (Windows) PCs have been stereotyped as dull things from the office, things that are unreliable, things that can’t do anything exciting – but that over a billion real people use (Windows) PCs to do real things and showing some of those people. Personally, I don’t like the “I’m a PC” statement from the myriad users featured in the ads (“I use a PC” would be fine) but, then again, I come from the country that invented the English language (England) and these ads are targeted at people who speak American (there is no such thing as US English!).

Then there is the Life without Walls campaign – showing how many things can be done on a PC and how one operating system transcends so many devices used throughout the world.

Windows - Life Without Walls

And the Mojave Experiment, which basically said “come and look at Windows before writing it off as a disaster”.

I can see that this campaign is multifaceted. It seems to lack something to link the disparate themes of Mojave, Seinfeld/Gates, I’m a PC, Life without Walls and the manufacturer-focused Vista Velocity but I do at least understand where this is heading now. And I think it’s a smart move inviting consumers to add their own videos to the campaign, further underlining the fact that ordinary people use Windows PCs (a PC is not a stereotype).

As for the Microsoft-bashers, well, they’ll always find something to poke at, like that the ads were apparently made on a Mac Apple PC – but really, so what? (Many professional design studios do use Macs but that doesn’t mean a Windows PC is not perfectly good enough for home movies).

At last, this campaign seems to be going somewhere, but I can’t help thinking there are a bunch more Bill and Jerry ads waiting to slip out one day.

An alternative view

The links below highlight the views on this subject from a few well-known Microsoft-watchers:

Active Directory design considerations: part 5 (security groups)

Continuing the series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, this post discusses the design considerations for the creation and use of security groups within Active Directory.

First of all, let’s recap on the various group scopes.

Account groups are used to group users and computers. There are two types:

  • Global groups may contain members from their own domain (only).
  • Universal groups may contain members from any domain in the same forest and their membership is included in the global catalog in order to support mail-enabled groups.

Permissions may be assigned to either type of group (as long as they are in the same or a trusted domain).

Resource groups are used to assign rights and permissions and, again, there are two types:

  • Domain Local groups may contain members from any trusted domain in any forest (so are required if there is to be a cross-forest group membership).
  • Built-in local groups.

Permissions may be assigned to either type of group but only in their own domain.

Some organisations will ignore the differences in group scope if they are using a single domain environment, as the various types of group will function in a similar manner; however it’s worth considering that the forest/domain design may change over time (e.g. as a result of business changes) and so it is always good practice to use the appropriate group type.

The recommended approach is to add users to account groups, then add account groups to resource groups and use the resource groups to assign permissions on objects.

One consideration is nesting – whilst nested groups help to keep the size of the Kerberos token down (Microsoft knowledge base article 263693 is old now, but explains why this may be an issue), it can also make auditing difficult. Nesting is not to be totally avoided; however the complexity of the nested groups should be carefully considered. In particular, nesting groups into the built-in Administrators group should be avoided as it creates a potential “back door” into a system – anyone with the ability to add users to one of the nested groups can effectively make themselves an administrator!

Adding users directly to a domain local group is not good practice but there are situations where it can be useful. For example, if there are two forests with a trust relationship, adding user accounts from one forest into a domain local group in the other may be preferable to adding a global group from the trusted domain to the domain local group, which effectively delegates control over the domain local group to the administrator in the trusted forest – almost certainly undesirable.

Basically, add users to account groups, account groups to resource groups and assign permissions to resource groups where possible but sometimes a little flexibility may be required.
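Added example, not the post’s own code: a small in-memory model of the group design described above, run over a constructed directory. It flattens nested membership (what will end up in the Kerberos token), lists every group nested under the built-in Administrators group (the “back door” noted above) and reports users added directly to resource groups rather than via account groups. Group and user names are made up.

```python
"""Audit model for the account-group / resource-group pattern in the post.

Added example, not the post's own code: the directory below is a
constructed stand-in for live AD queries so that it runs offline.
"""
from collections import deque

# Constructed sample directory: group name -> (scope, direct members).
# Global/Universal are account groups; DomainLocal/BuiltinLocal are
# resource groups, following the scopes recapped in the post.
DIRECTORY = {
    "Administrators": ("BuiltinLocal", {"Domain Admins", "Helpdesk-Tier2"}),
    "Domain Admins":  ("Global",       {"alice"}),
    "Helpdesk-Tier2": ("Global",       {"Helpdesk-Tier1", "bob"}),
    "Helpdesk-Tier1": ("Global",       {"carol"}),
    "FileShare-RW":   ("DomainLocal",  {"Finance-Users", "dave"}),
    "Finance-Users":  ("Global",       {"erin"}),
}
RESOURCE_SCOPES = {"DomainLocal", "BuiltinLocal"}


def is_group(name):
    return name in DIRECTORY


def effective_members(group):
    """Flatten nested membership: every user reachable from `group`, mapped to
    the chain of groups that grants it (the first, shortest chain found)."""
    paths = {}
    seen = {group}
    queue = deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in DIRECTORY[current][1]:
            if is_group(member):
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:
                paths.setdefault(member, chain)
    return paths


def admin_back_doors(admin_group="Administrators"):
    """Groups nested, at any depth, under the built-in Administrators group.
    Whoever can add members to any of these can make themselves an
    administrator. Default nestings (e.g. Domain Admins) will show up too and
    should be reviewed rather than blindly removed."""
    nested = set()
    queue = deque([admin_group])
    while queue:
        current = queue.popleft()
        for member in DIRECTORY[current][1]:
            if is_group(member) and member not in nested:
                nested.add(member)
                queue.append(member)
    return sorted(nested)


def agdlp_violations():
    """Users placed directly in resource groups, bypassing the recommended
    users -> account groups -> resource groups order."""
    findings = []
    for name, (scope, members) in DIRECTORY.items():
        if scope in RESOURCE_SCOPES:
            findings.extend((name, m) for m in sorted(members) if not is_group(m))
    return findings


if __name__ == "__main__":
    for user, chain in effective_members("Administrators").items():
        print(f"{user} is an administrator via {' -> '.join(chain)}")
    print("groups nested under Administrators:", admin_back_doors())
    print("users directly in resource groups:", agdlp_violations())
```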

In the next post in this series, I’ll take a look at the design considerations for domain controller placement and the associated site links.

Bye bye iTunes… hello 7digital

For the last few years, I’ve been using Apple iTunes to manage my music collection. I ripped all of my full length CDs to MP3 using iTunes (at the highest bitrate it allowed at the time – 192kbps) although I still have about 500 CD singles to do and I now favour a higher bitrate (even if I can’t hear it, I’d like to know that the quality is there should I want to do something else with the media at a later date as technology progresses). Sam C. Lin carried out an interesting study comparing MP3 encoding with the linear PCM recording used for CD audio.

Until today, all of my digital downloads have come from the iTunes Store (DRM-free where the record companies allow it). Unfortunately the record companies don’t like Apple’s market dominance and the DRM-free iTunes Plus catalogue is still very limited.

Whilst indie music fans have DRM-free alternatives like eMusic, for my more mainstream tastes I’ve been waiting for Amazon to bring their digital download service to the UK but then, frustrated by the 30 second clips of various mixes on iTunes of “Paddy’s Revenge” by Steve Mac (sampling the Penguin Café Orchestra), I decided to Google a little and found an alternative download site – 7digital. Not only did 7digital sample a different section of the track (allowing me to decide which mix I would like) but it offers MP3 downloads at up to 320kbps and a big discount if I buy all the mixes together (just like when I used to buy CD singles). Furthermore, 7digital has just become the first European music site to offer DRM-free downloads from all four of the big music publishers.

Within a few minutes, my shopping basket included a couple more individual tracks that I’ve been thinking of getting – “Love Is Noise” by The Verve and “Sex on Fire” by Kings of Leon (I did stop short of buying Katy Perry‘s “I Kissed a Girl” though). Then I saw that 7digital had a section for music from TV Ads and I got browsing… a few minutes later I’d also picked up “She’s So Lovely” by Scouting for Girls.

I still don’t buy albums in digital format as I’d like a physical media backup and, to be perfectly honest, knocking a pound off the retail price is not a big enough discount – it’s not as if the artists get paid a bigger share and the distribution costs must be almost nothing – but then I saw that 7digital had albums on sale at £2, £3 (and even free). It’s not just obscure stuff that’s reduced either – I could buy “Yours Truly, Angry Mob” by Kaiser Chiefs in 320kbps MP3 format for £4.99 (although I chose to buy just the tracks I wanted) but not all albums are that cheap as their earlier album “Employment” was £7.99 (so, pretty much on a par with the supermarkets, Amazon.co.uk and Play.com).

To checkout, I needed to create an account but I could pay by card, PayPal or text message and, once my payment had been processed, I could download my tracks individually or as a zip file (even change format for tracks that had multiple formats available at the same price) and those tracks are still available for me to download again at a later date (via a feature called my locker).

7digital locker

After downloading, I simply dragged the MP3 files to iTunes, switched to my “Recently Added” playlist, selected the new tracks and added them to the “Purchased” playlist. As should be expected, all tracks were supplied complete with album art and other metadata.

So what does this tell me?

  1. iTunes is easy – that’s why I’ve been buying tracks there for the last few years. But, now that DRM is no longer an issue, downloading tracks from somewhere else is just one extra step (after importing them into iTunes they can be synced with my iPhone/iPod).
  2. It is possible to get better quality downloads (legally) and better pricing if you shop around. Maybe not everyone will have the same catalogue but 7digital has a major advantage through its arrangements with all four major music publishers.

What should it tell the music industry?

  1. People will still pay for DRM-free music, at the right price.
  2. People like me, who are too old to spend Saturday afternoons hanging around HMV (anyway, I have a family these days) will still buy music if you make it easy enough – maybe not in the quantities I used to but it’s worth noting that I spent money this afternoon that I wouldn’t have done if there wasn’t a legal download option.

I’ll still use iTunes to manage my music and video library but I don’t see any reason for me to go back to the iTunes store now… regardless of what the new “Genius” sidebar in iTunes 8.0 tells me (I hate Apple’s use of that word!) – from now on, it’s 7digital all the way for me.

Apple iTunes 8, showing recently added tracks and the genius sidebar

Active Directory design considerations: part 4 (group policy objects)

So far in this series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, I’ve looked at forest and domain design and organizational unit (OU) structure. This post discusses some practices for the application of group policy objects (GPOs).

Group policy is a powerful feature of Active Directory but it’s important to consider management at the design stage as GPO management can become problematic if not carefully controlled.

At present, Microsoft Consulting Services is advising the use of:

  • Separate OUs for user and computer settings – this makes GPO application easier to troubleshoot, especially if complex features such as loopback (see Microsoft knowledge base article 231287) are in use.
  • Small GPOs with fewer settings where possible – whilst this will increase the overall number of GPOs to process, it aids management (easy to keep track of which GPO is doing what) and if a policy change is detected by a client at startup or during a scheduled refresh downloading a smaller GPO will assist with performance.

Advanced Group Policy Management (AGPM) (formerly DesktopStandard GPOVault) is a feature of the Microsoft Desktop Optimisation Pack (MDOP) – a software assurance benefit for Microsoft customers with particular licensing agreements. It allows the creation of a change control and reporting workflow so that GPOs are not created at will by administrators but are implemented in a controlled manner (i.e. check out policy, offline edit, check in policy, gain approval, release new policy). AGPM v3.0 (which is due for imminent release) will provide new features including increased granularity, a role-based administration model and improved reporting.

Windows Server 2008 also implements a new feature called Group Policy Preferences (formerly DesktopStandard PolicyMaker Standard Edition and PolicyMaker Share Manager). Group Policy Preferences is included within the Group Policy Management Console in Windows Server 2008 but requires client side extensions to be installed on downlevel clients (see Microsoft knowledge base article 943729). The technology allows the configuration of items that are not normally possible in Group Policy (e.g. granular targeting of printer assignment) to avoid the use of login scripts (which increase login times and create additional management overhead).

In the next post in this series, I’ll take a look at the design considerations for creation and use of security groups within AD.

In case you were wondering why I don’t write much about VMware…

Wearing as many hats as I do, I enjoy a variety of relationships with a number of IT hardware, software and services companies on various levels. I try to remain objective when I write on this blog but sometimes those other companies make it difficult.

For example: Microsoft talks to me as a partner, as a customer and as press (they take a very broad view of the press and include bloggers in that group – real journalists will almost certainly disagree) and I get a lot of information, some of which I can write about, and some of which is under NDA (sometimes the problem is remembering in which context I heard the information and therefore what I can or can’t say!); Fujitsu talks to me as an employee (and for that reason I can’t/don’t/won’t say very much about them at all); VMware sort of talk to me as a customer and it would be nice if they talked to me as a partner (they do speak to a number of my colleagues) but mostly they don’t talk to me at all…

This summer, I attended two events about desktop virtualisation within a few days of one another – one from Microsoft and the other from VMware. I was going to write a blog post about desktop virtualisation and Microsoft but I decided to hold back, in the interest of balance, to compare the Microsoft desktop virtualisation story with the VMware one. Except that the “VMware VDI Roadshow” event that I was attending turned out to be hosted by a partner (BT Basilica) and VMware were just the warm-up act for the pre-sales pitch. There was no mention of that when I registered – in fact no mention of Basilica until the last pre-event e-mail (when the sending address switched from events@vmware.com to marketing.campaign@basilica.co.uk) but within a few hours of attending (and before I was back in the office) I’d received an e-mail from someone at BT Basilica asking if they could help me at all with my virtualisation deployments.

Meanwhile, VMware had promised that the slide decks from the event would be made available if I asked for them on my feedback form (I did), so I didn’t make full notes at the presentation. Almost three months on, with calls to BT Basilica, an e-mail to the VMware presenter from that day, and having registered my displeasure in a follow-up telesales call on behalf of BT Basilica, I still don’t have the presentation slides.

So that’s one reason why I don’t have much that’s good to say about VMware right now. That and the fact that I have enjoyed almost no benefits for being a VMware Certified Professional. I would hope that VCPs would be the ideal audience to target for information about product developments, new releases, roadmaps, etc. but apparently not. If I want to stay current on VMware products then I have to do my own research (or pay for a training course).

Then there’s my purchase of VMware Fusion. After weeks of asking why their licensing system showed the license key for my copy of the product (which was purchased in an Apple store) as an evaluation copy, I was unable to get a satisfactory answer. Then version 2.0 was released as a free upgrade for existing registered customers and I heard… silence.

Next week, VMware is running its Virtualisation Forum in London and I registered for attendance a few weeks back but, with a week to go, I’m still waiting to hear if my registration has been accepted (despite having received confirmation that they have my details and will be in touch) – and my follow-up e-mails are, as yet, unanswered. Maybe I’m on a waitlist because the event is full but it would be good to know if that’s the case.

I could go on but, by now, you are probably getting the picture…

VMware are leaders in their market but my experience of the company is not a good one – neither as a business customer nor as a consumer. This is a tiny blog and I’m sure VMware don’t care what I have to say (far less so than they would for Alessandro Perilli or virtualisation specialists like Scott Lowe) but, as I said at the top of this post, I wear many hats, and one of them involves building up my organisation’s capabilities around a certain vendor’s virtualisation products. So, next time I write about Microsoft’s virtualisation products here, please bear in mind that I did try to balance things up… and VMware didn’t want to know.

Account lockouts and software updaters

CA eTrust update configuration, with no option to use the browser settings

<rant>Why can’t application developers use the default browser settings for Internet access via a proxy? For two months now, I’ve been struggling with account lockouts whenever I visited the office (thankfully that’s not too often) and then today I discovered, purely by accident, that my anti-virus client was out of date and that I had it configured to use the corporate proxy server using what was probably an old password. Coincidence? We’ll see next time I visit the office. As you can see from this screenshot, I can enter proxy settings, even proxy authentication details but I can’t elect to use the browser settings (which I change according to whether I’m at home or in the office). Gahhhhhh!</rant>

Hate Windows UAC? Have you actually tried the alternatives?

The next time somebody complains about Windows User Account Control (UAC), I’d like them to actually try using a Mac as a standard user (i.e. not the default setting, which is an Administrator, albeit not the root user). I’m in the process of applying Apple’s latest 10 updates, which are huge (I didn’t notice the total for all 10, but it was well over half a gigabyte – just one HP Printer Driver Update was 142MB and the Mac OS X 10.5.5 update is 321MB).

In the intervening time, during which I’ve been writing this post on another PC, I’ve had to enter my Administrator credentials four five six times to allow Apple Software Update to do its thing. Mac OS X (and Linux) use a time-based system whereby once I’ve entered my elevated credentials they are valid for a set period but at least once I’ve told Windows Update that I do want to install a bunch of updates, that process (and any child processes) are then allowed to continue unhindered. It seems that the answer for me should really be to use setuid and make Apple Software Update run elevated but that is not necessarily a good idea either.

I guess there are advantages and disadvantages to either approach (actually, the time-based approach has a significant weakness in that any process can run elevated during that window) but the real point is that UAC is there for our protection – and it’s not really that big a problem in my experience.

Meanwhile, for hardcore Windows users that would like to implement an equivalent of the Linux/OS X setuid command in Vista (or Windows Server 2008, I guess), Joel Bennett explains how to do it with PowerShell.

Active Directory design considerations: part 3 (organizational units)

In the previous post in this series of posts about design considerations for Microsoft Active Directory (AD), based around the MCS Talks: Enterprise Architecture series of webcasts, I looked at forest and domain design. This post continues with a look at organizational unit (OU) structure.

The OU structure is not exposed to users but can make a big difference to the management of Active Directory objects. It is very flexible and therefore easy to change, but change costs money and has the potential to impact on production applications (so it should be avoided where possible).

Consequently, there are a couple of guiding principles to be followed:

  1. Design the OU structure for the delegation of administrative responsibility.
  2. Design the OU structure for group policy object (GPO) application.

Delegation of administration should be given priority, because GPO application can also be filtered using security groups, but Microsoft does also recommend the following:

  • Do not move domain controllers out of their own OU (some applications may rely on well-known GUIDs and default GPOs).
  • Do not move built-in users and groups from the Users container (due to the potential impact on the monitoring of ACL changes using AdminSDHolder – see Microsoft knowledge base article 232199).
  • If Windows Server 2008 is being used, protect OUs from accidental deletion (this will be enabled for new OUs but not for legacy OUs from an in-place upgrade).

There is no “correct” way to design an OU structure – as the appropriate model varies from organisation to organisation but one approach to OU design is to base the top level OUs on the object type and then subdivide by role. Another approach is a geographic top level (countries do not change very often…) but the most important point is to follow an appropriate administrative model and where different objects are managed by different administrative teams, consider delegation. One thing that is almost universally agreed upon is not to replicate the organisational structure – security groups can be used for this (and are much easier to manage – e.g. for filtering GPO application).

In the next post in this series, I’ll take a look at design considerations for group policy objects.