ISA Server 2004 “gotchas”

After having to abort last week’s attempt to replace an aging Microsoft Proxy Server 2.0 installation with Microsoft Internet Security and Acceleration (ISA) Server 2004, last night I had another go and I’m pleased to say that the ISA Server is now up and running. There are still some minor issues that I need to resolve, but here’s a summary of the key points that affected me:

  • It’s important to configure the underlying network correctly – i.e. check the binding order of the various network interfaces, disable unwanted services on the external interface, only configure one interface with a default gateway (the external interface), only configure one interface for DNS and check that there is a valid route configured back to each internal network. Jim Harrison has written an excellent article on configuring ISA Server interface settings.
  • By default, ISA Server 2004 will not let any traffic pass (on any interface) – i.e. it is secure by default.
  • Do not configure the ISA Server to use both internal and external DNS servers. The ideal solution is to configure DNS forwarding from the internal DNS server(s) to the ISP’s DNS servers and create an access rule to allow outbound DNS traffic. If DNS is configured incorrectly, then the server may have difficulties contacting Active Directory which will have a consequential effect on authentication.
  • Configure individual access rules to allow all required outbound network services and consider the order of the rules (i.e. is one rule denying access before another is processed). Multiple rules can be configured for different user sets and schedules.
  • In general, access rules are used to allow outbound access whilst internal resources are “published”.
  • When publishing HTTP(S) servers, make sure that there is an appropriate web listener configured.
  • When publishing SMTP (or other) servers, there is no web listener, but there must be an appropriate network listener configured. Generally, internal SMTP servers will be configured only to allow mail to be received from certain hosts, so it may be necessary to make the traffic appear as if it originated from the ISA Server. Thomas Shinder has written an excellent article on troubleshooting SMTP server publishing rules.
  • If restricting access to certain users, ensure that integrated authentication is enabled and authentication is required.

Microsoft beta madness

Talk about confusing… the long overdue Windows Vista beta 2 (not a community technology preview but a real beta release) has widely been expected to ship this week and yesterday, Bill Gates announced that beta 2 versions of Windows Vista, Windows Server (codenamed Longhorn) and Office 2007 are available.

The betas are ready! Office

Indeed, late last night I received an e-mail inviting me to download beta 2 of Office 2007 but strangely it said that “The Windows Vista Beta is not yet available. The Beta Experience newsletter will inform you about the availability of the Windows Vista Beta”. Vista beta 2 (build 5384) is clearly available for download from Microsoft Connect but, as usual, the product groups don’t seem to be talking to one another.

Windows Live Messenger Beta goes public

Windows Live Messenger

I’ve been using the Windows Live Messenger Beta for a few months now and since I originally wrote about my first impressions of the product, it’s changed quite a bit (although doesn’t seem to have overcome any of the issues which Alex criticised it for at the time).

Windows Live Messenger Beta - new interface

I still like the new user interface although I haven’t used any of the telephony or video-chat functions. The Windows Live Messenger beta was recently expanded and is well worth investigating for those who are currently using MSN Messenger. Alternatively for cross-network instant messaging without any telephony frills, switch to GAIM.

Meanwhile, corporate users should move away from using public IM services and switch to something like Live Communications Server 2005 and the Office Communicator client.

How not to image servers

A couple of weeks back, I wrote about using Microsoft’s system preparation tool (SysPrep) to prepare virtual machine images for duplication. It doesn’t really matter whether the machine is virtual or physical, the principle is still the same (my point was that cloning virtual machines using a file copy is easy but needs to be prepared in a specific way – i.e. using SysPrep).

A few days ago I was completely amazed to hear how one of my clients had duplicated some of their servers – they had simply broken a mirror, placed the second disk in a new server, then added another disk in each server to recreate the mirror (repeat until all servers are successfully duplicated). It may be ingenious, but it’s also extremely bad practice.

The client in question is in the process of preparing for a migration from Windows NT to Windows Server 2003 and Active Directory. Although NT doesn’t get too upset if servers are cloned, including their security identifier (SID), Active Directory does. They now have three choices:

  • Rebuild the problem servers.
  • Remove the servers from the domain.
  • Use a tool like Sysinternals NewSID to change the SIDs (both officially unsupported by Microsoft).

Whatever the decision, it’s all extra (and unnecessary) work – completely avoidable.

Inane IT conversations

This morning, the office has been full of much hilarity and mirth – as well as extreme geekiness.

It all started off when discussing the appropriate colour patch leads to use for a new network (really – network administrators will understand that this is important) and Nick suggested that the colour of the cable is related to the speed (it’s certainly true that the light blue cables which are our corporate connections have significantly slower Internet access than the yellow ADSL in the corner!). Allan had his own theory that whatever is planned, in reality cable colour is directly related to the proximity of the cable – it doesn’t matter what colour should be used, the answer is whatever is closest to hand.

Next comes in the Project Manager, looking for a “jealousy” of architects (she claimed that was the correct collective noun), which got me googling…

According to Chris Sells’ blog post on collective nouns for geeks, it’s a “glass house” of architects and a “slack” of project managers. There are some other funny ones in Chris’ post that I won’t repeat here but I’m returning to my glass house now. Really, I like to think of myself as just one element of a RAIG (Redundant Array of Intelligent Geeks), although based on our conversations today the use of the word intelligent is questionable…

Removing MOM’s Active Directory management pack helper object

A few months back I had a look at Microsoft Operations Manager (MOM) 2005. Then, a couple of weeks back, I noticed that one of my servers had the Microsoft Operations Manager 2005 Agent installed, as well as the Active Directory management pack helper object. I uninstalled the Microsoft Operations Manager 2005 agent from the Add/Remove programs applet in Control Panel, but when I went to remove the helper object I was greeted with the following error (and the MSI Installer logged event ID 11920 in the application log):

Active Directory Management Pack Helper Object
Service ‘MOM’ (MOM) failed to start. Verify that you have sufficient privileges to start system services.

Retrying the operation produced the same error, so I was forced to cancel, then confirm the cancellation, before finally receiving another error message (and the MSI Installer logged event ID 11725 in the application log):

Add or Remove Programs
Fatal error during installation.

The answer was found on the microsoft.public.mom newsgroup – I needed to reinstall the MOM agent before the AD management pack helper object could be removed but there was a slight complication because I no longer have a MOM server (I deleted my virtual MOM server after finishing my testing). Manual agent installation is possible, but I needed to supply false details for the management group name and management server in order to let the installation take place with a warning that the agent would keep retrying to contact the server (all other settings were left at their defaults).

Once the agent installation was complete, it was a straightforward operation to remove the Active Directory management pack helper object, before uninstalling the MOM agent (successfully indicated by MSI Installer event ID 11724 in the application log).

It’s a simple enough workaround but represents lousy design on the part of the MOM agent/management pack installers – surely any child helper object installations should be identified before a parent agent will allow itself to be uninstalled?

Creating an RJ45 Ethernet loopback cable

Sometimes it’s handy to make a PC think that it is connected to a network, even if there isn’t one physically present (e.g. in a test environment where not all services are replicated). This is quite easy to achieve, with an RJ45 Ethernet loopback cable. By using 6″ lengths of the core from a CAT5 Ethernet cable to connecting pin 1 to pin 3 and pin 2 to pin 6, a simple device is created which will fool a network interface card into thinking it is connected to a network.

RJ45 Ethernet loopback cable

The nice thing about standards is that there are so many to choose from

A couple of weeks back, I wrote about Microsoft Office 2007, including the new OpenXML file format. In a recent Windows IT Pro magazine network WinInfo Daily Update, Paul Thurrott reported that the competing OpenDocument Foundation has announced a plug-in for Microsoft Office that will let users open and save documents natively in the open-source OpenDocument format (ODF), which has recently been standardised and is supported by IBM and Sun Microsystems. The plug-in, which has been in development for about a year, makes OpenDocument documents seem as if they’re native to Office. Add Adobe’s portable document format (PDF) and Microsoft’s XML paper specification (XPS – formerly codenamed Metro) into the mix and we have plenty of scope for document confusion.

Both OpenXML and ODF are open standards that are freely licensed but it remains to see whether either will become dominant. I have a feeling that we’ll have competing XML-based document standards to grapple with for many years to come.

Redirecting web proxy access when the server name changes

Despite the problems I experienced migrating from Proxy Server 2.0 to ISA Server 2004 last night, I did have some success using a little DNS trickery to avoid changing the proxy settings on all clients (the new web proxy server has a different name to the old one). Here’s how it works:

  1. In DNS, delete the original host address (A) record for the old server.
  2. Next, create a host address record for the new server and an alias (CNAME) record with the name of the old server, pointing to the fully qualified domain name of the new server.

All DNS lookups for the old server should be redirected to the new server (via the DNS alias), allowing the proxy settings in the web browser to be updated at leisure (of course, in an Active Directory environment, they could also be updated via group policy).