Author: Mark Wilson

  • ieSpell – a spell checker for Internet Explorer

    One of my favourite features in .Text (the blogging engine used by my Conchango Blog) is ieSpell – a spell checker for Internet Explorer.

    ieSpell is a free (for non-commercial use) Internet Explorer browser extension which can be used to check the spelling of text input boxes on a web page. Particularly useful for users who perform a lot of web-based text entry (e.g. web mails, forums, blogs, diaries), it is both fast (i.e. it runs client-side) and flexible, as its personal word list (custom dictionary) is the same for whichever site it is run against (cf. a server-side system, which would only work for one particular web application). I also like it because it has a UK English dictionary as well as the ubiquitous US English default dictionary.

    Once installed, ieSpell may be accessed in one of three ways:

    1. Using the Tools menu.
    2. Using the Toolbar button.
    3. Using a context-sensitive (right-click) menu.

    ieSpell is available for download from the ieSpell website.

  • Five ways to help protect your identity

    A few months back I wrote about the Microsoft At Work microsite and its advice for maintaining your computer at work. It may be a little high level – but it is aimed at end users and that in itself is good because us techies are generally not too good at communicating with non-technical people.

    Microsoft At Work has a sister microsite – Microsoft At Home. Again, it’s full of practical advice, but is more consumer-focused and one of the articles that caught my eye recently discusses avoiding phishing scams. Phishing is a rapidly increasing form of online crime concerned with identity theft. In a phishing scam, a malicious person attempts to obtain personal information such as credit card numbers, passwords, account information, or other personal information by convincing the end user to give it to them under false pretences. Phishing schemes usually come via spam e-mail or pop-up windows.

  • Windows Update Services name change?

    Windows Update Services (WUS) is the new name for Software Update Services (SUS). Except it might not be. Last week, Thomas Lee (who is well placed to comment on such things, being both a Microsoft Regional Director and an MVP) quite rightly pointed out that WUS a) sounds bad; and b) is not an accurate description of what the product does.

    For more information about SUS/WUS see SUSserver.com and the Windows Update Services Wiki.

  • Biometric USB flash drive – how cool is that?!

    I know that it is just a logical evolution of the humble USB flash drive and the decreasing cost of biometric security (even my local gym uses a fingerprint reader now for members to sign in and out) but last week Thomas Lee showed me the Trek ThumbDrive Swipe, which combines fingerprint swipe sensor technology with flash memory based USB storage. Fingerprint security on a USB stick is cool. Now all I need is for someone to invent something to stop me losing mine all the time…

  • New features of Windows Server 2003 Active Directory

    A couple of weeks back, I was at a Microsoft TechNet UK event, where the topic was New features of Windows Server 2003 Active Directory, presented by John Howard, IT Pro Evangelist, Microsoft UK.

    I’ve been working with Active Directory (AD) since the early days of Windows 2000 (Windows NT 5.0 as it was then), and to be perfectly honest wondered how much there could be that’s new with the latest version. Whilst the session was possibly a little lightweight, I was surprised to learn just how many new features there are, as my previous view of Windows Server 2003 was that much of the improved functionality comes in the form of new services.

    The new AD features fall into four main areas:

    • Simplified management.
    • Connecting forests.
    • Connecting small offices.
    • Managing group policies.

    The rest of this post will discuss each of these in turn.

    Simplified management
    Simplified management is about improving the user experience for administrators. For example, within the Active Directory Users and Computers and Active Directory Sites and Services management tools, administrators can now drag and drop objects into new containers, OUs or groups, e.g. when adding user(s) or group(s) to a group, or moving a server to a new site.

    Tip: Within Active Directory Users and Computers it helps if the option to view users, groups and computers as containers is selected.

    Improvements have also been made in locating objects, with new functionality such as saved queries in Active Directory Users and Computers, accessed like a folder (e.g. queries based on a user or group name or description, or on the number of days since the last logon). The queries are LDAP-based and can have their own root (i.e. they do not have to be relative to the whole domain). It should also be noted that saved queries are local to the computer and can be exported – e.g. übergeek queries can be created and exported to a help desk machine.
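    As an added example (not part of the original post), the following builds the LDAP filter that sits behind a “days since last logon” saved query and applies the same condition to some constructed sample accounts. It assumes the query is evaluated against the lastLogonTimestamp attribute (the replicated logon attribute introduced with Windows Server 2003 forests), which is stored as a Windows FILETIME; the account names and timestamps are made up.

```python
# Builds the LDAP filter behind a "days since last logon" saved query and
# applies it to constructed sample entries. Assumes the query is based on
# lastLogonTimestamp, stored as a FILETIME: 100-nanosecond intervals since
# 1601-01-01 UTC.

UNIX_EPOCH_AS_FILETIME_SECONDS = 11644473600  # seconds from 1601-01-01 to 1970-01-01
HUNDRED_NS_PER_SECOND = 10_000_000


def unix_to_filetime(unix_seconds):
    """Convert a Unix timestamp (seconds since 1970) to a Windows FILETIME."""
    return (unix_seconds + UNIX_EPOCH_AS_FILETIME_SECONDS) * HUNDRED_NS_PER_SECOND


def stale_logon_filter(days, now_unix):
    """Return an LDAP filter for user accounts whose last logon is older than
    `days`, evaluated relative to `now_unix` (seconds since 1970)."""
    cutoff = unix_to_filetime(now_unix - days * 86400)
    return ("(&(objectCategory=person)(objectClass=user)"
            "(lastLogonTimestamp<=%d))" % cutoff)


def stale_accounts(entries, days, now_unix):
    """Apply the condition the filter expresses to in-memory entries.
    Entries with no lastLogonTimestamp (never logged on since the attribute
    was introduced) are not matched, just as an LDAP '<=' comparison does
    not match an entry that lacks the attribute."""
    cutoff = unix_to_filetime(now_unix - days * 86400)
    return [e["sAMAccountName"] for e in entries
            if "lastLogonTimestamp" in e and e["lastLogonTimestamp"] <= cutoff]


# Constructed sample data: a fixed "now" (2004-11-01 00:00 UTC) and three
# hypothetical accounts.
NOW_UNIX = 1099267200
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice",
     "lastLogonTimestamp": unix_to_filetime(NOW_UNIX - 10 * 86400)},
    {"sAMAccountName": "bob",
     "lastLogonTimestamp": unix_to_filetime(NOW_UNIX - 120 * 86400)},
    {"sAMAccountName": "carol"},  # never logged on: attribute absent
]

if __name__ == "__main__":
    print(stale_logon_filter(90, NOW_UNIX))
    print(stale_accounts(SAMPLE_ENTRIES, 90, NOW_UNIX))
```

    Because lastLogonTimestamp is only rewritten when the stored value is more than about 14 days old (the default sync interval), such a query is accurate to roughly two weeks rather than to the day.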

    Tip: To see exactly where an object exists in the directory, turn on advanced features and look in the object page of the item properties.

    There is also a whole host of new tools, which can be called from the command line or from within custom scripts, allowing repetitive tasks to be automated and complex commands to be simplified. Back in September 2004, I posted further information on new commands in recent Windows releases, and Microsoft knowledge base article 322684 discusses using the directory service command-line tools to manage Active Directory objects in Windows Server 2003.

    Connecting forests
    It is now possible to connect forests using trusts (e.g. following a merger or acquisition, or under some business partnership scenarios), simplifying access to resources in both forests and facilitating single sign-on.

    Forest trusts can be one- or two-way and create a transitive trust between the domains in each forest, but not between forests. With a forest trust, UPN suffixes are used to publish namespaces, which in turn are used to establish where a logon originates from. Each forest is trusted to be authoritative for the namespace(s) which it publishes.

    In order to support forest trusts, both forests must be running at Windows Server 2003 forest functional level.

    Connecting small offices
    Small or branch offices are often characterised by low-speed wide area network links and may not have a local global catalog server, leading to slow logons. Windows Server 2003 includes a new option in the Active Directory Installation Wizard (dcpromo) to create a domain controller from a replica. It works by backing up the system state from an existing domain controller to removable media, then restoring that data on a remote server and running dcpromo /adv. In this way, the initial synchronisation time is reduced, as all the new domain controller needs to synchronise is the changes since the backup was taken. There is one gotcha though – the backup cannot be older than the tombstone lifetime (60 days by default).

    Another useful new feature when connecting small offices is universal group membership caching. Because universal groups may span multiple domains, a global catalog server is required to query the membership (non-global catalog-enabled domain controllers only hold full details for objects in their own domain).

    By caching the membership lists for universal groups, global catalog lookups only need to occur once for each universal group. The membership list is held indefinitely, but is refreshed every 8 hours. Universal group membership caching is enabled at the site level, within the NTDS Site Settings.

    One alternative to universal group membership caching is to make each branch office domain controller a global catalog server, but this has a cost in increased domain replication traffic.

    Managing group policies
    One of the major criticisms of Active Directory group policy objects (GPOs) is that they are difficult to administer. Microsoft does provide tools, but until recently they have been limited in their capabilities. Shortly after Windows Server 2003 was released, Microsoft made the Group Policy Management Console (GPMC) available for download. Since then, GPMC with service pack 1 has been released, which includes a number of bug fixes, revised licensing (to allow GPMC to be run against Windows 2000 domain controllers), support for more languages and a revised XML engine.

    The GPMC is a new administrative tool for centralised management of GPOs, together with a collection of scriptable objects and associated scripts, which use a combination of Windows Management Instrumentation (WMI), Active Directory Services Interfaces (ADSI) and the GPMC object model.

    Surprisingly, although in almost every organisation which uses Active Directory, GPOs affect every user within the business, many organisations do not think about backing up and restoring GPOs. Whilst they can be restored with an authoritative AD restore, that is not a simple process, and the scripts provided with the GPMC allow policies to be backed up and restored, as well as exported and imported (e.g. between test and production domains/forests).

    Tip: Beware (as I found out with one of my clients) that if naming standards allow the use of non-standard characters (e.g. & and ‘) the GPMC scripts may not work as intended. For further information, refer to the September 2004 post which discusses recommendations for Active Directory object naming.

    The GPMC also allows modelling of group policies in a similar manner to the previous Resultant Set of Policy (RSoP) tool. This is particularly useful for its ability to highlight the winning GPO for a policy setting, as well as the ability to view (and save) reports in HTML, or XML format (e.g. for intranet publishing and reference by IT support staff). Note that some settings (e.g. WMI, loopback, IPSec, Wireless, and disk quotas) may be estimates. Also, if a client PC used for modelling is running Windows XP service pack 2 with the default Windows Firewall settings and the original version of GPMC is used (i.e. without service pack 1), it will fail as described in Microsoft knowledge base article 883611.

    Other useful group policy management tools include Group Policy Monitor (gpmonitor), which is used to create and display reports when policy settings are refreshed and the Group Policy Verification Tool (gpotool), which allows administrators to check GPO stability and monitor policy replication including checking for consistency within and across domains. This tool also displays information about GPOs, including properties that cannot be accessed through the Group Policy Object Editor such as the functionality version number and extension globally unique identifiers (GUIDs). Other diagnostic tools (also available in Windows XP) include Group Policy Results (gpresult) and the Group Policy Refresh Utility (gpupdate).

    When diagnosing issues with GPOs, it is also worth checking DNS, as at the event I attended, Microsoft commented that 50% of GPO-related support calls are actually DNS issues.

    Another new feature of Windows Server 2003 group policy is software restriction policies, which can be used to confront the problem of regulating unknown or untrusted code. Software restriction policy rules create one or more exceptions to the default security level, defined by software restriction policies.

    The following types of software restriction policy rules can be created:

    • Certificate rules, which recognise software that is digitally signed by an authenticode software publisher certificate.
    • Hash rules, which recognise specific software based on a hash of the software.
    • Path rules, which recognise software based on the location in which the software is stored.
    • Registry path rules, which recognise software based on the location of the software as it is stored in the registry.
    • Internet zone rules, which recognise software based on the zone of the Internet from which the software is downloaded.

  • SQL Server 2005 Express Edition

    According to Microsoft “SQL Server Express is a version of SQL Server 2005 designed to help developers build robust and reliable applications by providing a powerful database that is also free and easy to use.”

    I know nothing about SQL Server, except that there is a free cut-down version called the Microsoft database engine (MSDE), used by many products where a full-blown SQL Server installation would be overkill.

    With SQL Server 2005 Express Edition (the replacement for MSDE), Microsoft have made some changes in the packaging and promotion of the product – it’s better in some ways, but more limited in others. It also has a partner product – Microsoft SQL Server 2005 Express Manager, which can be used for database administration (including existing SQL Server 2000 and MSDE installations).

    You can read more about SQL Server 2005 Express Edition, including a comparison with MSDE and links for download on Mat Stephen’s weblog (Mat is one of the Microsoft UK IT Evangelists).

  • Battle spammers with Outlook’s tracking options

    I just came across a top tip on the Microsoft website to stop spammers from verifying your e-mail address using a read/delivery receipt.

    Basically, it involves enabling the tracking option to “ask me before sending a response”. That way you can tell when someone has attempted to validate your e-mail address – I had thought that sending a fake non-delivery report (NDR) would be enough but it seems without this setting I could also have been sending a read receipt without realising it when I deleted the spam.

  • Even more problems with a Dell Latitude D600

    I’ve decided that the notebook PC that I use for work must have been built on a Friday afternoon (or a Monday morning). Over the last five months it has had a replacement motherboard (3 weeks, 4 engineer visits, 2 no-shows before the PC was fixed), a replacement hard disk, and last week the battery had to be replaced. Sure enough, Dell replaced all of these parts under warranty, but it doesn’t say much for the build quality of the equipment.

  • Why some middleware should be bundled with the operating system

    Anti-trust laws are supposed to protect consumers from monopolistic companies. As such, it is hardly surprising that Microsoft regularly finds itself in court facing yet another anti-trust suit, but the latest move by the US government concerns me greatly.

    I have a licensed version of Windows XP Professional on my laptop, so I’m not bothered by the Windows Genuine Advantage program, whereby users have to prove that their copy of Windows is legitimate before downloading additional software.

    According to the Windows IT Pro magazine network WinInfo Daily Update:

    “Windows Genuine Advantage is designed to reward owners of non-pirated Windows copies with value-added advantages for being legitimate customers. Like Product Activation, Windows Genuine Advantage seeks to curb software piracy, which various analyst groups say is rampant around the world. IDC reports that software piracy is a $30 billion problem, with pirated software accounting for about 30 percent of all software used worldwide; in the United States, that figure is 23 percent.”

    After all, Microsoft is facing competition in areas where it has previously dominated (desktop and low-mid range server operating systems, office productivity suites) and it needs to protect its revenues whilst not being seen as anti-competitive. As such, users need to see that they get something back – additional functionality for example, which is where my anti-trust worries come into play.

    Last week, federal regulators at the US Department of Justice (DOJ) revealed that they will soon begin an investigation of the next version of Windows (codenamed Longhorn) to ensure that it doesn’t violate the terms of Microsoft’s US antitrust settlement. The DOJ are also voicing concerns about Windows XP Service Pack 2 (SP2), claiming that they require further information from Microsoft in order to determine whether Windows satisfactorily honours user middleware choices.

    SP2 is a massive security update, but it does include some new functionality – most significantly a much improved Windows Firewall. That may or may not be considered middleware, but we can’t continue to lampoon Microsoft for security flaws at the same time as stopping them from shipping security features within the operating system. On the same level, we should expect anti-malware functionality too, and for that matter, anti-spam capabilities in Exchange. These features are all being implemented, but if the DOJ (and the European Union) get their way, Microsoft will be severely limited in what it can ship to its legitimate, paying customers.

    In the same way that many of the infrastructure deployment techniques that I have practised for years are now viewed as commodities and my company has to find new areas in which to add value, so are some of the software products which Microsoft is criticised for bundling within Windows (browser, firewall, etc.). Or to take another example, who would consider an operating system without a TCP/IP stack today? (something which once upon a time was an added extra with an associated cost). Those who have built a business around such commodities must find new areas in which to innovate, and leave Messrs Gates, Torvalds, and Jobs to include what have become basic system requirements in their operating systems.

  • Troubleshooting an MS-DOS application which hangs the NTVDM subsystem in Windows XP and Windows Server 2003

    I’ve been working on an intriguing (and frustrating) issue for a few weeks now and a couple of days back we finally resolved the issue.

    My client has an MS-DOS (FoxPro 2.6a database) application running within an NTVDM on Windows XP. Every now and then, the application will hang – seemingly randomly. Windows XP did have service pack 2 applied, but the issue also occurs on service pack 1 PCs (I didn’t try the RTM version). Only the application hangs – it is possible to terminate the NTVDM process and carry on working as normally.

    Normal actions for troubleshooting MS-DOS applications in Windows XP were not helping to resolve the issue, but the software vendor managed to narrow the issue down to FoxPro waiting for input. Occasionally, the input does not time out and return control to the calling program – it seems that this is the root cause of the NTVDM hang. Identifying this allowed them to construct a test program which polled for input, timing out every few seconds, and which would reliably hang an NTVDM at a seemingly random time, but always within an hour.

    Using their test program on a variety of PCs, the software vendor found that the problem was related to the Intel hyper-threading technology (my client has standardised on a version of the IBM ThinkCentre M50 which includes a single 3GHz Intel Pentium 4 processor with HT technology). Whilst disabling hyper-threading is unlikely to result in any significant performance degradation (hyper-threading only provides an average 10-20% performance gain as most applications do not fit completely with the hyper-threading model), it was still considered by IBM, Microsoft, my client and myself as a tactical workaround, rather than a strategic fix.

    After seeking advice from Microsoft, I ran the test program on a Compaq ProLiant DL380 G2 server with two Pentium III 1.26GHz processors and found that the issue is not limited to Windows XP and hyper-threading: it affects both Windows XP and Windows Server 2003 when running with an ACPI Multiprocessor PC HAL. Turning off hyper-threading on the PCs was therefore no longer good enough, as we can expect to see multiple processor cores constructed on a single die in the near future, leading to a rise in the use of multi-threaded applications (the logical processor provided by the hyper-threading technology in the Intel Pentium 4 processor is simply a precursor to this).

    So why does an MS-DOS application running within an NTVDM on a 32-bit version of Windows use multiple processors? The answer, it seems, is that although the MS-DOS application is not multi-threaded, modern versions of Windows are, and can allocate parts of the NTVDM process to any available processor. With that in mind we re-ran the test program with processor affinity set to use only CPU0 in Task Manager. The results were the same as disabling hyper-threading – no NTVDM hang! Obviously, setting processor affinity manually is not sustainable outside the test environment, and short of running the application on Windows Server 2003 Enterprise Edition (with the Windows System Resource Monitor to control processor affinity) we needed to find an alternative solution.

    That solution came in the form of the imagecfg.exe tool provided with the Microsoft Windows 2000 Resource Kit (supplement one). This can be used to edit an executable file and permanently set the processor affinity for a given application:

    Using the imagecfg -a 0x1 c:\windows\system32\ntvdm.exe command did the trick, although Windows File Protection/System File Checker quickly restored the original ntvdm.exe file so I needed to perform this on a copy of ntvdm.exe in a temporary folder, and then overwrite both c:\windows\system32\ntvdm.exe and c:\windows\system32\dllcache\ntvdm.exe.

    Once updated, the NTVDM process runs on CPU0. Of course, this limits all programs under the control of the NTVDM subsystem but it is far more preferable to disabling logical or physical processors in the BIOS; however, as this is a change to an operating system file, it must be considered alongside the implementation of any service packs and/or hotfixes from now on. Reversing the change is simply a case of restoring the original ntvdm.exe file.
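    Because a later service pack or hotfix can silently put back an unpatched ntvdm.exe, it is worth being able to check whether a copy of the file still carries the affinity mask. The following is an added example, not code from the original post or from the Resource Kit: it assumes (as I understand it) that imagecfg -a stores its mask in the ProcessAffinityMask field of the PE image’s load configuration directory, reads that field straight out of a file, and includes a constructed minimal PE32 image so it can be exercised offline; the script name in the usage comment is hypothetical.

```python
import struct
import sys

LOAD_CONFIG_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
AFFINITY_OFFSET = 48    # ProcessAffinityMask within IMAGE_LOAD_CONFIG_DIRECTORY32


def load_config_affinity(image):
    """Return the ProcessAffinityMask held in a PE32 image's load config
    directory, or None when the image carries no load config directory.
    Assumption (not from the original post): imagecfg -a writes its mask
    to exactly this field."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    if struct.unpack_from("<I", image, opt + 92)[0] <= LOAD_CONFIG_INDEX:
        return None  # too few data directories: no load config at all
    rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if rva == 0 or size < AFFINITY_OFFSET + 4:
        return None
    # Walk the section table to map the directory RVA to a file offset.
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", image, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            off = rva - vaddr + raw_ptr
            return struct.unpack_from("<I", image, off + AFFINITY_OFFSET)[0]
    raise ValueError("load config RVA 0x%x lies outside every section" % rva)


def pinned_to_cpu0(image):
    """True only if the stored mask is exactly 0x1, as set by imagecfg -a 0x1."""
    return load_config_affinity(image) == 0x1


def build_sample_pe(affinity, with_load_config=True):
    """Construct a minimal, non-runnable PE32 image (test data only) whose
    single .rdata section holds a load config directory with `affinity`."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)        # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # 16 data dirs
    dirs = [(0, 0)] * 16
    if with_load_config:
        dirs[LOAD_CONFIG_INDEX] = (0x1000, 64)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    section = b".rdata\0\0" + struct.pack("<IIII", 64, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + section
    load_cfg = struct.pack("<I", 64) + b"\0" * 44 + struct.pack("<I", affinity)
    return headers.ljust(0x200, b"\0") + load_cfg.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Usage: python check_ntvdm_affinity.py <path to a copy of ntvdm.exe>
    with open(sys.argv[1], "rb") as f:
        mask = load_config_affinity(f.read())
    print("ProcessAffinityMask:", "absent" if mask is None else hex(mask))
```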