Dales Diary
Musings of a sys admin
Aug 25th
I thought I’d post a little ditty about ebook readers. I’ve had one for a while now and thought I’d share my experiences.
Firstly, my ereader is a Sony Pocket Reader (PRS-300) and, to be honest, it’s not as useful as I thought it might be. I had looked around before I bought it and understood that the technical diagrams might come out a bit funky, but the issues I have with the device are more substantial than that.
The Pocket Reader seems only really to be of use for novels, that is to say a large amount of unformatted text, which technical manuals do not have. As you know, tech books normally have maybe a paragraph or two like that, then boxouts and diagrams, which normally go hideously wrong on my Pocket Reader. Also, when you turn to a page that includes a picture of some description, the time to process and display that page increases dramatically to 15+ seconds, which is a lifetime compared to turning the pages of a book.
As a side note, if you have the page size set to small then the formatting of the pages is generally acceptable; however, the font, I am quite sure, would be far too small for anyone to read at a comfortable distance.
Speaking to other IT bods, a good ebook reader for technical manuals is the Kindle DX, as it has a much larger screen than mine so can display a properly formatted page at a decent font size. So I think I may be putting mine on eBay and saving up for a DX, which at the moment I think is available in the UK.
If you want a PDF reader for technical manuals, or anything that does not consist of one large block of text, then a Sony Pocket Reader is not for you.
Aug 18th
Hi all,
Well, today a staff member handed me their laptop to have a look at (a Toshiba something with Vista HP on it); it was infected with the “Security Tool” fake antivirus product. I am always really impressed with these types of infections: they are very well written and can be a complete headache for anyone to try and remove. Usually access to the command prompt and Task Manager is disabled, and the code is buried in all sorts of places so malware products find it tricky to remove; a reboot later and there it is, still well and truly stuck on your computer.
Now the extra problem with this laptop is that it has never had any antivirus product installed on it, and of course it also had various P2P clients installed, which is obviously just asking for trouble.
The fix for this one was simple, as I was fairly sure that the infection must have been recent, because Security Tool is fairly prominent on an infected machine and generally causes a nuisance.
All I did was roll back to the last System Restore point (type “system restore” into Vista’s search function; this will work for any OS from XP upwards) and voilà, it was gone. Next I installed the Comodo Internet Security suite (free firewall and AV product, www.comodo.com). I then disabled the System Restore feature and rebooted the laptop so it removed the System Restore backups (as viruses and trojans can reside in these locations and antivirus products cannot remove them, although they are generally only a risk if you use System Restore to revert to a point where the viruses reside).
A quick reboot later I began a full AV scan with Comodo and also installed Malwarebytes (http://www.malwarebytes.org/) and ran that; both came up clear. Several reboots after that, Security Tool has not reappeared, so all now seems to be well. I then re-enabled the System Restore feature.
The laptop can now be handed back to the staff member with a scathing reminder to: not use P2P services; have and use AV products; never do general browsing as administrator; and treat UAC prompts whilst browsing with a very high amount of suspicion.
These types of events always take me back to my first IT job, working for a repair workshop. I mostly repaired home users’ PCs and they would phone up saying “my machine’s all messed up and doing weird things”. OK, I’d say, you’ve got AV, haven’t you? “Yes, of course I have.” OK, you’d better bring it in then.
80% of the time you could bet that they had Norton or McAfee installed and it was a year or two out of date at least. Then you go down the “well, I take it you’ve got a backup of all your work” (blink) blank stare fiasco.
Ahh, lovely!
Aug 3rd
Read-Only Domain Controllers in Windows Server 2008 are designed primarily for use in branch offices (satellite locations with no onsite IT staff and slower links back to HQ).
I have blogged previously about installing an RODC, which is a nice straightforward dcpromo with an added tickbox at the end. The purpose of an RODC is obviously to provide local authentication and, if required, a local DNS and global catalogue. One thing that is not stored within an RODC is passwords for user accounts, which obviously results in WAN traffic when an authentication attempt is made.
However, there are two ways in which local users’ passwords can be stored within the RODC’s database.
One way is to add the users at the branch office to the “Allowed RODC Password Replication Group” on a writable domain controller.
The other is to assign objects to the “Password Replication Policy” tab of the RODC’s computer account in AD.
When I say object, this can be a group or individual user accounts (although creating and assigning a group for this purpose is clearly easier).
It is quicker and easier to add the user accounts to the Allowed RODC Password Replication Group in AD; however, this presents a possible minor issue. By putting users into this group, their password data will replicate to all RODCs in the domain. This is not a problem if you only have one branch office, but what if you have more than one, say 20 or more all over the world, and branch offices can have a decent number of staff in them? This could quickly balloon the WAN traffic in each branch office as they receive all the completely unnecessary password data for the other 19 branch offices in the organisation.
Of course, even with a modest residential ADSL line it probably won’t bring the connection crashing down around your ears, but every meg counts.
So if you have more than one branch office, or it seems expansion of the business is on the cards, then it is worth taking a few extra minutes to set up new groups and assign them specifically to the RODC computer accounts.
Within the RODC’s computer account’s “Password Replication Policy” tab you can also add other groups and accounts to the policy and specify whether the group/user is allowed or denied password replication. As always, if a user is a member of several groups then a deny always overrides an allow.
Also, don’t forget that computer accounts also log on to the domain, so adding computers to the policy is also a good idea, as a prolonged WAN outage may well cause issues for the computers if their passwords are not cached as well.
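The per-RODC approach above, scripted as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 RSAT or later); the RODC, group and account names are placeholders.

```powershell
# Added example, not from the original post: scope password caching to one
# branch RODC through its own Password Replication Policy instead of the
# domain-wide "Allowed RODC Password Replication Group".
# Assumes the ActiveDirectory PowerShell module (Server 2008 R2 / RSAT);
# the RODC, group and account names below are placeholders.
Import-Module ActiveDirectory

$rodc       = 'RODC-BRANCH01'
$allowGroup = 'PRP-Branch01-Allow'   # branch users plus their workstations
$denyGroup  = 'PRP-Branch01-Deny'    # accounts that must never be cached here

# Create the groups only if they do not exist, so the script can be re-run.
foreach ($name in $allowGroup, $denyGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Description "Password Replication Policy list for $rodc"
    }
}

# Users and computer accounts for this branch: computers log on too, so
# caching their secrets keeps machines working through a WAN outage.
Add-ADGroupMember -Identity $allowGroup -Members 'br01.user1', 'br01.user2', 'BR01-PC01$'
# A deny entry always wins over an allow, so this protects a high-value
# account (placeholder 'svc-backup') even if it later lands in the allow group.
Add-ADGroupMember -Identity $denyGroup -Members 'svc-backup'

# Attach the lists to this RODC only; other branches' RODCs are unaffected,
# so a compromised branch server holds only its own users' secrets.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allowGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  $denyGroup

# Check the result: what the policy says, and whose secrets this RODC
# has actually cached so far (the "revealed" list).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The same lists can be viewed on a plain Server 2008 box with repadmin /prp view RODC-BRANCH01 allow (or deny, or reveal).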
Jul 29th
Today I’ve been wrestling with this bug in ESX 3.5 U2: http://xtravirt.com/xd10070
The link provides a good insight into what causes it (basically, when cloning a template and editing the hardware before the clone begins, the source VMDK is actually used instead of the newly cloned VMDK).
This of course becomes a problem if you decide you don’t need the template any more and delete it: the flat file doesn’t delete but everything else does, and the next time you go to reboot the problem VM you get a “file not found” error and it will not let you boot the VM back up again.
I managed to get round this problem by creating a blank VM with the same specifications (most importantly disk size and OS version).
Then copy the remaining flat file of the corrupted VM into the folder containing the newly created VM using the datastore browser.
Rename the newly created VM’s flat file, either through SSH on a host to /vmfs/volumes/{your bit here} or through the datastore browser.
Rename the corrupted flat file to the newly created VM’s name (for example, the corrupted flat file might be called vm1-flat.vmdk and the newly created VM might be called vm2, so rename vm1-flat.vmdk to vm2-flat.vmdk).
Then power on the VM and confirm that the OS is still intact and working as it should.
I thought it was best to copy the corrupted flat file, just in case something went wrong as I was performing these actions, so I would still have the actual VM OS data to go back to.
TTFN.
Jul 7th
RODCs (Read-Only Domain Controllers) are a great new feature of Server 2k8. A nice, light feature as well that does not require a great deal of setting up or babysitting.
An RODC’s primary purpose is to provide local caching of the Active Directory database, and DNS if required, to remote branch offices. The main reasons for this could be that the link between the branch office and the domain controller at the head office is slow or prone to failures.
To implement an RODC there are several obvious prerequisites:
Because it’s read-only, the RODC will need to be installed in an already established domain, so all the fun stuff that goes with it is also required.
An RODC also has a couple of gotchas you will need to keep in mind: an RODC has a local administrator account. Yep, that’s right, it flies in the face of everything you know about domain controllers, but it does, or at least a domain user or group is delegated as the local administrator of the RODC only. You can think of an RODC as not actually a full DC but maybe something along the lines of a member server running a mini DC role. The handy thing with having a local administrator is that maybe someone at your branch office has been given a little bit of power on the server, maybe they are allowed to reboot it for you if required or check something. They can, without any fear of them being able to fiddle with any aspect of the DC service.
To install an RODC you will need to have added the server to the domain already as a member; it does not need to be added to the exact domain that the server will be an RODC for, only a domain in the tree.
You would then need to run a dcpromo and follow the prompts as you would normally expect to until you get to the point of clicking the RODC option. You will also then have the choice of including DNS and global catalog as part of the RODC’s role. Now, thinking back to the purpose of an RODC, which is primarily to provide local authentication to branch office users without the constant game of ping pong across a WAN or some other slow means, it is sensible to leave DNS and global catalog ticked so that they will be installed on the RODC as well. This will have the added bonus of allowing at least some backup and functionality on the branch site should the WAN link go down; this would leave the branch office at least some form of name resolution and authentication to any other servers or services in the branch site.
By default an RODC will not store password information from AD in its RODC role; this is controlled by two policies, one allow and one deny. You may decide that it would be a good idea to allow password caching on the RODC for the users based at the branch office so they don’t need to hop across the WAN for all authentication requests.
I will post another blog on administering an RODC once the role has been installed.
May 25th
Here’s a nice little tip which has helped my ESX production deployment no end. By default ESX 3.5 will only VMotion two guests at a time, which, if you have a few on the host, can add up to a bit of time. It can also cause Update Manager to fail if the VMotion of the guests takes too long.
Simply change the vpxd.cfg file (normally in c:\docs & settings\all users\app data\vmware\vmware virtualcenter) on your vCenter server to the value you desire and restart the VirtualCenter service.
The change is required between the <vpxd></vpxd> marker tags and you will need to insert the following:
<ResourceManager>
<MaxCostPerHost>16</MaxCostPerHost>
</ResourceManager>
Now the trick with this is to decide what you want the max cost to be, and as usual there is a little light maths involved:
A Hot Migration = 4
A Cold Migration = 1
So if you wanted four hot migrations to run concurrently then you would need to set 16 as the max cost. As with all fiddling with production servers, you should make a backup of the vpxd.cfg file first before making any changes, and then make small changes to the max cost, ensuring nothing is honking during the migrations.
May 25th
Those lovely people over at Xtravirt have had this guide kicking around for a while now, and it’s a brilliant read to get you up to speed with deploying vSphere, whether you are an old hand at previous versions or a total newbie!
Check it out; it’s always worth saving this doc in your tech docs as you never know when it may come in handy!
May 13th
Hi all,
Here’s a quick little tip for you that hopefully may help you guys a bit. Most of us probably still support XP mainly in our environment, and since IE7 you have probably noticed that you cannot do the old right-click “Run as” admin and then enter “Control Panel” into the address bar. This was a nice and quick way to make administrative changes within the Control Panel without logging the user out (because all users only have user rights, don’t they!)
After a bit of digging I have found a way to get into the Control Panel as admin under a user account again.
What you need to do, whilst logged in as a normal user, is navigate your way to the c:\windows folder; within that folder will be a hidden folder called either IE7 or IE8 (it’s hidden so you may have to show hidden files and folders). Within that folder you will find the old IE6-style exe and you can quite happily right-click and “Run as” on that. You will then open IE6 and will be able to navigate to the Control Panel as you used to.
It’s really handy to still have that functionality; however, I think it might rather be a security risk, as Microsoft appear to have swept IE6 to the side of the OS rather than replaced it entirely with IE7 and above.
Feb 6th
Thought I’d knock out a quick blog post on my studies of Windows 7’s implementation of AppLocker and SRPs. Now traditionally SRPs have been good in theory, but if you attempt to use them they will lead to a world of hurt. The same is still true, so unless you REALLY REALLY need to lock down your systems that much then leave well alone. Still, it’s covered in the exam objectives so I gotta study it in some form.
Software Restriction Policies are a way of limiting the applications that can be executed on Windows 7. These policies are set in Group Policy, so they can be set on the local workstation or as part of an AD GPO distribution. AppLocker does the same thing but in a slightly different way (and it also overrides a clashing SRP).
To begin to configure an SRP you will need to get into either the local workstation’s gpedit.msc tool or AD’s GPO editor and drill down into COMPUTER CONFIGURATION/WINDOWS SETTINGS/SECURITY SETTINGS/SOFTWARE RESTRICTION POLICIES. The container starts life empty, so you will need to right-click on the node and choose “Create software restriction policy”.
You will then be greeted with these new options:
From within Security Levels you have three available options: Disallowed, Basic User and Unrestricted. These three settings specify the default for applications that have no specific rule defined. Disallowed obviously means that software with no specific policy defined will not be allowed to run. Basic User allows software to run that does not have a specific policy defined, providing that it requires no administrative access to the file system etc. Unrestricted simply means that any software will be allowed to run that does not have a specific SRP defined. To enable any of these settings you need to open the setting you want and click the “Set as default” button.
I shall skip the Additional Rules section for the moment, as this is where you set specific rules for applications. The next option down is Enforcement; this defines how strictly the default policies apply, and configurable options include applying the policies to all software files excluding or including DLL files, etc. You can also specify whether the SRPs apply to all users except local administrators, or to all users including administrators (dangerous), and whether to ignore or enforce certificate rules.
The Designated File Types option specifies what is considered to be an executable file type (in addition to exe and vbs); from this menu you can remove any of the default types or add your own.
The Trusted Publishers option allows you to specify who is allowed to manage the list of trusted publishers: you can allow both users and administrators to manage the list, just administrators, or just enterprise administrators. There are also two other settings you can change which relate to checking whether the publisher’s certificate is still valid or not.
Looking at this post I think I will split this into two or three posts. I will go into actually creating an SRP in the next blog, but for now here’s a video of a basic one in action.
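An added example, not from the original post, that reads the Security Levels, Enforcement and Designated File Types settings described above straight from the registry key SRP enforces from, so a workstation’s effective policy can be checked without opening gpedit. The value meanings in the comments are my assumptions from the documented SRP registry layout.

```powershell
# Added example, not from the original post: summarise the SRP settings the
# gpedit screens write, using the key the Safer engine actually reads.
# Value meanings are assumptions taken from the documented SRP registry layout.
$saferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    if (-not (Test-Path $saferKey)) { return 'No software restriction policy is defined.' }
    $p = Get-ItemProperty -Path $saferKey
    [pscustomobject]@{
        DefaultLevel      = $levelNames[[int]$p.DefaultLevel]
        # TransparentEnabled: 0/absent = not enforced, 1 = all software files
        # except DLLs, 2 = DLLs included ([int]$null is 0, so absent reads as 0)
        Enforced          = ([int]$p.TransparentEnabled -ge 1)
        EnforcedOnDlls    = ([int]$p.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AppliesToAdmins   = ([int]$p.PolicyScope -eq 0)
        CertRulesEnforced = ([int]$p.AuthenticodeEnabled -eq 1)
        DesignatedTypes   = ($p.ExecutableTypes -join ' ')
    }
}

# Additional Rules live under one subkey per security level; path rules keep
# their pattern in ItemData. Hash and certificate rules are only counted here.
function Get-SrpRules {
    foreach ($level in $levelNames.Keys) {
        foreach ($type in 'Paths', 'Hashes', 'Certificates', 'UrlZones') {
            $ruleKey = Join-Path $saferKey "$level\$type"
            if (-not (Test-Path $ruleKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $ruleKey) {
                $data = if ($type -eq 'Paths') { (Get-ItemProperty $rule.PSPath).ItemData }
                        else { '(not decoded)' }
                [pscustomobject]@{ Level = $levelNames[$level]; Type = $type; Rule = $data }
            }
        }
    }
}

Get-SrpSummary | Format-List
Get-SrpRules   | Format-Table -AutoSize
```

A freshly created SRP should show Unrestricted as the default with the two built-in Unrestricted path rules for the Windows and Program Files folders; anything else listed is a rule someone added.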
Jan 18th
CompTIA have recently dropped a bombshell (I say dropped, I actually mean sneaked it through the back door) by changing their policies.
The policy change is to do with how long test takers’ certifications last (including their A+, N+ and Sec+ certifications). Historically their certifications have been for life, but they have now changed it to just 3 years, after which time you will need to take the highest exam again to renew all of your certifications. This you would think would apply only to those who are certified after the date of the policy change, but I’m afraid not, dear reader: this currently also affects ALL test takers who have EVER passed a CompTIA exam.
So all of a sudden my lifetime A+ certification is now expiring and I will be required to take the test again should I wish to renew it.
CompTIA’s official line is that they are bringing their policies in line with other certification vendors (sources I have read on the internet suggest they have cited the likes of Cisco and MS having a renewal policy; Cisco do but MS do not have such a policy). However, this smacks a little of a money-making scheme to me.
I can understand thinking that recertification is a good thing, because technology does move on at a fair rate, so my A+ taken back in 2003 that talked about 400MHz CPUs etc. is vastly outdated. However, there is one big glaring problem with the renewal policy. The A+ and similar exams are meant for entry-level candidates looking to break into IT; who in their right mind, 3 years down the line in their IT career, is going to go back and renew that A+ or whatever, when they will more than likely have higher-level certifications or knowledge that renders the A+ obsolete anyway?
So why am I worried about the change then? Well, TBH it would not really bother me were it not for a couple of facts. A couple of years after the millennium I decided I wanted to get into IT; I bought the relevant Mike Meyers book, studied lots and lots and took the 2 exams required to become A+ certified. Back then this was a lifetime certification: no matter what happened I would always be A+ certified, which is also why each exam was extremely expensive to take (from memory it was about £130 back then, considering today MS exams are £88 a pop). Now they have suddenly changed their mind and want to take that certification away from me, and I don’t think it’s fair. The DVLA wouldn’t say to me that, even though I passed my driving test under the understanding that I would not need to take it again until 65, I actually need to take it again after only 15 years; why should CompTIA be allowed to do this!
At the end of the day I have left that certification way behind and can quite happily mark it as expired or strike it off my CV; however, it’s the point that I studied and paid for a lifetime cert and now it’s not!
There are rumblings on certification forums of class actions etc. against CompTIA, so we shall have to see how this eventually pans out! I shall be checking out CompTIA’s news pages over the next few weeks with great interest.
http://www.comptia.org/certifications/listed/renewal.aspx
EDIT: Well, it looks like they have rightly reversed their decision and are now only imposing their 3-year renewal on people who take their tests after 2011. So that’s a good result for those of us who already have the certification, and it may well jolt some into taking the test before the lifetime certification ends.