Thursday, December 31, 2009

Authentication Roadblock for WSS 3.0 Access on the local Server

Ran into a fun little authentication issue with IIS 7 and SharePoint recently. I installed a SharePoint farm on one machine and set up my first site collection with a custom host header. Once the site was created I was unable to access it from the host server where I was working. I received an authentication prompt three times and the browser would report that the page load was "Done" but the result was a blank page. The problem did not occur when I set up the site using the host name and a port number.

A peek in the server event logs showed my account failing the authentication with the following:

Security Log Error: 4625
Keyword: Audit Failure
Failure Reason: An Error occurred during Logon.
Status: 0xc000006d

A little Internet searching and a look at one of my favorite troubleshooting resources, www.eventid.net, resulted in a link to Microsoft KB 896861, which explains an authentication issue with Integrated Authentication and versions of IIS over 5.1.

The fix that worked for me was to disable the loopback checking, a security feature designed to prevent reflection attacks. Make the following change to the registry and everything will be right in your SharePoint world.


  1. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  2. Right-click Lsa, point to New, and then click DWORD Value.

  3. Type DisableLoopbackCheck, and then press ENTER.

  4. Right-click DisableLoopbackCheck, and then click Modify.

  5. In the Value data box, type 1, and then click OK.

  6. Quit Registry Editor, and then restart your computer.
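
Disabling the loopback check turns the reflection protection off for every host name on the server. KB 896861 also describes a narrower method: listing only the affected host headers in the BackConnectionHostNames value, which leaves the check in place for everything else. The PowerShell below is an added example, not part of the original post; the function names and the host name in the usage comments are hypothetical placeholders, and it must be run from an elevated prompt.

```powershell
# Added example: audit the loopback-check settings, and allow specific host
# headers instead of disabling the check for the whole server.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # Reports whether the global check is disabled and which host names
    # are currently exempted through BackConnectionHostNames.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue

    $names = @()
    if ($msv) { $names = @($msv.BackConnectionHostNames) }

    New-Object PSObject -Property @{
        LoopbackCheckDisabled   = [bool]($lsa -and ($lsa.DisableLoopbackCheck -eq 1))
        BackConnectionHostNames = $names
    }
}

function Add-BackConnectionHostName {
    # Adds host headers to the multi-string exemption list, keeping any
    # entries that are already present and dropping duplicates.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$HostName
    )

    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = @($current + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Msv10Key, "Set BackConnectionHostNames to: $($merged -join ', ')")) {
        New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
}

function Restore-LoopbackCheck {
    # Removes DisableLoopbackCheck so the default (check enabled) applies again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Get-LoopbackCheckState).LoopbackCheckDisabled) { return }

    if ($PSCmdlet.ShouldProcess($LsaKey, 'Remove DisableLoopbackCheck')) {
        Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck
    }
}

# Usage (host name is a constructed placeholder for the site's host header):
#   Get-LoopbackCheckState
#   Add-BackConnectionHostName -HostName 'sharepoint.example.local' -WhatIf
#   Add-BackConnectionHostName -HostName 'sharepoint.example.local'
#   Restore-LoopbackCheck
```

Running `Get-LoopbackCheckState` across a farm is a quick way to find servers where the global check was switched off during troubleshooting and never switched back on.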

Wednesday, December 30, 2009

Digital Readers and Twitter May Change Reading and Writing

Check out this interesting segment from NPR this morning, "How E-Books Will Change Reading and Writing", regarding the introduction of digital readers and social media into the mainstream.

Lev Grossman (a Time magazine book reviewer) says the real challenge for writers is electronic-book readers like the Kindle. He says the increasingly popular devices force people to read books in a different way.

"They scroll and scroll and scroll. You don't have this business of handling pages and turning them and savoring them." Grossman says that particular function of the e-book leads to a certain kind of reading and writing: "Very forward moving, very fast narrative ... and likewise you don't tend to linger on the language. When you are seeing a word or a sentence on the screen, you tend to go through it, you extract the data, and you move on."


I don't agree with the idea that digital readers make people less willing to engage in written material for the long haul. Personally, I read more now and spend more time considering and highlighting segments of books using my Kindle, something I didn't do with a printed book. It's not all about "extracting the data and moving on," it's about consuming the data in a medium that makes it accessible during the time you have available.

The segment also discusses cell phone novels and writing via Twitter. While I agree that Twitter is certainly not the future of written novels, I do think it is a fast and reasonably reliable way to gather news and information that is relevant to one's current activities. It might even mean I have more time to read that book.

Mostly Useless Server 2008 Personalization Trivia

When you first load a fresh install of Windows 7 or Server 2008 (original or R2) the desktop is empty of icons except for the Recycle Bin. Personally, I really like it that way. The search mechanism is so easy to use I have little need for icons cluttering up my desktop background.

However, some people like the look of the familiar. In Windows 7, you can use the "Personalization" control panel applet to add back the icons for Computer, Network and Documents. Windows 2008 has no such option in the control panel for restoring those icons by default. Instead you must type "desktop icons" into the search window and select the hidden control panel feature to "Show or hide common icons on the desktop."


You can right click "Computer" in the start menu and there is an option for that component to show on the desktop, but the same feature is not available for "Network." The other option is to install the "Desktop Experience" onto the server, which will add several of the customizing features that one might be wishing for. I also noticed that I have access to the Personalization control panel applet on a server that has Terminal Services (aka Remote Desktop Services) installed.

I suspect there are some registry keys that can reveal some of these interface tweaks. Or maybe this is just a Trivial Pursuit question in the making.

Monday, December 28, 2009

New Year's Resolution: Get Certified!

Is your New Year's resolution to finally sit down and take some Microsoft exams? I'm planning to work a bit harder toward my Exchange 2007 MCITP certification in the first half of 2010. Just because Exchange 2010 is released doesn't mean that taking the time to learn an "older" technology isn't useful, especially if that is what you are faced with administering on a day-to-day basis.

If you haven't visited the Microsoft Learning website recently, it's worth a look. Microsoft has updated several of their charts and learning paths to make the changes between the MCSE program and the MCTS and MCITP programs a lot clearer. I'm a fan of the "Certification by Technology" chart that lists out each major product line and the certification paths available.

There are also some downloadable charts detailing the upgrade paths from older certifications, complete with recommendations for online or live training and reading materials. Finally, the Learning Catalog has several free "clinics" covering topics such as "Exchange 2010 in the Enterprise" and "Exploring Microsoft Virtualization". They are an easy place to get started.

Here's to a productive 2010!

Thursday, December 24, 2009

Recovering Hard Deleted Items in Outlook

This isn't new information, but it's something that comes up from time to time - recovering hard deleted (SHIFT+DEL) items from Outlook. Hard deleted items skip over the "Deleted Items" bin, so they can't be recovered using the regular "recover deleted items" tool within the Outlook client.

Exchange 2003 OWA can be used to recover items that were hard deleted using the Outlook client. To get back those items, log into the OWA web page. Then edit the URL to be: "https://server_name/exchange/user_name/inbox/?cmd=showdeleted". The "dumpster" for the inbox will appear and you can recover your deleted email. If you want to recover items from other folders, just change the word "inbox" in the URL to the folder you need, like "calendar" or "drafts".

If you are using Outlook 2003 as your mail client there is a registry setting that you can add to turn the dumpster on for all the folders. Outlook 2007 has the registry setting already enabled by default. Of course, recovering any deleted items assumes that the deleted items retention settings have been configured on your Exchange server.

Wednesday, December 23, 2009

Installing IIS for SQL 2005 and SharePoint

I've started planning out an installation of SharePoint at work and have found myself installing some of the necessary WSS 3.0 components in the lab. I want to set up SharePoint as a small server farm on one server, which requires SQL to be pre-installed. Both SQL 2005 (if you want all the services) and WSS 3.0 require IIS, but the default installation of IIS on Windows Server 2008 does not include all the necessary components for either one.

First, to support WSS 3.0, you'll need to make sure all the components in this list are selected. But if you go with just the components on that list, you'll still get a warning about "IIS Feature Requirement" when installing SQL 2005. Most of the necessary components overlap with WSS 3.0 except for one - HTTP Redirection - so be sure to select that one as well.

Finally, if you are looking around for some WSS 3.0 installation guides, here is a link to some of the downloadable documentation. Perfect if you are looking for some fresh reading on your Kindle.

Monday, December 21, 2009

Keeping track of the SQL User Provisioning Tool

Here's a tool I find myself looking for over and over again. After installing SP2 or SP3 on an installation of SQL 2005 you have the option to run the "User Provisioning Tool for Vista", allowing you to set proper access permissions.

However if you haven't restarted SQL services before running it, it fails to connect to the database and then closes. There isn't a shortcut anywhere to restart it, so it can be a mystery as to how to locate it again. The path to the tool is:

%ProgramFiles%\Microsoft SQL Server\90\Shared\sqlprov.exe

For more information about why this tool exists, check out this msdn blog post.

Friday, December 18, 2009

Who's Geeky? She is.

Happened across the She's Geeky conference while surfing around the web. "She's Geeky" is an event specifically for women interested in and/or working in the technology, math and science industries. Actually, it's an "un"conference - 3 days of geek-minded women gathered together with a daily agenda of tracks and sessions generated fresh every morning.

I'm always up for an interesting tech conference, plus it's hard to pass up an event being held at the Computer History Museum in Mountain View, CA. Seems like a great chance to check out the Babbage Engine, too!

Thursday, December 17, 2009

Handy ASP.NET 2.0 Tidbit

I've been familiarizing myself with WSS 3.0 this week and as part of that process I've been doing several installations in the lab. I ran into an issue on Windows 2003 Server with the installation of .NET 3.0 Framework and ASP.NET 2.0, which are required for the installation of Windows SharePoint Services.

While I had all the components installed, the ASP.NET 2.0 appeared to be missing from IIS. Our DBA has some experience with IIS and had run into a similar problem in the past, so he had the answer for me. ASP.NET 2.0 isn't automatically registered with IIS and that problem is easily solved by running this command:

c:\windows\microsoft.net\framework\v2.0.50727\aspnet_regiis -iru -enable

I want to keep this fix handy, since my co-worker certainly saved me some time. Figured I might as well pay it forward and share it with others who may run into the same issue.

Tuesday, December 15, 2009

Exchange Server under the tree this Christmas?

I've been reading a lot about Exchange 2007 and have been thinking about what the next move for our Exchange server at the office should be. We haven't decided on Exchange 2007 vs. Exchange 2010 yet, but no matter... I want Santa to bring me a way to eliminate all the PST files being used around the office.

We don't have a large staff. With less than 70 people our Exchange server doesn't work that hard. However, with the desire to bring email services back up as quickly as possible after a failure we have a policy in place that limits the amount of mail stored on the server to 250MB per user. This leaves our data store at a little over 18GB. Our last test restoration of Exchange required about 2 hours for loading the database.

Contrary to this is everyone's need to keep every scrap of every email message. This has led to numerous PST files created as archives for all this mail. It's pretty safe for me to assume that almost every employee has at least one PST file and they are all stored on the network shares. (Yes, I know PST storage on the network is unsupported.) My quick search yielded about 30 GB of PST files and I know I didn't find them all.

So what exactly can Santa bring me?

First, I would be lying if I said I needed a server with more space. The current Exchange server still has upwards of 180GB free, so it's likely I could support years of user email with our current setup just by throwing open the storage limits.

I would like to have a proper email archiving system that would automatically move mail from the active mailboxes to secondary storage, thus leaving my primary database small while allowing users to seamlessly access old messages. Personally, I don't keep much in the way of work email and I think that if my company wants me to keep mail for historical purposes, they should provide an easy way to do so. However, I haven't managed to convince the powers-that-be that this is something to embrace quite yet.

My next choice would be reconfiguring Exchange using 2007 or 2010 to take advantage of additional storage groups and "dial-tone" mail service. If I could virtualize the mail server with a SAN for storage, I could bring basic services up in a snap(shot). By breaking up users into multiple storage groups, it would be possible for us to restore mail service immediately and then backfill the databases in small chunks. While it would still take time to restore all the data, users would be able to send and receive mail while old mail would trickle in as the storage groups come back online.

I know "dial-tone" restores are possible with my current setup, but utilizing it in Exchange 2007 or later is much easier than Exchange 2003 due to the auto-discovery features. I also would like to have at least one storage group (with only one database) per department, nearly double the four storage group limit with Exchange 2003. With the 50 storage group limit in Exchange 2007 I wouldn't have any problem meeting my goal. Also, Exchange 2010 has some good "starter" archiving features for mail management that might be worth a closer look.

Of course Exchange 2007 and 2010 require 64-bit hardware, so maybe Santa can bring me that new server after all.

Thursday, December 10, 2009

IT Roadmap at Moscone Center

Yesterday was the Network World IT Roadmap in San Francisco. I had the experience of being the user case study presenter for the virtualization session. If you happened to catch it, I apologize for talking too fast. I'm working on that!

Other sessions covered application delivery, green IT, IP communications, data center, cloud, network management, security and compliance and WAN, LAN and mobility. Phew. Network World offered a lot in one day, plus several additional keynotes and the expo hall. My co-worker caught the WAN, LAN and mobility session, so I'm curious to see what trouble he'll be looking to cause in the office next week.

There was some twittering happening related to the conference, but I was disappointed to see that the @itroadmap Twitter handle didn't tweet at all during the event. They had advertised Twitter on the conference site as a way to stay connected during the conference yet didn't reach out to that audience once. Twitter is becoming a popular way to interact as things happen - several attendees were tweeting during sessions - so it seems like Network World missed out on an opportunity there.

Old Tech is Cool Tech

Hope you didn't miss out on the news that Charles Babbage's Difference Engine has been built (twice!) and is on display in London and at the Computer History Museum in Mountain View, CA.

Check out the article on NPR.com or check it out in person before the end of 2010.

Monday, December 7, 2009

If You Build It, Can They Come?

I've posted several times about working on a disaster recovery project at the office using Server 2008 Terminal Services. We've officially completed the testing and had some regular staffers log on and check things out. That was probably one of the most interesting parts.

One issue with end user access was problems with the Terminal Services ActiveX components on Windows XP SP3. This is disabled by default as part of a security update in SP3. This can usually be fixed with a registry change which I posted about before, however that requires local administrative privileges that not all our testing users had. There are also ActiveX version issues if the client machine is running an XP service pack that is earlier than SP3.

Administrative privileges also caused some hiccups with one of our published web apps that required a Java plug-in. At one point, the web page required a Java update that could only be installed by a server administrator and this caused logon errors for all the users until that was addressed.

In this lab setting, we had also restored our file server to a different OS. Our production file server is Windows 2000 and in the lab we used Windows 2008. This resulted in some access permission issues for some shared and "home" directories. We didn't spend any time troubleshooting the problem this time around, but when we do look to upgrade that server or repeat this disaster recovery test we know to look into the permissions more closely.

Users also experienced trouble getting Outlook 2007 to run properly. I did not have issues when I tested my own - there were some dialog boxes that needed to be addressed before it ran for the first time to confirm the username and such. While the answers to those boxes seem second nature to those of us in IT, we realized that we will need to provide better documentation to ensure that users get email working right the first time.

In the end, detailed documentation proved to be the most important aspect of rolling this test environment out to end users. In the event of a disaster, it's likely that our primary way of sharing initial access information would be by posting instructions to the Internet. Providing easy-to-follow instructions that include step-by-step screenshots and can be followed independently is critical. After a disaster, I don't expect my department will have a lot of time for individual hand-holding for each user that will be using remote access.

Not only did this project provide an opportunity to update our procedures used to restore services, it showed that it's equally as important to make sure that end users have instructions so they can independently access those services once they are available.

Sunday, December 6, 2009

On my calendar - SharePoint and Virtualization

I've got a couple of interesting things coming up this week.

First, I'm taking a quick 2-day LearnIT! class on Windows SharePoint Services 3.0. There has been a desire to add on some collaboration tools specifically for meeting management at the office and I'm hoping this short class will get me pointed in the right direction.

Later this week, I'll be one of the case study speakers on virtualization at Network World's IT Roadmap 2009. If you are there, be sure to drop me a tweet @jkc137. The conference Twitter handle is supposed to be @itroadmap, but that account seems to be a bit spam-filled at the moment. I hope they resolve that before Thursday.

Wednesday, December 2, 2009

What's in a Pop-Up?

Last week, I posted about how some of our strict group policy settings on our Terminal Services RemoteApp deployment were causing some difficulty using some web-based applications, like our time card application. As I continued to use the application through RemoteApp, I found another hiccup in the GPO settings - the inability of the application to pop up additional windows for some special tasks.

I started with looking at all the GPO settings related to the Pop-up Blocker. There are several - Pop-up allow list, Turn off Managing Pop-up Allow list, Turn off pop-up management. After tweaking and disabling those, I still couldn't get the new task window to appear.

In order to leave no stone unturned, I proceeded to look closely at every IE setting that was configured and came across "Disable Open in New Window menu option", under User Config - Policies - Admin Templates - Windows Components - Internet Explorer - Browser Menus. The provided explanation leads one to believe that it only hides the option from the shortcut menu to prevent users from manually launching a new window from that browser session. However, it also prevents an application from launching the window.

Since the Pop-Up Blocker itself wasn't the problem, I was curious about what the Pop-up Blocker actually blocks. MSDN has some in-depth explanations about how the Pop-up Blocker works, but it comes down to this: Pop-up blocking prevents new browser windows being opened automatically using a script. Pop-up Blocker doesn't affect browser activities when they are initiated by a user action (such as clicking a button or hyperlink), when opened in the Trusted sites and Local intranet zones, or when opened by other applications running on the local computer.

It does block script methods that call the following:

  • window.open
  • window.showHelp
  • window.showModalDialog
  • window.showModelessDialog
  • window.external
  • window.NavigateAndFind

An interesting note was that pop-ups created with "window.createPopup" are unaffected by the Pop-up Blocker. That doesn't make sense to me, but I'm not a developer and I'm sure there is something I'm missing.

In my case, changing the Pop-up settings was moot, because the specific policy blocking the "window.open" command trumped any attempt to open a new window, specifically those initiated by users.

Monday, November 30, 2009

Always Enjoy Lunch

I once received some sage advice from another System Administrator I worked with years ago regarding working with potentially troublesome servers.

It was back in the Exchange 5.5 days. I had a cranky server with a potentially unsolved hardware problem in the disk subsystem. Every time I powered off the server, it damaged the OS and I was forced to restore Exchange from tape. The manufacturer always replaced a part when I called for support, but I had ended up rebuilding it several times and had not yet confirmed that the latest hardware replacement resolved the issue.

My co-worker was on-site to help me set up a new server room after we relocated the office. Because of the history of the server, I was very anxious about possibly having to restore Exchange again. It was approaching lunch time and we were at the point where it was time to power on the mail server.

He turns to me and says, "We are going to press the power button and then walk out to eat without looking back." His theory was that if the server was going to be fine, it would be fine without us watching it boot. If it was going to have a problem, the problem would still be there when we returned. At the very least we would have had a relaxing lunch break and would be better able to solve a problem without the additional stress of hunger pains.

Turns out the server was fine.

To this day, I still heed that advice. If I'm about to do something to a system that has the potential to backfire, I make sure I've already enjoyed my lunch.

Friday, November 27, 2009

Microsoft Security Essentials - Accessible for the Visually Impaired

On occasion, someone from one of my non-tech interests overlaps with my "geek" interests. A blind friend posted a question to the "Twitter-verse" asking about anti-virus software that was accessible for the JAWS screen reading software.

My first response was to suggest Microsoft's Security Essentials, but I didn't know if it was accessible in the way that was needed. Turns out, not only does MSE rank well against a variety of other anti-virus software offerings, it is accessible with at least JAWS 9. I suspect it will be equally accessible with the most recent JAWS version as well.

The only issue was that downloading the software itself wasn't particularly accessible. This detailed post on the "Blind Access Journal" blog lists out how to download the software using JAWS. Once that hurdle is overcome, Security Essentials is a great fit for users who have special software needs and don't want AV software to get in the way of other applications that make their computers such valuable tools.

Wednesday, November 25, 2009

Getting Back in Touch with Hyper-V

Some days I feel really behind the eight ball, so today I spent some time getting back into Hyper-V. The office runs VMWare for our production items, but I'm really trying to make time to give Hyper-V a fair shake. Since all of our lab machines are segregated off into various nooks and corners of the server room, physical access while working on them is less than ideal. I'm happy to remotely connect to servers from the comfort of my desk.

Conveniently my co-worker already has a Hyper-V host server set up, so that saved me from having to hunt down hardware and get going from scratch. In order to get started configuring my guest server, I'm connected to my Hyper-V host machine via Remote Desktop and then connecting to my guest server with a Virtual Machine Connection. Because the mouse might "behave erratically" without Integration Services in this particular scenario, the mouse controls are intentionally blocked.

While one of my many random goals in life may be to navigate Windows without a mouse, it's not something I'm very proficient at currently. In order to install the Integration Services, one needs to be handy with keyboard commands, particularly the alternate versions used in the virtual environment. Here are a few that I found useful. The traditional key command is listed first, followed by its Hyper-V VM equivalent.

  • CTRL + ALT + DEL = CTRL + ALT + END
  • ALT + TAB = ALT + PAGE UP
  • ALT + SHIFT + TAB = ALT + PAGE DOWN
  • ALT + ESC = ALT + INSERT
  • CTRL + ESC (Start button) = ALT + HOME
  • Right-Click (to get to context menus) = SHIFT + F10

Ultimately, I'll be using this guest server to play around with SharePoint 2007, but today I'm happy to have just gotten the OS configured and Windows Updates installed. SharePoint will have to wait until after Turkey Day.

Tuesday, November 24, 2009

Tech Tidbits - PDFs on Kindle 2, Beta Exams

For those of you who like to be on the bleeding edge of Microsoft exam offerings, don't miss out on the Microsoft Beta Exam Announcements blog. Right now there are 3 new beta exams available:

  • 71-663 - Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010
  • 71-580 - TS: Windows Mobile® 6.5, Application Development
  • 71-579 - TS: Windows Mobile® 6.5, Configuring

Also, Amazon released a firmware update for the Kindle 2 that increases the battery life by several days and added support for native PDFs, which was originally only available in the DX version. I don't expect I'll be dumping my Kindle "classic" immediately, but I will put a few whitepapers on my husband's to see how it handles diagrams and other components that don't convert well to the regular Kindle format.

Finally, don't miss out on the PacITPros December meeting. Check out www.pacitpros.org for details and to RSVP.

Monday, November 23, 2009

TS RemoteApp, Group Policies, Internet Explorer Zones

It wouldn't be work if we didn't have more than one different, yet similar, thing going on in the office at any given time. The disaster recovery user testing is drawing to a close and I'll be the first to admit that opening it up to users has certainly been a learning experience. (More on that later.)

Meanwhile, in an attempt to phase out our Citrix Remote Access farm, we've started to "soft-launch" our production version of Windows 2008 Terminal Services using Terminal Services Web Access and RemoteApp. Two applications we are publishing as remote applications are our financial system and our timecard system. We succeeded in getting both these applications mostly running in our disaster recovery lab last month, but our production version of Terminal Services is a different animal.

In the disaster lab, I didn't configure any special group policies that affected Internet Explorer or any other functions. The setup was just by the basic configuration wizards for Terminal Services, TS Gateway and RemoteApp. Our production version of Terminal Services was set up "by the book" (particularly this book) with lots of security customizations added on with group policies. I'm all for tightening things down until people squeal and then loosening things up as needed and my co-worker had done just that with this installation.

Today, I tested out the timecard application that requires a Java plug-in. The plug-in automatically initializes on our regular desktop machines without issue. On the Terminal Server, which is running the Enhanced Security Configuration, the name of the server hosting the timecard web page must be part of the "Intranet" security zone in IE.

Easy fix... except I don't have access to the "Tools - Internet Options" pages in Internet Explorer with my regular user account. That's a group policy setting. Or rather, 3 group policy settings. Because the options available in group policy have grown as each new OS has been introduced, there are several places you can enable, disable and tweak various aspects of what IE menus are available to users. It took me several visits to our Terminal Services policies to restore access to the "security" tab of Internet Options.

Sure enough, once I added the proper web server to the Intranet list, the plug-in initialized. But we don't want to have to explain this to each and every user when they access remote applications for the first time. So next up was getting those settings automatically configured for each new user.

Our first stop was Group Policy Preferences, which allows for configuration of much of the Internet Options tabs, but not any of the lists for Intranet, Trusted or Restricted sites - how frustrating. But those are simply registry keys, which can be added "a la carte" with Group Policy Preferences as well. The end seems near.

A quick search yields this MSDN article, Adding Sites to the Enhanced Security Configuration Zones. We ended up adding registry keys for both the regular non-ESC domains and the ESC domains because our testing showed that my user account put zone additions in the regular domain area and my co-worker's went in the EscDomain registry area. (The dword hex of 1 means "Intranet zone", use 2 for "Trusted" sites.)

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\timecard]
    "http"=dword:00000001

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\timecard]
    "http"=dword:00000001

We didn't experiment further with the "Domain" vs "EscDomain" mystery, instead just added registry keys to cover all our bases for the time being. Now the only thing left is to decide if we want to take away those IE Options pages that I added back in for testing. Jury is still out on that one.
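
The two registry entries above, written and then audited from PowerShell. This is an added example, not code from the original post or the MSDN article; the function names are hypothetical, and it works on the current user's hive (HKCU), which is where the post's keys live. The audit half is the part worth keeping around, because every site mapped into the Intranet or Trusted zone gets relaxed plug-in and pop-up handling.

```powershell
# Added example: map a site into an IE security zone under both the regular
# and the Enhanced Security Configuration branches, then list what is mapped.
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames   = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Set-ZoneMapping {
    # Writes <scheme> = <zone> under Domains\<site> and EscDomains\<site>,
    # mirroring the "cover all our bases" approach described in the post.
    param(
        [Parameter(Mandatory = $true)][string]$Site,
        [string]$Scheme = 'http',
        [ValidateRange(0, 4)][int]$Zone = 1
    )

    foreach ($branch in 'Domains', 'EscDomains') {
        $key = Join-Path (Join-Path $ZoneMapRoot $branch) $Site
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
            -Value $Zone -Force | Out-Null
    }
}

function Get-ZoneMapping {
    # Enumerates every site mapping in both branches so that unexpected
    # Intranet or Trusted entries stand out.
    foreach ($branch in 'Domains', 'EscDomains') {
        $root = Join-Path $ZoneMapRoot $branch
        if (-not (Test-Path $root)) { continue }

        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            # Path of the site key relative to the ZoneMap branch,
            # e.g. "timecard" or "example.com\www".
            $site = $key.Name -replace '^.*\\ZoneMap\\[^\\]+\\', ''

            foreach ($name in $key.GetValueNames()) {
                if (-not $name) { continue }   # skip the unnamed default value
                $zone = [int]$key.GetValue($name)
                New-Object PSObject -Property @{
                    Branch   = $branch
                    Site     = $site
                    Scheme   = $name
                    Zone     = $zone
                    ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }
}

# Usage ('timecard' is the site name used in the post):
#   Set-ZoneMapping -Site 'timecard' -Scheme 'http' -Zone 1
#   Get-ZoneMapping | Sort-Object Zone, Site |
#       Format-Table Branch, Site, Scheme, ZoneName -AutoSize
```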

Friday, November 20, 2009

Migrating to Exchange 2010 - Where to Begin?

One of the potential projects on my list for 2010 is migrating our Exchange 2003 server to either 2007 or 2010. I'll likely have to do some more detailed comparisons of features and requirements, as well as take a close look at some of the long term business goals so that we can make the most cost effective decision that will also give us some longevity. It seems like just yesterday that I migrated from Exchange 2000 to Exchange 2003.

Just to wet my feet a little bit, I found some great posts by Rand Morimoto regarding migrating to Exchange 2010.

Also, be sure to check out the Exchange Server Supportability Matrix, which lists out which operating systems support installing the various flavors of Exchange, as well as which flavors of Active Directory are also supported with Exchange. For example, Exchange 2003 SP2 will run in a 2008 domain (but not 2008 R2) and don't even think about pushing your forest or domain functional levels past 2003 compatibility. On the flipside, Exchange 2007 and higher won't run on a 2000 Active Directory environment, so if you are still sporting that type of domain you know where to start.

At any rate, there are quite a few little ducks that need to be in a row. I know I've got a bit more reading to do before I start writing up my migration plan.

Thursday, November 19, 2009

PacITPros - December Meeting

Don't forget to check out the details for PacITPros December meeting. We'll be hearing from StorageCraft about bare metal recovery and migrations between physical and virtual machines.

Tuesday, November 17, 2009

Access Control on College Networks

Recently, I acquired a September back-issue of the student newspaper from my old alma mater, The College of New Jersey. Technically, I attended Trenton State College, but let's not digress.

As I was flipping through, one of the letters submitted to the editor entitled "Internet security measures vital to network health" caught my eye. It was in response to an opinion piece in the previous issue. I hopped online and found the original student opinion - NAC Restricting College Internet Use. There were two response letters, including one from the IT Manager.

The main complaints from the student were that he was worried about installing the necessary NAC client software because its purpose was not clear, and he did not believe he should be required to use anti-virus software. Finally, the restriction on personal router usage was inconvenient.

I recently posted about internet filtering, so the topic of these letters seemed to strike along the same vein. The responses to the student were clear and to the point, detailing how network access control provides overall network security by preventing access for computers that do not meet the basic network security requirements. I have to agree with the IT Manager on this one, hands down.

Based on the letters, it appears that TCNJ is using Impulse Safe-Connect "Policy Key", a NAC system used by many colleges.
Networks at education institutions are shared by many and it's important to have measures in place to ensure some management of the variety of computer operating systems that can connect and dictate the basic requirements for using a critical resource. Network access control systems can be a valuable part of network management when direct control over the client machines is not available. For example, Microsoft's Network Access Protection can evaluate the "health status" of a Windows computer by checking for up-to-date anti-virus software, Windows patch levels and firewall status.

In my opinion, TCNJ doesn't seem to be asking students to do anything excessive in exchange for what is essentially "free" access to the web. Running a NAC supplicant to check for anti-virus software is a small concession to make for the average student needing average access to the Internet. The college even offers a free anti-virus software as a download. The outraged student needs to spend a little more time hitting the books and less time complaining that he can't use his router to connect his Xbox.

Tuesday, November 10, 2009

Internet Monitoring - Good, Bad or just Ugly?

A good friend of mine works at an academic institution where she teaches literature. Her specialization revolves around romance literature. Research in that area often spans into topics that are considered to be NSFW and she's often thwarted by internet filtering when doing research in her office. She objects to this and we shared an exchange about possible reasons for these types of restrictions. As a systems administrator, I can argue bits on both sides.

For me, intentions mean everything.
First off, monitoring and filtering meet different needs. Most appliances and applications available today can do both functions and are adjustable to allow various exceptions. I define monitoring as simply logging sites visited, the length of time spent and the amount of bandwidth used. Filtering is when a site is restricted outright or portions of the site are prevented from loading.

I agree that in an academic institution, internet filtering should be kept to a minimum on the staff network. Education institutions thrive on the fact that professional staff produce new works and having unlimited access to the internet and even access to potentially taboo or questionable material could easily be justified. Being that most university professors have private offices, the risk of offending someone who walks by is minimal.

However, general monitoring is often needed to track bandwidth usage and some light filtering may be reasonable to reduce the impact of sites infiltrated with malware. In a location where the general public or children use the Internet, clearly more strict monitoring and filtering is necessary to block age inappropriate content and prevent abuses. In either case, there needs to be a system that allows for users to request review of websites that are blocked, as most out-of-the-box filtering systems can categorize some sites strangely.


In the classic business world, internet access gets even more slippery. I stand behind my opinion that light filtering to reduce malware and basic monitoring (for bandwidth tracking) is an important part of keeping control of IT costs. Also, I understand that it's helpful to block obvious non-work related or NSFW sites. Unless your business has a specific need to access gambling, online games or other clearly "entertainment" sites, I don't fault management for asking IT to limit access.


Home banking, personal email, news and some social networking sites can be a gray area. I feel that employees work more effectively if they can access some personal conveniences from the office. I can quickly handle an urgent bill or respond to a family member online and then get back on my work task, instead of having to take out of office break time to visit the bank or run another errand that could be completed online faster. Also, many corporations now have identities on social networking sites that need to be maintained.


The big disconnects start to occur when managers start looking at internet usage as a way to determine employee productivity. Using the amount of time an employee is online as a sole reason for a write-up, reprimand or worse is inappropriate. If an employee is not completing their required tasks, blaming internet usage shouldn't be necessary. There should be clear areas of suffering in that employee's work product that can be documented.

If an employee IS completing work tasks and still has time to surf the web, either a manager should look to assign additional tasks or examine ways to utilize that employee's efficiency methods.
Controlling some of what flows from the public networks to a private network is a necessary component of good IT practices. However, when those same controls start hampering employees' ability to work or are used as a poor indicator of productivity, no one is gaining anything from the information available online.

Tuesday, November 3, 2009

The Cost of Kindle Content

I love having a Kindle and I don't mind paying for the content. Most of the time.

I enjoy the convenience of having several different types of reading material on hand without the bulk of carting around multiple books and magazines. The general lack of having something tangible to put on a bookshelf makes some people uncomfortable with the idea, but I'm willing to give up physical paper for the fast access to the variety of published content that the Kindle provides.

The potential downside is the cost of the content. Of course it's cheaper to read other ways. I could be better about going to the library for books (especially fiction) but the reality of it is that I'm one of those people that would often buy a new book and then let it collect dust on the bookshelf once I finished. I admit it. So I don't mind paying for just the "bits". The author and distributors of such content deserve their cut regardless of medium and I reap the reward of getting that new hardcover novel at a discount, delivered in seconds.

I also subscribe to the local newspaper. It turns out I read more of the paper now than I did when we had it delivered to our house and I don't feel guilty about skipping a few days when it happens. No guilt about recycling the untouched pages when I don't have time and I'm financially supporting the news outlet in a way that works for me. I even read a larger variety of the articles than I would browsing the same news online.

The only problem I'm having with the Kindle at this point is collecting too many book samples. The Kindle has become the holder of all that I haven't had time to read. When I wander across a good book review, I pull out the Kindle and download the sample section. Sometimes the sample leads to an immediate purchase. Other times, it's a placeholder for a future afternoon of reading.

The Kindle isn't for everyone, but I know it's working for me. So in a fit of shameless self-promotion, I set up this blog to be published in the Kindle Store. For a whole $.99 a month you can subscribe to Techbunny, as well as many others. However I'm not expecting to see the "pay for blog" model take off any time soon.

I do just about all of my blog reading online and it's certainly not cost effective to have them all sent to my Kindle, as even the smallest monthly fee available ($.99) would add up quickly. I understand Amazon's desire to offset the costs of "whispernet" for delivery, but I wish there was a free publishing option for some blogs, especially those with a niche topic or limited readership. I think that serving some blogs for free would give more people a reason to invest in a Kindle in the first place. Because once you are hooked it's hard to turn back.

Monday, November 2, 2009

The LearnIT! Tech Kickoff - A first look at what's new this fall

Last week, I had the opportunity to speak about some of the new features in Windows 7 at the LearnIT! Technology Kickoff. This fun evening event was a great way to gain some insight into what's exciting about some of the new software that has launched this fall. I'm almost disappointed I didn't get to attend a session myself.
I've taken several classes at LearnIT! through the years, so it was exciting to have the chance to return the favor. If you happened to catch my session and are looking for the slide deck I used, look no further.

Saturday, October 31, 2009

System Administration - The "YouTube" Way

Don't miss the Windows 7 72-Hour Film Fest on YouTube. All the videos had to include a character called “CIO Wiggins”, the line of dialog “The guys in IT are going to like this” and mention “Windows 7”. My favorite is Installation, a fun mix of Office Space meets "Flight of the Conchords" with a little throwback to the 80's hit, "Say Anything", touting the joys of system administration and Windows 7.

Speaking of fun tech videos, there have been some great ones over the years. If you are looking to kill a little bit of time, I've got some "classics" for you. First off, no one can forget Internet Tech Support, harking way back to 2001 from deadtroll.com. And then there is the ever popular Medieval Helpdesk. I'm hoping Windows 7 isn't as difficult of a transition!

Also, don't forget this great, gamer-themed performance by Tripod - "Gonna Make You Happy". It's about 3 years old, but never ceases to entertain me. Txt Msgs is also a good one.


Enjoy!

Friday, October 30, 2009

Drive Safer with DriveSafe.ly

I'm addicted to my Blackberry and thus addicted to text messaging and the instant access to my email. I've overcome some of my need to check it obsessively with each "ding" or "beep" by assigning different sounds to different email accounts, txt messages and UberTwitter so I can better identify what arrived without looking. But it's still hard for me to avoid sneaking a peek when I'm at a stop light. I've considered setting the phone to silent or to my custom "phone only" sound scheme when driving, but I often forget to do that until the first SMS message arrives after I'm already well on my way.

A post about a potential solution to this crossed my twitter feed via @mamamezlove the other day and I think it might do the trick - Drivesafe.ly, an application that reads your incoming texts and emails out loud. The free version only reads 25 words of your messages, but that's often more than enough for a text message. For those who need more, there are two levels of paid service - monthly and a one-time "life of the phone" license.
And because it's not always appropriate for your messages to be spoken out loud, it's easy to toggle on and off and adjust the volume of the speaking voice.

Right now this software is only available for Blackberry OS 4.5 and Android OS 1.5, but iPhone, Windows Mobile and Symbian are expected to be coming soon.

Thursday, October 29, 2009

Enabling Terminal Services ActiveX on IE7

As great as Windows 7 is turning out to be, many companies with Server 2008 Terminal Services Web Access (or plans to move to Remote Desktop Services in the near future) will likely have users connecting from home with Windows XP and Internet Explorer 7 for the foreseeable future. However the Terminal Services ActiveX control required by TSWA is disabled by default in XPSP3 as a security measure. This control needs to be explicitly enabled in IE7 in order to use the web access features of Server 2008.

Usually you can enable or disable an ActiveX control in IE using the "Manage Add-Ons" tool, but it's likely that you will be unable to see the TS specific control in IE7 on XP SP3 in that tool. The workaround is to delete the two following keys from the registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}
Once you delete these keys, the required ActiveX control should be enabled in IE7.

Tuesday, October 27, 2009

Deactivating Kindle WhisperSync

I discovered after some additional poking around, that it's possible to turn off the automatic syncing of the last read page (and bookmarks and notes) on shared books. There is an option all the way at the bottom of the Kindle management page that allows you to turn off that feature.

It doesn't give me all the content control I'd like, but at least the "sort by most recent" lists won't be affected by the activity on the opposite Kindle.

The Kindle 2 - Still Room for Improvement

I surprised my husband with a Kindle this week for our anniversary. Because I already have a Kindle and there are books on it he'd like to read, it made sense to buy another Kindle so they could be hooked to the same account and we could share books. Sharing my Kindle was out of the question, as it's rare when I don't have it with me. I debated swapping the new Kindle 2 for my own and giving him my first Kindle, but I decided to stick with the first generation Kindle for myself.

The Kindle 2 does solve some of the annoyances of the Kindle 1. The "next page" and "prev page" buttons are smaller so it's easier to pick up without accidentally turning pages. The keyboard has uniformly sized keys and the navigation cursor is on-screen instead of on the silver bar on the side. The five-way toggle button gives the navigation menus more flexibility.

The Kindle 2 is both powered and synced with a single USB cable with a removable electrical prong adapter. However, much like the iPod/iPhone, it has a proprietary connector on the device end. The Kindle 1 has a separate proprietary power cord, but the USB connector is standard - great for when I decide I need to sync on a Word document or converted PDF at the office and can use any mini-USB cable within my reach.

The Kindle 2 doesn't have any way to expand the internal 2GB memory, but Amazon worked around that by making "archived" purchased content (content that you removed from your Kindle) available directly from the Kindle instead of having to log on to the Kindle management page and have those items pushed out to your device again. This allows you easily to swap books on and off the device if you run out of space. This is a convenience feature I have a bit of an issue with and would like to see some kind of "content control" option for it.

For example, a parent in a family with several avid readers (who all have Kindles on the same account) might not want their teenager to be able to easily see or download the same books that the adults are reading. And a parent might not be interested in having to scroll past the latest slew of "vampire" books when looking for their particular archived content.

This "hive mindset" around the shared content means that if two people have the same book downloaded, both Kindles continually try to keep track of what the last page read was - as if the same person read on either device. Also, I'm a big fan of the "sort by most recent first" option for my book menu, so having something that my husband is reading, but I'm not, floating to the top of my book list is a bit irksome.

The ability to specify which content is available to which devices or providing sub-accounts per Kindle would be a great feature addition that could help work around some of these issues. Not only could you better control sharing of content between devices, one might be able to use different payment options per Kindle, instead of having all linked Kindles charge to the same credit card.

Overall, I think the Kindle 2 does make some nice improvements to the Kindle 1, but not enough of them to make me want to replace my original Kindle any time soon.

Monday, October 26, 2009

Potentially Troublesome Windows 7 User Profiles

While at "the New Efficiency" event last week, I was tapped to see if I had some insight to a problem someone was having migrating and duplicating local user profiles on Windows 7. I'll admit I haven't much bothered with user profiles since my NT 4.0 days. Even at my current job, we don't copy or use customized default profiles as a starting point for desktops. We distribute key icons and settings for users with group policies or scripts and don't worry about maintaining any customizations that each user does for themselves.

My first recommendation was that for migrating existing desktop profiles from XP to Windows 7, Microsoft provides the User State Migration Tool (for large deployments) and Windows Easy Transfer (for a few computers) to move the local documents and settings for users from XP to Windows 7. These tools help ensure all the necessary files are getting moved to the proper locations.

However the question also involved issues copying existing profiles for other users. I didn't have a good answer for someone having this type of problem in Windows 7, but I promised I'd see if I could come up with something.

After some research, I learned that others were having profile duplication issues with Windows 7 - specifically copying an existing profile to the default one. I found a quite extensive thread on the TechNet forums and an IronGeek.com posting which offered a workaround. I didn't delve into experimenting with any of these things, but I did pass them along with the hopes that they might point the requester in the right direction.

The next day, I got an update thanking me for providing the information and that he'd been able to solve the majority of his profile related issues. He also mentioned a program called "Windows Enabler", which I haven't used myself but I suspect might have been recommended by someone contributing to the TechNet thread or another forum. We all know the web can lead you to many things.

So if you are struggling with an issue similar to this, perhaps those same links will lead you to the answer you need. As with anything on the Internet, your mileage may vary.
-------------------------
EDIT 10/30/09 - Here's a link to a great blog post from the Springboard Series with the how/why Windows 7 profiles work the way they do and the Microsoft recommended way to handle customized default profiles - Configuring Default User Settings, Full Update for Windows 7.

Saturday, October 24, 2009

Free eBooks for Windows 7 and Server 2008 R2

Wondering where to get started with Windows 7 and Server 2008 R2?

If you are looking for some fresh reading material, don't miss out on two free eBooks by Microsoft Press. Get more information about the "Deploying Windows 7" eBook at the TechNet Flash Blog and "Introducing Windows Server 2008 R2" at the Windows Server Division Blog.

Friday, October 23, 2009

In My Inbox - An "Enterprise PBX Comparison Guide"

I get a lot of emails for seminars, white papers and other information from a variety of vendors and other marketing venues. Some catch my eye, many don't. I have a very low tolerance for spam, so I usually remove myself from excessive mailing lists as soon as they start to annoy me.

Recently, an email subject line comparing Shoretel to Cisco caught my eye. Turns out it was a comparison chart covering about a dozen VoIP PBX vendors and not just a Shoretel v. Cisco showdown, but interesting nonetheless. You'll be signing up for marketing emails for sure, but if you are shopping for VoIP this might be a nice summary to start with.

Personally I'm a Shoretel girl and I'll leave it at that. However I will point out that Shoretel did manage to hold its own against Cisco in this particular 18-point comparison chart, especially if you are looking for a solution for under 10,000 users. (The Giants' AT&T Park sure thought so earlier this year!)

Thursday, October 22, 2009

Windows 7 - It's Official

In case you've managed to miss it, today is the official launch of Windows 7.

Some great websites to check out if you haven't already are Talking About Windows and the Microsoft Springboard for Windows Clients. Also, check out the Windows Team Blog post from yesterday listing out some additional events and purchase offers.

Finally, if you missed out on one of the live "the New Efficiency" events, there is a free virtual event on October 27th, produced by Windows IT Pro magazine.

Enjoy!

Wednesday, October 21, 2009

Takeaways from "The New Efficiency" Tech Series

Yesterday, I attended Microsoft's "The New Efficiency" technical series, as part of the Windows 7/Server 2008 R2/Exchange 2010 product launch. I was a little disappointed at the turnout, since registration had been closed so early. I expected more people and generally "more" from Microsoft with all these new products coming out in just days. But I guess not every event can be hit out of the park.

That being said, there were several sponsor-led sessions that were interesting and then tracks for Windows 7, Server 2008 R2 and Exchange 2010. My original plan was to hit something from every track, but that proved difficult as the presenters from each track didn't always keep to the scheduled break times. Thus I stuck with the server track, which was presented by Chris Henley.

Here are a few of the features that were touched on during the sessions:

  • The integrated Best Practice Analyzer covers more areas, such as Active Directory Domain Services and DNS. The BPA was mostly known for its use with Exchange, so it's nice to see it expanded to other critical areas.
  • The Recycle Bin for AD. This feature makes it easier to restore deleted objects in Active Directory without having to resort to an authoritative restore, effectively extending your recoverability of objects to nearly a year. While possible, it's not recommended to reduce the lifetimes for deleted objects and tombstone objects below 180 days each. Also, it's important to note that the recycle bin feature is a schema change and it can't be turned off once implemented. Finally, an item in the recycle bin can't have its UPN used again until it moves out to a tombstoned object, but you can manually force items to be moved earlier.
  • In Server 2008 R2 there were changes in the core architecture which affected the networking stack to support IPv6 and IPv4 native to same Windows core protocols.
  • The Server Core installation option supports an additional role for WoW64 and IIS 7.5 also supports ASP on Server Core. Server Core has also gained a text menu environment called "S-config" to make it easier to configure basic server settings.
  • New features in Remote Desktop Services, such as virtual desktops via Hyper-V, improvements in RemoteApp, multimedia support and bi-directional audio.
  • DirectAccess as an alternative to VPNs for corporate network access. DirectAccess requires at least 4 servers and includes a setup wizard that details out how it all hooks together.
  • Improvements in Hyper-V, such as Live Migration and the ability to add some "hardware" (like Hard Drives) to virtual machines without powering them off. Don't forget the Microsoft Assessment & Planning Toolkit, which can help minimize capital costs and reduce operating costs in your data center.

At the end of the day, the software giveaway was a copy of Windows 7 (32-bit) and the swag bag had the ever-popular XL t-shirt. Hidden among the product pamphlets in the bag was a cool gift from NetApp - a free copy of the book "Windows Server 2008 Hyper-V: Insider's Guide to Microsoft's Hypervisor". Request your copy by November 20th. I'm sure the request will get you on a mailing list of some kind, but I'll live with that for a free book.

Friday, October 16, 2009

Because It's Already Here

A colleague of mine asked a valid question about my last post regarding how my office IT department uses ImageRight for document management instead of something else, like a Wiki. Of course a Wiki would work just fine. So would SharePoint or any other software that helps manage documentation and allows for collaboration.

I'm not saying that ImageRight is the end-all, be-all for document management. It's just that ImageRight is what we have. One of the big topics that came up at the Vertafore Connections conference I attended a few months ago was that many companies using the product only deploy it to one or two departments to perform very specific business functions. I've found that it can be used by many other business areas if one just takes the time to carve out a place for their specific documentation and processes.

There is that old "law of the instrument" that can make a familiar tool look like the panacea of all problems, but I'm not trying to make an unsuitable piece of software meet our needs. We are simply using a product that our company has already invested in, instead of looking outside our existing infrastructure for a new solution. Not only does this save licensing, installation and maintenance costs for an additional product, it encourages members of our department to use ImageRight regularly, making us better able to support the other staff members in the office. We are not only supporting the backend of the program, but interacting with it as an end-user as well - a win-win for everyone.

Wednesday, October 14, 2009

Document Imaging Helps Organize IT

Since our implementation of ImageRight, our Network Operations team has embraced it as a way to organize our server and application documentation in a manner that makes it accessible to everyone in our team. Any support tickets, change control documents, white papers and configuration information that is stored in ImageRight is available to anyone in our group for reference.

This reduces version control issues and ensures that a common naming (or "filing") structure is used across the board, making information easier to find. (For reference, an ImageRight "file" is a collection of documents organized together like a physical file that hangs in a file cabinet.) Plus, the ability to export individual documents or whole ImageRight "files" to a CD with an included viewer application is a great feature that I'm using as part of our Disaster Recovery preparations.

I have a single file that encompasses the contents of our network "runbook". This file contains server lists and configuration details, IP and DNS information, network maps, application and service dependencies, storage share locations/sizes, support contact information, etc. It consists of text documents, spreadsheets, PDF files and other types of data. I keep a hard copy printed at my desk so I can jot notes when changes are needed, but ImageRight ensures I have an electronic backup that I can edit on a regular basis. Plus, I regularly export an updated copy to a CD that I add to the off-site Disaster Recovery box.

The value of ImageRight in a disaster scenario expands beyond just our configuration documents. In an office where we deal with large amounts of paper, encouraging people to see that those documents are added to ImageRight in a timely manner will ensure faster access to work products after an event prevents access to the office or destroys paper originals.

Friday, October 9, 2009

Configuring Server 2008 AD - Traditional vs. Virtual Lab Exam

There has been some recent chatter on the web about the 83-640 exam, which is the "virtual lab" version of the 70-640 exam, TS: Windows Server 2008 Active Directory, Configuring. Both of these exams are available through Prometric (at least in CA), but 83-640 is not currently listed as an official exam option for the MCITP: Enterprise Administrator or for the MCITP: Server Administrator if you refer to the MCITP certification list. However, the exam details for 83-640 note that it DOES count toward them. It's hard to say if or when this new version will officially replace the traditional exam.

I did have the chance to sit for the pilot of this test held in late 2008, when it was numbered as 70-113. While the test did have a multiple-choice section, the sections that were done in the virtual lab were actually fun. Yes, I thought the test was fun.

It really gives someone who works a lot with Windows a chance to showcase their skills without having to memorize the exact name of the tab or screen where a setting is located, as is often the case with the regular exam format. Instead, you worked on a fully functional server, making about 10 configuration changes in each test segment. I had access to everything I would have on a "real" server - I could click around to review all the tabs, settings and tools and even had access to the help files. Once all the tasks were completed, you close out that segment and move onto the next.

The experience was as close to a true work environment as you could possibly get for a test. We all know that on any given day, we may not know exactly where to go for what needs to be done, but we certainly know it when we see it. And browsing a few tabs or pressing F1 is part of the process to jog our memories and get us back on track.

If I was given the choice to take 70-640 or 83-640 to meet my certification requirements, I'd look to take the "virtual lab" version, hands down. I hope Microsoft looks to this new format for future exams.

Thursday, October 8, 2009

Catalog Error with Backup Exec

The disaster recovery project has been moving along with fits and starts. I was certainly expecting this to be a learning experience and it hasn't disappointed in that regard. Today, I kicked off a catalog of a new tape and promptly received this error:

The requested media is not listed in the media index and could not be mounted. To add the media's catalog information to the disk-based catalogs, run an inventory operation on the media and resubmit the Catalog operation.

I ran another successful inventory of the tape for good measure, but the error remained. I rebooted the server and the tape drive. No love. Frustrating since I've been successfully cataloging tapes for the last few weeks.

Following the links from the error report, I turned off the option to "Use storage media-based catalogs." By clearing the check box for this option, Backup Exec was forced to ignore any catalog information on the tape itself and build the catalog by reviewing each file on tape individually. This process takes longer, but in my case, was successful.

This is the recommended change to make when normal catalog methods fail. It's also something you'll need to do if you must catalog the contents of a single tape from a backup job that spans multiple tapes, which can also fail if you don't have all the tapes from the set in inventory. For more information about the differences between storage media-based catalogs and on-disk catalogs for Backup Exec, check out this additional explanation of the "storage media-based catalog" option at Symantec's website.

Monday, October 5, 2009

Restoring IIS 6.0

I love the Internet. I use it every day. But when it comes to making websites work, it's just not one of my strong areas. I've gone through a good portion of the last decade working for smaller companies where being the "network administrator" meant being a bit of a jack-of-all-trades. While I don't mind having to search for solutions to issues with software that I don't use often, I've also learned which bits of the tech realm I'd rather leave to someone else. One of those is IIS.

However, this isn't all about me hating on Internet Information Services. Last week, I actually had an experience restoring IIS 6.0 that was remarkably smooth and successful - restoring our company intranet to a different machine.

In order for this to be successful, I needed to have a portable backup of the metabase, my web folders and ASP 2.0 (which we needed for some small web-based applications). I was missing the ASP 2.0 on the base installation of IIS on the new server, but that was easy enough to correct. The web folders were getting backed up nightly, but I was missing the metabase, which was key to making this all go well.

Microsoft TechNet had a rundown of how to back up and restore the metabase and this post from IT Solutions KB even includes screenshots of the process. All in all, the whole process took less than 10 steps, including making the initial backup. I was pleasantly surprised, since I expected IIS to be far more complex. I understand that IIS 7.0 is even easier, but I doubt it'll make me want to deal with IIS regularly!

Saturday, October 3, 2009

Windows 7 Beta Exam for Pro: Enterprise Desktop Admin

Through the middle of the month, IT Pros will be taking the beta exam version for the 70-686, Pro: Windows 7 Enterprise Desktop Admin. My exam slot was in the middle of last week and as far as testing goes, this one hit on every possible area you could run into Windows 7 in the enterprise.

Obviously, I can't rattle off exam questions and this test had more than the average share of them due to the beta nature. However, I can tell you that there was at least one question for EVERY bullet point in the skills list in the exam catalog.

Because this was geared to the enterprise, general experience with AD and group policy were important, as well as WAN/LAN networking concepts and security methods. And because this is a new OS with plenty of new features, don't plan to empty your pockets at the testing center until you know the differences between the various options for application compatibility, the range of deployment methods (including image and licensing management) and how the newer features in IE8 and Windows Server 2008/2008 R2 can affect the desktop experience.

This exam, combined with the 70-680 exam, makes up the MCITP: Enterprise Desktop Administrator 7 certification. While this certification doesn't require as many tests as the MCITP: Enterprise Administrator, it's certainly gearing up to be challenging in its own right, as the desktop client is the portal through which the majority of workers experience your company network.

Tuesday, September 29, 2009

Microsoft Security Essentials

This evening I installed Microsoft Security Essentials on my Samsung NC10. I replaced the free Avast! scanner that I've been using since installing Windows 7. Avast! certainly appeared to be meeting my needs, however I was hoping to lighten the load on the basic hardware this netbook is sporting.

The MSE installation was quick and easy; the longest part was waiting for the initial full scan, which took about 8 minutes. The application seems very lightweight and has very few "moving parts" to configure. Outside of adjusting the schedule for the full scan and the desired actions for the various threat levels, it's good to go. It's advisable to check out what the "recommended levels" for the threat level responses are online (there's a link) or in the help file, just so you have an understanding of how it's going to react. Unless you have some deep desire to review everything before it's removed, I think the default settings will meet the needs of most.

The last setting that probably warrants a little attention is the level of information you can opt to send to Microsoft SpyNet. Now, while the name might be a little suspect, SpyNet is the "community" all users running MSE must be part of to use the software. The basic setting will send information about detected malware, the action that was taken and the success or failure of that action. The advanced setting will also include the file names and location of the malware, how the malware operates and how it affected your computer. All this data is aggregated to improve signature updates and detection methods. It's not possible to control which incidents you submit, so pick the level you are most comfortable with and accept that providing this data is part of what makes it "free" and will keep it up-to-date and useful.

Finally, be sure to check out the Microsoft Security Essentials Community, part of the Microsoft Answers forums for Windows, Security Essentials and Windows Live. There are some lively threads about the feature set of MSE, as well as tips for troubleshooting and submitting possible bugs.

All in all, it seems like this product will fit right in with the other free scanners available and will be suitable for the average home user or very small business that doesn't have a central way of managing virus and malware prevention.

Sunday, September 27, 2009

24 Hours Offline - Connectivity is Addictive

I'm addicted to being connected. I admit it.

I went away with some friends for a couple days on a road trip to the Yosemite area this weekend. As soon as we left the major areas of civilization and began traveling through farmland, valleys and mountains my cellular signal became spotty and then abruptly failed.

My BlackBerry transformed from my link to friends, family and information into a pocket-sized camera, alarm clock and tip calculator. And while it was handy to have those things, I sorely missed my instant access to information about the sights we came across, sharing pictures and comments with friends near and far via Twitter and Facebook, and just "knowing" what was going on even though I wasn't home making my way through my regular routine.

Instead, I enjoyed the informational displays provided by the park services about the places we visited. Shared my thoughts with those people directly around me. And much like the days before constant connectivity - I snapped photos of things to share with others later, though I wouldn't have to wait a week to develop the film.

One of the friends joining us joked several times about my addiction to connectivity. Yet, he didn't seem to mind when I found that 2 bars worth of the free wi-fi at our campsite trickled down to one of our cabins and I could schedule the DVR at home to record a football game he'd forgotten about.

I went through phases of being relaxed about being cut off from the world, and phases of being frustrated by the "X" in the spot where my signal should have been. I'm glad to have had the chance to get away for this adventure, but you can bet I was thrilled when we broke out of the dead-zone and I was able to watch 24 hours of emails and SMS messages flood my phone like a dam had been opened.

I think it's okay that the stream of electronic data and the flow of the babbling brook outside our cabin door both have a place in my life. Though I think a few well-placed signs warning that "cellular coverage will end in 5 miles" would help me with the transition. Addicts can't always go cold turkey, you know.
