Monday, November 30, 2009

Always Enjoy Lunch

I once received some sage advice from another System Administrator I worked with years ago regarding working with potentially troublesome servers.

It was back in the Exchange 5.5 days. I had a cranky server with a potentially unsolved hardware problem in the disk subsystem. Every time I powered off the server, it damaged the OS and I was forced to restore Exchange from tape. The manufacturer always replaced a part when I called for support, but I had ended up rebuilding it several times and had not yet confirmed that the latest hardware replacement resolved the issue.

My co-worker was on-site to help me set up a new server room after we relocated the office. Because of the history of the server, I was very anxious about possibly having to restore Exchange again. It was approaching lunch time and we were at the point where it was time to power on the mail server.

He turns to me and says, "We are going to press the power button and then walk out to eat without looking back." His theory was that if the server was going to be fine, it would be fine without us watching it boot. If it was going to have a problem, the problem would still be there when we returned. At the very least we would have had a relaxing lunch break and would be better able to solve a problem without the additional stress of hunger pangs.

Turns out the server was fine.

To this day, I still heed that advice. If I'm about to do something to a system that has the potential to backfire, I make sure I've already enjoyed my lunch.

Friday, November 27, 2009

Microsoft Security Essentials - Accessible for the Visually Impaired

On occasion, someone from one of my non-tech interests overlaps with my "geek" interests. A blind friend posted a question to the "Twitter-verse" asking about anti-virus software that was accessible for the JAWS screen reading software.

My first response was to suggest Microsoft's Security Essentials, but I didn't know if it was accessible in the way that was needed. Turns out, not only does MSE rank well against a variety of other anti-virus software offerings, it is accessible with at least JAWS 9. I suspect it will be equally accessible with the most recent JAWS version as well.

The only issue was that downloading the software itself wasn't particularly accessible. This detailed post on the "Blind Access Journal" blog lists out how to download the software using JAWS. Once that hurdle is overcome, Security Essentials is a great fit for users who have special software needs and don't want AV software to get in the way of other applications that make their computers such valuable tools.

Wednesday, November 25, 2009

Getting Back in Touch with Hyper-V

Some days I feel really behind the eight ball, so today I spent some time getting back into Hyper-V. The office runs VMware for our production items, but I'm really trying to make time to give Hyper-V a fair shake. Since all of our lab machines are segregated off into various nooks and corners of the server room, physical access while working on them is less than ideal. I'm happy to remotely connect to servers from the comfort of my desk.

Conveniently my co-worker already has a Hyper-V host server set up, so that saved me from having to hunt down hardware and get going from scratch. In order to get started configuring my guest server, I'm connected to my Hyper-V host machine via Remote Desktop and then connecting to my guest server with a Virtual Machine Connection. Because the mouse might "behave erratically" without Integration Services in this particular scenario, the mouse controls are intentionally blocked.

While one of my many random goals in life may be to navigate Windows without a mouse, it's not something I'm very proficient at currently. In order to install the Integration Services, one needs to be handy with keyboard commands, particularly the alternate versions used in the virtual environment. Here are a few that I found useful. The traditional key command is listed first, followed by its Hyper-V VM equivalent.

  • CTRL + ALT + DEL = CTRL + ALT + END
  • ALT + TAB = ALT + PAGE UP
  • ALT + SHIFT + TAB = ALT + PAGE DOWN
  • ALT + ESC = ALT + INSERT
  • CTRL + ESC (Start button) = ALT + HOME
  • Right-Click (to get to context menus) = SHIFT + F10

Ultimately, I'll be using this guest server to play around with SharePoint 2007, but today I'm happy to have just gotten the OS configured and Windows Updates installed. SharePoint will have to wait until after Turkey Day.

Tuesday, November 24, 2009

Tech Tidbits - PDFs on Kindle 2, Beta Exams

For those of you who like to be on the bleeding edge of Microsoft exam offerings, don't miss out on the Microsoft Beta Exam Announcements blog. Right now there are 3 new beta exams available:

  • 71-663 - Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010
  • 71-580 - TS: Windows Mobile® 6.5, Application Development
  • 71-579 - TS: Windows Mobile® 6.5, Configuring

Also, Amazon released a firmware update for the Kindle 2 that increases the battery life by several days and adds support for native PDFs, which was originally only available in the DX version. I don't expect I'll be dumping my Kindle "classic" immediately, but I will put a few whitepapers on my husband's to see how it handles diagrams and other components that don't convert well to the regular Kindle format.

Finally, don't miss out on the PacITPros December meeting. Check out www.pacitpros.org for details and to RSVP.

Monday, November 23, 2009

TS RemoteApp, Group Policies, Internet Explorer Zones

It wouldn't be work if we didn't have more than one different, yet similar, thing going on in the office at any given time. The disaster recovery user testing is drawing to a close and I'll be the first to admit that opening it up to users has certainly been a learning experience. (More on that later.)

Meanwhile, in an attempt to phase out our Citrix Remote Access farm, we've started to "soft-launch" our production version of Windows 2008 Terminal Services using Terminal Services Web Access and RemoteApp. Two applications we are publishing as remote applications are our financial system and our timecard system. We succeeded in getting both these applications mostly running in our disaster recovery lab last month, but our production version of Terminal Services is a different animal.

In the disaster lab, I didn't configure any special group policies that affected Internet Explorer or any other functions. The setup was done with just the basic configuration wizards for Terminal Services, TS Gateway and RemoteApp. Our production version of Terminal Services was set up "by the book" (particularly this book) with lots of security customizations added on with group policies. I'm all for tightening things down until people squeal and then loosening things up as needed, and my co-worker had done just that with this installation.

Today, I tested out the timecard application that requires a Java plug-in. The plug-in automatically initializes on our regular desktop machines without issue. On the Terminal Server, which is running the Enhanced Security Configuration, the name of the server hosting the timecard web page must be part of the "Intranet" security zone in IE.

Easy fix... except I don't have access to the "Tools - Internet Options" pages in Internet Explorer with my regular user account. That's a group policy setting. Or rather, 3 group policy settings. Because the options available in group policy have grown as each new OS has been introduced, there are several places you can enable, disable and tweak various aspects of what IE menus are available to users. It took me several visits to our Terminal Services policies to restore access to the "security" tab of Internet Options.

Sure enough, once I added the proper web server to the Intranet list, the plug-in initialized. But we don't want to have to explain this to each and every user when they access remote applications for the first time. So next up was getting those settings automatically configured for each new user.

Our first stop was Group Policy Preferences, which allows for configuration of much of the Internet Options tabs, but not any of the lists for Intranet, Trusted or Restricted sites - how frustrating. But those are simply registry keys, which can be added "a la carte" with Group Policy Preferences as well. The end seems near.

A quick search yields this MSDN article, Adding Sites to the Enhanced Security Configuration Zones. We ended up adding registry keys for both the regular non-ESC domains and the ESC domains because our testing showed that my user account put zone additions in the regular domain area and my co-worker's went in the EscDomain registry area. (The dword hex of 1 means "Intranet zone", use 2 for "Trusted" sites.)

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\timecard]
    "http"=dword:00000001

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\timecard]
    "http"=dword:00000001

We didn't experiment further with the "Domain" vs "EscDomain" mystery, instead just added registry keys to cover all our bases for the time being. Now the only thing left is to decide if we want to take away those IE Options pages that I added back in for testing. Jury is still out on that one.
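The registry change described above, as an added PowerShell example that is not part of the original post: it writes the zone value under both ZoneMap branches for the current user and then lists every per-user mapping so the additions can be reviewed. The function names are hypothetical, PowerShell 3.0 or later is assumed, and `timecard` is the host key from the post.

```powershell
# Added example, not code from the original post. Function names are hypothetical.
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# Zone numbers used by the IE zone map (the post uses 1 and 2).
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Set-ZoneMapEntry {
    param(
        [Parameter(Mandatory = $true)] [string] $Site,
        [ValidateSet('http', 'https')] [string] $Protocol = 'http',
        [ValidateRange(0, 4)] [int] $Zone = 1
    )
    # The post writes both branches; EscDomains is the branch used with
    # Enhanced Security Configuration, Domains is the regular one.
    foreach ($branch in 'Domains', 'EscDomains') {
        $key = "$ZoneMap\$branch\$Site"
        # Create the key only if missing: New-Item -Force on an existing
        # key would recreate it and drop values already stored there.
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name $Protocol -Value $Zone `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-ZoneMapEntry {
    # Walk both branches and emit one object per protocol-to-zone mapping.
    foreach ($branch in 'Domains', 'EscDomains') {
        $root = "$ZoneMap\$branch"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # Skip anything that is not a DWORD zone assignment.
                if ($key.GetValueKind($name) -ne 'DWord') { continue }
                $zone = [int]$key.GetValue($name)
                [pscustomobject]@{
                    Branch   = $branch
                    # Path below Domains/EscDomains, e.g. 'timecard'
                    Site     = $key.Name -replace '^.*\\ZoneMap\\(Esc)?Domains\\', ''
                    Protocol = $name
                    ZoneId   = $zone
                    Zone     = $ZoneNames[$zone]
                }
            }
        }
    }
}

# The post's entry: host 'timecard', protocol http, zone 1 (Intranet).
Set-ZoneMapEntry -Site 'timecard' -Protocol 'http' -Zone 1

# Review everything mapped into the less restrictive zones.
Get-ZoneMapEntry |
    Where-Object { 'Intranet', 'Trusted' -contains $_.Zone } |
    Format-Table -AutoSize
```

Running the listing on a test account before and after a Group Policy Preferences refresh shows which branch each user actually received entries in.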

Friday, November 20, 2009

Migrating to Exchange 2010 - Where to Begin?

One of the potential projects on my list for 2010 is migrating our Exchange 2003 server to either 2007 or 2010. I'll likely have to do some more detailed comparisons of features and requirements, as well as take a close look at some of the long term business goals so that we can make the most cost effective decision that will also give us some longevity. It seems like just yesterday that I migrated from Exchange 2000 to Exchange 2003.

Just to wet my feet a little bit, I found some great posts by Rand Morimoto regarding migrating to Exchange 2010.

Also, be sure to check out the Exchange Server Supportability Matrix, which lists out which operating systems support installing the various flavors of Exchange, as well as which flavors of Active Directory are also supported with Exchange. For example, Exchange 2003 SP2 will run in a 2008 domain (but not 2008 R2) and don't even think about pushing your forest or domain functional levels past 2003 compatibility. On the flipside, Exchange 2007 and higher won't run on a 2000 Active Directory environment, so if you are still sporting that type of domain you know where to start.

At any rate, there are quite a few little ducks that need to be in a row. I know I've got a bit more reading to do before I start writing up my migration plan.

Thursday, November 19, 2009

PacITPros - December Meeting

Don't forget to check out the details for PacITPros December meeting. We'll be hearing from StorageCraft about bare metal recovery and migrations between physical and virtual machines.

Tuesday, November 17, 2009

Access Control on College Networks

Recently, I acquired a September back-issue of the student newspaper from my old alma mater, The College of New Jersey. Technically, I attended Trenton State College, but let's not digress.

As I was flipping through, one of the letters submitted to the editor entitled "Internet security measures vital to network health" caught my eye. It was in response to an opinion piece in the previous issue. I hopped online and found the original student opinion - NAC Restricting College Internet Use. There were two response letters, including one from the IT Manager.

The main complaints from the student were that he was worried about installing the necessary NAC client software because its purpose was not clear, and he did not believe he should be required to use anti-virus software. Finally, the restriction on personal router usage was inconvenient.

I recently posted about internet filtering, so the topic of these letters seemed to strike along the same vein. The responses to the student were clear and to the point, detailing how network access control provides overall network security by preventing access for computers that do not meet the basic network security requirements. I have to agree with the IT Manager on this one, hands down.

Based on the letters, it appears that TCNJ is using Impulse Safe-Connect "Policy Key", a NAC system used by many colleges.

Networks at education institutions are shared by many and it's important to have measures in place to ensure some management of the variety of computer operating systems that can connect and dictate the basic requirements for using a critical resource. Network access control systems can be a valuable part of network management when direct control over the client machines is not available. For example, Microsoft's Network Access Protection can evaluate the "health status" of a Windows computer by checking for up-to-date anti-virus software, Windows patch levels and firewall status.

In my opinion, TCNJ doesn't seem to be asking students to do anything excessive in exchange for what is essentially "free" access to the web. Running a NAC supplicant to check for anti-virus software is a small concession to make for the average student needing average access to the Internet. The college even offers free anti-virus software as a download. The outraged student needs to spend a little more time hitting the books and less time complaining that he can't use his router to connect his Xbox.

Tuesday, November 10, 2009

Internet Monitoring - Good, Bad or just Ugly?

A good friend of mine works at an academic institution where she teaches literature. Her specialization revolves around romance literature. Research in that area often spans into topics that are considered to be NSFW and she's often thwarted by internet filtering when doing research in her office. She objects to this and we shared an exchange about possible reasons for these types of restrictions. As a systems administrator, I can argue bits on both sides.

For me, intentions mean everything.

First off, monitoring and filtering meet different needs. Most appliances and applications available today can do both functions and are adjustable to allow various exceptions. I define monitoring as simply logging sites visited, the length of time spent and the amount of bandwidth used. Filtering is when a site is restricted outright or portions of the site are prevented from loading.

I agree that in an academic institution, internet filtering should be kept to a minimum on the staff network. Education institutions thrive on the fact that professional staff produce new works and having unlimited access to the internet and even access to potentially taboo or questionable material could easily be justified. Being that most university professors have private offices, the risk of offending someone who walks by is minimal.

However, general monitoring is often needed to track bandwidth usage and some light filtering may be reasonable to reduce the impact of sites infiltrated with malware. In a location where the general public or children use the Internet, clearly more strict monitoring and filtering is necessary to block age inappropriate content and prevent abuses. In either case, there needs to be a system that allows for users to request review of websites that are blocked, as most out-of-the-box filtering systems can categorize some sites strangely.


In the classic business world, internet access gets even more slippery. I stand behind my opinion that light filtering to reduce malware and basic monitoring (for bandwidth tracking) is an important part of keeping control of IT costs. Also, I understand that it's helpful to block obvious non-work related or NSFW sites. Unless your business has a specific need to access gambling, online games or other clearly "entertainment" sites, I don't fault management for asking IT to limit access.


Home banking, personal email, news and some social networking sites can be a gray area. I feel that employees work more effectively if they can access some personal conveniences from the office. I can quickly handle an urgent bill or respond to a family member online and then get back on my work task, instead of having to take out of office break time to visit the bank or run another errand that could be completed online faster. Also, many corporations now have identities on social networking sites that need to be maintained.


The big disconnects start to occur when managers start looking at internet usage as a way to determine employee productivity. Using the amount of time an employee is online as a sole reason for a write-up, reprimand or worse is inappropriate. If an employee is not completing their required tasks, blaming internet usage shouldn't be necessary. There should be clear areas of suffering in that employee's work product that can be documented.

If an employee IS completing work tasks and still has time to surf the web, either a manager should look to assign additional tasks or examine ways to utilize that employee's efficiency methods.

Controlling some of what flows from the public networks to a private network is a necessary component of good IT practices. However, when those same controls start hampering employees' ability to work or are used as a poor indicator of productivity, no one is gaining anything from the information available online.

Tuesday, November 3, 2009

The Cost of Kindle Content

I love having a Kindle and I don't mind paying for the content. Most of the time.

I enjoy the convenience of having several different types of reading material on hand without the bulk of carting around multiple books and magazines. The general lack of having something tangible to put on a bookshelf makes some people uncomfortable with the idea, but I'm willing to give up physical paper for the fast access to the variety of published content that the Kindle provides.

The potential downside is the cost of the content. Of course it's cheaper to read other ways. I could be better about going to the library for books (especially fiction) but the reality of it is that I'm one of those people that would often buy a new book and then let it collect dust on the bookshelf once I finished. I admit it. So I don't mind paying for just the "bits". The author and distributors of such content deserve their cut regardless of medium and I reap the reward of getting that new hardcover novel at a discount, delivered in seconds.

I also subscribe to the local newspaper. It turns out I read more of the paper now than I did when we had it delivered to our house and I don't feel guilty about skipping a few days when it happens. No guilt about recycling the untouched pages when I don't have time and I'm financially supporting the news outlet in a way that works for me. I even read a larger variety of the articles than I would browsing the same news online.

The only problem I'm having with the Kindle at this point is collecting too many book samples. The Kindle has become the holder of all that I haven't had time to read. When I wander across a good book review, I pull out the Kindle and download the sample section. Sometimes the sample leads to an immediate purchase. Other times, it's a placeholder for a future afternoon of reading.

The Kindle isn't for everyone, but I know it's working for me. So in a fit of shameless self-promotion, I set up this blog to be published in the Kindle Store. For a whole $.99 a month you can subscribe to Techbunny, as well as many others. However I'm not expecting to see the "pay for blog" model take off any time soon.

I do just about all of my blog reading online and it's certainly not cost effective to have them all sent to my Kindle, as even the smallest monthly fee available ($.99) would add up quickly. I understand Amazon's desire to offset the costs of "whispernet" for delivery, but I wish there was a free publishing option for some blogs, especially those with a niche topic or limited readership. I think that serving some blogs for free would give more people a reason to invest in a Kindle in the first place. Because once you are hooked it's hard to turn back.

Monday, November 2, 2009

The LearnIT! Tech Kickoff - A first look at what's new this fall

Last week, I had the opportunity to speak about some of the new features in Windows 7 at the LearnIT! Technology Kickoff. This fun evening event was a great way to gain some insight into what's exciting about some of the new software that has launched this fall. I'm almost disappointed I didn't get to attend a session myself.
I've taken several classes at LearnIT! through the years, so it was exciting to have the chance to return the favor. If you happened to catch my session and are looking for the slide deck I used, look no further.
