Yahoo Logo

Saturday 07 September 2013 at 8:13 pm Getting back into the swing of posting again. Its been awhile.

In fact its been so long I'd completely forgotten Yahoo still existed.

As a design and typography nerd (I'm not claiming to be any good at it but I certainly appreciate it) I enjoyed these two articles on the new Yahoo logo -

Logo Reveals Worst Aspects of Engineering Mindset

Logo Bullshit

Both great reads.

A reminder that just because 'design' looks easy, don't be mistaken into believing it actually is.

Microsoft Internet Explorer (IE) Enhanced Security

Sunday 29 June 2008 at 10:25 am This one pissed me off mightily so I thought I'd put something together on the offchance someone else finds this useful:

I created a new Virtual Machine Template to use on our ESX cluster with all the latest patches including IE7 - normally I'm pretty conservative when it comes to browser versions on servers but I figured I'd make sure I'd update everything I could. Just this once I'd give Microsoft the benefit of the doubt and update the browser on the server.

I used the excellent ctupdate patch tool to minimise load on our WSUS server and allow me to have an up-to-date patch ISO I could also use on our DMZ systems. Downloading the patches and creating the ISO took about an hour - patching the template took about 30min. All was well.

I deployed about 15 new systems from the template.

Then one of our DBA's popped by with an error when he went to install SQL on one of the new VM's. In true Microsoft style the error was particularly helpful -

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them"

This error prevented him from installing anything via UNC path and also locally (if he unzipped files no .exe files would unzip; everything else was fine). He had local admin rights - when I logged in as Domain Admin it worked fine; when I logged in as myself with Domain Admin rights I got the same error.

Nasty. I thought all the VM's I'd stamped out were borked. People had already started to deploy to them so I *really* didn't want to have to remove them and redo the VM's from scratch.

Some digging on the interweb revealed the culprit - Internet Explorer Enhanced Security in IE7. What Microsoft dont make very clear is that IE7 includes fancy new Security features to prevent arbitrary code execution (great!) which stops you running .exe/.msi executables locally or from a UNC path even if youre a local admin (aaarggghh!). And it provides all this extra protection while masking the cause behind the cryptic error message. Running filemon or regmon doesn't help debug the issue because everything is working just the way it should from a Microsoft perspective - no file access or registry errors at all to point the way.

Thank god for google. The third hit set me off looking at IE7 related issues which led me to this WindowsITPro article.

After more digging - it appears you can do one of two things to fix this -

1. Right click the exe/msi and select Properties and at the bottom of the General tab select 'Unblock'. Do this everytime you need to run a new executable.

or

2. Disable IE7 enhanced security (as per the WindowsITPro article) via Add/Remove Programs -> Windows Components -> Internet Explorer Enhanced Security Configuration -> best to select 'For Administrators groups' only

or (I left this out originally)

3. Don't patch your browser in the first place !

Sigh.

DST 2008

Thursday 13 March 2008 at 2:39 pm Make sure your EA's & PA's are well briefed - Daylight Savings is upon us again and this week there could well be two weeks of aggravation instead of just the one.

Interesting thatMicrosoft have released updated DST patches

Vista SP1

Wednesday 27 February 2008 at 7:45 pm I installed Vista SP1 today - it took a couple of hours and three reboots. Awesome.

This is on a quad-core Xeon workstation with 4Gb of RAM.

After the reboot I didn't notice any immediate differences - AnandTech cover whats fixed and performance improvements (if any) in SP1.

After all that it still won't pick up my Creative Zen Plus . . . Sigh. Apparently its a standard MTP with native XP/Vista support so it should 'just work'. It doesn't in Vista 64bit which is a little aggravating - especially after two hours and three reboots

WTF ?! - DCPROMO on W2K3 R2

Wednesday 12 December 2007 at 2:31 pm I'm sure other Windows admins have already come across this but its new to me - promoting a Windows 2003 R2 server into a Windows 2003 domain requires you to prep the forest on the schema master !

Whichever bright-spark at Microsoft came up with that gem should have been shot.

Sigh.

Windows 2008 + Windows Data Protection Server

Tuesday 16 October 2007 at 3:29 pm A must read for Windows admins - First Look at w2k8. Looks good - w2k3 was a nice incremental improvement over w2k and this looks to be another steady improvement. Five years between releases is a little extreme . . . will the next server OS appear in 2013 ?

Microsoft are aggressively kicking into new markets - Data Protection Manager is their backup solution. In other words they're moving into NetBackup, Legato, ArcServe territory. Be afraid.

Microsoft Tech Briefing

Friday 23 March 2007 at 10:28 am I attended a Microsoft Technical Briefing last week. I'd never been to one of these types of things before. Being crammed into a hall with a thousand other IT people was certainly interesting if not slightly depressing (wheres the gender balance and why doesn't anyone buck the 'geek' stereotype?).

It was an all day event - most of the sessions were good although the uncomfortable chairs definitely made me lose focus about 2/3 of the way through each presentation. Microsoft could learn a little something from Apple when it comes to holding peoples interest over an extended period of time ('more demo less talky' and 'squinty fonts bad' spring immediately to mind).

The take away from the event was that Microsoft really are moving to slay the opposition in the next layer of applications and services. If Microsofts offerings are like a cake - the Operating System is the base, Office suite is the cream and then Integrated Services is the next layer of sponge. Essentially they're looking to do value-add almost everywhere - as with everything Microsoft do version 1.0 might not be that great but by the time they get to version 3.0 they'll definitely be hurting the competition.

Its also interesting that a lot of the exciting new stuff has been acquired by corporate acquisition rather than developed in house (which seems to just be going through improved iterations).

Interesting stuff included

Virtualisation

* SoftGrid is application level virtualisation - for example you can sandbox multiple Java versions or Access versions so they run on the same machine. Looks like a great way to handle application conflicts and deployment of legacy apps.

* Virtual Server is still has a long road to topple VMWare but the new versions certainly look like they'll give ESX a good run. Particular at the high-end - it looks like their Data-center version will give you the right to unlimited Virtualised servers. If you're a Windows-only shop the licensing implications alone are pretty huge.

Security

* Forefront seems to be the new catch-all for Microsofts Security stuff. Their presentation had about 16 different products in the 'Forefront' bucket - given the range of systems they need to protect this isn't a surprising figure but it does make their over-all offering a little confusing. What I liked were the hosted Exchange, mail archiving and mail scanning facilities (backed by stringent SLA's and penalty payouts for passing through known malware/viruses). They also have a new Internet Access Gateway (IAG) which is SSL VPN with endpoint security - lots of VPN vendors are going to struggle.

* As well as the anti-competitive aspect (if you write the OS & application it gives you bit of an edge in securing them) it does raise the spectre of putting all your bags into a single basket which many people will weigh up against ease of use and integration with all their other Microsoft apps.

Management

* They've put all their management stuff under the - System Center banner SMS is probably the most well known tool but they have MOM (a monitoring solution), Data Protection among others in this category. Most of these have had multiple revisions under various different product names - Microsoft admits they've been remiss in improving the management aspects of their products so they've been beefing up their resources to greatly improve this line. I've tried the new MOM & SMS and they seem straightforward to install and deploy but getting them to do more seems to require some serious specialist knowledge (ie its counter-intuitive and quirky).

Deployment

* Lots of Vista goodness on show - given Microsoft have done an about-face and are now promoting image-based deployment you'd think they'd make the process foolproof. They've come up with some good tools but they seem to be a bit tricky to use - Windows Deployment Services (which supercedes RIS) and Business Desktop Deployment. At least now a single image can go onto a variety of hardware. The license and activation stuff looks straightforward (you need to setup your own internal license server if you want to get a volume key).

So it looks like interesting times ahead in IT land.

Vista Deployment

Tuesday 13 February 2007 at 11:33 am Looks like all the stuff you used to know and love about NT4, 2000 and XP deployment is out the window. Better start reading - 10 Things You Need to Know about Deploying Windows Vista.

Simple Way to Find Which Role is on Which Domain Controller

Thursday 01 February 2007 at 11:58 am I'm sure there's a better way to do this but this works for me -

If you need to find which FSMO roles are held by which Domain Controllers, install the Server Support Tools from the Server CD.

Then run replmon.exe, add in your DC's and you can check replication status on various Active Directory objects. If you select the Properties for a DC you can view which DC in the domain holds a particular FSMO role.

Some more info on replmon.exe:

* Microsoft's Replmon Reference

* Replmon How-to

Project 2003 Pro Annoyance(s)

Wednesday 20 September 2006 at 11:51 am Like many organisations looking to consolidate their workflows via a PMO (Project Management Office) - we're looking into tools which enable collaboration of the various projects and workstreams underway.

Microsoft have a number of tools to facilitate this - primarily SharePoint and Project Server.

I ran up a Project Server for a Pilot program and ran into a few annoying glitches that I thought I'd document for anyone else that came across them -

* First if you install and run Project 2003 Pro and get a "The command is attempting to use a webpage from the site gbui://blank.htm/" error which loops endlessly then you need to check this Microsoft kbase article (ID 887028). Methinks they rushed this product out the door a little quick.

* Second if you try to talk to a Project Server you end up with a blank login screen - because MS Project 2k3 Pro doesn't use a standard MS authentication system - it uses security libraries from Internet Explorer. Nice. There seem to be several reasons why this happens - many people suspect it is due to security restrictions enforced by McAfee VirusScan. In a nice bit of buck-passing McAfee point to this Micrisoft kbase article (ID 899341) - note that the hotfix didn't fix the problem and the fix is only available if you call Microsoft who will send you the details to download it anyway. Even if you uninstall the McAfee product it doesn't make any difference. Sigh.

* A clean PC build worked OK though which got me thinking it had to be a build problem. We got a consultant in to investigate and between us we came up with two fixes - (a) try installing IE7 (or repairing IE6) - this seems to replace a corrupted or old version of a critical IE dll that only seems to be important to Project authentication and a better fix is (b) on the server set server side policy - 'Impersonate a client after authentication' and add in the domain account used to run the Project Server service.

Other than that Project Server looks like an interesting tool - all configuration and data gets stored in SQL so you can run up multiple app servers and point them at the database and they just work. Kind of cool.

We installed in a fairly minimalist mode - just using IIS - instead of SharePoint which would have been overkill (and it broke other apps on the server).

In terms of usage - the idea is that a PM (Project Manager) uploads a project to the server and his 'resources' can update their individual task progress via a web interface (does require an Active X control so its IE only). Updates, approvals and task assignment trigger notification emails to both PM's and Resources.

The catch is of course that you need to have business buy-in and you'll also need a specialist Project-guru or Business Analyst to actually manage the server based projects and do basic administration (eg IT maintain it and the Business administer it). Like most back-end Microsoft products you need specialist skills to administer the product as well as some good domain knowledge to actually make use of it.

There are a few good resource for anyone looking into implementing a Project Server -

* Microsofts Project 2003 Site

* Project Server Experts

* Project MVP FAQ's