Backing Up My Lab Network

I’ve just completed the backup setup for my lab network.  My lab network used to consist of a bunch of PCs of various ages and processors.  I’d gone the traditional route of one physical machine per role.  So I had a domain controller, mail server, web server and a PC, 3 of which were running all of the time for internet services.

I decided to do my bit for the environment.  I also wanted to reduce my electricity bills and stop my lab room from being the warmest place in the county.  So I decided to eat some of my own medicine and consolidate my network via virtualisation.  I had a choice of which platform to take but I settled on VMware’s free VMware Server product.  I really like the snapshot feature of the VMware products for lab work and the machines are pretty portable, e.g. they are portable between Server, Workstation and Player.

I built an AMD 2800 with 2GB of RAM.  It would be a domain controller (with all FSMO roles) and my file server.  I installed VMware Server onto it.  The disk was getting pretty full so I installed a 180GB USB 2.0 external hard drive which physically hosts my 3 VMs:

  • Another DC: it will give my virtual network the ability to be mobile.  If I lose the physical host, I can recover the VMs elsewhere and seize the FSMO roles.  Instant DR site on a shoestring 🙂
  • EMail
  • Web (doubles as WSUS)

I wanted to back up these machines.  I am using the Windows Server NTBACKUP on the host machine so I’ve got no fancy VMware agents.  My solution was to script a way of backing up my machines with minimal downtime.  The script pauses/suspends my VMs, backs them up, and then restarts them.  The backups are to a file on a USB 2.0 300GB external disk.  I also back up the shares on the host server.  Here is what the VM backup script looks like:

@echo off

REM SUSPEND ---------------------
REM Suspend each VM so its virtual disk files are consistent and not in use while the backup runs

REM WEB
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" suspend

REM DC
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" suspend

REM MAIL
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" suspend

REM BACKUP ----------------------
REM Copy the suspended VM folders to the external disk (an NTBACKUP job in my case)

<BACKUP COMMAND>

REM START -----------------------
REM Resume the VMs once the copy has finished

REM WEB
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" start

REM DC
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" start

REM MAIL
call "C:\Program Files\VMware\VMware Server\vmware-cmd.bat" "<path to VM VMX file>" start

REM EXIT ------------------------

:EXIT
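As an added example (not the author’s script), here is a more defensive version of the same suspend / back up / restart cycle: it skips the backup if any VM fails to suspend (a running VM’s disk would otherwise be copied while in use), always restarts the VMs afterwards, and logs every step.  The VMX paths, log file and ntbackup target are constructed placeholders, and it assumes vmware-cmd.bat sets a non-zero exit code when a power operation fails.

```batch
@echo off
REM Added example, not the author's script. All paths below are constructed placeholders.
REM Assumption: vmware-cmd.bat sets a non-zero exit code when suspend/start fails.
setlocal

set "VMCMD=C:\Program Files\VMware\VMware Server\vmware-cmd.bat"
set "LOGFILE=E:\Backups\vmbackup.log"
set "VM_WEB=D:\VMs\web\web.vmx"
set "VM_DC=D:\VMs\dc\dc.vmx"
set "VM_MAIL=D:\VMs\mail\mail.vmx"
set "FAILED=0"

echo %DATE% %TIME% backup run started >> "%LOGFILE%"

REM 1. Suspend every VM. A VM that refuses to suspend is still running, so its
REM    virtual disk would be copied while in use: record the failure and skip the backup.
for %%V in ("%VM_WEB%" "%VM_DC%" "%VM_MAIL%") do (
    call "%VMCMD%" %%V suspend >> "%LOGFILE%" 2>&1
    if errorlevel 1 (
        echo %DATE% %TIME% suspend FAILED for %%V >> "%LOGFILE%"
        set "FAILED=1"
    )
)

REM 2. Back up only when all three VMs are suspended. The job name and .bkf target
REM    are placeholders; ntbackup writes its own report, so check that for copy errors.
if "%FAILED%"=="0" (
    ntbackup backup "D:\VMs" /j "VM backup" /f "E:\Backups\vms.bkf" >> "%LOGFILE%" 2>&1
) else (
    echo %DATE% %TIME% backup SKIPPED: a VM could not be suspended >> "%LOGFILE%"
)

REM 3. Always restart the VMs, whether or not the backup ran, so DC, mail and web come back.
for %%V in ("%VM_WEB%" "%VM_DC%" "%VM_MAIL%") do (
    call "%VMCMD%" %%V start >> "%LOGFILE%" 2>&1
    if errorlevel 1 echo %DATE% %TIME% start FAILED for %%V - check manually >> "%LOGFILE%"
)

echo %DATE% %TIME% backup run finished >> "%LOGFILE%"
endlocal
```

The resulting .bkf holds the DC’s disk image, and with it the Active Directory database, so the external disk it lands on deserves the same physical protection and NTFS permissions as the domain controller itself.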

October 2006: Mark Minasi Newsletter

Mark Minasi has just published his free newsletter for October 2006.  In this month’s issue he talks about:
 
  • Windows Vista WIC (Windows Integrity Controls).
  • Kerberos Token Bloat: how your Token can fill up with SIDs and break Kerberos authentication.
  • DNS testing with DCDIAG.

This concise and easy to understand newsletter is well worth subscribing to.  And you don’t have to worry about appearing on a spam list either.  You can subscribe here: http://www.minasi.com/nwsreg.htm.

The Next 3 Months

I’m booked until the new year with a contract for a major financial in Dublin city centre.  I’ll likely be working with at least one of the new feature packs in SMS 2003 R2 so I hope to document some of the lessons learned from that.
I’ll be available for more work in January 2007 so please let me know if you are interested.

VMware ESX 64bit Support

VMware announced on their 64-bit blog that VMware ESX 3.0.1 will offer full support for a range of 64-bit guest operating systems.  64-bit computing is set to gain wider acceptance and in some cases become a requirement.  The following operating systems will have 64-bit support:

  • Microsoft Windows Server 2003 (Standard and Enterprise Server R2)
  • Red Hat Enterprise Linux 3 64-bit (UP7, UP8)
  • Red Hat Enterprise Linux 4 64-bit (UP2, UP3)
  • SuSE Linux Server (SLES) 10 64-bit
  • Sun Solaris 10 (U2)

Hardware requirements will be as follows:

  • AMD: Athlon64 or Opteron Rev E or later
  • Intel: must include support for Intel’s Virtualization Technology (needs to be enabled in the BIOS)

64-bit computing will be especially important in the Microsoft world.  Microsoft has decided to only release a 64-bit edition of Exchange 2007.

VMware ESX is the market leader in enterprise level virtualisation.  ESX offers the ability to deploy many virtual machines across a farm of servers with load balancing and disaster recovery while providing a near physical machine level of performance.  ESX is a key technology for consolidating servers and making full use of the processing power that otherwise would be underutilised by many of the business applications that are typically deployed.

Windows Vista Volume Licensing

Microsoft has recently claimed that businesses will adopt Windows Vista like nothing else before it.  Well, Houston, there may be a problem.

Anyone who sets out a clear mass deployment plan for XP desktops will be familiar with the difficulties of deploying and troubleshooting PCs.  The growing trend in the market is to treat the PC as a dumb appliance that you rebuild when it breaks with a major problem that you can’t fix in a few minutes.  Applications are pushed to the PC as required by Group Policy, Terminal Services, SMS or even Softgrid for Desktops.  This rebuilding process can’t be easily done with OEM licensing because you only get 2 build activations for an OEM key without having to speak to someone in Lord knows what country to clear your license key.  Because of this, large businesses that want to save administration costs have ponied up for Volume Licenses, often in the form of a desktop core CAL.  This OEM upgrade provides a Volume License Key that does not require activation.  Microsoft had to resort to using the honour code with their VLK customers.

But change is on the way.  Microsoft is planning to change the way VLK customers have been able to deploy and rebuild without having to bother with activations.  The process of just rebuilding as required will take a serious hit in administrative effort.

Microsoft plans to include Volume Activation in Windows Vista volume license editions (Windows Vista Enterprise, Windows Vista Business and Longhorn Server).  The short story is that you will have to activate your installation within 30 days or it shuts down like an OEM installation of XP.

ZDNet has some more details.

Some detailed information is here.

If you don’t like this then I would suggest you pass your feedback to your Microsoft partner solution providers and presales representatives.

End Of Support: Windows XP Service Pack 1

Windows XP with Service Pack 1 is no longer publicly supported by Microsoft as of October 10th, 2006.  Microsoft will not issue bug fixes nor security updates for this level of the operating system.  To continue support, you should deploy Service Pack 2 for Windows XP.  You can find more details here.
 
There was a considerable amount of concern about deploying Service Pack 2.  A lot of people were scared that the new Windows Firewall would break their networks.  By default it was turned on but anyone who did some research would have found they could control it centrally with either registry edits or Active Directory Group Policy.
 
Other concerns were raised about the increased level of security in the subsystem.  This caused some fear and rightly would have required regression testing for all business applications.  Another complicating factor was that many vendors acted as if Service Pack 2 was sprung on the world by surprise.  Companies such as SAP were allegedly slow to support the service pack for their products.  Of course, Microsoft had a substantial publicity and public beta program building up to the release of Windows XP Service Pack 2 that gave these vendors absolutely no excuses.
 
Given that Service Pack 2 for Windows 2003 is on the way, I’d recommend you make sure all of your Windows 2003 servers are upgraded to Service Pack 1 and not give your vendors any room to wiggle out of their responsibilities.

Virtual PC 2007 Beta

A blank page has appeared on Connect that informs us a Beta for Virtual PC 2007 is on the way.  It will be publicly available on the 11th of October.  No other details are available.

Virtual PC 2004 is now a free product and one that any self-respecting sys admin should aim to use.  VMware’s excellent alternative still requires a purchase, giving Microsoft an advantage.  VPC allows you to run virtual machines just like you can with Virtual Server 2005 R2.  In fact, the machines are compatible.

I’ve used VPC before for lab work and for testing.  Where I also see it being useful is where you want administrators to use non-admin accounts for day-to-day office work such as email and browsing and a dedicated account for admin work.  Run-As is painful to use (who wants to keep banging in the password?) so an alternative is to run a VM with only the admin tools installed.  The administrator can log into their physical machine with a non-admin account and into a VM with their admin account.  This isolates their email and internet activity from their administrative rights and provides a layer of defence against viable threats.

Windows Vista Enterprise (requires software assurance) will include a virtualisation solution built into the OS.  I’m guessing now that VPC 2007 will be a solution for those who do not buy Vista with software assurance.

Forefront Security For Sharepoint Beta

Microsoft has just launched the beta for Forefront Security for Sharepoint.  It’s Microsoft’s antivirus solution for this key Office System product.  Microsoft aims to launch it at the same time as Microsoft Office Sharepoint Server 2007 and Sharepoint Services 3.0.  This could be relatively soon, i.e. early 2007.  Microsoft says this new product will deliver the following:

  • Protection against the latest threats: Forefront Security for SharePoint simultaneously utilizes up to five antivirus engines from leading security vendors to provide customers with increased protection against malware threats, inappropriate content and dangerous file types. This latest release includes the new Microsoft Antivirus engine.
  • Integration to help optimize server performance: Integration with Microsoft Office SharePoint Server 2007 and Windows SharePoint Services 3.0, as well as scanning innovations and performance controls, help ensure optimal collaboration server performance.
  • Simplified management control: Forefront Security for SharePoint provides centralized management control to help ensure organizations can simply and cost-effectively deploy, manage and maintain the security of their collaboration servers.

You can register for the beta on Microsoft’s Connect website.

WSUS 3.0 Whitepaper

I’ve just added a whitepaper on WSUS 3.0 to my website.  I go into the reasons for automated patching, the options, an overview of WSUS 3.0, deploying it and configuring/using it.

Note: the document is based on Beta 1.

When people think about IT security, they think about firewalls and antivirus. Firewalls are important but only go so far as to protect your network against a direct attack. A firewall will only prevent illegitimate forms of traffic from the internet. It doesn’t stop traffic on legitimate ports or downloads. Firewall defences have been compared to eggs: hard on the outside but soft on the inside. Anti-virus will only protect you against known threats. Many organisations have made the mistake of thinking that firewalls combined with antivirus will give them a complete defence against threats. That’s a nice wish but it’s not true.

Consider the SQL Slammer virus that hit the Internet in early 2003. Within minutes of its release it crippled networks worldwide. How did this work? Surely people had firewalls in place? Yes they did. Was the antivirus up to date? Yes it was. The problem was that it could easily get past the firewall and it was unknown to antivirus vendors. It also took advantage of a known flaw in Microsoft’s products that Microsoft had previously released a patch for. In fact they released the patch several months beforehand and those organisations that had deployed it were protected against the virus. Microsoft had already released a free to use product called SUS that serviced the Windows product range but few had heard of it. In fact, few had any implemented process for regularly testing and deploying Microsoft updates.

In late 2003 a new virus started to cripple networks. Microsoft Blaster took advantage of a flaw in the RPC service. Surely in the time that had passed people had learned their lessons about keeping their machines up to date? It appeared that most had not. Microsoft had previously released an update to protect their products but few had deployed it.

Since this time Microsoft has spent much time campaigning and trying to raise customer awareness about the need to regularly test and deploy updates. A replacement for SUS called WSUS (2.0) was released. WSUS, again a free to use product, services all of the Microsoft product range and makes it easier for administrators or security officers to test and deploy updates on a production network.

My experience working on client sites and speaking with administrators is that both the awareness of this problem/solution and adoption of WSUS have been minimal. Many large organisations and government agencies do not maintain patch updates. This is either because they are not aware the solution exists, despite Microsoft’s efforts, or because they do not sufficiently understand the problem.

With this document I aim to show how you can manage updating your entire Microsoft network with minimal manual effort by using WSUS 3.0.

The document continues …