The transformation is almost complete – Part 2

This is the second part of my story of attempting to migrate all my machines (servers and workstations) into virtual machines actually housed on one physical piece of hardware (you know to stop global warming and save the whales man).

If you can remember our last episode, I had finally managed to migrate my web server into Microsoft Virtual PC using Shadowprotect. That wasn't exactly the way I'd planned to do it, but at least it was done and I had removed one piece of hardware from my network. Next on the agenda was my SBS server.

SBS Server

So, having failed with my initial attempt to convert to a virtual machine using Storagecraft and VMware, I decided to try again, since this time I didn't have dynamic disks on my SBS server. So I imaged the SBS server and attempted to convert it in VMware. Unfortunately, once again the conversion failed with some obscure error. Damn, not again. Ok, abandon the VMware option, roll on Virtual PC. So I started to do a Storagecraft hardware independent restore of my SBS image to a clean Virtual PC. Problem was it was excruciatingly slow, too slow for me. So scratch that idea, since I had a lot of data on my SBS box.

At this point I was beginning to question the whole migration process; it was worse than having teeth pulled. Time to take a deep breath and have a think about this for a while. After some peppermint tea and a nice lie down I decided that perhaps the best method was to migrate my SBS 2003 installation to SBS 2003 R2. Sorry, not migrate but S.W.I.N.G. using Jeff Middleton's method. That would keep the Active Directory but I'd get a nice new cleanly upgraded server. Yeah baby, let's do it.

So Jeff's method is basically to introduce a temporary domain controller into your existing domain and replicate the existing Active Directory to that machine. You then detach it from the production network and build a new network around this copied Active Directory. There are a couple of critical steps in Jeff's migration: firstly, turning off the Windows 2003 firewall (forgot about that the first time, since it re-enables itself on a reboot – bugger), and secondly, ensuring that during the migration you make the temporary domain controller a global catalogue server (forgot that the second time – again, bugger). Both of these oversights meant that I had to go back and do the swing migration again (why am I so stupid? I should have really concentrated on what I was doing rather than just doing it off the cuff, which you always pay the price for!).
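As an added example (not part of the original post, and not Jeff Middleton's kit), here is a PowerShell pre-flight check that flags the two oversights above, plus any outstanding replication error, before the temporary domain controller is detached from the production network. It assumes PowerShell is installed on the temporary Windows Server 2003 DC and is run there; it uses the 2003-era `netsh firewall` context and the .NET System.DirectoryServices.ActiveDirectory classes, and only reports problems rather than changing anything:

```powershell
# Added example: pre-flight checks on the temporary DC before a Swing Migration
# detaches it. Assumption: run locally on that DC with PowerShell installed.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Test-SwingDcReady {
    $problems = @()

    # 1. Firewall. The post notes the Windows 2003 firewall re-enables itself
    #    after a reboot, which blocks AD replication. 'netsh firewall' is the
    #    XP SP2 / 2003 SP1 context; this flags any profile reporting Enable.
    $fw = netsh firewall show opmode 2>$null | Out-String
    if ($fw -match 'Operational mode\s*=\s*Enable') {
        $problems += 'Windows Firewall is enabled on at least one profile; disable it (netsh firewall set opmode disable) before replicating, and re-check after every reboot.'
    }

    # 2. Global catalog. The temporary DC must be a GC before the domain is
    #    detached; Exchange on the new SBS box expects one.
    $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $env:COMPUTERNAME)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    if (-not $dc.IsGlobalCatalog()) {
        $problems += "$($dc.Name) is not a global catalogue server; enable Global Catalog on its NTDS Settings object and wait for it to finish building."
    }

    # 3. Replication. Every inbound partner should have synced successfully at
    #    least once with no outstanding error, otherwise the copied AD may be
    #    incomplete and the SBS/Exchange install on the new box will fail later.
    foreach ($n in $dc.GetReplicationNeighbors()) {
        if ($n.LastSyncResult -ne 0 -or $n.LastSuccessfulSync -eq [DateTime]::MinValue) {
            $problems += "Replication of $($n.PartitionName) from $($n.SourceServer) is not clean (result $($n.LastSyncResult), last success $($n.LastSuccessfulSync)): $($n.LastSyncMessage)"
        }
    }
    return $problems
}

$issues = Test-SwingDcReady
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Firewall off, GC enabled, replication clean: OK to detach this DC.' }
```

Run it once after the temporary DC has been promoted and again immediately before pulling it off the production LAN, since the firewall check in particular is only good until the next reboot.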

Finally, I had a good copy of my active directory and I installed SBS 2003 R2 onto the virtual machine. Typically you know the swing migration has had a problem during replication if the Exchange Server component of SBS won’t install. At last, a clean SBS box. I copied over the data that I wanted and the Exchange mail stores (which took a little while) but the great thing is that with the swing migration the Exchange databases simply load. After a little more fiddling (adding customized ISA 2004 rules, installing anti-virus and tweaking Exchange to keep the spammers out) I was done – phew.

Once again, one of the biggest advantages of virtual machines is the ability to switch the network cards in and out of the real network. In this way I could work on my migrated SBS server without it clashing with the existing production server. When I was ready I simply shut down the production SBS server and brought the virtual SBS server up in its place (with the virtual network cards actually connected to the real network). Another big advantage of virtual machines is the ability to adjust the amount of memory that each server uses. So after a while I actually adjusted the RAM used by both migrated servers down to give me the ability to host more virtual PCs on this one piece of hardware.

Other benefits of ‘swinging’ on to a new SBS server? Bye, bye CRM 1.2. Yeah!! Why? Because it wouldn’t uninstall. The ability to create a bigger boot partition (to handle those upcoming Windows Server 2003 service packs – really had to scramble to get SP2 on my machine). The opportunity to remove all the other crap that I had accumulated on my server over the years from testing this and that. Now I have a simple but extremely functional SBS server.

Two servers down, maybe this will work after all! Tune in to the next episode to get the low-down on my migration of a stand-alone ISA 2004 box.

The transformation is almost complete – Part 1

Over the Christmas / New Year period I planned to undertake the biggest change to my network structure so far. I decided that I wanted to reduce the total amount of hardware in my shop by using virtualization technology. This basically meant migrating 5 physical machines (4 servers and 1 workstation) onto a single piece of hardware. As they say, we have the technology to build it; here is my story of the experience.

Prior

Ok, so the first thing I needed was a decent machine to host all these virtual machines on, and one with plenty of RAM. So I started with a name brand server, RAID 5 with 4GB of RAM. I installed Windows Server 2003 Enterprise Edition to allow access to RAM above 4GB (which I don't have initially, but I do want to be able to scale up to more virtual machines should I want to). After installing Windows, applying updates and installing the supplier's monitoring software I was ready to do my first migration.

Now, the plan was to make this as simple as possible and from what I could tell the easiest way was to use Storagecraft Shadowprotect to take an image of the whole server and then simply convert this image into a VMware machine, which it does support. So, in theory, image, convert, run, nothing could be simpler eh? Here’s what actually happened next.

Stage 1 – Web Server

After imaging the server using Shadowprotect I attempted to convert the image into VMware. Half way through the process I received an error about a disk driver (scsiport.sys) but I chose to continue, thinking that I could deal with this afterwards. Problem was, a little further down the conversion process the whole thing crapped out. Bugger, what's the issue? A little bit of investigation pointed to the fact that I had (stupidly) converted the basic disks to dynamic disks on the original server. Why the hell did I do that all those years ago? Now sure, I could "unconvert" them, but I already had an image so I thought I'd try option two. You know, onwards and upwards (to infinity and beyond is the catch cry, isn't it?).

Option two was to do a hardware independent restore using Storagecraft. So I booted the Storagecraft CD in a clean VMware machine and had issues. Damn. Not being a real VMware expert I decided it was time for option three – Microsoft Virtual PC 2007, as my failures were beginning to REALLY PISS ME OFF. Storagecraft booted fine in Virtual PC and I did a TCP/IP mapping to my saved server image and commenced the restore. Lesson 1 – Storagecraft restores to Virtual PC are slow! But they do work.

So with the image restored to a new Virtual PC I rebooted the Virtual PC expecting everything to work just fine – WRONG. For starters, for some reason, all the drives were outta whack (ie C: was D: and D: was C: and so on). So the system booted but I couldn't even run Computer Management in Administrative Tools to restore the correct drive letters (the server had a C: which held Windows and a D: that held everything else). Damn. After some more fiddling around with the boot record I got the C: drive in the right place, after which I could run Computer Management and get D: correctly assigned.

Finally, the web server was back in operation with no major errors in the logs. (Ahhh, That’s better). So I now shut down the actual web server and bring the new virtual web server on line and it works! One of the really good things about virtual technology is that you can redirect the network cards to actual or virtual network cards. Thus, I could work on the web server with the same IP address as the original one but with the virtual network card not actually connected to the real network. When I was ready, all I did was shutdown the real server and change the virtual PC’s network card to connect to the actual physical network card so it can now be seen on the network.

As I basked in the glow of the first "successful" migration I mulled over the challenge of the next migration, my SBS server. Surely that won't take as long, as now I know what to look for and this server DOESN'T have dynamic disks!

As they say boys and girls, be sure to stay tuned to the next episode to see what actually happened.

Sharepoint as a replacement for Facebook?

I have uploaded the following into a document on the main Supportweb document library, but since people like to read blogs I’ll also put in here for your perusal.

Ever wondered why Facebook is so popular? I certainly have, and one of the major reasons for its popularity is the fact that it allows people (who aren't geeks) to create their own page on the Internet. They can fill it with everything about themselves and then invite others to link to it. Perhaps the reason that geeks don't understand its draw is that geeks have been creating web pages for years. What they perhaps forget is that it takes a while for the technology to filter down to the average user, who by and large constitutes the largest group of technology users. So something that seems so 1980's to geeks is really only just coming of age for the average user.

Now the popularity of Facebook has proven a challenge to many business owners because many Facebook addicts are far more interested in updating their web page than in actually doing what they are paid to do during business hours. The typical reaction by management is simply to block all access to Facebook to force users back to what they should be doing during business hours, normal boring work. However, in these times of low unemployment, when companies are struggling to find good quality applicants, such a policy may need to be carefully considered because potential employees may choose NOT to work at a business unless they have access to Facebook. In the current environment they certainly have the power to make this choice.

Maybe what is needed is a fresh look at the issue from a slightly different perspective. What if it was possible to encourage an employee to develop a web site to which they feel a personal attachment and yet have that web site related to the business? I propose that just such a situation is possible with Sharepoint. How? Well, Sharepoint is flexible enough to allow people to create, modify, and update their own area within Sharepoint. This could be something as simple as a single page or something as complex as a whole sub site. Best of all you can add rich content like colours, fonts and pictures yet you don’t need any special software, it can all be accomplished via a web browser. Don’t forget that Windows Sharepoint Services is also a FREE download for all Windows 2003 and better servers, so no upfront software costs there either.

If each employee was allocated their own page in Sharepoint and then encouraged to place information about themselves there, what benefit would that have for a business? Well, they could be encouraged to detail information about their emergency contacts, what their personal vision is, what sort of activities they attend outside business and so on. It would provide them with their own personal area, which they control, and yet make it available for others in the business to examine and become more familiar with that person. I think this would perhaps foster a more positive business culture for starters, since it makes it easier to learn about your colleagues, but I think that it would also have an additional benefit. It would familiarize the employee with Sharepoint as a tool and remove much of the fear that is so associated with technology these days. Generally the rule is, the more I use something the more familiar I become with it and the more likely I am to use it. Think of when you learnt to drive. Never thought that you'd master guiding a lumbering metallic beast around the black tarmac, did you? Look at you today! Zipping in and out of traffic without even stopping to think about how you are doing it. The difference is practice, and lots of it.

Once people have the ability to maintain their own pages on the corporate Sharepoint site I’m sure you’re going to find employees who are really excited by what they can do and want to do more. Well, you can put those people to work helping others with their pages (if they aren’t already) but now you can put them to work creating something of direct use to the business using Sharepoint. Best of all, they are pretty much trained up on the product and can start being productive immediately.

So now you have a motivated and experienced Sharepoint designer on your team. Give them a project to create a subsite to focus on a specific part of the business and you'll be amazed at what they are able to do. Maybe something that focuses on helping the marketing team. Sharepoint allows the creation of separate calendars, contacts, lists and so on that can be used to focus on that specific requirement. Best of all, Sharepoint is flexible enough to be able to create exactly what you or your team requires. Better yet, you now have an in-house developer who is chuffed at the opportunity to showcase their talents.

The end result is that the business gets something that helps them run their operations better or more efficiently. Other employees get a tool that is customized to their exact needs and developed by someone who knows the business not some random outside consultant. Finally, you get a much more motivated employee because they have developed new skills and been given an opportunity to apply these new skills all within the same business. How could this be anything but a win – win situation for all those involved?

So perhaps rather than taking draconian steps of blocking and banning new web developments like Facebook, a little time spent considering how they can be harnessed within your business may in fact help you make the younger members of your staff into the most productive members of your business.

Here’s a thought

I’ve been pondering the ramifications of Facebook of late and have come up with something novel I believe.

Let's say that everyone in the future has a Facebook style site/portal on the Internet. This site contains all their personal and business details. For argument's sake I'm going to skip over the security and privacy ramifications because I'm only considering a "perfect" world here. (Mine is, isn't yours?). So, much like Facebook, each user determines who else has access to their information and to what level they have access. So let's say your family has access to your home and mobile numbers, while your friends only have access to your mobile number.

Now let's say that in your personal profile you subscribe to a number of online software applications (in the future I don't think we'll be accessing anything locally, it will all come from the net). So let's say you have access to online versions of Microsoft Office all the time, but maybe you need access to Adobe Photoshop in a week's time for 5 days, so you simply pay a fee for the required access time. Once the application access time is up the application no longer appears on your space. The great thing about online applications is they are always up to date and always work, since you don't need to maintain them. Your personal profile also has all your personal contacts, emails, bookmarks and what not.

Ok, now let's say that you go to work. When you log into the terminal at the office you still access your own profile, but now it knows you are at work and allows you access to the business applications of the company where you work. Also, it restricts you from going to certain web sites and running "non-business" personal applications. This policy depends on the settings that your employer has decided on and they are applied to each employee as they log on. Some companies may not have any restrictions, but by simply logging in at the office the network knows who you are and what you can access. You can still get access to your personal stuff at all times, just as you do now.

If you change jobs then the business you were at just tells the network you no longer work there, and when you log in to your profile page at the new business all the old applications have been removed and all the new business applications and policies are applied.

When you login from home after work you get access to all your personal stuff as usual but unless you are approved for after hours business work then the business applications are no longer available in your profile. When you return to work tomorrow they are back again, so you can’t use the office copy of Photoshop to edit your images (unless the business approves you to do that).

There are lots of advantages for businesses and users here. Businesses get a central location to manage all their employees and applications. All the software is up to date and adding new staff members is a breeze. If they want access to other software applications the business simply subscribes and allocates them out to employees. For an individual, all your stuff is stored in one place, backed up, and you can access it whenever you need. You are able to choose what you want to share and with whom, and like the business, if you need access to a specialized piece of software you simply subscribe for as long as you need access.

I think most of what I’m talking about here could be easily accomplished already. It all sounds good in theory doesn’t it?

Latest news on new version of SBS

Here's some more information about what is coming down the pipeline with SBS Cougar. Seems like the Premium edition will allow the installation of 2 servers to split applications like SQL and terminal services.

On that score David Mackie raises some interesting questions and issues with the Premium installation in his blog, especially given the new virtualization technology that will be available in Windows Server 2008.

I'm sure that we'll hear more about all this as the product nears launch (June 2008 time frame) and I'm sure things will change, and I wouldn't be surprised if some MAJOR things change! Time will tell.

Outlook Business Contact Manager and detached network user

Strange to find someone wanting to remove a server from their network these days, but in our times of downsizing it does happen. Everything was going swimmingly; I had removed all the workstations except for the last one, which had Outlook Business Contact Manager installed. I didn't expect any issues but received a nasty surprise when the user tried to fire up Outlook Business Contact Manager as a stand-alone user.

When Outlook loaded it said that the login to the Business Contact Manager database was incorrect and that I had to attach to an existing database or create a new database. Hmmm… ok, so I'll try and attach to the existing database – no go, so I elect to create a new database. Problem is that the client uses Business Contact Manager extensively, so they needed the old database back. With a new Business Contact Manager database Outlook loads but there is no Contact Manager data.

Thinking, thinking, thinking… why would the login details be wrong? Aha, because the previous login was on the network (ie domain\user) and the login now is just user (ie localmachine\user). This would still be the case even if the user names and passwords were identical – different privileges between a domain and a workgroup. So now I knew why the login was failing; the trick was how do I fix it?

The first thing was to check that the original Business Contact Manager database files were still on the system. By default the database is installed in c:\documents and settings\\local settings\application data\microsoft\business contact manager. The database is probably called msbusinesscontactmanager.ldf and msbusinesscontactmanager.mdf. In this directory I clearly had 2 sets of databases an old (prior to removal from network) and a new (after removal from network).

Next step was to go into services.msc, locate the local SQL service called MSSQL$MICROSOFTSMLBIZ, right-click on it and select Stop. With that done I returned to the directory and renamed the existing Business Contact Manager database files out of the way, then renamed the old database files to the name the existing ones had had (so existing -> saved, then old -> existing). I then returned to the services.msc screen and started the MSSQL$MICROSOFTSMLBIZ service, then I restarted Outlook.
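As an added example (not the post's own steps, which were done by hand), here is the same swap done in PowerShell, with the checks that bite when doing it manually: Outlook must be closed and the SQL instance fully stopped before the files can be renamed, the .mdf and .ldf must be swapped as a pair, and the post-migration (empty) database is kept rather than deleted. The paths of the saved pre-migration copy are parameters because the post does not give their names; the BCM folder defaults to the per-user location the post describes, and the instance name MSSQL$MICROSOFTSMLBIZ is the one from the post:

```powershell
# Added example: put the old Business Contact Manager database back in place.
# Assumptions: run as the user who owns the BCM profile, Outlook closed,
# -OldMdf/-OldLdf point at the pre-migration pair (names are not in the post).
function Restore-BcmDatabase {
    param(
        [string]$OldMdf,
        [string]$OldLdf,
        [string]$BcmDir = (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Business Contact Manager'),
        [string]$Service = 'MSSQL$MICROSOFTSMLBIZ'
    )
    # The live pair that Outlook/BCM currently opens.
    $mdf = Join-Path $BcmDir 'MSBusinessContactManager.mdf'
    $ldf = Join-Path $BcmDir 'MSBusinessContactManager.ldf'
    foreach ($p in @($OldMdf, $OldLdf, $mdf, $ldf)) {
        if (-not (Test-Path $p)) { throw "Missing file: $p" }
    }

    # SQL Server holds the files open; an open Outlook holds the instance busy.
    if (Get-Process outlook -ErrorAction SilentlyContinue) { throw 'Close Outlook first.' }
    Stop-Service -Name $Service -Force
    (Get-Service -Name $Service).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Keep the post-migration (empty) database under a timestamped name.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Rename-Item -Path $mdf -NewName "MSBusinessContactManager.mdf.$stamp.bak"
    Rename-Item -Path $ldf -NewName "MSBusinessContactManager.ldf.$stamp.bak"

    # Copy rather than move, so the saved copy survives if the instance refuses
    # to attach the files and the step has to be repeated.
    Copy-Item -Path $OldMdf -Destination $mdf
    Copy-Item -Path $OldLdf -Destination $ldf

    Start-Service -Name $Service
    (Get-Service -Name $Service).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "Restored $mdf and $ldf; the previous pair is kept as *.$stamp.bak. Start Outlook to let BCM initialise."
}

# Usage (paths are placeholders for the saved pre-migration copy):
# Restore-BcmDatabase -OldMdf "$env:USERPROFILE\Desktop\old\MSBusinessContactManager.mdf" `
#                     -OldLdf "$env:USERPROFILE\Desktop\old\MSBusinessContactManager.ldf"
```

If the instance starts but Outlook again reports a database login problem, the files were swapped correctly and the remaining issue is the account mapping the post describes (domain\user versus localmachine\user), which the file swap alone does not change.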

When Outlook started I saw a dialogue box saying that the Business Contact Manager was initialising after which Outlook loaded. When the client checked all the information he had stored using Business Contact Manager was back. Phew.

It would have been nice if Business Contact Manager had warned me that I might have an issue logging into the database if I detached from the network, but you can't cover every eventuality, can you? At least it wasn't too hard to fix, but I certainly had to do some testing beforehand since I couldn't find much on the web. Sometimes it is quicker to run up a virtual machine and try it for yourself.

When a blue screen of death can be helpful

Got a call from a client who was having regular BSOD (the dreaded Windows Blue Screen of Death), basically meaning they had no option but to reboot their system. Did a quick Windows Update and virus scan remotely but the problem persisted, so an onsite visit was the next option.

The next step was to do some analysis of the actual memory.dmp file that is created when Windows crashes. So I copied this file onto my laptop and ran the Windows Debugger that you can download from Microsoft to analyse these files. The results did produce something interesting:


Now the lines that I've highlighted are errors with files kallenylab4-4db6.sys, kirkjtkkd174f-3545.sys and ortyeras37cd.sys. The final line of the debugger says that the crash was probably caused by kallenylab4-4db6.sys.

Now I don't know about you, but when I see files like these I sorta know that it is a virus/trojan/malware. So I went searching for the files but couldn't find them using a normal file search (and yes, I had the "display hidden and system files" options turned on). I knew the files were there, so I did a bit of googling and found some information that indeed confirmed the files were trojans and had to be removed in safe mode. Even better, this trojan had implemented some cloaking or rootkit technology so the files weren't displayed under normal Windows, but the good old crash dump told me they were there.
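The useful trick here is the cross-view check: the crash dump is the kernel's own record of what was loaded, and a rootkit that hides its files from Explorer and file search cannot rewrite that. As an added example (not part of the original post), here is a PowerShell script that takes the driver names out of saved `!analyze -v` text and compares them against two views on the running system, the Service Control Manager's driver list (via WMI) and a plain directory check under system32 and system32\drivers; a name the dump knows but neither view can see is the hiding the post describes. The debugger text is a constructed sample reusing the three file names from the post, not the author's actual output:

```powershell
# Added example: cross-view check for drivers named in a crash dump.
# Assumption: PowerShell with WMI available; run on the affected machine.
function Find-HiddenDrivers {
    param([string]$DebuggerOutput)

    # Every .sys name mentioned anywhere in the !analyze -v text.
    $names = [regex]::Matches($DebuggerOutput, '\b[\w-]+\.sys\b') |
        ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique

    # View 1: what the running system admits to via the SCM driver list.
    # PathName can be null or carry a \??\ prefix, hence the regex trim.
    $registered = @{}
    Get-WmiObject Win32_SystemDriver | ForEach-Object {
        if ($_.PathName) {
            $registered[($_.PathName -replace '^.*[\\/]', '').ToLower()] = $_.State
        }
    }

    # View 2: what the file system shows in the usual driver locations.
    $dirs = @((Join-Path $env:SystemRoot 'system32\drivers'), (Join-Path $env:SystemRoot 'system32'))

    foreach ($n in $names) {
        $onDisk = $false
        foreach ($d in $dirs) { if (Test-Path (Join-Path $d $n)) { $onDisk = $true } }
        $row = '' | Select-Object Driver, OnDisk, Registered, Verdict
        $row.Driver     = $n
        $row.OnDisk     = $onDisk
        $row.Registered = $registered.ContainsKey($n)
        if (-not $onDisk -and -not $row.Registered) {
            $row.Verdict = 'in crash dump, not under system32/drivers and not in SCM list: hidden driver, clean from safe mode or offline'
        } elseif (-not $onDisk) {
            $row.Verdict = 'registered with SCM but file not visible under system32/drivers: file hidden or elsewhere, inspect the service ImagePath'
        } else {
            $row.Verdict = 'visible on disk: check the publisher and signature'
        }
        $row
    }
}

# Constructed sample of saved debugger output (file names taken from the post).
$sample = @"
Unable to load image kallenylab4-4db6.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for kirkjtkkd174f-3545.sys
*** WARNING: Unable to verify timestamp for ortyeras37cd.sys
IMAGE_NAME:  kallenylab4-4db6.sys
Probably caused by : kallenylab4-4db6.sys
"@

Find-HiddenDrivers -DebuggerOutput $sample | Format-Table -AutoSize
```

On a clean machine every row comes back visible on disk, which is the point of the check; legitimate drivers outside system32 (some vendor installs) will show as registered but not on disk, so read the ImagePath before calling anything a rootkit. Note that a kernel rootkit can lie to WMI as well as to Explorer, so the dump is the more trustworthy source and the safe-mode or offline clean-up the post went on to do is the right follow-up.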

Seems like this trojan comes from a "greeting card" email that asks the user to download a file happynewyear2008.exe from a web site. Once the user has downloaded the file the trojan installs. So I went back to the user and queried them about downloading this file from a web site, and they confirmed they did that because it looked like something fun. Ah, ok, that little bit of fun has just cost you a few hours of my time.

When will users realise that they SHOULDN'T download something they don't know about? You can have the most sophisticated security software in the world installed, but if the user overrides this then it is all to no avail. The people who write these trojans know that and that's why this sorta stuff is always going to be a problem. It is a human problem, not a technology problem.

However, the moral of the story is that sometimes a Windows Blue Screen of Death can be of benefit, especially when it indicates you have a trojan on your system!

Russian Roulette

Seems that everywhere I go these days I hear users saying that they are going to convert to a Mac because Windows is such a pain. Even scarier is that they believe that with a Mac they won’t need anti-virus or patching! Ah, hello, who told you that? Ah those Apple ads is their reply.

Firstly, those Apple ads are exactly that, advertisements to get you to buy the product. They are paid for by the people supplying the stuff, not some independent third party. Of course they are going to tell you what you want to hear. They want you to buy the product. So even before we start, credibility from these ads = 0! (But they are funny – see the latest ones here. Especially check out the one called Podium in light of my previous post on Vista.)

Next, all hardware and software is developed by human beings. Yes, they are generally smarter than the average human being, but they are still humans. They can't foresee every ramification and variation that their product will be exposed to. So no matter what is developed by humans, it is subject to flaws, and these flaws need to be addressed with updates and patches (Mac included).

Next, the bigger the market share the bigger the target. If you only have 10% of the market why, as a bad guy, would I bother writing something to attack you? I get much greater chances of return if I attack the other 90% of the market. However, as that market share increases then I begin to reevaluate my strategy. This is even truer if you propose that the more uninitiated users are moving towards something like the Mac. As a bad guy if more uninitiated users are there then my potential return is even greater so I am going to devote more time to attacking that segment.

I could go on and on. I also acknowledge that in many ways Macs are better for users BUT don’t believe for a second that they are not vulnerable and shouldn’t be protected in a way a PC is protected. If you don’t believe that then you are playing Russian roulette, because it is only a matter of time before you get hit.

For a good article on the overall issues of Mac security click here.