Tuesday, December 30, 2008

Network Activity Tool

I get calls from people all the time about "funny" stuff happening on their computers.

Many times it's due to adware, malware or viruses hiding out. Heck, even stuff down in the systray phoning home (Acrobat, Java, etc.) can load a system temporarily, causing things to slow and stutter. So how can you tell what's happening? Well, I use netstat. It's an old tool on both Windows and Linux that can reveal quite a bit about what's happening. So let's do this Q & A style....just like I get on the phone. :)

Q: How can I tell who my computer's talking to?

A: netstat -a
This will list all listening ports and established connections.

Q: What program is using that port shown as listening?

A: netstat -b   or   netstat -bv (Windows)
    netstat -p  (Linux...but you gotta be root)
This will show the Windows executable holding the port open or, with the -v switch, the .dll's used as well. The Linux switch -p shows the process, not necessarily the executable but hey....that's really what you want anyhow right?!??

That covers the basic topic I think.  There are a slew of tools for stuff like this if you look around a little. I'll try and point some out and how they are used as questions arise.
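To turn that output into something you can read at a glance, here is an added example (not part of the original post) that parses text in the layout Linux `netstat -anp` prints and reports which programs are listening and which have established connections to remote hosts. The sample output is constructed, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout Linux "netstat -anp" prints (not real capture data).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      940/mysqld
tcp        0      0 192.168.1.20:51514      203.0.113.7:443         ESTABLISHED 2210/firefox
tcp        0      0 192.168.1.20:49822      198.51.100.23:6667      ESTABLISHED 3377/updater
tcp        0      0 192.168.1.20:22         192.168.1.5:50211       TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
tcp6       0      0 :::80                   :::*                    LISTEN      1001/httpd
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     9120     700/dbus-daemon      /run/dbus/socket
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms like ':::80' work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP socket line; all other lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        rest = parts[5:]
        state = ""
        # UDP lines usually have an empty State column, so the next field may
        # already be "PID/Program" (or "-" when netstat could not see the owner).
        if rest and rest[0] != "-" and "/" not in rest[0]:
            state, rest = rest[0], rest[1:]
        owner = " ".join(rest) or "-"
        pid, _, program = owner.partition("/")
        rows.append({
            "proto": parts[0],
            "local": split_endpoint(parts[3]),
            "remote": split_endpoint(parts[4]),
            "state": state,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or "unknown",
        })
    return rows


def scope(host):
    """Classify a local bind address: 'all', 'loopback' or 'specific'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "all" if host == "*" else "specific"
    if addr.is_unspecified:
        return "all"
    return "loopback" if addr.is_loopback else "specific"


def listening_sockets(rows):
    """Sockets waiting for inbound traffic: TCP LISTEN, or UDP with no peer."""
    found = []
    for r in rows:
        tcp_listen = r["state"] == "LISTEN"
        udp_open = r["proto"].startswith("udp") and r["remote"][1] == "*"
        if tcp_listen or udp_open:
            found.append((r["proto"], r["local"][1], scope(r["local"][0]), r["program"]))
    return found


def remote_peers(rows):
    """Map program name -> sorted non-loopback peers of ESTABLISHED sockets."""
    peers = defaultdict(set)
    for r in rows:
        host, port = r["remote"]
        if r["state"] != "ESTABLISHED":
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            continue
        peers[r["program"]].add(f"{host}:{port}")
    return {prog: sorted(eps) for prog, eps in peers.items()}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for proto, port, where, prog in listening_sockets(rows):
        print(f"LISTEN  {proto:<5} port {port:<6} {where:<9} {prog}")
    for prog, eps in remote_peers(rows).items():
        print(f"TALKING {prog}: {', '.join(eps)}")
```

A listener bound to "all" interfaces or a program you don't recognise holding an established connection is the place to start asking questions.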

Thursday, December 18, 2008

Lenovo Thinkpad RANT

<Begin Rant>
Lenovo laptops require way too many complicated drivers. We are adding the T400 to our supported models on our MDS server for automated builds and man...what a pain Thinkpads are. Not only does it require like 25 separate installations (many of which are .exe's), most require a reboot and probably shouldn't be chained together with silent switches. Plus, once you get them all up and running on an image, your processor gets dinged with a performance hit booting and shutting down. Heck, there are more icons in my systray than there are illegitimate babies in the Palin family.

Note to Lenovo: Please make it easier to use unattended installations with your drivers. Good Lord, whatever you do, separate the driver from the handy dandy (and utterly useless) apps in the control panel.
<End Rant>

Tuesday, December 09, 2008

Dell 910 - Awesome mini computer

So I've spent the last 2 days in the hospital with my oldest son.  Seems he has viral meningitis.  Thankfully he will be just fine and we hope to leave tomorrow. This of course was really really bad timing because I'm supposed to be in Denver setting up the computer room for our new office.  I'm blessed that my network administrator still was able to make the trip and he's been doing a great job getting it all up and running.  I've been able to jump on the wireless connection here at the hospital and VPN in to help out.  This is the first time I've used our Dell 910 mini laptop and it's been working great.  What a lifesaver. 

Now I didn't overload the box at all because I've followed the KISS principle setting up the box. It's XP Home Edition SP3 with watered down Word, Excel, PowerPoint and Skype. Most of the time I'm remoted into my desktop at work over our SonicWall VPN4000...another awesome device. The keyboard is my biggest complaint because it's so cramped but hey...it works. I think I'll trade my Thinkpad in for one of these.

Wednesday, November 26, 2008

Blackberry Confirmations

So popping around the web today I came across this little tidbit. If you send someone with a Blackberry a message with the subject line containing the <confirm> tag, you will get a confirmation of the delivery when the message is delivered. Here's my test and confirmation:

image

and here is the confirmation:

image

I'd love to credit the blog I just took this from...but I kinda lost my place in the excitement!  Sorry man.

Enjoy the tasty messaging goodness!

Thursday, November 20, 2008

Driftnet

This cool little open source app (shown to me by Lance of the ILTA OSS group...thanks Lance) will let you monitor traffic streams passing by your NIC. It reaches in, grabs valid graphic files passing by and tosses them up on your screen. Cool stuff....albeit a bit "big brotherish" but still cool.

It runs on Linux so you Windose-only guys won't have much luck with it, however another similar project called EtherPEG runs on the Mac.

Monday, November 17, 2008

NetWitness Investigator

NetWitness has released a free version of their Investigator product. This tool reads and parses a capture file and lets you slice and dice the data in all kinds of interesting ways.  Basically, it can read a WireShark or tcpdump file as a source and give you the ability to analyze it in great detail.  Here is the link:

http://download.netwitness.com/

Here’s a quick and dirty youtube vid on how it works:

http://www.youtube.com/watch?v=QDxTPYn2O2g

In fact, they’ve even got training vids on a youtube channel dedicated to the Investigator product:

http://www.youtube.com/netwitness

Good Stuff.

Friday, November 14, 2008

Cool Tool of the Week

Ever see Net Tools?

This cool little freeware app is packed with all kinds of crazy network troubleshooting goodness.  From ip scanning, port scanning, timesync, sniffing, spoofing to email bombs.  In fact it's got so much stuff I haven't even had a chance to find out all it can do!  My only complaint is that the menu structure to call each individual tool is a little cumbersome to work with, but hey...it's free so I can't say much.  Check it out..it's worth the effort.

Thursday, November 13, 2008

ShoreTel Server Backup

 

So I wrote a little script to backup the mysql database.  Here it is (with appreciation to the manuals and help I got from our Integrator):

rem -----------------------------------------------------------------------------
rem backupshoretel.bat
rem
rem Author - Scott Rolf
rem Version - 1.0
rem Description - This script automatically backs up the shoretel mysql database
rem -----------------------------------------------------------------------------

rem Create Archive folder if it does not exist
if exist c:\shoretelbackup goto Label1
echo creating shoretelbackup
md c:\shoretelbackup

:Label1
rem Parse out the current date to a system variable
rem (expects "date /t" output like "Tue 12/30/2008"; other regional formats need different tokens)
for /f "tokens=1-4 delims=/ " %%I in ('date /t') do Call :MakeString %%J %%K %%L

rem Make new folder based on date in archive folder
md c:\shoretelbackup\%DateString%

rem Backup mysql
rem The password on the mysqldump line sits in this file in clear text,
rem so restrict who can read the .bat
c:
cd \Program Files\Shoreline Communications\ShoreWare Server\MySQL\MySQL Server 5.0\bin
mysqldump.exe --add-drop-table --routines --user=root --password=yourpass --databases shoreware > c:\shoretelbackup\%DateString%\ShoretelBackup.sql

goto :Cleanup

:Cleanup
rem CLEANUP..dump dir of c:\shoretelbackup to a text file and delete old
rem Sort newest first by folder date (/o:-d); the MMDDYYYY folder names
rem do not sort in date order across a year change
set T=0
if not exist c:\scripts md c:\scripts
dir c:\shoretelbackup /b /ad /o:-d > c:\scripts\edir.txt
for /F %%I in (c:\scripts\edir.txt) do Call :Killold %%I
goto END1

rem Function that sets the environment variable DateString
:MakeString
Set DateString=%1%2%3
goto :EOF

rem Killold - this subroutine removes backup folders beyond the newest 30
:Killold
set /a T = 1+%T%
if %T% LEQ 30 goto :Killold_exit
rd /S /Q c:\shoretelbackup\%1
:Killold_exit
goto :EOF

:END1
goto :EOF
rem -------------------
rem End of Script
rem -------------------

Watch out for line breaks in this as a simple cut and paste may not work correctly.  I've scheduled it to run every morning and it only keeps the last 30 days worth of backups. Also change "yourpass" above to your mysql password. (The default password is in the manual.) 

Enjoy the scripty goodness...

Wednesday, November 05, 2008

Local Prefixes

As part of setting up the ShoreTel phone system, you need to load the local area codes and prefixes for calls that are not long distance.  It took me awhile to find out where to get these lists on the net so I thought I'd share the info.  You can find the codes here. Go for the spreadsheet at the bottom as they are easier to work with.  Then cut paste and replace the - with a comma and you're good to go.  Enjoy.

Thursday, October 30, 2008

Understanding ShoreTel Phones Boot up Process

So I was answering a friend who had inquired about how the boot up process works on a ShoreTel phone when I thought....hummmm...this would make a great blog entry because I'll forget it in a few months. :)

So assuming we have the network configured as I have shown in the last blog entry (VOIP vlan 19, user vlan 14), we plug a brand spanking new phone into the switch on port A1. Assuming you have your DHCP server set up correctly (which we will cover in just a minute), the phone will be in the untagged vlan 14 and request a DHCP address. It gets one, but it also gets DHCP Option 156. This option is used by the ShoreTel phone to determine where its vmail server is as well as where it should live in the network. It sees that it should live in vlan 19 and reboots. Now it uses tagged info on vlan 19 to request a new DHCP address. This time it gets one in the 10.3.9.x range and goes about its business. One thing I failed to mention here is that the first time this happens it's reboot city for the phone. New phones, even out of the box, seem to need an upgrade when they connect to the ShoreTel server. On my gig network this first boot and config of the phone takes like 10 minutes.

Ok, on the DHCP server we have to set up option 156. First right click on the DHCP server in the DHCP Server Manager tool and select "Set pre-defined options". Here you need to add option 156 so it appears as an option at the vlan scope level. Set the data type to string. Once the item is created, go to vlan 14 (where the phone first boots looking for the info) and add scope option 156. The string format should be something like:

ftpservers=10.3.19.99, country=1, language=1, layer2tagging=1, vlanid=19

10.3.19.99 is the address of the ShoreTel server, country is set to USA, language is set to English, layer2tagging is set to 1 (yes) and vlanid is the vlan id of the vlan for voip.

Cool stuff.
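
A typo in that string leaves phones stuck in the wrong vlan or pointed at the wrong server, so here is an added example (not part of the original post, and not ShoreTel's own tooling) that checks an option 156 string before you put it in the scope. It assumes ftpservers holds a single IPv4 address that lives in the voice subnet (10.3.19.0/24 in this setup); the function names are my own.

```python
import ipaddress

# The five keys used in the option 156 string shown in the post.
REQUIRED = ("ftpservers", "country", "language", "layer2tagging", "vlanid")


def parse_option156(value):
    """Split 'key=value, key=value' into a dict; reject malformed items."""
    fields = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        key, val = key.strip().lower(), val.strip()
        if not sep or not key or not val:
            raise ValueError(f"malformed item: {item!r}")
        if key in fields:
            raise ValueError(f"duplicate key: {key}")
        fields[key] = val
    return fields


def check_option156(value, voice_vlan_id, voice_subnet):
    """Return a list of problems; an empty list means the string is coherent."""
    try:
        fields = parse_option156(value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing key: {k}" for k in REQUIRED if k not in fields]

    # Assumption: one IPv4 server address, located in the voice subnet.
    server = fields.get("ftpservers")
    if server is not None:
        try:
            addr = ipaddress.IPv4Address(server)
            if addr not in ipaddress.IPv4Network(voice_subnet):
                problems.append(f"ftpservers {addr} is outside {voice_subnet}")
        except ipaddress.AddressValueError:
            problems.append(f"ftpservers is not an IPv4 address: {server!r}")

    # The phone reboots into whatever vlanid says, so it has to match the
    # VLAN the switch port carries tagged.
    vlan = fields.get("vlanid")
    if vlan is not None:
        if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
            problems.append(f"vlanid is not a valid 802.1Q VLAN ID: {vlan!r}")
        elif int(vlan) != voice_vlan_id:
            problems.append(
                f"vlanid {vlan} does not match the tagged voice VLAN {voice_vlan_id}"
            )

    tagging = fields.get("layer2tagging")
    if tagging is not None and tagging != "1":
        problems.append(f"layer2tagging is {tagging!r}, expected '1' for a tagged voice VLAN")

    for key in ("country", "language"):
        val = fields.get(key)
        if val is not None and not val.isdigit():
            problems.append(f"{key} is not numeric: {val!r}")
    return problems


if __name__ == "__main__":
    option = "ftpservers=10.3.19.99, country=1, language=1, layer2tagging=1, vlanid=19"
    issues = check_option156(option, voice_vlan_id=19, voice_subnet="10.3.19.0/24")
    print("OK" if not issues else "\n".join(issues))
```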

Friday, October 24, 2008

ProCurve 5412zl and ShoreTel

So we've got the ProCurve set up for the ShoreTel system and phones now.  Here is the code snippet from the ProCurve:

interface A1
   name "Phone and PC Office 100"
   power-over-ethernet high
exit
interface A2
   name "Phone and PC Office 101"
   power-over-ethernet high
exit
interface D7 
   name "ShoreTel Voicemail Server"
   no power-over-ethernet
exit
interface D14
   name "ShoreTel 50"
   no power-over-ethernet
exit
interface D15
   name "ShoreTel T1"
   no power-over-ethernet
exit

vlan 14
   name "USER_VLAN14"
   untagged A1-A2
   ip address 10.3.14.1 255.255.255.0
   exit
vlan 19
   name "VOIP_Phone_VLAN"
   untagged D7, D14-D15 
   qos priority 7
   ip address 10.3.19.1 255.255.255.0
   tagged A1-A2 
   exit


qos udp-port 4102 priority 6
qos udp-port 1718 priority 6
qos udp-port 1719 priority 6
qos udp-port 1720 priority 6
qos udp-port 25 priority 6
qos udp-port 37 priority 6
qos udp-port 69 priority 6
qos udp-port 162 priority 6
qos udp-port 520 priority 6
qos udp-port 8089 priority 6
qos udp-port 8888 priority 6

You also need to configure your DHCP server so that when the phone boots up, it can determine the VOIP VLAN that you want to use.  To do this you need to set up the following DHCP options on your DHCP server in the untagged VLAN that the phones will first see when booting (VLAN 14 above):

042 = NTP Servers = NTP.Server.IP.Address1,  NTP.Server.IP.Address2
066 = Boot Server Host Name = ShoreTel Server IP address
067 = Bootfile Name = ShoreTel Server IP address

So far this ShoreTel stuff is pretty kick ass. I'm not regretting my decision at all.

Thursday, October 23, 2008

HP ProCurve 5412zl and Equallogic PS5000E

So we finally got everything configured on the ProCurve 5412zl for the Equallogic today.  According to the documentation you need to configure the following:

  • a separate iScsi VLAN
  • turn on flowcontrol
  • enable jumbo frames on the VLAN
  • turn off spanning-tree on iScsi ports
  • disable unicast storm control

Here is the snippet of the switch config for the Equallogic and server connected to it:


interface C19  
   name "ESX Server connection to iScsi VLAN"
   flow-control
   no power-over-ethernet
exit
interface D9  
   name "Equallogic NIC1"
   flow-control
   no power-over-ethernet
exit
interface D10 
   name "Equallogic NIC2"
   flow-control
   no power-over-ethernet
exit

vlan 25
   name "iScsi_VLAN"
   untagged C19, D9-D10
   ip address 10.3.25.1 255.255.255.0
   jumbo
   exit

spanning-tree
spanning-tree C19 bpdu-filter
spanning-tree D9 bpdu-filter
spanning-tree D10 bpdu-filter

spanning-tree C19 admin-edge-port
spanning-tree D9 admin-edge-port
spanning-tree D10 admin-edge-port
spanning-tree config-name "Calamazo"
spanning-tree force-version RSTP-operation

On the ProCurve, I couldn't find a setting for unicast storm control.  If you know how to do this hit me up in the comments.

Tuesday, October 21, 2008

Internet Access in Amerituckey

So from time to time I get requests for Internet access out of some back woods countrified hotel.  As anyone that has ever traveled anywhere in the U.S. knows...hotel Internet access is like a box of shitty chocolates.  You know it's gonna be horrible, but you're just not sure how horrible it's gonna be.  So I ran into this cellphone based router called Proxicast.

You can use any basic cell card you want. I chose the Alltel Huawei EC360 because...well....the Proxicast guy said it was the best! Alltel, unlike other carriers, has not yet limited their unlimited Internet access (gotta love telco providers).

The card needs to be activated by a PC first, but once that's done it plugs in and comes up pretty quickly in the Proxicast router.

Performance has been pretty decent..about what you would expect. If you've got occasional users and only a few (1-2) people driving it hard you'll be ok.

We offer remote access through an SSL VPN box and we were able to get about 2-3 people running through the router successfully without constant complaining. The big thing I noticed was that latency was pretty high. I experienced latency in the range of 207ms all the way up and over a second. This is probably just the Alltel 3G network, but that's still pretty horrible. I wouldn't try and run Skype over this connection and expect not to have to shout out "OVER" each time I finished a sentence. In case you're curious, here are my speedtest.net results:

image

The nice thing about the Proxicast is you can plug it into the wall at the hotel and use the cell line as a backup.   If the hotel Internet goes down then you can swap over to cell access.  The fact that it's got a wireless access point baked in (a,b/g) makes it a nice piece of gear for a litigation lunchbox.

Friday, October 17, 2008

Data Forensics

It looks like Helix, a data forensics tool baked in a Live CD, has been updated. This is a cool tool that I've used in the past to analyze some images at work that we were given. Rather than spending thousands of dollars on EnCase and other tools, I've used this tool to scour and search hard drive images. As I'm not a forensic investigator, we generally pay for a licensed investigator to obtain the image and then we use our own tools to find the data. There's also a forensics wiki full of open source goodness.

Friday, October 03, 2008

VOIP

So we are moving to VOIP in our Denver office. This will be a new area for us as we are a long time Siemens PBX customer. After much consideration we've decided to go with ShoreTel.

The decision was based on price, performance and ease of use. Once again Cisco lost out on two of those issues...price and ease of use. The performance metric was difficult to get a handle on (I'm not sure I ever did) because you'd almost have to do a bake off to tell the difference. In the end, ease of use was the real motivation to go with ShoreTel. We don't have a full time telecom person so I need my network admins to be able to configure and support the gear. Cisco once again is just too complicated to deal with. I'll let you know how it goes but so far I'm really excited.

Note to my open source homies: I did think about SwitchVox and given more time I may have decided to go with them. However, in the interest of time (we go live 01/01/2009) and given the fact that there will be no IT support people in our Denver office I wanted a known, tested system. So basically I wimped out. Sometimes you gotta pick your battles.

Wednesday, October 01, 2008

Done Paying Ransom

We are opening a new office in Denver in January.  After doing some soul searching and research I've decided that I'm done paying Cisco ransom.  I'll be implementing HP ProCurve switches in the new office.  This is huge for me.  For many years I was a Cisco bigot.  I even sat in on the CCIE lab back in 2000. (Yep..I missed it by a few points but it was a cool experience.)  Now that I'm actually responsible for paying for the gear as well as configuring it, I can't justify Cisco anymore.  Here are the points on my reasoning:

  • These days, layer 2 & 3 switching is commodity.  There are few gains found between different vendors gear.
  • HP ProCurve gear has a lifetime warranty and free software updates.  Smartnet has always been painful to deal with because it's true extortion.  You are paying for them to fix things that were broken when you purchased the product.  Beyond that you are paying for insurance on the best made gear in the world.   Seems to me if it's the best gear it shouldn't need insurance...or at least cheaper insurance.
  • The long life of a Cisco box is stifled by its Smartnet price rising at every renewal and the fact that in 6 months the box that will work for years becomes End of Sale...then End of Life. What's the use of buying high end gear and then swapping it out every 3 years just so Cisco has a better bottom line?
  • Cisco gear is a chain saw. It's really powerful to those who use it every day, but for those of us that want to set it and forget it....that's exactly what happens.  You spend hours researching a topic...figure out how to implement it..and then you forget about it.  When something breaks or needs adjusted the CLI forces you to "relearn" everything to get back to where you were.  They need to dumb some of this stuff down.
  • eBay.  So you buy a used box and you have to "re-certify" it just to pay the ransom of Smartnet?!?!?!   You'd think they'd be happy just to get the support contract as expensive as it is.

So that's it.  As far as switches are concerned I'm done with Cisco.  Once I find a replacement router I feel good about, I'll jump ship there too.  As for firewalls...I just received a SonicWall NSA5500 that's waiting for me to play with.

So long Cisco....you were good to me once....but you've priced yourself out of the market.

Saturday, September 27, 2008

Scripting tool for Windows

So there are a ton of ways to script stuff in Windows...batch files, VBScript, PowerShell, etc...   My favorite is AutoIT.  AutoIT is a freeware (unfortunately not Open Source) tool that is very similar to the old basic language and can be used to do a wide variety of things in Windows.  All your typical stuff like registry access and file access is available and because it can tap into Windows components you can do things like ftp.  I was first attracted to the tool because it lets you script "button pushing".  I was working on automating a standard image and we had a few applications that had poorly designed installation routines which you couldn't automate from the command line.  AutoIt will let  you wait for windows to pop up and then you can instruct it to press buttons in the window so you can have a "hands-off" installation.  Take a look...it's well worth the effort.

Friday, September 26, 2008

Remote Support Tool

I'm often asked to "jump in" to someone's PC and generally I use a Terminal Services client, Remote Assistance (check out sora.exe to make this easier), Ultravnc or Ultravnc SC. These solutions all have different benefits, but I've recently found another tool called CrossLoop that is pretty good too. It's a bit deceiving because it looks like you have to register the tool, but you really don't. So, IMHO here is the low down on these tools:

Terminal Services - Great for remote control, but you're gonna knock off the local user at the box and there's no good way to shadow them and see what they are doing.  Best used for remote access to servers.  This is a very efficient tool from a bandwidth standpoint.

Remote Assistance - A decent tool, but it has to be enabled on the client and to take control of the mouse and keyboard the user has to first allow you in (meaning they have to be sitting at the machine waiting for you) and then they have to also let you remotely control their machine. This two step process is a pain. Also there's no easy way to get into the client tool because it's buried in the Help and Support nonsense. I did find a tool called SORA.EXE which acts as a client helper making it easier to connect, but the user still needs to accept twice.

UltraVNC - A great tool with lots of options, but you have to load the tool which requires a reboot.  It's pretty fast and seems to work well but walking a low tech user through loading the tool is a bit cumbersome.   Adding it to a standard image is great for helpdesk folks.  The benefit to this tool for helpdesk personnel is that the user need not be present to remotely control their PC.  This is big brother...you can easily spy on users so make sure you include a remote policy on what is and what isn't acceptable behavior.

UltraVNC SC - This is an extension to UltraVNC...think of it as a mini-ultravnc setup. You edit an ini file and then create a .exe file which you can post on your website. Anybody can then download and run the tool. The install is seamless and it uninstalls when you disconnect so there is no permanent footprint. Because you prepopulate the ini file with your Internet IP address the user can simply click on a "connect to Fred" link in the tool to give you remote access. It supports encryption and can run on any port you want. Downside is if you are on the road and need to help someone it's difficult because you've tied your IP address into the ini file. (I haven't played with PCHelpware yet, but I'll look into it.)

CrossLoop - This tool does require installation on both sides of the connection but it's pretty simple and doesn't require a reboot.  You can pass control both ways so they can see your screen or you can see theirs.  So far it's been great for me when I'm out of the office and someone needs help.  The one thing to note is that you can skip the registration during installation by clicking a little "skip" shortcut on the bottom right of the registration page.  Good stuff.

So lots of tools and lots of options...no one tool is perfect for every situation but between these tools I've been able to do everything I've needed to. If you've got a tool you think is better, drop me a comment.

Monday, September 22, 2008

I love me some WireShark!

I put on a session at this year's ILTA on WireShark. I got pretty good feedback and this month for the Open Source call-in I was asked to share some links to info on the net that I used for preparation of the talk. Here are a few of them:

http://www.wireshark.org/  - The main WireShark Page

http://wiki.wireshark.org/ - The Wiki for WireShark

http://www.novell.com/connectionmagazine/laurachappell.html - Some old presentations Laura Chappell gave at past Novell events.

http://laurachappell.blogspot.com/ - Laura Chappell's Blog

http://www.wireshark.org/news/20060714.html - A Beginning Tutorial and Podcast on WireShark from Chris Sanders

http://home.insight.rr.com/procana/ - Dated, but still relevant info on designing capture filters

http://thenetworkguy.typepad.com/nau/tips/index.html - Good general packet info site

http://www.linuxjournal.com/article/9398 - VOIP and WireShark article

http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html - Nice little article on TAPS and Span Port use when sniffing

http://wiki.wireshark.org/SampleCaptures#head-6f6128a524888c86ee322aa7cbf0d7b7a8fdf353 - Sample Captures

http://www.techtraces.com/ - Another site with sample captures

http://gaia.cs.umass.edu/ethereal-labs/ - Even more sample captures (at the bottom of the page)

http://packetlife.net/ - a nice networking blog

Have Fun!

Friday, September 05, 2008

Cheap, Simple, websites

So I committed myself to help develop a web site for my son's Cub Scout pack.  I did a smallish site last year for his Den just to keep track of Calendar items and it worked pretty well. I hosted it at the time with 1and1.com which ended up costing about $3/month.  At the end of the year, they wanted to jack up the rates so I didn't want to renew or start over with them this year.  After a bit of searching I found a site called AirSet. (www.airset.com).  It looks pretty cool. We can use it to manage documentation, calendars, photos...all kinds of stuff.  The basic usage is free but once you use some decent amount of storage you need to pay a small fee. (5GB is $2/month) It looks like it might be a great way to collaborate...I'll let you know how it goes.

Monday, August 11, 2008

CentOS is now my favorite distro

After messing around with many different distros over the last few years, I've come to the conclusion that CentOS is my favorite. I cut my teeth in Linux on Red Hat back when it was free and have always struggled with other Debian based or BSD based distros because of the differences. As CentOS is basically Red Hat without the invoice, it's nice to come home again. I still have a few Ubuntu boxes around, mostly because Wireless and Media Codecs seem to be better on that platform, but my production stuff is all going to CentOS.

What's your favorite flavor?

Thursday, July 17, 2008

Bye Bye Trustix

Crapity crap crap. Another decent distro bites the dust. I really like the idea of a small, security specific Linux distro for Internet applications. Years ago I used OpenNA for both FTP and HTTP stuff. It was great. Then it died and I went to Trustix. Now that's dead. With all the great distros out there I haven't found a solid, stable, smallish, security specific distro as a replacement. I'll probably go to CentOS at this point because it's free. The problem is backing out all the crap to get to a small footprint.

So long Trustix...we hardly even knew ya....

Saturday, July 12, 2008

Helpdesk, schmelpdesk

We've been running our IT Department without a helpdesk software package for way too long. Initially, we only had one full time support person so it was pretty easy to just use email to track stuff. Over time we've grown and distributed some responsibilities so it was time to get a decent package put in so nobody dropped the ball on anything. I took a look at HelpStar, Cerberus, OSTicket, OTRS and SupportSuite. Each has an interesting take on how it handles tickets, but I ended up going with SupportSuite. My reasons were based on price; features we'd actually use, something that runs on Linux (CentOS), email ticket submission, visibility on a PDA (some type of decent web interface), unlimited users and techs (without having to pay ransom per tech) and ease of use.

We are still in the configuration stage, but all looks good so far. I really like the LiveSupport piece which is kind of an IM client for the techs that are on-line. I also like the escalation, SLA, and Teamwork features. All this for under $700. Some of the solutions I looked at were almost $1000/tech. That's just way too much to spend on something like this. Heck, if all goes well the users won't even see it. Hard to justify something at $1000 per tech when there's little direct visibility for the users.

I'll let you know how it goes but so far so good.

Wednesday, June 11, 2008

Cheap Disk

My buddy was talking about a low cost SAN like solution based on Linux called CORAID. Looks like good stuff. Basically you buy the 1U, 3U or tower shell and add your own SATA (I or II) disks. It uses a layer 2 protocol called AoE (ATA over Ethernet) which they claim is better than iSCSI because it doesn't have to deal with the overhead of TCP/IP. At 64 cents/GB it sure looks like something I'm gonna have to try at some point. Looks like it would make a great target for secondary storage for disk to disk backups or an imaging project. The OS is based on Linux and all recent Linux kernels already support AoE so that's cool. Good Stuff.


Friday, June 06, 2008

"Scotty, I need more power!"

Ok...maybe I don't need more power, I just need to know what I'm using. That's always a pain in the butt. Even with a degree in Electrical Engineering I don't get too excited about monitoring what each device uses for power but it really needs to be done if you wanna get an understanding of your overall consumption needs.

I found this little dealio on the web and bought one:

It's the Kill-A-Watt EZ power monitor. What makes this gadget dope is that it will spit out all the normal stuff (volts, amps, etc.) but it also tells you Watts, VA, Power Factor and KWH. If you drop in what your pay rate is for electricity it will even calculate how much it costs per hour, day, week and year to keep a device running. Good stuff. Only limitation I've seen is that it's strictly a 120VAC device so big honking stuff you need to do the old fashioned way with a volt meter, calculator and cursing.

Thursday, June 05, 2008

Newsletter Rant

<begin Rant>
Vendors that send newsletters marked as Important emails should be shot. I say this because I have all critical/important emails automatically forwarded to my phone as a text message. Yes I have a Blackberry (actually a Samsung BlackJack with Goodlink), but to separate the wheat from the chaff I use Exchange Rules to forward specific messages as text messages to my phone....messages from the boss, the managing partner, loss of Internet access, etc.  As I pay for only 200 text messages a month, having newsletters forwarded is a real costly pain. 

Newsletters are bathroom reading people...they are not and have never been important reading. 
<end Rant>

Tuesday, May 20, 2008

WSUS that's not such a wuss

So Windows XP update management during an MD/BDD build is a pain in the butt.  The built in tools force you to identify, by hand, and download, one at a time, all the updates needed.  There is a nice step in the rules to allow you to run all the updates but come on..we're talking at least 2 days of work to get all this set up correctly and then tested.  Then. BAM. A service pack comes out and now you gotta go clean it all up and start over again.  Not a good thing.  So how did I handle this problem?  Open Source of course.  A little gem called CTUpdate.  Good stuff.  It even downloads updates for Microsoft Office if you want.

So here is how it works. Download the code, run the .exe and it will go out and get all "security" updates for you. Yeah...not all the updates as it uses the Security Baseline Analyzer as its database to know what to pull..but hey it's better than the alternative. Now I just create a custom step to dump the "client" folder down to each client and start the install process. Then a quick uninstall routine deletes the source. This was done as a hands off process and added just a little time to the build process.

Monday, May 12, 2008

Lenovo T61 Sysprep bluescreen fun

I hit a nasty error today sysprepin' a T61 Lenovo laptop.  Basically, one single line in the sysprep.inf screwed me.  The line was

extendoempartition=1

Seems like this would use the whole disk for the image right?!?!?  Sounds like a good idea right?!?!?  Hey they document the setting right in the sysprep help file so it's gotta work right?!?!?!!?  Ah, no...but thank you for playing.

Basically, you sysprep the box and on the first boot you get the "Windows XP" loading screen.  Then BAM...faster than a Britney Spears drug rehab visit it bluescreens with a 0x000000ED error.  Change that setting to 0 and it all works.  Details can be found here:

http://support.microsoft.com/kb/329826

 

...where'd I put that damn Ubuntu DVD's........ :)

Friday, May 09, 2008

ntop - network monitoring coolness

So I've talked a lot in this blog so far about BDD/MD simply because that's the project I've been working on lately.  However, I'm a huge open source fan and you'll probably hear more and more about my open source favorites as time goes on.  Well, I finally got ntop (www.ntop.org) working on Ubuntu 8.04 the other day and man it is cool.  I haven't looked at this product in a few years but it's really a good tool.  Wanna catch file sharing, music download, porno watching network hoggers?!?!  ntop can do that for you.

Installing on Ubuntu takes a little effort because you won't see it in Add/Remove programs. I used apt-get to pull mine down.  It went something like this:

apt-get install ntop

Then I just run ntop from the command line and it comes up.  It defaults to port 3000 so to see the web interface on the same box open Firefox and go to http://localhost:3000.  I had to reconfigure it for my second nic (because I have a regular nic and a monitoring nic) so once it was up I went through the web interface to Admin->Configure->Preferences and set the item called ntop.devices to eth1.  Then I did an Admin->Shutdown, waited 30 seconds and restarted it from the command line.  Good stuff.

Wednesday, May 07, 2008

Get Computer Make & Model for BDD

If you use the BDD database or if you script the variables to pick up the appropriate /Drivers folder (which is blogged about all over and well worth the effort) you need to determine what BDD thinks the computer name and model are.  You can certainly start a BDD build and hack through the logs to get this info or you can run the following under an OS and let it tell you:

Open a Command Prompt
type "wmic"  at the command prompt
type "csproduct get vendor"  <- This will spit out the vendor name
type "csproduct get name"  <- This will spit out the machine name

Now, on my drivers share I have folders for each machine name (for example, a Lenovo T61 is 888901U) which contains all the drivers for that model.  Point to this in sysprep.inf and unattend.inf and it will make your life a lot easier. If I can find the link to the full description of this I'll post it.

Microsoft Deployment from a USB drive

This is a shameless cut and paste from another blog, but here are the instructions for formatting and then creating a USB stick with a copy of the LiteTouch iso files on it:

1 Open admin cmd prompt.
2 Run "diskpart".
3 Run diskpart command "list disk".
4 Make note of the disk number your flash drive is.
5 Run diskpart command "select disk (drive number)".
6 Run diskpart command "clean".
7 Run diskpart command "create partition primary".
8 Run diskpart command "select partition 1".
9 Run diskpart command "active".
10 Run diskpart command "format fs=fat32".
11 Run diskpart command "assign"
12 Run diskpart command "exit"

From there just copy the contents of the Litetouch ISO directly to the USB drive and you're all set.  I bought a few 4GB sticks (Kingston 4GB DataTraveler 100's) and they worked just fine.

Friday, April 25, 2008

Mini-setup has issues adding machine to the domain

So I was struggling with this issue for quite a while.  During our BDD process (I gotta start calling it MD for Microsoft Deployment, but that's a hard habit to break.) everything was roses until the machine image dropped down as a .wim started running the mini-setup after being sysprepped.  I kept getting the error "An unexpected error has occurred while changing your computer's network identification.  Would you like to proceed for now and try joining the domain later?"  Of course, you enter yes and it completes and then adding manually works every time.  So why can't it do this automatically?  Well it turns out the old MachineOU="Computers" was stuck in my sysprep.inf.  Not by me, mind you, by BDD. I had removed this line, but it appeared in the default customsettings.ini file (aka the Rules tab under the deployment point) and BDD was adding this line as well as a few others during the build process.  Removing it from the sysprep.inf and from customsettings.ini finally did the trick and the machine was added just fine.  The shift-F10 trick I posted about before really helped in figuring this out as I was able to "preview" the sysprep.inf file right before mini-setup ran.  On to the next issue.....

Command line during mini-setup

After messing with an error during our sysprep/mini-setup routine, I found an obscure reference on the net about hitting Shift-F10 to bring up a command window during mini-setup so that you can troubleshoot what's going on.  I'll be damned...it works.  This little trick helped us better understand what was going on and gave us the ability to try different settings in the sysprep.inf until we got one that worked.

Sunday, April 06, 2008

Packaging UltraVNC

So we use UltraVNC on all our desktops for remote support.  Being well intentioned IT folk, we want to force encryption...well just because.  So it turns out this is a pain in the rear to package.  Basically, the latest version of UltraVNC 1.02 requires a system variable be set if you want to use a key file named anything other than rc4.key.  So after a few hours of fighting this...here is my procedure to package UltraVNC with Prism Deploy, our packaging tool:

  1. Perform a standard UltraVNC install.
  2. Add the system variable msrc4pluginkey and set it equal to the path of the custom key file (i.e. c:\program files\ultravnc\mykey.key). I did this for both user and system variables because in user mode it seems to use the user variable.
  3. Copy mykey.key to c:\program files\ultravnc
  4. Copy msrc3plugin4_noreg.dsm to c:\program files\ultravnc
  5. Setup mslogin 2 and the default password
  6. Install hook driver
  7. Install service
  8. Start service
  9. Install service helper

Well anyhow, that's what worked for me. 

Wednesday, April 02, 2008

UltraVNC SC

For those of you looking to remotely support users over the web, this is a handy open source tool that gets the job done.  I'm not talking about the familiar VNC where the client needs to be preloaded either.  This tool is a mini-executable that downloads an extremely thin client with very little effort that connects back to you, running as a VNC server.  When the session is done, the client removes itself so there is no permanent footprint left.  So far, I've only seen this as a Windows tool.  The main website for Ultravnc SC is here.  I have a post on our main webpage at work called PC Support.  We direct users to it to pull down the client.  After the client loads, they simply double click on the name of the person on my staff that they want to remotely control their machine.  It's all driven by an ini file setup.  You feed that file and a few others in a zip file to a web app at Ultravnc's site and it returns a compiled, custom version for you to use. I was a little leery about the whole "let us create the .exe for you" part, but I can say I've had no issues in the last 3 years that we have been using it.  Definitely good stuff and in my Top Ten favorite Open Source apps.

Tuesday, April 01, 2008

Bootstrap.ini

This little gem can be found in MD under your deployment point settings. Just click on the Properties of your distribution point and go to the Rules Tab. At the bottom you'll see a link for bootstrap.ini. Here's mine (well, almost; I changed the username and password):

[Settings]
Priority=Default

[Default]
DeployRoot=\\SRV-BDD01\Distribution$
SkipBDDWelcome=YES
UserID=deployadmin
UserDomain=mydomain
UserPassword=GoIndians!


What is it used for? Well, somehow WinPE grabs this file and uses it for authentication to the MD server when it boots up. Without this, WinPE runs but can't get at any of the MD stuff on the distribution share. It's probably used somewhere else in the build process, but so far that's all I know about it.
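
A check a deployment admin could run over these files, as an added example that is not part of the original posts or of Microsoft Deployment: it flags the three settings this blog ran into (the cleartext UserPassword above, extendoempartition=1 and MachineOU="Computers"). The rule table, the function name lint_ini and the sysprep.inf fragment are constructed for illustration, and the key names are the ones written in the posts.

```python
import configparser

# Rules taken from the posts on this page (keys lowercased, as configparser does).
RULES = {
    "userpassword": (lambda v: v != "", "cleartext credential in the file"),
    "extendoempartition": (lambda v: v == "1", "post reports 0x000000ED bluescreen; use 0"),
    "machineou": (lambda v: v.lower() == "computers", "post reports failed domain join"),
}

def lint_ini(name, text):
    """Return (file, section, key, message) findings; values are never echoed."""
    parser = configparser.ConfigParser(
        interpolation=None,            # keep UNC paths, '$' and '%' literal
        strict=False,                  # tolerate duplicate keys
        allow_no_value=True,           # tolerate bare lines with no '='
        default_section="__unused__",  # no section gets DEFAULT inheritance
    )
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = (value or "").strip().strip('"')
            check, message = RULES.get(key, (None, None))
            if check and check(value):
                findings.append((name, section, key, message))
    return findings

# The bootstrap.ini shown in the post (the author had already changed the password).
BOOTSTRAP_INI = r"""
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV-BDD01\Distribution$
SkipBDDWelcome=YES
UserID=deployadmin
UserDomain=mydomain
UserPassword=GoIndians!
"""

# Constructed sysprep.inf fragment; the section names are assumptions.
SYSPREP_INF = """
[Unattended]
extendoempartition=1
[Identification]
MachineOU="Computers"
"""

if __name__ == "__main__":
    print(lint_ini("bootstrap.ini", BOOTSTRAP_INI) + lint_ini("sysprep.inf", SYSPREP_INF))
```

Whatever account shows up beside a UserPassword finding should have read-only rights to the distribution share and nothing more, since the file travels with the boot media in readable form.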

Monday, March 31, 2008

Microsoft Deployment (AKA BDD)

Well. I've been working with the Microsoft Deployment tool for over two months now trying to get back up to speed on how all this new deployment stuff works. I've got a ton to say on this topic so you will see frequent posts for awhile as I vent and work to document some of my findings. Let me begin with my Top Ten Things I wish they'd have written down somewhere in the documentation.

10. BDD and WDS don't play well together. Use WDS (aka RIS) to send out the Litetouch wim file and that's it. If you were planning on building images with BDD and then distributing them via WDS think again. Basically, there's a ton of power built into BDD beyond what WDS has and you really need it. Trust me.

9. Only use Out of Box drivers for nic and mass storage drivers. With Microsoft Deployment (let's just agree to call this MD now for ease) 2008, all these drivers will be gathered up and built inside your WinPE wim and ISO's automagically.

8. Mass storage drivers suck. They are a pain to deal with, but once you get it down it seems to work well. I'll post more in depth on this topic later. For now just realize that WinPE, unattend.txt and sysprep.inf will all need to be hacked to get them to work.

7. You need at least 512MB of RAM for a MD client to run and set up a box. OK, this isn't a rule I read; it's what I've found during testing.

6. The documentation is horrible. Read Ben Hunter's Blog, The Deployment Guys Blog, Michael Niehaus' Blog and Richard Smith's Blog if you really want to learn how it all works.

5. The database part of Litetouch is nice, but not a requirement to set up a simple deployment system. I find it overly complicates things until you understand exactly what's going on.

4. If you edit anything that's contained in WinPE (including Out of Box Drivers) or in the deployment point be sure to right click on the deployment point and rebuild it. Yes it takes awhile...smoke'em if you got'em.

3. For a client to PXE boot from the MD/WDS server make sure you've set your vlans with an IP helper pointing to the IP of the MD/WDS server. Also there's a scope option that will need to be set. More on this later.

2. ImageX grabs the files on an image only, it's not a byte by byte replica of the drive. If you are grabbing a user's old hard drive to store, understand that you can't depend on any forensic recovery of deleted data from inside a wim file.

1. Don't use Out of Box drivers for all of your drivers. Create a separate share called "Drivers" and put into it a folder for each make/model of machine you have. Then create a folder structure underneath it for audio, nic, display, chipset, etc... Now edit your unattend.txt and point to that folder structure...all the inf files will be found during the build process automagically. More on this later.

Welcome to my blog 2.0. My first attempt wasn't cutting the mustard so I figured I'd start again.

Expect to see content on Microsoft Products (specifically Microsoft Deployment (BDD), Windows Server, etc..), Linux Distro's (Ubuntu, DSL, CentOS, Red Hat, etc.), a little Cisco (mostly R&S) and whatever else is bothering me on any specific day. :)