
Archive for the ‘Gestalt IT’ Category

ReFS – a new and improved approach

February 1st, 2012

I was looking through some email today and saw a newsletter from ZDNet at the top of my inbox.  Normally these don’t get my immediate attention, but for some reason, today… it did.  There was a post from Mary Jo Foley (linked below) looking at the upcoming file system in Windows Server 8, ReFS.

I am anxious to get my hands on this file system and play with the features that it will bring to the table.  I do have the Windows 8 preview and will get into it further soon, but from what I have read and previous discussions with Microsoft this seems very very interesting.

Things I like so far:

Live.  Microsoft is working to engineer ReFS to handle corruption and corrections live, without the need to offline the file system.  This will reduce the time needed to maintain the filesystem.

Better data integrity as a whole.  Because the file system can manage and mitigate corrupt files and handle much of the repair process online, there will be less need to reboot to take care of maintenance tasks, like following check disk runs.

Checksums on metadata.  Being able to ensure a file's integrity has not been compromised at will, without a process run by the user, is great.

Shared Storage Pooling.  This will allow storage across servers to be pooled and shared amongst them, creating a load balanced configuration to allow for better resource and file availability.

I cannot say that I am surprised these changes are coming and this makes up for the Metro UI a bit for me, but I do want to see more of what is planned for ReFS and get my hands on it a bit more.  One of these days I will get another Windows laptop and get Windows 8 running on it to get a closer look at the file system and its tools.

For more information on ReFS check out these links:

http://www.zdnet.com/blog/hardware/microsofts-killer-windows-server-8-feature-refs/17757

http://www.zdnet.com/blog/microsoft/microsoft-goes-public-with-plans-for-its-new-windows-8-file-system/11666

http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx

PowerShell… What an awesome tool

January 16th, 2012

I have been trying to talk myself into learning Microsoft PowerShell for quite some time.  It was always cool for a little while and then, like many other things, it just got dull and lost its shine. Until recently it was something I knew I would need to learn someday because Microsoft would eventually put it into products as the core means of administration.

Note: I realize that they are doing this already, but until recently I hadn’t been close enough to a product that used it to worry much about it.

Then I started getting into Exchange 2010.  PowerShell for managing E-mail from almost all aspects of the process is a damn fine idea.  Now I have a reason to learn more than a few simple commands, because I might actually put them to use.

Where I have been

I signed up for an account at PowerShell.com to get my feet wet and hopefully participate in a community. I have found this to be somewhat useful in the past and am hoping that it allows me an outlet to go dig around in other people's scripts to see if I can comprehend just what they are doing.

I am on the fence about ISE… I know at some point Notepad will become a burden to use, but just starting out, I don’t think I need to worry about that just yet.  If anyone has any suggestions for things to look at in terms of ISE or just good resources for learning PowerShell, please post them in the comments.  I am anxious to get a jump on this thing in the hopes that it will be worth the effort to understand.

Tons to learn

I have tried a few things that I found while binging my way around the web and it has been interesting to see what is out there, surely I haven’t even scratched the surface yet.  I would think a PowerShell magazine or some newsletter type offering would be a huge benefit to the PowerShell community.  Maybe the guys at Redmond Magazine would consider getting something wild like that off the ground??

For now, I will begin re-perusing the books I have on PowerShell and dig into the Internet on the subject further.  Maybe there will be an event near me in the future that will help me learn… I will keep my eyes peeled for that for sure.

 


The more you know

June 13th, 2011

Recently we had an issue with a dead battery in a vehicle.  It was a larger vehicle and attempts to jump start it with our super fuel efficient Saturn Ion went nowhere.  Fortunately, my wife has a friend at work who was able to come over and help us out with their also larger vehicle.

Upon jumping the battery we took the car to AutoZone and everything checked out ok.  The point is not to point out my rather lacking skills with automobiles, but rather to point out that it is ok to lean on or ask for help with things that you do not know much about.

This is certainly the case with IT.  There are just far too many technologies to allow one person to know them all.  When you are unsure, it is ok to make an effort to learn, but at some point asking someone with the knowledge is likely the safest bet.  Not only will it help solve the problem in a quicker fashion, but will allow you to learn from those who help you out.

Remember though to help when others need it

Once you have asked for help with something you do not understand, do not forget or suddenly become too busy to help those you have leaned on with the things you do understand.  In the case of the less than starting SUV, if asked, my computer skills are available if needed. It is the least I could do.

Be nice (and helpful) to those around you as you never know when you may need their help.

As an aside, I did get to drive a Cadillac SRX (if only to move it into the garage).

Trust. It is an interesting thing in Active Directory.

June 3rd, 2011

This week has been interesting, mainly in that I was reminded about the simple things in Active Directory and how much harder they become when you don't pay them enough attention.  Replication is much like Ron Burgundy – kind of a big deal.  If you do not pay enough attention to replication between domain controllers in Active Directory, bad things happen.

Sure they seem like small things, but over time, these small things like change in the couch cushions can add up to a big ticket problem.  For me, the issue wasn’t all that bad, but it did take some head scratching (outside the scope of the actual issue) and a brief conversation with someone wiser than I about the symptoms of my issue.

We don’t trust you anymore, go away

Windows 7 is a rather finicky OS (more so than Windows XP, and probably a bit less so than the OS between XP and 7).  Because computers are still objects within Active Directory that access other secured resources within the directory, they too authenticate.  In reality, this means that computers have accounts equivalent to User objects within the AD environment. These accounts allow computers to tell Active Directory that they belong within the environment and should be allowed to access resources.  Just like when I log on to the domain and request access to resources by providing credentials, computers in the environment do the same.

If for some reason, the Domain Controller cannot match the credentials presented by the computer to what is stored in its database, the Domain Controller refuses authentication and presents a message about trust relationships.

I didn’t create credentials for the computer, what the heck do I do now?

When a computer is added to an Active Directory domain its account is established and the password set.  Then the password is managed by the computer and AD and changed automatically about every 30 days or so.  If the computer is no longer trusted by the domain, it is likely that the password is incorrect or has gotten lost in translation causing authentication to fail.

My issue was a replication issue which caused the computer accounts of a few workstations to fail authentication.  Because it is not the best idea to maintain only one domain controller in any Active Directory environment, and because of the way that AD manages information about objects, replication happens.

Perhaps an example will work here.  Suppose I create a user object for John Smith using Active Directory Users and Computers (ADUC) on a Domain Controller named creatively DC1 at my office.  John will be starting his new career as a data entry specialist in my company’s Houston office in a week or so.  Adding the user account for John to a DC in my office works just as well as if I had flown to Houston (or remoted into the DC there) and added the account.  Because replication sends all objects created, maintained, or deleted to all other replication partners within the domain, a user account created in my office on DC1 can be replicated to Houston on DC2 and when John gets to work, he can log on and all is well.

Replication happens in the background and is pretty much out of sight when things are going smoothly, but from experience I can tell you that you should check in on your friend replication regularly.  Maybe not daily, but weekly for sure.  Just to make sure that objects in the directory are being moved around without errors.

What might cause replication problems?

There are any number of settings and configurations that can cause problems with replication.  Surely more than I have seen or have time to list here, but some of the basic things are:

  • Improperly configured links
  • Unmanaged Replication configurations
  • Misconfigured Firewalls
  • Equipment failure

Improperly configured links

When you establish replication between two (or more) Active Directory domain controllers, you create links between them that allow these DCs to exchange information.  The links are one way which means that each domain controller has two links to each replication partner.  The links can be configured to handle high speed links (fast connections, like you might see between domain controllers in the same site) and slow links (which may be used to link two remote locations).  When the links are configured correctly things work really well, but if you neglect to consider the speed of your Internet connection (on both ends) replication may suffer as a result.

Replicating information across a slow link that is configured to behave like a fast one might be a little less dire to watch than downloading a blu-ray quality video over a dial up connection, but missing information can have rather large repercussions in your environment which may be seen as inability to login, latent access or no access to resources and other things.

Unmanaged replication configurations

By this I am not suggesting that you check on replication statuses every day (depending of course on the size of your environment) but you should be looking at it regularly enough to know what is going on and that replications in all directions are happening as you need them to.

Because Active Directory is a multi-master beast, meaning that any machine configured as a domain controller carries just as much weight as any other machine configured as a domain controller, information for an object that has not yet replicated throughout the environment could be a problem.  As in my earlier example, if I created the user object for John Smith, and it failed to replicate to the domain controller in Houston by the time he needed to log in, we might have a problem.

The login would likely happen, but would take a significant amount of time because the most local domain controller didn’t have the information needed to handle the request.
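
One way to do the regular replication check described above, as an added example that is not from the original post. It parses the CSV that `repadmin /showrepl * /csv` prints and reports links that are failing or have not succeeded recently; the sample rows, the domain name, the "Office" site name and the 24-hour threshold are assumptions, and `[pscustomobject]` needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): report replication links that are
# failing or have not succeeded recently, from `repadmin /showrepl * /csv` output.

# Constructed sample rows. DC1/DC2 and Houston come from the post's example;
# the domain name, the "Office" site name and all values are made up.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Office,DC1,"DC=example,DC=test",Houston,DC2,RPC,0,0,2011-06-03 09:15:02,0
showrepl_INFO,Houston,DC2,"DC=example,DC=test",Office,DC1,RPC,14,2011-06-03 09:10:44,2011-05-27 22:01:13,1722
'@

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Lines,  # CSV text, one line per element
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24                            # assumed threshold; tune to your schedule
    )

    $rows = $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        # Failure count; stays 0 if the field is not a number.
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        # A field that is not a timestamp (for example 0) means no recorded success.
        $lastSuccess = $null
        if ($row.'Last Success Time' -match '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$') {
            $lastSuccess = [datetime]::ParseExact($row.'Last Success Time',
                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        }

        # Report the link if it has failures or its last success is too old.
        $stale = ($null -eq $lastSuccess) -or (($Now - $lastSuccess).TotalHours -gt $MaxAgeHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Source        = $row.'Source DSA'
                Destination   = $row.'Destination DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastSuccess
                LastStatus    = $row.'Last Failure Status'
            }
        }
    }
}

# Offline run against the constructed sample, with "now" pinned to the sample's date.
Get-ReplicationProblem -Lines ($sampleCsv -split '\r?\n') -Now ([datetime]'2011-06-03 10:00') |
    Format-Table -AutoSize

# On a domain controller, feed it live data instead:
# Get-ReplicationProblem -Lines (repadmin /showrepl * /csv)
```

With the sample data only the DC1 to DC2 link is reported, because it shows 14 failures and a last success a week old.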

Misconfigured Firewalls (and other Network issues)

Windows includes a firewall to help keep things out of your environment that shouldn't be there.  I would recommend disabling the firewall on all your Windows computers and servers because it will likely be a bigger headache than you are ready for.  Also because all organizations should use dedicated firewalls to protect their corporate assets from the outside world.

My issue with replication came at the hands of a misconfigured firewall.  The firewall was enabled for a good period of time which caused hiccups in the replication of information throughout my Active Directory environment. The symptoms displayed were the previously mentioned domain trust errors that popped up when logging on or trying to unlock a PC.

In my research and previous experience the best fix for the trust problem is to disjoin the affected system from the domain and delete the computer account from Active Directory.  Then rejoin the system to AD.  Normally this will take care of the symptom.  Not necessarily the problem.

Outages and Equipment Failures

There is the obvious replication issue with failures and downed equipment.  If the replication is scheduled to occur between two systems and one of those systems is down, obviously replication cannot happen.

Working on these issues is an interesting scenario as well.  For the sake of troubleshooting, the usual steps must be followed and checked out; even if the steps do not solve the problem, they will likely help you down the path to correcting the problem.

The moral?

Do not be afraid to check out the functionality of your Active Directory environment.  Be proactive and pay attention to things like replication and group policy settings, keeping up with those tasks before the problem strikes and requires many late nights to correct.  You will still have some long nights working with Active Directory, but they can be worth it, without all the fires.

Getting your feet wet in IT

May 25th, 2011

I learned recently that everybody starts somewhere and helping those interested in starting somewhere seems to me to be something those of us who’ve been doing this for a while should be a little more than interested in.

Sure there is a need for the experience of IT, rebuilding Windows systems (or the OS of your choice) for family and friends will get you started and maybe taking some classes at the community college to get an idea of what all the funky acronyms mean (and finding out that they are all different when you know them) might be something to consider as well.  But what does the new to IT talent need to understand to be comfortable in this business?  This post is going to try and point some of that out, maybe some of the things I wish I would have known when I started out too, just for good measure.

Be careful what you wish for

In any new career path there are bells and whistles that you see from the outside that get you very interested in what might be going on.  Sure there may be some IT pros making gobs of money and doing all kinds of fun things, but you need to be realistic about your own expectations.  Sure you need to get paid, everyone has to eat, but be careful about the amount of work you tackle for the money coming in.  If you set your own rate, be fair but not too cheap.  Sure you can get a lot of potential clients  with a low rate, but you need to evaluate them just like they evaluate you. Making sure the customers are worth your time is a good idea.

Find things you like

Maybe there is a technology that you just like to work with, regardless of how much you use it at a particular organization.  If this is the case, continue to do what you can to learn the technology. Maybe these things become a hobby, but having something that keeps you motivated to keep learning is a great way to start.

For me, at least lately, Windows NT Permissions and Privileges are that thing… this week.  Next week it will likely be something different.

Most of the IT Pros I know live, eat, and breathe some portion of their career.  A particular area they excel in or just plain like is something they cannot get enough of.  I am not sure I have found that specific of an area (other than technology in general).  Maybe being a generalist isn’t quite as bad as it seems, but having some piece of tech that you find fun is always good.

Ask for help if you need it

You cannot know everything there is to know about technology.  Sure you can know a lot about a few technologies.  If you encounter something that you don’t quite understand or need clarification, ASK!  With all of the communication tools available on the Internet, finding someone who can help you is really not as hard as you might think.  Twitter and LinkedIn are great places to start.

The trouble is knowing when to step back and understand that your brain is not going to produce the knowledge that you don’t have.  I am not trying to imply that these things cannot be learned, but this comes from studying, mentoring, trial and error (of which, hopefully there will be a good amount).

One other thing

Another thing that seems to help me learn things: teaching others.  Sure it takes practice and can be a bit of work, but having the guts to help others is a step in the right direction.  Maybe there are people in the room who have more knowledge than you might, but there is something about getting up in front of the room that is good for both sides.  The person on the stage wins just for being up there.  Not to mention there are tons of networking opportunities with those who attend your session(s).

The bottom line is to experiment with technologies and try to learn something new and interesting to you. It will pay off likely in more ways than one.

Share Permissions… a simple pain

April 30th, 2011

I finally got the data migrated to new storage at my organization. The information moved very quickly and went off without a hitch (and minimal yelling/frustration). The one area I found that was not so friendly is the Share Permissions on the destination storage.

I understand that the basic rule of permissions is least privilege, where the most restrictive setting wins. However I apparently missed this idea when configuring the shares where the data would land. As soon as the copy was completed, the email went out to alert the users that the new storage was all set and shortly thereafter, the emails came in that it wasn’t working.

Everyone had read-only access to the newly moved information. Read only is no good. And I proceeded to review all the NTFS permissions and look over all of the items that were copied because there was a problem with the NTFS permissions or how the copy was done (you know, the hard stuff has to be where the problem is).

After several looks at the completed project, and getting nowhere fast, I removed one of the shares using Share and Storage Manager. The removal was to prevent use of the share while I was troubleshooting the problem. When I decided that it was not the problem and that the read access was ok I rebuilt the share… In the wizard to re-add the share I found the options for Share permissions.

Then the light bulb went off…

If the Admins group has full control and everyone else has read only access to the share… the read only problem was right out front. The share was disallowing it. Changing these settings got the problem solved right away.

The lesson here is to think simple. Sure you need to think about the NTFS and more complex items as well, but most certainly do not leave out the easy upfront items because they are simple and likely shouldn’t be the problem. Many times these things will bring headaches that are not worth it… just check one more time. Had I looked into that one more time during prep, the entire migration would have been completed with the scheduled job… no weekend work required (by me at least).
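
A pre-migration check for the situation above, as an added example that is not from the original post: it flags a share where NTFS lets ordinary users write but the share permissions only let them read. The function name, the admin-account pattern, the `EXAMPLE\Staff` group and the sample entries are assumptions; the sample mirrors the post's case of Admins with Full Control and everyone else with Read at the share.

```powershell
# Added example (not from the original post): spot a share whose share-level
# permissions are narrower than the NTFS permissions on the folder behind it.

$fsr = [System.Security.AccessControl.FileSystemRights]

function Find-ShareBottleneck {
    param(
        [Parameter(Mandatory = $true)] [string]   $Name,
        [Parameter(Mandatory = $true)] [object[]] $ShareAccess,  # AccountName, AccessControlType, AccessRight
        [Parameter(Mandatory = $true)] [object[]] $NtfsAccess,   # IdentityReference, AccessControlType, FileSystemRights
        # Assumed pattern for accounts to ignore; adjust to your own admin groups.
        [string] $AdminPattern = 'Administrators$|Domain Admins$|\\SYSTEM$|^CREATOR OWNER$'
    )
    $write = [System.Security.AccessControl.FileSystemRights]::Write

    # Share-level Allow entries for non-admin accounts, and those that permit writing.
    $userShare = @($ShareAccess | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccountName)" -notmatch $AdminPattern })
    $shareWrite = @($userShare | Where-Object { "$($_.AccessRight)" -match '^(Full|Change)$' })

    # NTFS Allow entries for non-admin accounts that include write access.
    $ntfsWrite = @($NtfsAccess | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.IdentityReference)" -notmatch $AdminPattern -and
        ($_.FileSystemRights -band $write) -eq $write })

    # Access over the network is limited by both layers, so NTFS write behind
    # a read-only share still leaves users read-only.
    if ($ntfsWrite.Count -gt 0 -and $shareWrite.Count -eq 0) {
        [pscustomobject]@{
            Share       = $Name
            ShareGrants = ($userShare | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            NtfsWriters = ($ntfsWrite | ForEach-Object { "$($_.IdentityReference)" }) -join ', '
        }
    }
}

# Constructed sample entries (not real ACLs).
$shareAcl = @(
    [pscustomobject]@{ AccountName = 'BUILTIN\Administrators'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ AccountName = 'Everyone';               AccessControlType = 'Allow'; AccessRight = 'Read' }
)
$ntfsAcl = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; AccessControlType = 'Allow'; FileSystemRights = $fsr::FullControl }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Staff';          AccessControlType = 'Allow'; FileSystemRights = $fsr::Modify }
)
Find-ShareBottleneck -Name 'Data' -ShareAccess $shareAcl -NtfsAccess $ntfsAcl | Format-List

# Live use (assumes Windows Server 2012 or later, where the SmbShare module exists):
# Get-SmbShare -Special $false | Where-Object Path | ForEach-Object {
#     Find-ShareBottleneck -Name $_.Name -ShareAccess (Get-SmbShareAccess -Name $_.Name) `
#         -NtfsAccess @((Get-Acl -LiteralPath $_.Path).Access) }
```

The check compares entries by name only and does not resolve group membership, so treat a hit as a prompt to look at the share permissions, not as a full effective-access calculation.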

TechRepublic Post – ADManage Plus

April 30th, 2011

Active Directory is a huge environment and infrastructure to manage, regardless of the size of your environment.  ManageEngine has put together a great tool to help administrators keep their organizations moving.  Check the link below to TechRepublic for the details.

TechRepublic Post – Sysinternals II

April 23rd, 2011

Because of the popularity of Sysinternals, I discovered a few more of their utilities that were more than useful in my job.  This post on TechRepublic highlights a few more Sysinternals utilities.

TechRepublic Post – Sysinternals

April 16th, 2011

Sysinternals has a great set of tools available to make working with Windows easier for administrators.  In a post at TechRepublic.com I took a look at some of the utilities available from Sysinternals.

Virtually ready to test Windows Storage Server 2008 R2

April 6th, 2011

My plans for reviewing/playing around in Windows Storage Server 2008 R2 have been quite up in the air lately, but may finally be coming to fruition, although differently than I originally planned.  Since I have installed an EMC Celerra as my organization's primary storage, I thought testing a WSS front end to that system might be appropriate.  In a previous post, I was planning to test this in my home lab, but given the considerations I am looking at for my organization, testing there makes loads more sense.

Initially, I was going to create CIFS shares on the EMC and push those out to the users, purely for the ease of use that comes with CIFS.  Then I got to thinking, in our previous/current environment the WSS 2003 server is providing much the same access to files and other tools allow for the monitoring of files and folders on the shares.

With this additional monitoring capability, which we already own, and more robust storage on the back end, maybe Windows Storage Server 2008 R2 is something to consider.  The only caveat here, at least for me, is that once the testing is over and the pony up phase begins, I will not reduce the footprint in the closet because there will need to be an appliance running Storage Server.

Since I am going to test things first using a virtual machine, I will leave the worrying about footprint and power and all of that until I get closer to knowing what makes the most sense.  In a decent sized virtual environment, with the right hosts I do think a virtual appliance version of WSS would be a nice thing to consider, but we’ll see how the testing goes.
