Using Key Management Servers to help with licensing and activation

July 9th, 2011

Microsoft is making license activation and the subsequent management of these licenses much less aggravating. The Key Management Server (KMS) affords a single point of activation for volume license clients that lives within their network. This helps organizations in a few ways, the biggest of which, in my opinion, is ease of management. The service works like this:

An administrator for the organization purchases some volume license agreements and receives both the KMS key and its old-school counterpart, the Multiple Activation Key (MAK). Instead of using several different MAK keys to activate all of these client licenses, the KMS service gets configured on one or two servers in the environment. This way the clients can validate against the KMS servers and not decrement any sort of activation count.

The way this works is really not too difficult. The clients that are using KMS keys (the default method in Windows 7 and Office 2010) check in continuously with the KMS Server(s) on the network. Licensing is validated approximately every 30 days to ensure the client can find the license server. If the client leaves the environment and cannot connect, the missing or failed activation notifications start appearing. Once the license has been revalidated against a KMS server, the balloons go away again for at least 30 days.

At first the constant check-in method of licensing seemed very confusing, since I am used to the previous method of volume licensing: one key for all (or a good number of) your clients. When using Key Management Servers, the host machine gets the KMS key installed, which is included with volume licenses. Once this key is installed for each product, the server can begin pushing out licensing to those clients. There is one caveat to this idea: each product that is going to use KMS requires a different client count to be discovered before it will issue a key.

For example, for Office 2010 Professional Plus the minimum count for KMS is 5 clients. When configuring it, you must install 5 clients before keys will be issued. Until this happens, the banner in each application will alert the user that it is not activated. Once five or more clients check in with the KMS server, Office on these clients will receive keys and the alerts will go away.

For Windows Server 2008 R2, the number of clients is also five. Windows 7 Enterprise clients however, require 25 clients to check in with KMS for keys to be issued. This is done to prevent people from installing extra clients to allow KMS licensing to work with fewer actual users.

Because the KMS server communicates with Microsoft licensing via the Internet, it determines whether the host key licensing is active. Then your local server handles licensing and key distribution for clients. Each client will check in with a KMS server every 30 days to request a key. The keys are valid for 90 days, which will allow the occasional traveller to continue using the products if they are out of the office when normal re-activation would occur. If you are in an environment with a great deal of road warriors who do not check in at the home office (physically or via VPN) regularly, using a key provided by KMS doesn’t make too much sense. There are keys included with Volume Licensing agreements for these users; they are called MAK keys and are covered next.
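A check for both ends of the process described above, as an added example that is not part of the original post: on the KMS host, the current client count against the threshold each product needs before keys are issued; on a client, each product's license state and the days left in its current grant. It assumes the built-in Software Licensing WMI classes on Windows 7 / Server 2008 R2 with PowerShell 2.0; the host name in the final comment is a placeholder.

```powershell
# Added example, not from the original post. Assumes Windows 7 / Server 2008 R2,
# PowerShell 2.0 and the built-in Software Licensing WMI classes. Run elevated.

$svc = Get-WmiObject -Class SoftwareLicensingService

# Part 1 (KMS host only): the host issues activations only once enough distinct
# clients have checked in (5 for Server 2008 R2 / Office 2010, 25 for Windows 7).
if ($svc.IsKeyManagementServiceMachine -eq 1) {
    $current  = $svc.KeyManagementServiceCurrentCount
    $required = $svc.RequiredClientCount
    "KMS host count: $current of $required required"
    if ($current -lt $required) {
        "Threshold not reached yet: clients will keep showing activation alerts."
    }
    "Listening port: $($svc.KeyManagementServiceListeningPort)"
}

# Part 2 (any client): every product with a key installed, its license status,
# the KMS host it last used, and how much of the current grant remains.
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace';
                  3 = 'OOT grace';  4 = 'Non-genuine grace'; 5 = 'Notification';
                  6 = 'Extended grace' }

# Office 2010 on Windows 7 reports through the OfficeSoftwareProtectionProduct
# class instead; swap the class name below to query it the same way.
Get-WmiObject -Class SoftwareLicensingProduct -Filter "PartialProductKey <> null" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Product       = $_.Name
            Status        = $statusNames[[int]$_.LicenseStatus]
            KmsHost       = $_.KeyManagementServiceMachine
            # GracePeriodRemaining is reported in minutes
            DaysRemaining = [math]::Round($_.GracePeriodRemaining / 1440, 1)
        }
    } | Format-Table Product, Status, KmsHost, DaysRemaining -AutoSize

# Force a check-in now (what the client does on its own 30-day schedule):
#   cscript //nologo $env:windir\System32\slmgr.vbs /ato
# Point a client at one KMS host instead of relying on DNS discovery
# (kms01.corp.example is a placeholder):
#   cscript //nologo $env:windir\System32\slmgr.vbs /skms kms01.corp.example:1688
```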

Multiple Activation Keys – MAK

These keys more closely resemble the old method of volume licensing, the one-key-for-many-clients scenario. You will not receive one key for all of your clients if the number of licenses you purchase is large, and you still need to purchase a license for every instance of an application. The MAK key only provides you additional activations for the key, not additional licenses.

In large licensing runs, MAK keys might be split into thirds to prevent one key from being used for all of the clients. This is done to cut down on piracy of license keys. When licensing for most clients can be done by KMS this idea makes a lot of sense, especially since fewer MAK keys will be used in that scenario.

Additional KMS benefits

Once you have gotten the Key Management Server set up in your environment, licensing is handled locally. This server will check in with Microsoft initially, but once that is completed, the clients obtain licensing from the server on your network. KMS servers will provide keys to any clients in the environment that request them, which is also a plus.

Suppose I am traveling to a client office and my laptop, which is usually on my desk, uses KMS. If the client runs into its 30-day window while I am onsite at a client, it will look for a KMS server. If the office I am working in has a KMS server, it will issue the key and no functionality will be lost (or lovely warning messages presented).

Any KMS server found can accommodate a request from any client it can communicate with. Since there is no limit on the number of keys provided by KMS, this is a great plus: fewer activation worries and less work for administrators. The key provided by the other KMS server will keep my laptop happy for up to 90 days, even though it will start requesting a key after 30 days.

The benefit here is less management of licensing and activation. Sure you still have to purchase, record, and understand where licenses get used, but with KMS licensing servers, for most of your clients (at least where Microsoft licenses are concerned) the work is done through software with a little work on the front end, but not too much at all after that.

Hopefully this brief look at Microsoft’s Key Management Server licensing configuration will provide enough information for you to consider configuring a KMS server or two in your environment. At the time of this writing, KMS only works with products acquired through volume licensing.

Interesting post about bad software getting on computers

June 22nd, 2011

This morning I read a great post by Ed Bott about what PC and Mac viruses or malware are and how they land on the same PCs or Macs.  This had to come from the idea that “Macs don’t get viruses” that has been floating around since forever.  Because as Bott points out:

“And categories don’t matter. These days, actual viruses are almost unheard of”

Bad software is bad software and platform or label makes no difference.

Of course there are those who see the Mac and the PC differently.  The only real difference is the vendor and the user experience.  Underneath the Mac OS lies Unix… a PC operating system if you take away the cute Mac GUI.  I know there might be some fallout or comments for that Mac comment, but that’s OK, as the point is to reinforce what Ed Bott has pointed out: any computing device can get bad software, and all users (or IT Pros who help users) should take steps to keep their computing device safe.

If you are in the IT arena, I encourage you to share his post with others you know.  Click here to read the whole thing.


Using OmniFocus to get Perspective

June 18th, 2011

As someone who has tried more than once to keep up with the Getting Things Done school of thought I have been looking for a list keeping tool that works for me.  It would have to be something that was easy to use and would be “trusted” so that the use keeps up.  Thus far, nothing has really gotten it done.  I am currently testing OmniFocus from OmniGroup and so far, it is quite the application.

What should OmniFocus be used for?

The idea behind OmniFocus is to manage your lists of actions, projects, and reviewable items.  Because of its portability, I prefer the version for iPad.  It allows an easy way to see what is coming up and what I should be working on wherever I may be.

OmniFocus for iPad does a great job of allowing access to lists but there are features within the Mac application that aren’t natively available on the iPad.

Get some Perspective

Perspectives, on the Mac, are ways to see your lists in a new light.  Suppose you want to see tasks with an estimated time of 30 minutes that you might complete while waiting for an appointment.  You can create a perspective that will show only tasks that meet given criteria other than a context or project.

These are great for getting other looks at what you should be doing, but you cannot use them natively on the iPad.  To use perspectives on the iPad, it will need to sync with your Mac.  In addition, the perspective must be based on a context rather than a project.

Once synced, this new way to look at action lists might help the focus shift to a set of actions that can be accomplished in 30 minutes or less.

I have been an on-again, off-again user of OmniFocus for quite some time, but with the discovery of the perspectives feature and using the application on the iPad, I might be able to keep it up this time.  I certainly hope so.


Microsoft Services in the cloud

June 14th, 2011

Earlier this year I was asked to participate in a customer trial of Microsoft Online Services including Exchange and SharePoint and I decided to give it a go. The biggest piece of the puzzle for me was Exchange 2010.

Being a new Mac owner and getting my feet wet with Office 2011, its connectivity with Exchange 2010 was ideal.  My use for the Microsoft Online Services is for testing and not for everyday business use and/or connectivity.  Overall the configuration of Outlook 2011 for Mac and Exchange 2010 was alright, but I will need to give it another go to feel good about it.

I am glad that those at Apptix and Ivy Worldwide allowed me to participate in the study.  It has been interesting but I feel there is still more testing to be done.  As I get more time I hope to publish more about my findings.

For more information, check out this link: http://mailstreet.communications-services.com/


The more you know

June 13th, 2011

Recently we had an issue with a dead battery in a vehicle.  It was a larger vehicle and attempts to jump-start it with our super fuel-efficient Saturn Ion went nowhere.  Fortunately, my wife has a friend at work who was able to come over and help us out with their also larger vehicle.

Upon jumping the battery we took the car to Auto Zone and everything checked out ok.  The point is not to point out my rather lacking skills with automobiles, but rather to point out that it is ok to lean on or ask for help with things that you do not know much about.

This is certainly the case with IT.  There are just far too many technologies to allow one person to know them all.  When you are unsure, it is ok to make an effort to learn, but at some point asking someone with the knowledge is likely the safest bet.  Not only will it help solve the problem in a quicker fashion, but will allow you to learn from those who help you out.

Remember though to help when others need it

Once you have asked for help with something you do not understand, do not forget or suddenly become too busy to help those you have leaned on with the things you do understand.  In the case of the less-than-starting SUV, if asked, my computer skills are available if needed. It is the least I could do.

Be nice (and helpful) to those around you as you never know when you may need their help.

As an aside, I did get to drive a Cadillac SRX (if only to move it into the garage).

TechRepublic Post – KineticExtend for iPad

June 4th, 2011

KineticExtend is a remote desktop management app for the iPad that works with the KineticSecure backup client.  It allows you to manage other machines from your iPad… check it out below:


Trust. It is an interesting thing in Active Directory.

June 3rd, 2011

This week has been interesting, mainly in that I was reminded about the simple things in Active Directory and how much harder they become when you don’t pay them enough attention.  Replication is much like Ron Burgundy – kind of a big deal.  If you do not pay enough attention to replication between domain controllers in Active Directory, bad things happen.

Sure they seem like small things, but over time, these small things like change in the couch cushions can add up to a big ticket problem.  For me, the issue wasn’t all that bad, but it did take some head scratching (outside the scope of the actual issue) and a brief conversation with someone wiser than I about the symptoms of my issue.

We don’t trust you anymore, go away

Windows 7 is a rather finicky OS (more so than Windows XP, and probably a bit less so than the OS between XP and 7).  Because computers are still objects within Active Directory that access other secured resources within the directory, they too authenticate.  In reality, this means that computers have accounts equivalent to User objects within the AD environment. These accounts allow computers to tell Active Directory that they belong within the environment and should be allowed to access resources.  Just as when I log on to the domain and request access to resources by providing credentials, computers in the environment do the same.

If for some reason, the Domain Controller cannot match the credentials presented by the computer to what is stored in its database, the Domain Controller refuses authentication and presents a message about trust relationships.

I didn’t create credentials for the computer, what the heck do I do now?

When a computer is added to an Active Directory domain its account is established and the password set.  Then the password is managed by the computer and AD and changed automatically about every 30 days or so.  If the computer is no longer trusted by the domain, it is likely that the password is incorrect or has gotten lost in translation causing authentication to fail.

My issue was a replication issue which caused the computer accounts of a few workstations to fail authentication.  Because it is not the best idea to maintain only one domain controller in any Active Directory environment, and because of the way that AD manages information about objects, replication happens.

Perhaps an example will work here.  Suppose I create a user object for John Smith using Active Directory Users and Computers (ADUC) on a Domain Controller named creatively DC1 at my office.  John will be starting his new career as a data entry specialist in my company’s Houston office in a week or so.  Adding the user account for John to a DC in my office works just as well as if I had flown to Houston (or remoted into the DC there) and added the account.  Because replication sends all objects created, maintained, or deleted to all other replication partners within the domain, a user account created in my office on DC1 can be replicated to Houston on DC2 and when John gets to work, he can logon and all is well.

Replication happens in the background and is pretty much out of sight when things are going smoothly, but from experience I can tell you that you should check in on your friend replication regularly.  Maybe not daily, but weekly for sure.  Just to make sure that objects in the directory are being moved around without errors.

What might cause replication problems?

There are any number of settings and configurations that can cause problems with replication.  Surely more than I have seen or have time to list here, but some of the basic things are:

  • Improperly configured links
  • Unmanaged Replication configurations
  • Misconfigured Firewalls
  • Equipment failure

Improperly configured links

When you establish replication between two (or more) Active Directory domain controllers, you create links between them that allow these DCs to exchange information.  The links are one way which means that each domain controller has two links to each replication partner.  The links can be configured to handle high speed links (fast connections, like you might see between domain controllers in the same site) and slow links (which may be used to link two remote locations).  When the links are configured correctly things work really well, but if you neglect to consider the speed of your Internet connection (on both ends) replication may suffer as a result.

Replicating information across a slow link that is configured to behave like a fast one might be a little less dire to watch than downloading a Blu-ray quality video over a dial-up connection, but missing information can have rather large repercussions in your environment, which may be seen as inability to log in, latent access or no access to resources, and other things.

Unmanaged replication configurations

By this I am not suggesting that you check on replication statuses every day (depending of course on the size of your environment) but you should be looking at it regularly enough to know what is going on and that replications in all directions are happening as you need them to.

Because Active Directory is a multi-master beast, meaning that any machine configured as a domain controller carries just as much weight as any other machine configured as a domain controller, information for an object that has not yet replicated throughout the environment could be a problem.  As in my earlier example, if I created the user object for John Smith, and it failed to replicate to the domain controller in Houston by the time he needed to log in, we might have a problem.

The login would likely happen, but would take a significant amount of time because the most local domain controller didn’t have the information needed to handle the request.

Misconfigured Firewalls (and other Network issues)

Windows includes a firewall to help keep things out of your environment that shouldn’t be there.  I would recommend disabling the firewall on all your Windows computers and servers because it will likely be a bigger headache than you are ready for, and also because all organizations should use dedicated firewalls to protect their corporate assets from the outside world.

My issue with replication came at the hands of a misconfigured firewall.  The firewall was enabled for a good period of time which caused hiccups in the replication of information throughout my Active Directory environment. The symptoms displayed were the previously mentioned domain trust errors that popped up when logging on or trying to unlock a PC.

In my research and previous experience the best fix for the trust problem is to disjoin the affected system from the domain and delete the computer account from Active Directory.  Then rejoin the system to AD.  Normally this will take care of the symptom.  Not necessarily the problem.

Outages and Equipment Failures

There is the obvious replication issue with failures and downed equipment.  If the replication is scheduled to occur between two systems and one of those systems is down, obviously replication cannot happen.

Working on these issues is an interesting scenario as well.  For the sake of troubleshooting, the usual steps must be followed and checked out; even if the steps do not solve the problem, they will likely help you down the path to correcting it.
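The usual checks for the causes listed above (links, replication status, firewalls, downed partners) plus a check of the secure channel behind the trust error, as an added example that is not the post's own procedure. It assumes Windows 7 / Server 2008 R2 with RSAT (repadmin, dcdiag, nltest) and PowerShell 2.0; the DC name and domain are placeholders, and the -Repair line is an in-place alternative to the disjoin/rejoin described above.

```powershell
# Added example, not from the original post. Assumes Windows 7 / Server 2008 R2
# with RSAT (repadmin, dcdiag, nltest) and PowerShell 2.0. Host names and the
# domain are placeholders. Run steps 1-4 on a DC or RSAT workstation and step 5
# on the workstation that shows the trust error.

# 1. Replication links and schedule: one line per DC with failure counts and
#    the largest delta since the last successful replication.
repadmin /replsummary

# 2. Every inbound link that has failed at least once, with the reason.
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Last Success Time', 'Last Failure Status' | Format-Table -AutoSize

# 3. Firewalls and other network issues: rather than guessing, test the ports
#    replication needs between two DCs (RPC endpoint mapper, LDAP, Kerberos,
#    SMB). The dynamic RPC range is exercised end to end by step 4.
function Test-DcPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); $true }
    catch   { $false }
    finally { $client.Close() }
}
$peerDc = 'DC2.corp.example'   # placeholder: the replication partner to test
foreach ($port in 135, 389, 88, 445) {
    "{0}:{1} reachable = {2}" -f $peerDc, $port, (Test-DcPort $peerDc $port)
}

# 4. Let dcdiag drive a real replication attempt over RPC (a downed partner
#    shows up here as well).
dcdiag /test:replications

# 5. The symptom: the workstation's secure channel (its computer account
#    password) no longer matches what the DC holds. Verify first; -Repair
#    resets the password in place instead of disjoining and rejoining.
Test-ComputerSecureChannel -Verbose
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'CORP\Administrator')
nltest /sc_verify:corp.example     # placeholder domain name
```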

The moral?

Do not be afraid to check out the functionality of your Active Directory environment; be proactive and pay attention to things like replication and group policy settings.  Keep up with those tasks before the problem strikes and requires many late nights to correct.  You will still have some long nights working with Active Directory, but they can be worth it, without all the fires.

TechRepublic Post – RemoteExec

May 28th, 2011

RemoteExec is a task scheduling powerhouse for Windows environments that works quite well on remote PCs.  Check out the details by clicking below:


Getting your feet wet in IT

May 25th, 2011

I learned recently that everybody starts somewhere and helping those interested in starting somewhere seems to me to be something those of us who’ve been doing this for a while should be a little more than interested in.

Sure there is a need for the experience of IT, rebuilding Windows systems (or the OS of your choice) for family and friends will get you started and maybe taking some classes at the community college to get an idea of what all the funky acronyms mean (and finding out that they are all different when you know them) might be something to consider as well.  But what does the new to IT talent need to understand to be comfortable in this business?  This post is going to try and point some of that out, maybe some of the things I wish I would have known when I started out too, just for good measure.

Be careful what you wish for

In any new career path there are bells and whistles that you see from the outside that get you very interested in what might be going on.  Sure there may be some IT pros making gobs of money and doing all kinds of fun things, but you need to be realistic about your own expectations.  Sure you need to get paid, everyone has to eat, but be careful about the amount of work you tackle for the money coming in.  If you set your own rate, be fair but not too cheap.  Sure you can get a lot of potential clients with a low rate, but you need to evaluate them just like they evaluate you. Making sure the customers are worth your time is a good idea.

Find things you like

Maybe there is a technology that you just like to work with, regardless of how much you use it at a particular organization.  If this is the case, continue to do what you can to learn the technology. Maybe these things become a hobby, but having something that keeps you motivated to keep learning is a great way to start.

For me, at least lately, Windows NT Permissions and Privileges are that thing… this week.  Next week it will likely be something different.

Most of the IT Pros I know live, eat, and breathe some portion of their career.  A particular area they excel in or just plain like is something they cannot get enough of.  I am not sure I have found that specific of an area (other than technology in general).  Maybe being a generalist isn’t quite as bad as it seems, but having some piece of tech that you find fun is always good.

Ask for help if you need it

You cannot know everything there is to know about technology.  Sure you can know a lot about a few technologies.  If you encounter something that you don’t quite understand or need clarification on, ASK!  With all of the communication tools available on the Internet, finding someone who can help you is really not as hard as you might think.  Twitter and LinkedIn are great places to start.

The trouble is knowing when to step back and understand that your brain is not going to produce the knowledge that you don’t have.  I am not trying to imply that these things cannot be learned, but this comes from studying, mentoring, trial and error (of which, hopefully there will be a good amount).

One other thing

Another thing that seems to help me learn is teaching others.  Sure it takes practice and can be a bit of work, but having the guts to help others is a step in the right direction.  Maybe there are people in the room who have more knowledge than you, but there is something about getting up in front of the room that is good for both sides.  The person on the stage wins just for being up there.  Not to mention there are tons of networking opportunities with those who attend your session(s).

The bottom line is to experiment with technologies and try to learn something new and interesting to you. It will pay off likely in more ways than one.

TechRepublic Post – ADAudit Plus

May 21st, 2011

In a previous post at TechRepublic, I looked at ADManage Plus from ManageEngine and was impressed overall with the product.  Here their auditor tool is under the gun.  Click the link to check out the details.
