Lessons Learned

Things I wish I had known…

October 28th, 2007

System State Backups

There are a lot of changes happening in the backup industry as the space begins to move away from tape as the primary backup medium and starts using hard disks or network storage instead. Several vendors are now offering backup tools that rely on imaging technologies instead of file-based backups. I have started migrating many of my clients over to image-based backup tools, in fact.

But there’s still one thing that you really, really need to do when working with image backups - System State Backup. This is a special backup process that backs up Active Directory and other key server information such as the registry and other Windows configuration settings. I can’t count the times I’ve run across a situation that would have been easily resolved by restoring a system state backup. AD corruption, GPO corruption, etc. Sure, you could restore the entire C: image with your imaging tool, but then you lose any other data that was added to the drive following the backup.

But there are also some cases where an image-based backup fails to do its job. I spoke briefly with someone today who was having trouble because the image-based backup tool he was using was not correctly restoring the data to the system partition and the system was not bootable. He had gone around and around with the vendor of the backup software, and they could not get it to work. My first question to him was “do you have a system state backup?” Unfortunately, no. If he’d had a system state backup, he could have done a core install of the server OS, restored the system state, then gone into the backup software and done a file-based restore of the remaining contents of the system partition.

A system state backup can be captured very easily from ntbackup on a server, and can be saved to a file on local disk or on a share to another machine on the network. Either way, the backup file should be stored someplace that it can be easily accessed in case a restore is needed.
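The ntbackup command line makes the capture described above scriptable, so it can run on a schedule rather than relying on someone remembering the GUI. The batch file below is an added example, not part of the original post: it writes a System State backup to a local staging folder and then copies the .bkf to a share on another machine, which is the off-box copy the post recommends. The folder D:\Backups, the share \\backupsrv\sysstate$, the en-US date layout of %DATE%, and the NIC-free assumptions about the environment are all placeholders, not anything from the page.

```batch
@echo off
rem Added example (not from the original post): scripted System State backup
rem with ntbackup on Windows Server 2003, copied off-box afterwards.
rem Assumptions (placeholders, not from the page): D:\Backups as the local
rem staging folder and \\backupsrv\sysstate$ as the remote share.

setlocal
set STAGE=D:\Backups
set DEST=\\backupsrv\sysstate$

rem Build a YYYYMMDD stamp from %DATE%. This assumes the en-US format
rem "Ddd MM/DD/YYYY"; adjust the substring offsets for other locales.
set STAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%
set BKF=%STAGE%\systemstate-%COMPUTERNAME%-%STAMP%.bkf

if not exist "%STAGE%" mkdir "%STAGE%"

rem "systemstate" covers Active Directory (on a DC), the registry, SYSVOL,
rem the COM+ catalog and the boot files.
rem /J = job name in the backup log, /F = destination .bkf file,
rem /L:s = summary log, /V:yes = verify the data after writing it.
ntbackup backup systemstate /J "System State %COMPUTERNAME%" /F "%BKF%" /L:s /V:yes

rem ntbackup's exit code is not a reliable success signal, so check the
rem artifact itself: the .bkf must exist and must not be empty.
if not exist "%BKF%" (
    echo System State backup FAILED on %COMPUTERNAME%: no .bkf written >&2
    exit /b 1
)
for %%F in ("%BKF%") do if %%~zF EQU 0 (
    echo System State backup FAILED on %COMPUTERNAME%: empty .bkf >&2
    exit /b 1
)

rem Second copy off the box, so the backup is still reachable when the
rem system partition itself is what needs restoring.
copy /Y "%BKF%" "%DEST%\"
if errorlevel 1 (
    echo Backup written to %BKF% but copy to %DEST% FAILED >&2
    exit /b 2
)

echo System State backup complete: %BKF% (copy on %DEST%)
endlocal
```

Schedule it with the Task Scheduler under an account that can write to the share, and test a restore occasionally: on a domain controller, restoring System State means booting into Directory Services Restore Mode first, so the DSRM password needs to be somewhere you can find it when the server is already broken.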

April 20th, 2006

Firewalls

Some lessons are learned once, some you learn over and over and over again. Case in point:

A client needed assistance installing an SBS 2003 server into an existing Windows 2003 domain. He had looked at the documentation in the Microsoft KB 884453 but decided he wanted my assistance with the process. So I get to the site and start going through the process.

There’s one key piece of information missing from the KB, however, when you use the SBS 2003 SP1 integrated installation media. When installing the server portion, the setup enables the Windows Firewall on the NICs in the server so that no bad stuff can get in. This is a wonderful change from the original install media, where you really had to disconnect the NICs from any live network during the install to make sure that the box didn’t get hammered by Blaster or Slammer or any other threat that SP1 protected against. But I overlooked it. So when I did the dcpromo, the box came up on the network correctly. When I installed DNS, it installed correctly. But I could not get the two DCs to replicate.

Fortunately my friend Wayne helped me find what should have been an obvious step in the process for me - can you ping both machines by FQDN from each other? I could ping the existing server from the new server, but the old server could not ping the new server. When I went in and disabled the Windows Firewall on the NIC in the new server, replication started happening immediately and the remainder of the installation process finished successfully.

So add this one to your hat - when you follow MS KB884453 and you’re using SBS 2003 SP1 integrated installation media, you need to turn off the Windows Firewall on the NICs to let replication complete.
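The check that found the problem (ping by FQDN in both directions) and the fix (turn off the Windows Firewall on the new server's NIC) fit in a short batch file. This is an added example and not from the original post or the KB article; the DC names olddc.example.local and newdc.example.local, the NIC name "Local Area Connection", and the use of repadmin (which on Server 2003 comes from the Support Tools) are assumptions, not details from the page.

```batch
@echo off
rem Added example (not from the original post): run on the NEW SBS 2003 SP1 server
rem after dcpromo when replication to the existing DC is not happening.
rem Assumptions (placeholders, not from the page): the two DC FQDNs and the NIC name.

setlocal
set OLDDC=olddc.example.local
set NIC=Local Area Connection

rem 1. Name resolution and reachability by FQDN from this side. Run the same
rem    ping from the OLD server too: in the post the failure was one-directional,
rem    which is exactly what a host firewall on one box looks like.
ping -n 2 %OLDDC% >nul && (
    echo OK: this server can reach %OLDDC% by FQDN
) || (
    echo FAIL: cannot ping %OLDDC% by FQDN - check DNS before touching the firewall
)

rem 2. Show the firewall state the SP1 setup left behind, so the cause is
rem    visible before anything is changed.
netsh firewall show opmode

rem 3. Turn the Windows Firewall off on the LAN-facing NIC. The ISA or edge
rem    firewall in front of the SBS box is still doing its job.
netsh firewall set opmode mode=DISABLE interface="%NIC%"

rem 4. Kick replication across every partition and confirm the partner shows up
rem    without errors (repadmin is from the Windows Support Tools on 2003).
repadmin /syncall /e
repadmin /showrepl
endlocal
```

If the firewall was the only thing in the way, /showrepl lists the existing DC as an inbound neighbor with a recent successful sync. The post's point is to get replication to complete, so once the install is finished, decide deliberately whether the NIC should stay unprotected; netsh firewall set opmode mode=ENABLE interface="Local Area Connection" turns it back on, and the replication ports can then be opened as exceptions instead of disabling the whole thing.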

March 29th, 2006

Blank Password == Bad Idea

I fielded a call recently from someone who was having trouble joining a set of Macintosh workstations to the domain in his SBS-based network. He had followed the instructions on this blog as well as in the SBS 2003 Unleashed book, but was still having issues.

We went through the usual suspects: DNS (configured correctly, got lookups from AD just fine), SMB signing (able to access shares on the server with no hiccups), and the Directory Access configuration. No matter what he tried, when he clicked the Bind button in Directory Access to join the domain and entered the administrator username and password, Directory Access would get to step 3 of the process and give a password error.

I asked if he was using any special characters in the Administrator password, and that’s when he told me that the Administrator password was blank. As soon as we set the Administrator password to something other than blank, the Mac joined the domain immediately.

This is not the first time I’ve run across network operations that break when there is no password on the Administrator account. I didn’t ask if he was using a blank password while setting up the system, or if they use a blank Administrator password as normal practice. Bottom line, the password on your Administrator account should be the most complex and most secure password on the network. This is the account that hackers will try first when attempting to compromise security on your network, and an empty password is one of the first that they will attempt to use.

December 28th, 2005

SBS 2003 Unleashed

I’ve been a little out of pocket this week with the holidays and family in from out of town, but I went through several mailing lists this morning and saw several messages asking for clarifications about the Microsoft Small Business Server 2003 Unleashed book. In this post, I’ll briefly discuss some of the structure and thought processes behind the book, which will hopefully address most of the questions that have been asked.

June 13th, 2005

Trackbacks and Updates

Another relatively useful technology goes “boom.”

February 21st, 2005

Backup, Backup, Backup. Did I mention Backup?

My earlier post on the outbound mail woes I’ve had was delayed a couple of hours because I had to completely rebuild my blog site. Completely. Reinstalling the blog software and everything. Fortunately, Movable Type has a nice little import/export feature that I was able to use to back up (export) my blog contents to a text file before I blew away the installation and started over. And, after I got Movable Type reinstalled and reconfigured, I was able to restore (import) my blog posts in one step and it was as if the site never had a hiccup.

But it got me to thinking about my web space provider and what type of backups they provide for the site. In this case, since this is dynamic content generated by Movable Type and not by Dreamweaver, I don’t have a local set of files I could re-upload in case of server drive failure. So I’m off to explore the backup/restore options my web host provides should there be a catastrophic error someday. In the meantime, I’m doing an export of my blog contents before every blog post, just to make sure.

January 19th, 2005

A Different Look at Computer Security

If I were to ask you where your biggest computer security threat was for your organization, what would your answer be? Viruses? Spyware? Internet attacks? Spam? Weak passwords?

All of these items are valid security threats to your organization, but you may be surprised to know that even though you have protected yourself at your server and your connection to the internet, you are still vulnerable to each of these threats. Your biggest risk comes not from external attacks, but from within - at the internal desktop or laptop PC.

January 6th, 2005

More on GPOs

I’ve had several electronic discussions with people of late about GPO use and editing. One of the mailing lists I’m on had a discussion about where to get information or books on GPOs. I’ll include those links at the end of this post for reference. In another forum, I’ve been following the discussion of someone who is currently denied access to edit GPOs, likely because he made changes to the Default Domain Policy but is not sure what he changed or how to change it back.

December 11th, 2004

SATA Still Not Ready for Prime Time

I really haven’t kept up with hardware over the last 7 or so years like I used to. So the big move to Serial ATA (SATA) went past without my noticing. Honestly, I really don’t know much about SATA other than it’s supposed to be a cross between SCSI and IDE - more robust and RAID-able like SCSI but lower cost like IDE. Really, it’s probably a pretty cool technology, and I should look into it and become more knowledgeable about it. Could have some interesting home applications.

December 9th, 2004

Lessons Learned

My latest blog effort, Lessons Learned, will chronicle the different tidbits of knowledge that I pick up daily as I go through my new life as an independent consultant. Some tidbits will be technical, some business, some random, etc. Some may be of interest to the general public, some not. All will be flavored with a heavy seasoning of “Q” to boot.

Here we go…
