Lessons Learned

Things I wish I had known…

March 14th, 2007

Microsoft Updates - March 2007

Just when you thought you weren’t going to get any updates from Microsoft in March of 2007 (some speculated this was a result of the DST fiasco, but maybe not), Microsoft announced on March 13 that Windows 2003 Server SP2 was available. Not only is it available on Windows Update, but two other updates are present as well.

For more information about the SP2 release, see my post on my business blog. There are some interesting gotchas related to SP2, and not just on the SBS platform…

October 24th, 2006

Time for Centro

For those who have heard the rumblings in the ether, it’s nearly time for the world to be introduced to a new server product codenamed Centro. Not to be confused with Cerebro, Centro is being positioned as a “mid market” server similar to SBS. Or at least that’s what the scuttlebutt is. If you are really dying to know what Centro is all about, you can head on over to Kevin Beares’ blog and sign up for the techbeta for the product. Be warned, though. The product requirements are hefty - 3 64-bit servers are needed to participate in the techbeta. So if you really want to know what’s going on well ahead of the rest of the universe, pop on over and accept Kevin’s invitation. You can also see the MS Press release about Centro to get more info without committing to the techbeta.

May 22nd, 2006

First Observations - Intel-based Macs

I originally posted this on my business-focus blog, but thought it would be of interest to readers of this blog as well. This is the first post in a series on the new Intel-based Macs.

I have to admit that when I heard Apple was releasing a new series of Macs based on the Intel chip, I was a little befuddled. For years, one of the claims to fame of the PPC and G-series CPUs was that they ran circles around the Intel equivalents in terms of performance. Soon enough, I started hearing about how Apple had, once again, done a fabulous job of porting their entire solution to a completely different hardware structure (à la Motorola 68000 CPU architecture to PPC architecture) in a way that was seamless to the end user. Then there were reports that you could actually install Windows XP and run it on one of the Intel-based Macs, some reports indicating that Windows even ran better on an Intel-based Mac than on your average name-brand Windows-only PC.

Then two announcements caught my attention. The first came from Apple, introducing a public beta of a software known as Boot Camp. The second came from a company I had previously not heard of called Parallels, announcing a solution that would allow you to run non-Mac operating systems in a virtual environment on Intel-based Macs.

Needless to say, my curiosity was piqued, and I started my research. That, combined with several queries from my mixed environment clients, prompted me to acquire an Intel-based Mac and do my own research. What follows are my initial observations of the solutions.

February 16th, 2006

Malware Tools

Here’s a list of tools I use to do malware analysis and cleanup:

Trend Micro Sysclean package (command-line tool, scroll down to the Sysclean Package link) - http://www.trendmicro.com/download/dcs.asp
Virus pattern files for TM command-line tool: http://www.trendmicro.com/download/viruspattern.asp

XP Bootable CD - BartPE+XPE (reatogo build) http://www.reatogo.de

Spybot Search and Destroy - http://www.safer-networking.org/

Microsoft Anti-spyware (now called Windows Defender) - http://www.microsoft.com/athome/security/spyware/software/default.mspx

RootKit Revealer from Sysinternals - http://www.sysinternals.com/Utilities/RootkitRevealer.html

November 12th, 2005

Another reason NOT to use a public DNS name as your internal domain namespace

I was called in to work with a client this week who was having some trouble with employees who were connecting to the network via VPN. The basic problem was this: when the employees made a VPN connection and tried to load the companyweb web site, they got directed to someplace else altogether. When they tried to connect to companyweb from machines on the internal network, no problems.

The core problem boiled down to the internal domain name space. It was the same as their public DNS name. I.e., their internal domain was smallbizco.net (not their real domain) and their public domain was smallbizco.net.

I was able to give them a workaround (use the URL https://SBSserverIPaddress:444/) since they couldn’t implement the real solution, which is to rename the internal domain with a private, non-routable namespace (such as smallbizco.local or smallbizco.lan).

Every SBS consultant worth his or her salt will tell you that you never, EVER use a public domain name for your internal domain name. DNS lookup failures, like the ones experienced here, are the reason why. And had this client set up the internal domain name correctly, they could have avoided this problem.

However, the real reason WHY it was failing was because of what I now believe is a flaw in the way Windows handles VPN connections, not only because they used a public DNS namespace for their internal domain. What follows is how I determined that the problem lies with Windows and not solely with the client.

January 19th, 2005

A Different Look at Computer Security

If I were to ask you where your biggest computer security threat was for your organization, what would your answer be? Viruses? Spyware? Internet attacks? Spam? Weak passwords?

All of these items are valid security threats to your organization, but you may be surprised to know that even though you have protected yourself at your server and your connection to the internet, you are still vulnerable to each of these threats. Your biggest risk comes not from external attacks, but from within - at the internal desktop or laptop PC.

January 6th, 2005

More on GPOs

I’ve had several electronic discussions with people of late about GPO use and editing. One of the mailing lists I’m on had a discussion about where to get information or books on GPOs. I’ll include those links at the end of this post for reference. In another forum, I’ve been following the discussion of someone who is currently denied access to edit GPOs, likely because he made changes to the Default Domain Policy but is not sure what he changed or how to change it back.

December 26th, 2004

Fixing the “.local” Problem in Mac OS X

When Apple implemented Rendezvous in OS X, they chose to use a non-public domain naming scheme to keep Rendezvous traffic local. Unfortunately, “.local” is exactly the naming scheme they chose, which happens to be the very domain structure Microsoft recommends for naming internal networks. No problem, right? Except that Rendezvous uses a multicast DNS lookup, and Microsoft DNS servers don’t know how to respond to multicast requests. Hence, if you have a Windows “.local” domain with Macs, the Macs cannot use DNS to look up internal DNS resources.

In Mac OS X 10.4, Apple changed Rendezvous to Bonjour, and while it still uses the .local namespace, it is smarter about DNS lookups than Rendezvous. Chances are that if you’re running OS 10.4 and getting your IP configuration from the DHCP server of the SBS box (or other Active Directory DNS server that’s properly configured), you won’t need the steps in this document.

There are a number of ways to work around this, but the best solution, short of renaming your Windows internal domain to something other than “.local”, is to disable multicast DNS for the .local domain on the Mac. Here’s how.

December 25th, 2004

Group Policy Objects 201

There is one really important aspect of modifying Group Policy that probably needs to go in the GPO 101 post, but it’s important enough that I’ll post about it here.

Never, EVER modify the Default policy objects. There’s a reason they’re called Default, and they should stay that way.

December 23rd, 2004

Group Policy Objects 101

Group Policy Objects in Active Directory are a fabulously beneficial feature that can sometimes be ferociously frustrating as well. With great power comes great responsibility (someone please slap me for that), so before you plunge headlong into working with GPOs, you should probably have a basic understanding of how GPOs work. The remainder of this entry is adapted from material I contributed to MCSE Exam 70-294 Study Guide and DVD Training System: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure in Chapter 9, Working with Group Policy in an Active Directory Environment.