Saturday, December 17, 2005

Using SSH tunnels with Windows

The other day I was finally able to get an ssh tunnel working that wrapped my remote desktop connection. Why bother with that, you might ask, since RDP is already secured with RC4? Well, because you can wrap your entire session into ssh, whether it is ftp, telnet, or any other plain-text setup.

The trouble I initially had with the free SSH solution was configuring PuTTY. Instead of choosing an arbitrary local port to run the remote desktop from, I was attempting to choose the default port of 3389. Duh, can't open two sides of a port to the same machine and expect to talk to another machine! So if you follow these two links, you too can have your very own SSH tunnel between two Windows boxes:

http://pigtail.net/LRP/printsrv/cygwin-sshd.html
http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

What you will be doing is installing Cygwin with ssh support on your host/server Windows box (or a Linux machine if that is what is desired; not for remote desktop then, but VNC). Cygwin is a Linux-like environment that runs directly on top of Windows. For the ssh client side, you can either set up another Cygwin installation or use PuTTY (at the above link). I say use PuTTY unless you also need ssh access into that machine. PuTTY is about 300KB, very small.
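The port-collision lesson above in code: an added example (not from the original post or the linked pages) that checks the local listening port is free and not the workstation's own 3389 before building the forward. It emits OpenSSH `-L`/`-N` syntax, which PuTTY's plink accepts as well; the host names are hypothetical.

```python
import socket
import subprocess

RDP_PORT = 3389  # the Windows Remote Desktop listener


def port_free(port, host="127.0.0.1"):
    """True if nothing on this workstation is already bound to host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def rdp_tunnel_args(local_port, ssh_host, target="127.0.0.1", client="ssh"):
    """Build argv for an SSH local forward that wraps RDP.

    Mirrors the PuTTY tunnel entry "L<local_port>  <target>:3389".  The
    listener is bound to loopback only, so other hosts on the LAN cannot
    ride the tunnel, and -N opens no remote shell.  Raises ValueError when
    local_port is the workstation's own RDP port (the mistake described in
    the post) or is already taken by something else.
    """
    if local_port == RDP_PORT:
        raise ValueError(
            "local port 3389 belongs to this workstation's own RDP listener; pick another"
        )
    if not port_free(local_port):
        raise ValueError(f"local port {local_port} is already in use")
    return [client, "-N", "-L", f"127.0.0.1:{local_port}:{target}:{RDP_PORT}", ssh_host]


if __name__ == "__main__":
    # Hypothetical host name; once this is running, point mstsc at 127.0.0.1:3390.
    subprocess.run(rdp_tunnel_args(3390, "admin@server.example.org"))
```

Pass `client="plink"` for the PuTTY command-line client; the listen address, port and host arguments are the same.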

Wednesday, November 30, 2005

Mambo or Joomla

I have recently started to roll out these CMSes to schools who want an up-and-running website that is easy to maintain. The nice thing about them is just that. The crap thing is that there doesn't seem to be an easy way "yet" to prevent the general public from registering as a user with your site, or to set various security levels for groups in the front-end/general public.

Of all the various Content Management Systems I have tried out, Joomla is by far the easiest to set up and operate, and to give a crisp, professional feel to. If you are going to set up an interactive website, use Joomla.

Aside from that though, I will link to the two sites that have been cookie-cut with these solutions once they are completed.

Apparently over the last couple of months there was a shake-down between Mambo programmers. This caused the birth of the Mambo Foundation and Joomla. From what I gather, Mambo has been (or is going to be) completely rewritten and is now set out to make money from their efforts (nothing wrong with that). The programmers devoted to the open-source ideologies have continued on as Joomla.

**Update 31/1/06
Some of what I wrote here is inaccurate now. Here is a link to a more recent rundown of the dispute between Mambo's parent company, Miro International, and the old developers who have forked into Joomla.

I know that as an implementor for low-budget organizations, I will continue to stay with the original code which has worked well in the past.

**Update 31/1/06
Hmmmm.... without the same sort of funding going to Joomla, I wonder if they'll be able to keep up in terms of their rebuilding efforts and whether or not an e-commerce aspect will come of it, etc.

http://www.joomla.org


This information may also be of use on Joomla's site:

http://www.joomla.org/index.php?Itemid=44&option=com_faq&catid=7

Lastly Everyone! If you find this software useful, please don't forget to donate!

MDaemon & World Client

One of the schools I support chose MDaemon as their email solution not long ago. It closely tries to emulate Exchange Server, with a couple of nice extras that one would normally pay BIG $/£ for with a "Connector" licence. However, if your organization utilizes any PDAs, BlackBerries, etc., do yourself and your organization a favour and get Exchange. The amount of synchronization issues and incompatibilities with MDaemon eats into support hours very quickly!

BUT, if you do decide to use MDaemon, or you are already blessed with the responsibility of administering one, you will no doubt come across product activation. It tends to work the same as MS's activation, where it is done automatically through the internet. When that doesn't work, a phone call or email gets you the help you need to activate (you have a 30-day limit) within a day or two. Why am I going into all this? If your NIC dies out, or you swap in a new NIC because you are upgrading, you will HAVE TO reactivate. What a pain, yes. What I discovered in the process were some events that began to appear in my DNS logs afterwards.

If you are swapping this out on a domain controller, uninstall the old NIC first. If, like me, you want to make sure the new NIC works first, you won't have done that, and you end up with two NICs on the same box. This gets a bit tricky with DNS events 6701/2, bindings and static IP addresses, so do yourself a favour and uninstall the old NIC first.

Once I had both NICs on the domain controller/mail server, I simply shut the server down and removed the old NIC. The problem with that is the old NIC's settings stay hidden in the operating system's hardware configuration. Any time you go to view your TCP/IP properties, a pop-up dialogue box alerts you to having two NICs with the same IP. If you didn't uninstall the old NIC like you should have, you can do this by going to Add/Remove Hardware and ticking the "hidden" checkbox. You will now be able to remove your old invisible NIC, and avoid potential DNS issues and such.

Tuesday, November 08, 2005

Linux the lonely island

At one of the schools I support we have a *nix box running our filtering proxy as well as an internal website. Having an AD setup, I realized a bit of work needs to be done in order to get people to log in to the website with their AD account. I came across a link on how to do just this step-by-step with YaST, but not Mandrake/Mandriva or any other flavour. It involves using either Samba with winbind or the Kerberos client. I have no experience yet with the Kerberos client, so I think I'll have to try that out. The most recent Samba RPM I can get for Mandrake just doesn't want to do any more than share the top parent folder in Network Neighborhood. Even worse, it will show the files, but not share them!

About this time last year I was running a complete Linux domain with XP clients and roaming profiles. Once set up it all worked a charm, BUT it all came back to TCO and SSO (single sign-on). Some hardcore peeps out there will put it down to not doing it right or being out of my depth. Silliness. Always do what you can with what you have. There is no way to survive as a tech in schools/non-profits without accepting the politics from above that enforce a hodge-podge approach because of their impatience. The time it took to set up network apps and a single point of admin for antivirus took weeks instead of several hours. I found afterwards that when a question or problem arose, I was no longer racking my brain for what the correct man page was to make a tweak to Samba or Wine, etc. What our Linux box has done awesome, though, is our filtering and website (Squid with DansGuardian, and Apache). If you attempt to set something like that up with limited experience, give the distro Karoshi a try. It's aimed towards schools but approaches networks with a corporate lockdown perspective. I still use pieces of that distro in various network setups and it runs great.

Tuesday, October 18, 2005

Active Directory and Backups II

What a complete waste it became. The active directory was so thrashed that there was no way to recover it and make things useful.

That said, I am going to put backups and secondary domain controllers on hold for a while until I've done some more self-educating on the subject.

The new network is in place, however, and humming along quite well. There was a small glitch in getting the 98 machines printing again (had to add their computer names and users to the AD store), but that is now resolved. I ended up reinstalling the 98 dsclient, but I'm not sure if that was necessary. They don't log in to the network.

One of the schools I'm supporting, I hope, will decide it's worth their money to invest in a backup solution aside from ntbackup. Basically, with external drives on the cheap these days and the school's use of multimedia, using ntbackup to back up to DVDs each week is a bit tedious. More on that later, and the solution that gets put in. I don't want to turn this blog into a bitch session (yet, anyways).

MDaemon and Palm Synching with Outlook

Over the past six months one of the networks I support has utilized MDaemon as a groupware solution, which works quite well. For our small organization it scales quite fine (just under 100 users). The only problem has been syncing between a Palm Tungsten T2 and Outlook.

At the time of this writing, the latest software for all is being used. I can't recall the Palm software. MDaemon 8.1.3 and Connector 2.0.4, both of which run pretty smooth. There is one central shared calendar that is used as a "diary" for the entire school day. These events/entries are set to be editable by the owner and two office administrators. Somewhere along the line, the syncing of the Palm seemed to be causing the wiping of any entered data. The first thought may be "Ah HA! Your configuration is set to have the Palm override any settings!" but this is not the case. In fact, there doesn't seem to be any case for it. Very difficult to explain. The only thought I have is that the particular laptop these syncs were coming from ended up being on a computer in an old domain, and the mail server is in a new domain (with the same name).

Personally, I don't see how it could be any more than operator error, as there is nothing in the logs to suggest otherwise.

Tuesday, October 04, 2005

Active Directory and Backups

Whenever you develop a disaster recovery plan, make SURE you keep 3 backups, especially if you are not experienced with developing (not maintaining) an enterprise-level backup system. I got bit by this in the past week. It has been experience well earned, but at a price.

The main computer network I support has no test network. Nor do I have one (yet) at home. I consider this to be extremely important to have through the rest of my career. So as soon as I get the chance, I'm going into the classifieds and getting three cheapy PIII boxes. That will give me the chance to get the majority of the effects of Active Directory replication I need as I shovel through my book kit.

What happened is I have a two-server (plus our Linux web server box) domain setup. I have been performing disaster recovery/backup testing to ensure we don't go out of service because of a duff hard drive (which are now mirrored). The network is a native 2000 domain, but there are still "main controller" roles filled by the first controller. I brought that controller offline while I pulled a different box and hardware up with the backup.

One of the mistakes I made was that I joined the domain and then performed a restore. Don't do this. Boot directly into Active Directory restore mode and nowhere else. At this point I realized that things were not working as they should. The machine name was there and working, BUT nothing was accessible from an Active Directory perspective (roaming profiles). Nor did the antivirus server software want to start its MS SQL engine; that I haven't spent enough time to figure out.

At this point, after doing some digging, I realized removing the master DC computer from the domain may get things going. I did not want to do this with a semi-functioning backup, so at this point I brought the backup offline. When bringing the original master DC back online, the exact same problem for logins arose. The antivirus was fine, the DNS was resolving, and DHCP, after a reauthorization, was back in action. I removed the computer object from the Active Directory store and created a new one, gave it the same permissions, and voila, everything from userland is fully functional.

The problem is Active Directory. It is unhealthy at the moment. From box 1 (the master DC) I can no longer manage AD; I can manage box 2's AD, however. A message appears about switching from domain . to domain contoso.com, which then allows me to manipulate the AD from box 2. From box 2 I can manipulate both domain controllers.

Now in a real-world disaster recovery, I would have forced box 2 to become the master. Doing that, though, means that box 1 may never be brought back into the network. That is not what I want to do, because I was merely "testing" disaster recovery. In the future, the proper steps to follow in order to test complete hardware failure recovery are, to the best of my knowledge, here:

Some of the other nice links I have come across are here, and here.

At this point I will be seeking either help from MS or forums to get my AD back up to snuff.

It's all a work in progress...

What I've figured out I can do is this: because my most recent (only) backup of two weeks ago for our primary DC also holds a full backup of our secondary DC, I can perform a non-authoritative restore of the system state for each DC. Then, hopefully, that will fix the AD store. I am going to perform that this evening and post my results afterwards.

Thursday, September 29, 2005

Roaming Profiles and Printing

If I ever set up another domain with roaming profiles, it will not be in a school that insists on being able to flop any piece of software they so wish on.

A school I support has basically three groups: an admin group, a student/user group, and a teacher/admin group (politics...).

For more than you ever cared to read about, have a peek here.

Basically, I have set up my Application Data, Desktop, and My Documents to redirect individually through Group Policy on a 2000 domain. It works quite nicely, really.

On a side note, if you don't set up a RADIUS server and use wireless, make sure your users sync after login and not before logoff. The link, in my experience, dies before the sync, so you in essence never sync your data. This would make sense, as the wireless link runs through an application/service rather than the actual hardware.

Except... PRINTING! Right now I'm looking for a setting to see if there is a way on the local workstation (XP SP2) to ensure that manually installed local printers stay available while a domain user logs in locally. This doesn't seem to be happening at the moment with the student accounts. It could, however, be that it takes up to 3 logins for all settings to propagate...

Follow-up... It was the damn permissions, as usual. You would think taking a normal domain user and adding them to the local Print Operators group would suffice for printing permissions! Well, not with this Minolta 2300DL driver, anyways (if the driver matters). Nope, it didn't even want Power User on the local machine; that wasn't good enough either for my domain users. Only Admin rights... !!!!! Very frustrating to watch some security slip down the drain...

Tuesday, September 27, 2005

XP Pro SP2

This blog will be where I keep a history of what I feel are significant experiences while I become a Microsoft Certified Systems Engineer.

Currently one of my main problems is running a 2000 domain with roaming profiles. The user accounts do not have consistent printer setup settings for both network and shared printers. The printers are shared either through XP Pro with Service Pack 2 or are installed independently of Active Directory.

I found out the long hard way that having even lightweight terminal services can throw any printers shared through a server box nuts.

Currently the exam I will be studying for is 70-290, Managing and Maintaining a Microsoft Windows Server 2003 Environment.

I already passed 70-270 (XP Professional) a few years back, so I have 5 exams to sit in the very near future.