
Jul 24, 2008 (Only #AD and Enterprise Systems)

With the rising cost of fuel impacting everyone's bottom lines and the increasingly good PR to be had, one of my clients asked me to come up with a centrally controlled power management solution for their Windows XP estate of around 3500 machines.

According to a report prepared for the US Environmental Protection Agency "An organization can save $10 to $50 per computer annually by enabling power management features that place a computer monitor into a low-power “sleep” mode during periods of inactivity". In 2008, the US pays 5p per Kilowatt Hour on average, we pay almost double that at 9.5p (source: www.eia.doe.gov and www.uswitch.com), making the savings between £10 and £50 per monitor, per year give or take the exchange rate fluctuations.

Based on those figures, this represented savings of between £35,000 and £174,000 EVERY YEAR, just in power, just in monitors - not forgetting that those figures do not include the machines themselves and the savings in air-conditioning. Indeed, many businesses only require air conditioning to counter the heat created by all those machines and monitors being left fully powered up.

The main reason Microsoft never implemented Power Management control via GPO is that GPOs are designed to deliver registry integer and string values, whereas Power Management settings are held as binary values. This has meant that the only solution to date is a specialist application (with a custom GPO template) that translates between the GPO-delivered registry integer and string values and the operating system. It's a messy solution at best.

There is an application out there that does GPO based Power Management, but it requires the application to be installed on every machine and a poorly designed Group Policy template; and after testing it for my client I wasn't happy with the functionality or quality, or the number of times I had to reboot my machine after yet another terminal Dr Watson failure. The only other solution I found is poorly written and requires a software deployment mechanism to get it beyond a limited pilot.

So, I designed and created a new solution.

The new solution is completely (and easily) centrally controllable by group membership and allows you to set as many different combinations of Power Management settings across your IT estate as you like (vastly more flexible than GPOs). The new solution allows you to centrally control Power Management on machines that are not logged on and for users after they log on. The new solution uses the built-in Windows XP APIs and applications to guarantee compatibility across all Windows XP Service Pack levels with no crashes or any unexpected behaviour. The new solution integrates totally into Active Directory on Windows 2000, 2003 and 2008 and is completely transparent to users. Although power management settings are, by default, only changeable by members of the local Administrators and Power Users groups, a simple alteration can be made that grants this right to your non-privileged users without further elevation or compromise of your security. A version that can handle Windows 2000 and Windows Vista will be available shortly.

How much is it?
• A one-off consultancy fee to attend your site, install and configure it, and train your administrators. Two days is usually sufficient; more might be warranted in large enterprises with complex environments.
• A subscription fee based on a tiny percentage of the savings to be had, per seat, per year. Significant discounts are available for multi-year subscriptions and large numbers of users.

Please contact me at www.leafgrove.com or using the email link on this entry for more information and discounted pricing.

May 3, 2008 (Only #AD and Enterprise Systems)

The fact that you're able to read this at all can be considered something of a success as I've just finished migrating my various web applications to new webservers running Windows Server 2008. IIS 7 is a whole new ball game, and I don't just mean the incomprehensible admin interface!

The first problem was working out what needed to be installed; in fact, I installed and uninstalled IIS so many times (OK, only 3) that eventually the web service refused to serve even HTML pages and I had to rebuild the server from scratch. Twice. Thank the Lord for unattended installations and VMware ESX 3.5 or I would have gone a little more insane.

So, one working webserver later, I migrated the first of the apps, a basic HTML only site with authentication. So far so good on a few more apps - until I got to my main website www.leafgrove.com, where I "discovered" that CDONTS no longer works and the email contact page was broken as a result. Actually, I discovered this years ago when I moved this app to Windows 2003 Server, but back then all you had to do was find a copy of CDONTS.DLL on Windows 2000 Server SP4+, copy it over and register it. The new solution is CDOSYS and I felt better using that rather than the now very old code from W2K.

A couple of hours (I know, but my ASP is rusty) with my favourite scripting tool (Sapien PrimalScript 2007) and I had written a spanking new email processor and even improved the old processor's functionality. Some testing followed, and we were finally up and away on that site too.

A couple of other sites making use of HTTP redirects had to be tweaked and I was left with the blog.

The blog was fine until you tried to edit or create entries, whereupon you got one of those useless HTTP 500 errors. HTTP 500 is a generic message that the server returns when it's sure something's broken but it's not prepared to tell you what. To get any sense out of it you have to switch off friendly messages in the browser and switch on detailed client-side error messages on the server (not forgetting to switch them off again afterwards!). The problem turned out to be parent paths, which was exactly the same problem I had a couple of years ago when I migrated this blog to Windows 2003 Server. Microsoft disabled parent paths as a security measure, and the correct thing to do is fix the code to remove the ".." where proper paths should be. However, the original issue no longer exists, and as this isn't my code and I don't fancy editing 30-odd ASP files looking for duff includes, I chose to take the lazy route.
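As an added illustration (not the blog's own code): a small Python scanner, written for this post, that finds the classic ASP include directives which only resolve with parent paths enabled and rewrites them as root-anchored virtual includes, so the lazy route of re-enabling parent paths can be avoided. The sample ASP text and the "/blog/admin" virtual directory are constructed for the example.

```python
import re
from pathlib import Path

# Classic ASP server-side include directives come in two forms:
#   <!-- #include file="..\inc\header.asp" -->   relative to the .asp file
#   <!-- #include virtual="/inc/header.asp" -->  relative to the site root
# A "file" include that climbs with ".." only resolves when IIS has
# "Enable Parent Paths" switched on; rewriting it as a root-anchored
# "virtual" include removes the need for that setting.
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE
)

def _segments(path: str):
    """Split an include path on either slash style, dropping empty parts."""
    return [s for s in re.split(r"[\\/]", path) if s]

def find_parent_path_includes(source: str):
    """Return (kind, path) for every include directive that needs parent paths."""
    return [
        (m.group(1).lower(), m.group(2))
        for m in INCLUDE_RE.finditer(source)
        if ".." in _segments(m.group(2))
    ]

def rewrite_includes(source: str, page_vdir: str) -> str:
    """Rewrite '..'-relative file includes as virtual includes.

    page_vdir is the virtual directory containing the .asp file, e.g.
    "/blog/admin". An include that would climb above the site root is left
    untouched so it still shows up on the next scan instead of silently
    pointing at the wrong file.
    """
    def fix(m):
        kind, path = m.group(1).lower(), m.group(2)
        segs = _segments(path)
        if kind != "file" or ".." not in segs:
            return m.group(0)
        stack = _segments(page_vdir)
        for seg in segs:
            if seg == "..":
                if not stack:          # would escape the site root
                    return m.group(0)
                stack.pop()
            elif seg != ".":
                stack.append(seg)
        return '<!-- #include virtual="/%s" -->' % "/".join(stack)
    return INCLUDE_RE.sub(fix, source)

def scan_directory(root: str):
    """Map each .asp file under root to the parent-path includes it contains."""
    report = {}
    for asp in Path(root).rglob("*.asp"):
        hits = find_parent_path_includes(asp.read_text(errors="replace"))
        if hits:
            report[str(asp)] = hits
    return report

# Constructed sample of an admin page's include block (not from the blog).
SAMPLE_ASP = '''<%@ Language=VBScript %>
<!-- #include file="../inc/config.asp" -->
<!-- #include file="..\\..\\lib\\db.asp" -->
<!-- #include virtual="/inc/header.asp" -->
<!-- #include file="local_helpers.asp" -->
'''

if __name__ == "__main__":
    for kind, path in find_parent_path_includes(SAMPLE_ASP):
        print("needs parent paths:", kind, path)
    print(rewrite_includes(SAMPLE_ASP, "/blog/admin"))
```

Run scan_directory against the web root first to get the list of affected files, then rewrite each file with the virtual directory it is served from.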

No worries there then, a click or two later to enable parent paths and all was operational.

Being as this is all new, I would appreciate feedback from those that notice any difference. If your feedback is particularly helpful, I might even come up with a prize or something for your efforts! Just click the email button below or drop me a line at the usual place.

Apr 7, 2008 (Only #AD and Enterprise Systems)

Desktop Virtualisation is the replacement of the traditional desktop hardware with a thin or zero client device that presents only an interface to a Virtual Machine running on VMware ESX/VI3/Virtual Server, Microsoft Virtual Server or some other virtualisation platform (seriously, there are others). You can do this with a PC and a software application, but although useful in a number of situations, that's not what's got me interested.

My experience is currently limited to the Pano Logic Pano Device and Pano Desktop Manager Software v1.1 and later, but I'm voraciously reading whatever I can find about their competitors. Pano is not the only way to skin this particular cat and the industry hasn't yet sorted out the winners and losers in the marketplace.

The Pano device itself is basically an X-Windows terminal that connects to the X Server running on the Pano Desktop Manager (DM). The DM runs CentOS and some clever software that allows the Pano devices to be attributed to a pool of Virtual Machines hosted on (in this case) a VMware Virtual Infrastructure running ESX v3.5. The Pano device is able to find the DM via one of a number of methods, but my favourite is by configuring a special option on the DHCP servers. Once found, the DM registers the device and allows you to 'manage' it from a web application.

When a user powers on the Pano device, they are presented (almost instantly) with a customisable X-Windows logon, which accepts their Active Directory domain credentials. The DM then proxies these credentials to a "vacant" Desktop Virtual Machine (DVM) and logs them in to the terminal services connection provided with Windows 2000 Server, XP, 2003, Vista and 2008. All the standard applications that were installed when the VM was built/cloned are available, and the user notices nothing different from then on. There is some necessary configuration to do with the Active Directory in terms of GPOs, redirected folders and the like to ensure a smooth and integrated user experience, but essentially that's your lot.

So simple, it's a wonder we weren't doing it years ago.

Back in December 2007 I saw a photo of a tiny desktop device designed to provide a connection to a VMware Virtual Machine. This device was manufactured by Pano Logic in the USA and the photo appeared in Windows IT Pro in a write-up of the VMworld show that year.

The idea of Desktop Virtualisation is the replacement of desktop machines with a virtual desktop infrastructure (VDI). This means that all purchase, power and support costs associated with new desktop computers are reduced to the deployment of a smart-phone sized unit on the desktop and re-use of the original screen, keyboard and mouse. The operating system and software licensing costs remain, albeit centralised, but there is no further cost uplift associated with terminal services or Citrix.

I was so impressed with the unit, both in its concept and its design, that I immediately contacted the manufacturers and after some negotiation I managed to secure a sample of the software and hardware. I used my sample to build a test system in my home and from there I personally financed a pilot of the technology into one of my clients. It is very rare that a new technology is impressive enough out of the box for me to attempt to introduce it into a client; I am not paid to take clients onto the bleeding edge. However, the potential for VDI is so great that I felt it would be remiss of me to allow the client in question to miss such a good opportunity.

The first unit cost me around £200 to bring into the UK and even at this price, it compares very favourably with a new desktop computer in many scenarios. Applying the Moore's law-derived rule of technology cost, it is probable that the cost of the desktop units will halve every 2 years, thus making the TCO equation even more one-sided than it is today.

I got the nod today that W2K8 is out and the download (all 3.8Gb for both processor versions) has already started. You (probably) heard it here first, so go get yours!

Aug 31, 2007 (Only #AD and Enterprise Systems)

It's something I hear often these days from clients becoming increasingly frustrated at being unable to find decent quality and skilled IT staff and contractors. It's not at all surprising...

In the last 15 years (and probably long before then), the IT contractor market has gone through a number of cycles, alternating in average quality from "crap" to "excellent".

I started my IT career in 1990, working for a small offshore Merchant Bank. At the time, email systems were starting to gain ground and the PC-based network was replacing the mainframe system. The killer apps of the time were Lotus 123 and WordPerfect. The IT market was bowling along nicely and the people in the market were considered to be a pretty high quality lot.

By about 1992 everyone with 6 months experience in Novell Netware 2 and 3 was calling themselves a "Network Consultant" and running off contracting at £40 an hour. The market got saturated with crap and clients started to get a bit stroppy. The Novell CNE qualification was born out of a desire by Novell (the market leader) to reduce some of the complaints it was getting about its products that turned out to be faulty installs.

The recession bit hard in '92 and didn't really lift until '94. The jobs market for IT contracting shrank dramatically as everyone held their breath and IT projects were put on hold. This had the effect of driving the overpaid numpties back into permanent jobs at whichever company would hire them. Correspondingly, the average quality of those left in the market returned to its previous rating of "excellent".

By about 1996, the IT industry had regained some of its former confidence and the market expanded again. Rates went back up accordingly and with the arrival on the scene of the dotcom game, demand for IT people worldwide exploded. The numpties raced out of their permanent jobs into the contracting market and waited for their new TVR sports cars to arrive. Average quality returned to "crap", and the Labour government decided that IT contractors were far too well-off and introduced IR35; an unsuccessful tax diktat targeting a specific group of people in a decidedly divisive fashion.

All was well in the industry until an abrupt stall around the end of 2000. For those working in the dotcoms (myself included) it was nothing short of apocalyptic as companies imploded all around us. It was happening so fast that a now-famous ex-website was set up to try and keep track of the worst excesses of failure (www.fuckedcompany.com) by posting content from anonymous contributors. Entire staff were getting fired by text message (that really happened at British Amulet Group) and voicemail and jobs were evaporating almost as soon as they were advertised. IT contracting agencies started behaving incredibly badly and everyone suffered as a result. Worse still, big, established companies teetered on the edge of oblivion (Marconi, Lucent and ICL to name three) and some never recovered. The market shrank like an iceberg in the desert and sure enough, the numpties started looking for permanent jobs. Average quality miraculously rose!

This time, however, the clients got a little wise and contractors applying for permanent jobs got some tough questions ("Why do you want to leave contracting, are you having trouble finding work?"). Those of us that were left had to put up with unscrupulous clients (mostly the banks) demanding that rates be dropped or unpaid "holidays" taken. This never happened to me, but then I choose not to work for that type of client.

No thanks to the (still) Labour government's tax policies, the economy has recovered (probably due to the housing boom) and since late 2003 it has gradually expanded to its current point. We've never had it so good; large projects are being announced almost daily and there is so much work around that even the most incompetent numpty (hey Bob!) can get a job as a contractor. Average quality is dropping faster than a Frenchman's trousers, and even the agencies are starting to complain!

So there we have it. There is indeed a lot of crap in the market, and so it will remain until the next economic slump. The trick to landing the best and most interesting roles is to differentiate one's self from the herd. I got myself Chartered, what are you doing?

Aug 16, 2007 (Only #AD and Enterprise Systems)

There are three types of patching policy:

• Pro-active
• Re-active
• Ad-hoc

Pro-active patching is the process by which patches are applied as soon as possible after they become available (subject to testing or industry indicators) and the business benefits from the best possible protection while running the small risk that a patch may prove to be faulty.

Re-active patching is the process by which patches are only applied when an outbreak or failure actually occurs. The risk of an unpatched outbreak or failure is considered to be significantly higher (and growing) than the risk of a faulty patch. Re-active patching places the business at significant risk through loss of data or service, depending upon the nature of the outbreak or failure. A good example of such a risk is the Code-Red and Nimda worms, which caused vast damage among corporate and private systems throughout the world, yet Microsoft released the patch to fix the vulnerability more than 5 months before either threat appeared.

Ad-hoc patching is the process by which patches are occasionally applied in batches to one or more servers. This process brings all the disadvantages of re-active patching while at the same time precluding certain knowledge of the current patching status of any individual machine. Further, none of the benefits of pro-active patching are realised, even when a single server is brought up to date. Ad-hoc patching typically relies on the will and diligence of a small number of individuals (typically, the server administrators) to patch servers when they have cause to visit them for other maintenance works, and convenience allows. Ad-hoc patching rarely follows recommended change control guidelines and is usually performed 'under the radar'.

With the introduction of Sarbanes-Oxley, and equivalent UK and European corporate governance legislation, it falls to senior managers to be personally responsible for the business activities, or inactivity, of any company with employees or shareholders. An outbreak as devastating as Code-Red, Melissa or ILoveYou (all industry firsts in their own right) could have a severe effect on the ability of a company to carry out its business, thus attracting the attention of the authorities. It is therefore clear that re-active and ad-hoc patching strategies are not suitable.

Using Microsoft and Microsoft Windows as an example...

Between 1998 and early 2007, Microsoft delivered in excess of 1800 security updates and a further several thousand other software patches, only 2 of which were found to be faulty enough to cause a serious problem. There has (to date) not been a patch released for the Windows Server 2003 Operating System that was deemed by the industry to cause severe problems.

One of the primary technology concerns of businesses today is the use of a new or as-yet undeclared/unknown vulnerability by organised criminals to extort funds. The authorities can offer no defence against this type of attack, and it is down to the business to take steps to protect itself. Protection undoubtedly includes personal and perimeter firewalling, but must also include a pre-emptive patch management strategy. It is possible that a new vulnerability could be unknown to the vendor whose software is attacked, and the release of an exploit upon an unprepared public is known as a zero-day attack. Only a comprehensive defence in depth policy will provide any protection whatsoever.

As the number of vulnerabilities increases and the exploitation of these becomes more of a revenue stream for organised crime, it is clear that the business is at ever increasing risk of attack. While it is impossible to totally protect against the zero-day attack, the principle of defence-in-depth (i.e. multi-layered security methods) dictates that aggressive pro-active patching is by far the safest and the best course of action.

Aug 7, 2007 (Only #AD and Enterprise Systems)

Over the last few years I have put in at least a dozen resilient DHCP solutions, search this blog for a few of my thoughts on the subject or take a look here for some design tips.

I recently had a strange error occurring when I tried to use the software I wrote years ago to programmatically configure MAC reservations on a new DHCP server.

When I tried to programmatically add the 146th reservation, it failed with a spurious message. When I tried to add it by hand with the GUI (successfully), the "Address Leases" and "Reservations" sub folders both acquired red crosses and the MMC reports that "snap-in failed to initialize". No amount of fiddling would get rid of the red cross on each sub folder, but the DHCP Server continued to correctly give out all the existing reservations.

Even using NETSH to list the reserved IPs failed (netsh dhcp server scope>show reservedip) with the message "DHCP Server Scope Show ReservedIP failed. Parameter(s) passed are either incomplete or invalid.".

Very little is available to Google on this subject, so I was left with Windows Update. The server in question was Windows Server 2003 R2 SP1, so the obvious solution was SP2.

Amazingly enough this fixed the problem. I say amazing as I have built dozens of DHCP servers using Windows 2000 and Windows Server 2003 and never come across this issue. I wonder if it's an SP1 specific issue?

Aug 1, 2007 (Only #AD and Enterprise Systems)

As part of my ongoing general interest in the perfect branch-office infrastructure design, I recently decided to put in DFS-R at home. I created all the namespaces and began replication, only to have the CPU shoot to 100% on DFSR.EXE as soon as I enabled the last replication group.

After checking everything and googling for help, I eventually traced the problem to RDC - Remote Differential Compression.

RDC allows DFS-R to compress the changes to the files in the replication group and send them down the line. It's designed for lots of small files and low bandwidth connections, but not large files (some as large as 6Gb) over 1Gb ethernet where the whole file needs to be sent the first time.

Once I switched it off, the CPU dropped to an average 40% as it concentrated on shunting circa 700Gb from one server to another - rather than trying to compress 120 6Gb files before sending what is already compressed data anyway.

Jul 29, 2007 (Only #AD and Enterprise Systems)

For a number of years I have run what I laughingly call "my server" out of my house.

I first decided I needed a server back in 1996, when two things happened. First, the amount of disk space I needed to fit into my desktop machine exceeded the available real-estate for hard disks, and second, my then best friend (Jimmy) had just bought a computer and needed remote support.

The solution to both problems was the server, a copy of PCAnywhere, some new hard disks, a BNC ethernet strung out of my office window, and finally, getting Jimmy to take the recently vacated rental house next to our place.

Over the years, I acquired more servers and now we're here. The "server" now consists of 2 x multi-processor HP Proliants (one of them x64), around 6Tb of storage (filling rapidly), a UPS that weighs more than me (I hope!) and assorted other machinery; so much so that I've had to move the whole lot out and get some aircon and proper power.

So, you get the picture.

Recently, I decided to move a number of virtual servers to 64bit and in the process rebuild some rather creaky Windows 2003 SP1 boxes to release 2. I wanted to replace my AV solution for Forefront Client Security and use the whole exercise as a proof of concept for a new infrastructure I've designed for Kew Gardens.

So, after a number of weekends and evenings, I'm nearly finished. We now have:

• 2 new x64 Domain Controllers.
• 2 internally facing DNS Servers.
• 2 externally facing DNS Servers.
• 2 Internet connections.
• MS Forefront Client Security (very cool indeed).
• New WSUS solution.
• New MOM 2005 solution.
• New backup solution.
• New database solution.
• 3 DFS-R servers (soon to be 2).
• 2 new print servers.
• New VPN.
• New VMware ESX VI3 solution in eval.
• New aircon!
• Shiny HP Series 1000 rack with new 40A power supply.

Sounds great? Not to Kelly, who doesn't like the password policy or the fact that her laptop gets logged out automatically so the patches can be applied!
