Tuesday 31 August 2010

AOpen S145A Mini-ITX Chassis Power Supply Fans Failing

We purchased quite a number of the AOpen S145A Mini-ITX chassis a while back as they were part of a promo by Intel.

Now that they have been in production for a while at client sites, we are starting to hear complaints about a buzzing or rattling noise coming from the units.

The noise ends up being the power supply fan bearing, or lack thereof, giving way causing the fan blades to rattle about on their spindle.

We have spoken with AOpen but unfortunately we do not have an RMA option with our supplier nor with AOpen in Canada. Our supplier no longer carries the product.

So, what was originally a pretty good deal, is turning out to be not such a good one . . . at least for those of us in Canada.

We will probably end up getting a spec for the fan in the PSU and replacing it with a better fan setup. Hopefully the replacements will last a little longer than six months to a year.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.


Monday 30 August 2010

Client How-To Videos: Camtasia V7 Production and Rendering

We recently purchased some Camtasia licenses for our company to create videos of various user related tasks such as adding multiple mailboxes into Outlook 2010, connecting and using the Remote Web Workplace, RDP via TS Gateway, and others.

The use of Camtasia to create videos specific to each of our clients has had an amazing impact on them. So far, every single time we have created a new video to answer a specific question, or provided an overall guide for everyone in the client’s office, we have received 110% positive feedback.

Camtasia and creating these user oriented How-To videos has become a Killer App in our ability to build a business relationship with our clients.

After capturing the relevant video of the task, we edit the clips in Camtasia studio adding the relevant callouts.

This is the title of a video we just finished producing for a client that signed up for the OWN Hosted Exchange services we provide:

image

Using Camtasia Studio, we can zoom in on certain events that are taking place on the desktop we have recorded to help provide focus for the viewer:

image

Note that the callout provides feedback to the viewer and helps them to know what bits of information are needed for each of the fields. Of course, in the video those bits get filled out right before their eyes!

image

Once we have created the video that we are going to send to our client and upload to the Companyweb SharePoint site, we need to render that video.

In the Task Manager, this is what the rendering does to the Core 2 Extreme QX9650 series system with Windows 7 Enterprise x64 in Processes:

image

This is what the Performance tab looks like:

image

Once the rendering starts, Camtasia is quite capable of pushing this system to its limits. So, any Core i5 or Core i7 based system should be able to do a good job of rendering the project video quite efficiently.

Camtasia does look to take advantage of all 4 cores on this system, so having a quad core system will improve rendering times over a dual core system.

We have a pair of Intel X25-M series SSDs in RAID 0 for this system too. So, in effect the drive subsystem should not be a bottleneck in any way for the rendering process.


Promise VTrak E310sD Firmware Update

The Promise VTrak E310sD that we are deploying to add storage to a Hyper-V cluster running on an Intel Modular Server required a firmware update out of the box:

image

Firmware Version: 3.33.0000.00

Now, the best we can do for a link to the firmware download is twofold:

The reason for that is that Promise seems to change the links that lead directly to a product site, or the links do not seemingly work when copied and pasted from the browser address bar.

Once on the Download Center site, select:

  1. VTrak Ex10 Series
  2. VTrak E310sD (our model number)

We then have a selection of download links associated with the product come up:

image

As of this writing, firmware version 3.34 is the most up to date one.

image

Apple Promise VTrak Caveat

Note that we are working with the Promise OEM product and not the Apple OEM branded Promise VTrak products. There is a completely different firmware set for the Apple branded products.

VTrak Firmware Update

Once the download completes, we extract the contents of the ZIP archive.

In the WebPAM PROe console, we click on the Firmware Update link and “download” the file using the HTTP method there.

image

We then received a warning that once the flashing process starts it should not be interrupted in any way.

A set of progress bars (dual controller) will then show up:

image

Once the update process has completed:

image

The flash upgrade has completed successfully.

It will only take effect at next reboot.

Since we only have the VTrak unit installed, we used the Administrative Tools console to initiate a restart of the VTrak:

image

A warning will pop up indicating that the VTrak will be offline and require us to type “confirm” into a box before it will allow for a restart.

Once a reboot has completed, which took about 5 minutes, we logged on to the WebPAM PROe console and navigated to the Firmware Update tab to confirm that we now had the newest version:

image

Firmware Version: 3.34.000.00

Once our firmware update was complete, we were then ready to move on to the next step of configuring the drives into RAID arrays and logical drives.


Saturday 28 August 2010

Promise VTrak WebPAM PROe – Quick First Time Connection How To

Once we have set up the Promise VTrak E310sD with all of the drives, installed it into the rack enclosure, and powered it up, we need to connect to the VTrak’s management GUI, called WebPAM PROe.

Now, the product manual indicates that we need to use the included serial cables to connect to one of the storage controllers, in this case we have a dual controller unit, and run through a series of command line steps in a terminal session.

VTrak Product Manual v3.2:

image

However, later on in the product manual we find this:

image

VTrak Default IP Address 

. . . The default virtual management port IP address is set to 10.0.0.1.

Thus, the quickest way to get things going without having to work with the serial connection is to use either a laptop or other system (physical or virtual) that can have its IP address changed without impacting the production environment.

We used a laptop for this procedure. We changed the IP address on the laptop to 10.0.0.5 and waited until the settings took.

We then opened a browser and navigated to https://10.0.0.1.

After a moment or two we were greeted by:

image

The defaults for the WebPAM PROe are:

  • Username: administrator
  • Password: password

Once into the console we can navigate to the Port Configuration Settings under Network Management and set the VTrak up for the correct subnet:

image

After clicking Submit the VTrak will reboot.

We then changed the laptop back to obtaining its IP address via DHCP and were able to connect to the WebPAM PROe console and finish setting up the VTrak for our Hyper-V cluster at the new IP address.

Note that we keep a grid of all statically assigned IP addresses that includes the server/appliance/printer’s name, IP address, MAC address, and any other relevant information for quick reference.


Documenting a New Intel Modular Server

We have mentioned in a previous post or two that we were deploying a new Promise VTrak E310sD SAS RAID Storage System (blog category for Promise) to expand the available storage for a Hyper-V Server 2008 R2 cluster running on an Intel Modular Server (IMS).

We ran into a bit of a problem with that particular IMS in that the Modular Server Control (Web based GUI) that runs on the CMM decided to stop responding on us.

That led to a number of different troubleshooting steps along with component replacements before we managed to get to the root of the problem. We will leave that troubleshooting trek for another post as there were quite a few things we needed to do to get things working.

One of the most important steps when it comes to managing a client’s network is keeping an accurate set of audit notes on all aspects of the client’s network infrastructure from hardware through to software.

So, it is important to document things like service tags for client’s Tier 1 servers, the server’s management modules, and more.

Intel Part Number and Serials

For _any_ Intel product purchased through distribution channels, the two most important pieces of information are the following:

  • PBA: Dxxxxx-xxx
  • Serial Number: ABCD1234567890

With those two numbers we are able to initiate an Advanced Warranty Replacement via the Intel Partner Portal after logging in with our Partner account ID and password.

In the case of the Intel Modular Server, there are a number of components that have the above two numbers, so, the simplest thing to do is to document them via the Modular Server Control GUI.

For example, when we are in the Chassis Back view we can click on the Chassis Management Module (CMM) and see:

image

Note that in this view, we are seeing the PBA and serial number for the actual Chassis Management Module. Click on the Midplane tab and we see:

image

The above two numbers are probably the most important numbers to record via Modular Server Control, as the physical PBA and serial number labels are here:

image

Yes, they are hidden behind that divider that resides in the middle of the IMS chassis.

The above picture was taken from the front of the IMS chassis with the compute modules removed. Note the large cooling fan duct work on the right hand side of the chassis that is used to pull fresh air through the compute modules.

Document Feature Activation Information

When it comes to running a cluster on the IMS, we always need to purchase at least the Shared LUN Key feature (P/N: MFSLUNKey).

With the key, we use the Feature Activation page in Modular Server Control to do just that:

image

When we order the feature’s part number through distribution we receive an envelope with a Paper Pack ID. That ID is used along with the Midplane serial number to generate the needed Feature Key by the Intel Modular Server License Key Activation Site. An Intel Partner ID and password is required to access the site.

IMS Components to Document

Documenting the following product numbers and serial numbers should be a part of any IMS deployment:

  • Chassis Rear View
    • Storage Controller Modules 1 & 2 (if present)
    • Ethernet Switch Modules 1 & 2 (if present)
    • Chassis Management Module
    • IMS Midplane
    • Fan Control Boards 1 & 2
    • Power Supplies 1 through 4
  • Chassis Front View
    • Compute Modules 1 through 6
    • Fan Control Module (bottom left)

Thursday 26 August 2010

Intel CPU and Board Compatibility Tool

If there are ever any doubts on whether a particular CPU will work with a specific motherboard, the Intel Processors and Boards Compatibility Tool is the site to check with.

image

We are looking at updating the DX38BT based QX9650 Core 2 Extreme system here in the shop with an Intel Core i7-875K Processor.

And the results are:

image

Given that the i7-875K is unlocked so that we can change the bus and clock frequencies to tweak the CPU’s performance, it is our preference to look for an Extreme series board.

image

We end up with either the DP55SB or the DP55KG.

Now, we need to have two PCI-E x16 slots available for the dual ATI Sapphire 3870 x2 video cards (yeah, a little dated but they run 4 monitors really well).

Both boards have PCI-E 16x slots that share bandwidth with the primary PCI-E 8x slot if something gets plugged into them. Since we are not gaming, there is no real need for the extra bandwidth.

The catch for this situation though is that we also have a SoundBlaster X-Fi PCI series soundcard in this system. Thus, we need a legacy PCI slot to plug the sound card into. So, the DP55KG will fit the bill.

In the end, we will have replaced just the board and CPU and ended up with a good step up in overall system performance for a very reasonable cost.


Wednesday 25 August 2010

Professional Grade Notebooks/Laptops

For many years now we have been selling Acer TravelMate series notebooks as our main portable product line.

They come out of the box relatively clean, meaning that very little third party software is installed on them.

We have been so busy with server related sales and projects lately, that we have had very few notebook sales since late last year. Today, one of our clients is getting set to refresh some of their Acer units so we dropped into Acer’s site to see what was available.

image

Acer TravelMate 5740G-6765

Windows 7 Pro 32 bit, Core i5 520M, 4GB RAM, etc.

Now, the equivalent Acer TravelMate 6593G series notebook we sold at the beginning of this year was about $1,800. Any guesses on what the 5740G would sell for?

If you guessed that it was around $1,100 you would be about right.

How the manufacturer managed to shave close to $700 off the cost of the system is where we have cause for pause.

Since we have had the Toshiba Tecra S10 here in the shop, and a number of S10 series Tecras out with our clients, we are now quite sure that the best quality product for the money, in our opinion, would be the Tecra S11 series available to us at this time.

Yes, there are other manufacturers’ products out there. But, for now, we will see if we can suggest to our remaining Acer laptop based clients that they move over to Toshiba.

BTW, Toshiba (Canadian Web site) makes a Core i5 series tablet that can handle 8GB of RAM in it! The new Tecra S11-011 with an i7 620M and 8GB of RAM would be an ideal virtualization demo machine! Either machine with an Intel 160GB SSD would really step up in performance too.


Tuesday 24 August 2010

Office 2010 OPK is Now a Download

As a registered System Builder with the Microsoft OEM Partner Centre (sic), we gain access to reselling Microsoft’s OEM products.

In the case of Office 2007, we needed to obtain a kit from one of our Canadian distribution points that contained the necessary install media, licensing information, and the deployment toolkit.

Now, that kit is available as a download from the OEM System Partner Centre (sic).

image

After clicking the above link, we see:

image

We have had a few clients that have asked for French language versions of products in the past, but for the most part we deal with English speaking and writing clients.

Once we click on the English download, we are greeted with the following:

image

Answer any of these questions incorrectly, and a rubric shows up indicating that we cannot qualify. So, we went through and made sure we were in the right with the above answers.

Office Starter 2010 is a non-starter for us. ;)

We do not do a lot of OEM licensed products. Pretty much all of the OEM licensing is for one-off situations, as is the case here.

Okay, so we go through and answer the above questions. We then have to sign the System Builder Download License Agreement. It is a bit of a read, so be prepared to either PDF it, or print it off to go through before signing it as the session will likely time out by the time we read it all.

image

Once through all of the above steps, we finally had our download on the way:

image

Once we have the OPK downloaded, we can load the software on a new system and also sell our client a Product Key Card.

From Microsoft:

Purchase a Product Key Card to activate preloaded Microsoft® Office 2010 software on this PC. Product Key Cards provide one installation for one preloaded PC only.

The Product Key Card part numbers for us in Canada are:

  • Office Home Standard 2010: 79G-02020
  • Office Home Business 2010: T5D-00295
  • Office Professional 2010: 269-14834

Now that we have all of that figured out, we can get a PKC for Office Home Business 2010 for our client.


Intel Resellers – Intel Real Server Hunt Contest Started This Week

We have entered these contests before as Intel runs them relatively frequently and they tend to hold a few “Oh, I did not know that” kind of gems.

image

The contest allows us to brush up on some key Intel server product features as well.

And, perhaps we will come away with some SWAG in the process. :)


More Hacked iTunes Stories – Remove That Payment Info

We don’t have any real solutions other than removing any credit cards, PayPal accounts, or other forms of automatic payment stored in the iTunes account.

The other piece of advice is to keep a close eye on those online banking statements and credit card statements to catch any anomalies as soon as possible.

While it may be a bit of a pain to have to enter those payment details _every time_ for those that make regular purchases, it is looking more and more like that little convenience may end up costing _a lot_ of money and pain.

As always, it is very important to weigh the pros and cons of saving any banking or credit card information with any online vendor’s site.

Hat tip:

A how-to remove payment details from iTunes by MowGreen:


In the Event of a Volcanic Eruption:

The following was seen hanging on the wall in a Microsoft Office room in downtown Redmond while helping out at the Puget Sound Small Business Server User Group (PSSBS) last week:

image

Volcanic Eruption

In the Event of a Volcanic Eruption:

. . .

Please note that the above image has been rotated counter clockwise.

Being a prairie boy, the above emergency procedure bulletin was a bit of an eye opener as there were no threats from volcanoes there.

In this case, the point to be made is that we need to be aware of any possible threats to our personal security and wellbeing while travelling outside our borders. A volcanic eruption certainly was not a consideration during my stay in Redmond last week.

Investigating some of the emergency response needs for an eruption has gone on my To Do list so that I can at least be aware of what may or may not be required if something indeed happens on my next trip there!

This type of investigation is not unlike the assessments we would do on behalf of our clients for disaster readiness.

It always pays to be prepared.


Monday 23 August 2010

Some Hyper-V Basics

Here is the answer to an inquiry about Hyper-V when starting from ground zero.

  • Overview
    • RAID 10 is your best friend (lots of I/O) but needs at least 4x drives.
    • 16GB of RAM is better.
      • Gives access to 8GB for SBS 2008+ and a couple of clients including RD RemoteApps on TS and a couple of 7s.
    • Register a domain, or set up a DNS A record for testsbs.yourdomain.com and purchase the GoDaddy cert for that URL.
      • Have an ISP IP handy for it so that one can test things from the Internet which is critical to understanding how things work.
  • Hyper-V
    • Hyper-V on Windows Server 2008 Full
      • GUI install means more updates.
      • GUI install means security openings not in Core.
    • Hyper-V on Windows Server 2008 Core
      • Command Line means fewer updates (There were about 8-12 in the last 6 months that were applicable).
      • Tougher to configure though we do have a guide.
      • Less OS load means more CPU cycles available for Hyper-V = better VM performance.
  • Hyper-V Server 2008 R2
    • Has a built-in “GUI” to eliminate much of the CL work.
      • SConfig on R2 Core with Hyper-V brings up the same.
    • Blog Category list of posts
      • Note the binding order post is important for both Core and H-V Server.
    • Clustering and all of its features are available in this free edition.
  • P2V
    • We have used StorageCraft for restores to H-V.
      • Only one vCPU can be assigned during the restore or performance suffers.
      • Legacy NIC required for initial restore if networking is critical.
      • Hardware clean-up steps same as Hardware Independent Restore clean-up steps.
    • We have used the built-in SBS 2008/v7 backup for restores to H-V.
    • We have used the built-in Windows Server 2008+ for restores to H-V.

The above is an overview or guideline that can be used to build out an understanding of how to work with Hyper-V in all of its iterations.

Other than noting that more cores are always better for the host, the above should be a good start.


SBS v7 – Multi-Monitor Goodness via RDS Gateway (TS Gateway)

One of the neat little advantages of the new RDP protocol version that comes built into Windows Server 2008 R2 and thus SBS v7 is the ability to serve remote desktops out to clients that have multiple monitors and have that remote desktop session _on_ those multiple monitors.

image

The above screenshot is of the remote desktop session from home that has a 22” wide LCD on the right and an older Acer 19” 4x3 standard aspect ratio LCD on the left.

The 22” is sitting on top of a Mini-ITX system, so it is actually quite a bit higher than the Acer thus the shift between the two screens.

The Remote Desktop Connection Setting

To get the multiple monitor setup to work, we need to enable the following setting in the Remote Desktop Connection client:

image

Use all my monitors for the remote session

One thing to keep in mind is that with the additional monitors comes the need for additional bandwidth. As a result, for offices with smaller upload speeds, one will need to keep in mind which users should be able to connect with multiple monitors and which ones should not.

Web Site Animation Caveat

It should also be noted that when browsing the Web from within a remote desktop session, sites that have some sort of animation on them will cause the session to grind virtually to a stop. So, after clicking the next link on the site, be patient as it may take a few rounds of animation for that click to be registered remotely.

Hopefully the next page does not have any animation on it!


Monday 16 August 2010

Remote Desktop Services Web Access on Windows Server 2008 R2

In an e-mail list conversation a while back, my fellow MVP Dana Epp of Scorpion Software made mention of a new ability in Windows Server 2008 R2 that would give the SBS Remote Web Workplace a run for its money.

That new feature is called Remote Desktop Web Access.

This is what the logon page looks like:

image

Once logged in, we will see a list of applications that have been published via RDS RemoteApps:

image

The above applications are installed on our Windows Server 2008 R2 Remote Desktop Services server and are served to the Internet via our SBS v7 TS Gateway.

A neat aspect to this setup is that the page can be customized much like the Remote Web Workplace can . . . though with a little coding involved. So, besides the above applications, we can have links that connect users to their own office computers, or other internally based resources . . . not unlike the way we can customize the Remote Web Workplace on SBS 2008 and now SBS v7.

RD Web Access Publishing

First, we would need to create a new DNS A record for remotewebapps.mpecsinc.ca (example URI), and then purchase an SSL certificate using the IIS CSR on the RDS Web Access site.

Then, with our new Cisco SA 520 Security Appliance gateway we would bind (alias) an additional ISP IP to the WAN interface and create an HTTPS publishing rule to redirect HTTPS traffic on that IP to our RD Web Access server.

It would be pretty close to that simple.

Remote Web Workplace Links

Here are the hyperlinks to the RDP files we have configured for application access via the Remote Web Workplace:

image

RDP File Links

We used the RemoteApp Manager on the Remote Desktop Services server to first publish the applications.

image

Once the applications were published, we could then right click on each one and generate an RDP file. From there, we would copy the RDP file into a subfolder under the /Remote application folder on the SBS v7 server (can be done on SBS 2008 too).

Users can then click on the Outlook link, authenticate, and use the Outlook application on their remote system. All the while, Outlook is actually running on the Remote Desktop Services server.

Or, users can right click on the link and save the RDP file to their Desktop for later quick application access.

Note that we need to add the RDP extension to the MIME Types setting in IIS for the link to fire up the application as expected. Charlie Russel covers this in his book on SBS 2008:

AuthAnvil (AuthAnvil demo video), Scorpion Software’s two-factor authentication product, is an excellent way to provide additional security for both the Remote Web Workplace and RD Web Access.
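A check on the generated RDP files before they are linked from the Remote Web Workplace, as an added example that is not part of the original post: it parses each .rdp file and reports whether the connection is routed through the TS Gateway, whether a saved password blob is present, and whether the file turns on multiple monitors. The gateway name, folder and sample files are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. Names and paths below are assumptions.
$ExpectedGateway = 'remote.example.com'                     # assumed public name of the TS Gateway
$RdpFolder       = Join-Path $env:TEMP 'rdp-audit-sample'   # point this at the real RDP subfolder

# Constructed sample files so the script runs as-is.
New-Item -ItemType Directory -Path $RdpFolder -Force | Out-Null
@'
full address:s:rds01.example.local
gatewayhostname:s:remote.example.com
gatewayusagemethod:i:2
remoteapplicationmode:i:1
remoteapplicationprogram:s:||OUTLOOK
use multimon:i:0
'@ | Set-Content -Path (Join-Path $RdpFolder 'Outlook.rdp')
@'
full address:s:rds01.example.local
gatewayusagemethod:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WINWORD
use multimon:i:1
password 51:b:CONSTRUCTED-PLACEHOLDER
'@ | Set-Content -Path (Join-Path $RdpFolder 'Word.rdp')

function Read-RdpFile([string]$Path) {
    # Each .rdp line is "name:type:value"; type is i (integer), s (string) or b (binary).
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^:]+):([isb]):(.*)$') {
            $settings[$Matches[1].Trim().ToLower()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpFile([string]$Path, [string]$Gateway) {
    $s = Read-RdpFile $Path
    $findings = @()

    # The file should name the expected gateway ...
    if ($s['gatewayhostname'] -ne $Gateway) {
        $findings += "gatewayhostname is '$($s['gatewayhostname'])', expected '$Gateway'"
    }
    # ... and use it: 1 = always, 2 = use the gateway except for local addresses.
    if (@('1', '2') -notcontains $s['gatewayusagemethod']) {
        $findings += "gatewayusagemethod=$($s['gatewayusagemethod']) does not route through the gateway"
    }
    # A saved password blob should not ship in a file users download to their Desktop.
    if ($s.ContainsKey('password 51')) {
        $findings += "saved password blob ('password 51') present"
    }
    if ($findings.Count -eq 0) { $findings = @('OK') }

    New-Object PSObject -Property @{
        File         = Split-Path -Leaf $Path
        Program      = $s['remoteapplicationprogram']
        RemoteApp    = ($s['remoteapplicationmode'] -eq '1')
        MultiMonitor = ($s['use multimon'] -eq '1')   # extra bandwidth per session
        Findings     = ($findings -join '; ')
    } | Select-Object File, Program, RemoteApp, MultiMonitor, Findings
}

Get-ChildItem -Path $RdpFolder -Filter *.rdp |
    ForEach-Object { Test-RdpFile -Path $_.FullName -Gateway $ExpectedGateway } |
    Format-List
```

With the constructed samples, Outlook.rdp reports OK and Word.rdp is flagged for the missing gateway, the disabled gateway usage and the saved password blob.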


Saturday 14 August 2010

Microsoft Word Error – There is insufficient memory or disk space. Word cannot display the requested font.

We just set up a Terminal Services (Remote Desktop Services TS RemoteApps) server with Microsoft Office 2010.

Whenever Word is fired up, it keeps throwing this error when first opened:

image

Microsoft Word

There is insufficient memory or disk space. Word cannot display the requested font.

There were a number of different search results for the error with this one having the key:

Checking the QuickStyles folder under the Office folder we see:

image

There is definitely no sign of the Normal.dotx file that should be there.

So, following the second set of instructions, we created Old.dotx in the above folder, rebooted the Remote Desktop server, and fired up Microsoft Word.

The error did not reappear, though there still was not a Normal.dotx in the folder.

In Word there is an option to Prompt to save to Normal. We enabled that setting and tweaked the defaults for a paragraph, saved the document, and were prompted to save the update to Normal.dotx.

After Word closed, we reopened it to verify that there was no error and indeed no error came up. The Normal.dotx file turns up in the user’s profile so all is good.


Friday 13 August 2010

Credit Card Fraud – MyLife *Reunion-Search 888-7041900

We had a strange charge go through one of our credit cards:

image

Aug 09, 2010 MYLIFE *REUNION-SEARCH 888-704190  75.26

No one in our family is looking for folks to “reunion” with.

The credit card company’s loss/fraud folks had called about this particular transaction as well as a few other transactions that were attempted against the card.

Needless to say, the card is now cancelled and a new one is on its way.

This card was actually one of the last cards in our possession that had kept the same number for longer than two to three years.

Because of issues with fraud attempts against our cards in the past, we tend to call in and ask to have the card number changed or if the credit card company does not like to do that, then have it cancelled outright and reissued once every 12 to 18 months.

By rotating the CC numbers, we help to mitigate our exposure to the folks that trade in CC numbers.


Thursday 12 August 2010

SQL Server Install Error: Rule “Restart Computer” failed.

So, we get this error when we go to install a new instance of SQL 2008 on a dedicated Windows Server 2008 Standard x64 box:

image

Rule Check Result

Rule “Restart computer” failed.

A computer restart is required. You must restart this computer before installing SQL Server.

But, we _just_ restarted it because of that error?!?

A quick search turned up the following:

The Forum post suggests that we look at the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Sure enough, when we look into the registry, we find the culprit:

image

We deleted the content in that key since whatever the HP driver was trying to do it was failing at it miserably.

image

Of course, we Exported the Session Manager key _before_ deleting the content!

When we clicked the Re-run button in the SQL Server 2008 Setup window we were greeted with:

image

Restart Computer: Passed

We were good to go on installing that needed instance.
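The same sequence (look at what is pending, export the Session Manager key, then clear the value) as an added PowerShell example that is not part of the original post. It assumes an elevated prompt; the backup path is an assumption, and removing the value outright is this example's way of deleting the content.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName  = 'PendingFileRenameOperations'
$BackupFile = Join-Path $env:TEMP 'SessionManager-backup.reg'   # assumed backup location

function Get-PendingRename {
    # The value is a REG_MULTI_SZ stored as pairs: source path, then destination path.
    # An empty destination means "delete the source at the next boot".
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) { return }
    $entries = @($prop.$ValueName)

    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $source = $entries[$i]
        $dest   = ''
        if ($i + 1 -lt $entries.Count) { $dest = $entries[$i + 1] }

        # Paths carry an NT prefix (\??\); a destination may also start with '!'.
        $sourcePath = $source -replace '^\\\?\?\\', ''
        $destPath   = $dest -replace '^!?\\\?\?\\', ''

        # A source that no longer exists is a sign the operation can never complete.
        $exists = $false
        if ($sourcePath) { $exists = Test-Path -LiteralPath $sourcePath }

        $action = 'Rename'
        if (-not $dest) { $action = 'Delete' }

        New-Object PSObject -Property @{
            Action       = $action
            Source       = $sourcePath
            Destination  = $destPath
            SourceExists = $exists
        } | Select-Object Action, Source, Destination, SourceExists
    }
}

$pending = @(Get-PendingRename)
if ($pending.Count -eq 0) {
    Write-Host 'No pending file rename operations are recorded.'
}
else {
    # Review first: entries queued by a patch or installer normally clear on reboot.
    $pending | Format-Table -AutoSize

    # Export the whole Session Manager key before touching it.
    & reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg export failed; nothing was changed.' }
    Write-Host "Backup written to $BackupFile"

    # -Confirm makes the operator approve the removal explicitly.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -Confirm
}
```

Entries that are still listed straight after a reboot, or whose source file no longer exists, are the stuck ones; importing the exported .reg file restores the key if the removal turns out to be wrong.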


Wednesday 11 August 2010

Cisco Small Business Pro SA 520 Start to Finish Configuration Time – 30-45 Minutes

Suffice it to say that we are very impressed with the Cisco SA 520 security appliance.

The start to finish configuration of the SA 520 was about 30-45 minutes including the firmware update process.

We set the box to Deny all outbound IPv4 packets by default with IPv6 being disabled for now.

image

We then built in a standard rule set for server based services and client Web access. That rule set was based on the ISA rule set in SBS 2003 as well as Eriq Neale’s and SmallBizServer.net’s articles on setting up an ISA 2006 server to work with SBS 2008.

Before we could create the inbound and outbound rule set, we needed to create a few custom services ports to cover our SBS needs:

image

  • NTP-(UDP) 123
    • The server uses this port to connect to pool.ntp.org to keep its time in sync.
  • SBS2K3-4125 TCP 4125
    • Outbound only, for connecting to the SBS 2003 RDP proxy port.
  • RDP TCP 3389
    • RDP outbound only.
  • SBS_SharePoint-987 TCP 987
    • For publishing our internal Companyweb SharePoint site.
  • SBS2K3_SharePoint-444 TCP 444
    • Access to client’s SBS 2003 Companyweb SharePoint sites.

Once all of our rules are configured we end up with the following outbound and inbound set:

image

Note that the SBS services publishing rules are on the bottom with the ExchangeDefender services server’s subnets (ED Deployment Guide) being the only SMTP sources allowed to travel in to our SBS v7 setup.

BTW, we have slowly stopped paying attention to the SMTP inbound protocol in our previous ISA logging because the longer we have had our e-mail domains on the ExchangeDefender service, the fewer spammers have tried to connect directly to what was once our public SMTP IP.

And, also take note that the rules that have 192.168.Subnet – 192.168.Subnet are actually filters that only allow an internal IP subset to send those protocols out to the Internet. That subset contains the IP addresses of our internal servers.

This setup virtually eliminates any possible rogue SMTP traffic from a system that receives its IP via the SBS v7 DHCP service.
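One way to confirm that the rule set behaves as described is to test it from a workstation that received its address via DHCP. This is an added example, not part of the original post; `$TestHost` is a placeholder for an Internet host you operate, and the expected results are assumptions drawn from the description above.

```powershell
# Added example: confirm the default-deny outbound policy from a DHCP-addressed workstation.
# $TestHost is a placeholder for an Internet host you operate that listens on every port below.
$TestHost = 'egress-test.example.com'

# Expected results (assumptions based on the rule set described in the post):
#   25     - SMTP is limited to the internal server subset, so a DHCP client is blocked
#   80/443 - client Web access is allowed
#   8081   - arbitrary port with no rule, so the default deny applies
$Checks = @(
    @{ Port = 25;   Expect = 'Blocked' },
    @{ Port = 80;   Expect = 'Allowed' },
    @{ Port = 443;  Expect = 'Allowed' },
    @{ Port = 8081; Expect = 'Blocked' }
)

function Test-OutboundTcp {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $attempt = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A silently dropped packet shows up as a timeout rather than an error.
        if (-not $attempt.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($attempt)
        return $true
    } catch {
        return $false      # refused, reset or unreachable
    } finally {
        $client.Close()
    }
}

$results = foreach ($check in $Checks) {
    $open   = Test-OutboundTcp -ComputerName $TestHost -Port $check.Port
    $actual = if ($open) { 'Allowed' } else { 'Blocked' }
    New-Object PSObject -Property @{
        Port   = $check.Port
        Expect = $check.Expect
        Actual = $actual
        Pass   = ($actual -eq $check.Expect)
    }
}
$results | Select-Object Port, Expect, Actual, Pass | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Outbound policy does not match the expected rule set.'
}
```

A "Blocked" result only means something if the test host really is listening on that port, so confirm the listener from an unfiltered connection first.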

We had the SA 520 sitting on the bench with a laptop connected to it. We brought the firmware update over via USB flash drive using the URL set on the firmware update page to get to it fairly quickly.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Cisco Small Business Pro Security Appliance SA520-K9 Arrived

Our ailing ISA 2006 standalone server has been a source of pain once we started our migration from SBS 2003 R2 Premium to SBS v7.

We faithfully followed the following sources for setting ISA 2006 SP1 up for SBS 2008:

As much as we tried to get things working, we always seemed to run into some really strange roadblocks.

Since we are working with pre-release software, it is tough to troubleshoot problems when a third-party product, in this case ISA, is causing hiccups as well.

For example, the Outlook Address Book would download and update on all Outlook Anywhere connected Outlook clients. None of the internal network clients would update. It turned out that removing the proxy setting in IE, thus bypassing ISA, would allow the OAB to download. The catch though is that e-mail based images and Web content would no longer display within Outlook.

Now, there may very well be a reason for the issues, such as a configuration problem on our part (ID10T or PEBKAC), but after struggling with ISA related issues without discovering a solution for the problem, we threw in the towel on ISA working with SBS v7.

So, we ordered a couple Cisco Small Business Pro SA520-K9 security appliances. One will be for internal use and one is going to a small IT shop that has been sending us some significant collaboration based business over the last six months or so.

Out of the box, the SA520 has an IP address of 192.168.75.1 and its DHCP server service is on.

image

The default username and password:

  • Username: cisco
  • Password: cisco

Once we log onto the unit we are greeted with the following “Basic” interface:

image

Having worked with a number of different vendors’ security appliance/Internet gateway devices, the basic interface as shown above is quite refreshing. It is simple and straightforward in its layout and configuration.

Clicking on the Advanced view brings up the following:

image

Again, a fairly straightforward navigation setup that is easy to follow and easy to use.

Change the Default IP Subnet

One of the first things we do with a new gateway appliance after it is first fired up is to change the internal subnet to the destination network’s subnet _before_ disabling the internal DHCP server service.

This way we can release and renew on the machine physically connected to the security appliance and not have to mess around with static IP settings on the laptop NIC.

image

After clicking Apply:

image

Once the appliance rebooted, which did not take very long at all, we released and renewed our IP address on the connected laptop.

When we connected to the SA520 after that we were greeted with:

image

An Active Session already exists for the User ‘cisco’.

If you want to close the other session, please click on the ‘Continue’ button.

Click ‘Cancel’ button to logout.

SA520 Firmware Update

Once we have the correct subnet set, we then need to check for the most current firmware for the device:

image

The above link requires a Cisco.com username and password. In our case we used our Cisco Partner ID which gave us access to the software updates folder after clicking through a few path links.

As of this writing, the most current firmware available for the device is:

  • Cisco SA520 Series Firmware: 1.1.42

image

Note that once we clicked through a couple more links to download the software we were presented with a Terms & Conditions page that required a “signature” before the download presented itself.

Then, we were required to accept another agreement, then we needed to click through a few more Download Now buttons to finally get the download moving.

image

Final Download Page

Ack! There may be a bit of work there to improve access to the firmware download as there had to be at least 20 or more clicks before it even started! :|

There was a feedback page after the download completed, so we made sure to mention that things could be a bit simpler to work with.

The firmware update process itself is straightforward:

image

After clicking OK:

image

Once the upload process completed, we saw a countdown timer:

image

The Diag LED on the front of the SA520 stayed lit yellow for a good portion of the countdown timer. With about 10 seconds left on the timer the Diag LED went out.

Firmware Update Caveat

Note that since we were updating the firmware on a newly powered up SA520, we did not take the time to save the settings using the Backup/Restore Settings process shown on the firmware update page.

When that countdown timer finished, we were no longer able to get into the SA520.

An IP release/renew showed why:

image

The settings changes we made for IP subnet and the SA520’s name were gone.

Make sure to back up the settings for the device _before_ running a firmware update or all of the customized inbound and outbound settings _will be lost_!

Note that this caveat is indicated in the firmware release notes to be found via the link below.

Firmware 1.1.42 Release Notes

Recommended Upgrade Steps

When upgrading from version 1.0.15, 1.0.17, or 1.0.39, the firmware will reset the router to its factory default and you will need to back up the configuration. When upgrading from 1.1.21, these steps are not required.

Of course, the firmware release notes were on the way down _after_ the firmware update download since there was no direct link to them on the actual download page. ;)

Once logged in after the update was applied, we checked the firmware page and saw:

image

We now had the ability to drop our Cisco username and password into the update page so that updates can be downloaded and installed automatically.

For those of us that work in SMB with SBS and other server hardware and software products, this setting is unlikely to be used. ;)

UPnP Status

With most consumer grade gateways, the UPnP feature comes enabled by default.

image

On the Cisco, we can see that UPnP is disabled by default. Since UPnP is a significant weakness in the overall security of a network, it should be disabled by default.

Conclusion

Now that we have the basics figured out, we are moving on to configuring the SA520 for our multiple ISP provided IP setup that includes a number of different services published to the Internet across those IPs.

We will be ordering in another unit to use as a tester that we can tear apart and work with without breaking our own connections soon!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
