Wednesday, April 18, 2012

Microsoft Certified Solutions Associate

So I've been out of the certification loop for a couple of years - mainly due to workload and time/cost vs gain just not being worth it to me once you hit a high enough level.  I always try not to certify too far past the level I currently work at because a lot of that knowledge will just drain away when you're not using it.
On a whim I logged into the MCP page this week and noticed some changes since my last visit.  I guess it was only a matter of time until Microsoft pushed out new 'cloudy' certifications.  One bittersweet surprise was that I gained a new certification - Microsoft Certified Solutions Associate - apparently just for being a 2008 MCSA (back when it was 'administrator').  I guess I can't complain too much about a new free title; it's just that after all those bad years of hearing horror stories about paper MCSEs and fly-by-night Microsoft certs, coupled with a few real-life experiences with 'book smart, practical dumb' certification holders, I'd already felt my certifications were being devalued.  I guess it's time to get off my duff and get back to working on these again before I get left behind.  So starting today I'll start studying for my "Microsoft Certified Solutions Expert" cert, which will be available June 11th, 2012.  If I find anything useful while brushing up I'll be sure to post.

Tuesday, April 17, 2012

MDT 2012

After spotting the release announcement on Aidan Finn's blog I went ahead and downloaded MDT 2012 so I could upgrade my old MDT 2010 Update 1 installation.  That turned out to be a chore since TMG 2010 kept trying to eat the install file.  Installation was a breeze afterward: I just dumped it on top of the old one, and once I got into the Deployment Workbench it had an exclamation mark over my deployment share to remind me to upgrade the share to the latest version.  Running PowerShell scripts is now a built-in task sequence step and it now supports Security Compliance Manager templates, so there's some new stuff to play with.  I also noticed several screens seemed a bit more polished and, if I'm not mistaken, a few new options in the default task sequence steps.
So far so good and no issues - currently got an LTI deployment running to test out the new monitoring console.


Monitoring console:

Tuesday, January 17, 2012

Galaxy Tab WiFi stops working every few days

Having finally gotten fed up with rebooting my Galaxy Tab every few days to get it to work with my home Netgear router, I started trawling through forums for a solution.  Suffice it to say, Android has a long way to go as far as DHCP and WiFi if even half of what's posted on these forums is accurate.  Fortunately I managed to stumble on a fix that worked for me.  My WiFi network was set up to accept both WPA and WPA2.  I removed WPA support and left only WPA2 on, and I haven't had to reboot in the past few weeks.  (There's some kind of rekeying issue with WPA version 1 every few days.)  Mixed WPA/WPA2 mode also means the AP keeps offering TKIP alongside AES-CCMP, so WPA2-only is the stronger configuration anyway, provided no WPA-only clients are left.  I'd also had intermittent issues with my Cisco WAPs, so I applied the same change to them and am waiting to see if it helps.
 

Thursday, January 5, 2012

Android Exchange 2010 ActiveSync issue with Smart Forwarding

Ran into a real doozy of a bug this week with one of my user's DROID phones.  Apparently there's a bug in the Smart Forwarding feature that causes an infinite loop for an outgoing message.  After doing some digging I found a LOT of references to this rare bug on the forums.  I'll post the links below but the short version is that the smart forwarding is supposed to just insert a marker when you forward an email with an attachment.  That marker tells the server to insert the attachment so the client doesn't have to download the whole email to their phone first.  In some cases this marker gets hosed royally and causes a loop between the client and server and it just repeatedly sends out the same email.  The only way to break that loop is to kill the mail profile on the device or hard reset it.

So for now I've told my users that if they've got this feature to turn it off.

Settings -> Battery and data manager -> Data delivery -> Email and corporate sync -> Smart forwarding

Email Settings -> Smart Forwarding


http://social.technet.microsoft.com/Forums/en-AU/exchangesvrmobility/thread/0e332aff-dc44-47d2-a294-36c68b56b04e

http://www.sharepointpanda.com/2011/08/motorola-atrix-with-gingerbread-update-triggers-infinite-loop-on-forwarded-emails/

http://www.atrixforums.com/forum/rescue-squad/5153-forwarded-emails-exchange-2010-get-sent-infinite-loop-after-gb-update.html


Friday, October 14, 2011

I like the Cisco AP541N WAPs

So I've been resisting giving wireless access to my internal network for a long while.  But over time the security options on wireless equipment have gotten better, and frankly the cable clutter in the conference rooms has started resembling a briar patch.  So I went looking for a wireless access point that could not only handle multiple VLANs but would also provide strong security and integrate with my users' Active Directory accounts.  Enter the Cisco AP541N, which can present up to 15 virtual APs (VAPs), each of which can be configured with its own authentication options, VLAN tagging, and redirection to a URL.  It also had good clustering support, which was a nice plus, along with PoE support to simplify deployment, and it comes in just under $400.
http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/ap_500/index.html

For my secure network I set the VAP to use RADIUS auth to my win2k8 r2 domain controllers that were set up using NPS.  Good setup article here:  http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Connecting to the VAP is a breeze: the user just clicks connect on their domain-joined laptop and their domain credentials are passed through automatically, without any end-user configuration.   Nice video at:  http://www.youtube.com/watch?v=g-0MM_tK-Tk

Now the only thing I didn't like when I configured it was that the admin password was limited to only 8 alphanumeric characters, which is thin for a device that sits on the internal network.  Fortunately, if that's an issue you can configure the whole WAP to use 802.1x to authenticate the admin account.  I also ran into an issue where the RADIUS settings that the cluster feature auto-configured had an authentication problem, but all I had to do to fix that was re-enter the RADIUS shared secret and it went away.
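As an added example (not from the original post, and not Cisco's or Microsoft's code), this is how the NPS side of that RADIUS setup can be scripted on the 2008 R2 domain controller, plus the check worth running when the cluster's RADIUS settings misbehave: pull the NPS audit events out of the Security log so a shared-secret or policy problem reads as a reason text instead of a silent failure on the AP. The AP name and address are placeholders, the secret generator is a generic CSPRNG routine, and the parameter names are those of the 2008 R2 `netsh nps` context.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
# PowerShell 2.0 syntax so it works on Windows Server 2008 R2 as-is.

function New-RadiusSecret {
    # The RADIUS shared secret is a symmetric key shared with every cluster
    # member, so make it long and random. Bytes come from a CSPRNG and are
    # rejection-sampled onto 62 symbols so there is no modulo bias; the
    # alphabet avoids characters that need quoting in netsh or the AP UI.
    param([int]$Length = 48)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }   # 248 = 4 * 62
    }
    $sb.ToString()
}

function Register-NpsRadiusClient {
    param(
        [Parameter(Mandatory=$true)][string]$Name,      # friendly name, e.g. the AP's hostname (placeholder)
        [Parameter(Mandatory=$true)][string]$Address,   # the AP's management IP (placeholder)
        [Parameter(Mandatory=$true)][string]$Secret
    )
    # netsh nps is what 2008 R2 ships with (the NPS PowerShell module came later, in 2012).
    # requireauthattrib makes NPS insist on the Message-Authenticator attribute;
    # EAP requests carry it anyway, so requiring it costs nothing.
    netsh nps add client name="$Name" address="$Address" state="enable" sharedsecret="$Secret" requireauthattrib="yes"
}

function Get-NpsAuthEvent {
    # NPS writes RADIUS outcomes to the Security log: 6272 access granted,
    # 6273 access denied, 6274 request discarded (malformed or unauthenticated,
    # which is where a shared-secret mismatch lands), 6278 full access granted.
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 6272, 6273, 6274, 6278; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        New-Object PSObject -Property @{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            User       = $data['SubjectUserName']
            Client     = $data['ClientName']        # which RADIUS client entry matched
            ClientIP   = $data['ClientIPAddress']
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

# Usage: one new client for a conference-room AP, then the last hour of outcomes.
$secret = New-RadiusSecret
Register-NpsRadiusClient -Name 'AP541N-ConfRoom' -Address '192.0.2.10' -Secret $secret
Write-Output "Enter this shared secret on the VAP (and on every cluster member): $secret"
Get-NpsAuthEvent -Hours 1 | Sort-Object Time |
    Format-Table Time, EventId, User, Client, Policy, ReasonCode, Reason -AutoSize
```

If the AP shows an authentication failure and NPS has nothing at all in the last hour, the request never arrived or was dropped before logging (wrong NPS address or UDP 1812 blocked); a stream of 6274 events with the AP's address points at the shared secret, and 6273 with a reason text means the request was authenticated and a policy or credential rejected it.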


Monday, September 26, 2011

TMG 2010 and enabling TLS 1.2


With the impending demise of TLS 1.0 on the web I figured it was a good time to make sure all my servers had TLS 1.2 enabled on them. The normal IIS 7.x servers wouldn't be a problem since I'd found a PowerShell script for turning it on a while ago, but I wasn't sure about the TMG 2010 servers. Since they also function as SSL termination endpoints, they also needed to support TLS 1.2. After a bit of searching I found only a few mentions of TLS 1.2 and TMG 2010, and they seemed to imply that it would track whatever the OS had enabled (TMG sits on Windows Server 2008 R2, where Schannel supports TLS 1.2 but leaves it off by default). So I went ahead and ran the script to enable it, rebooted, and then tested my servers with the SSL Labs tester (https://www.ssllabs.com/ssldb/index.html), which reported back that my servers were now supporting TLS 1.2.

But they also reported back that my server still supported insecure renegotiation. So I dug around a bit more and found some registry keys that need to be set in order to turn it off, at http://support.microsoft.com/kb/980436 (the MS10-049 Schannel update that implemented RFC 5746 secure renegotiation). The values live under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL; note that setting the AllowInsecureRenego* values to 0 is strict mode, meaning Schannel refuses any peer that doesn't support RFC 5746, on the client side as well as the server side. So I set these 3 DWORD values to zero:

AllowInsecureRenegoClients
AllowInsecureRenegoServers
UseScsvForTls

Updated: I started getting 'The supplied SSPI channel bindings were incorrect' errors on servers that were published behind the TMG server, so I deleted those keys and that went away.
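An added example, not the script the post links to and not Microsoft's code: the Schannel registry changes behind both steps above, written as PowerShell 2.0 so it runs on the Windows Server 2008 R2 box that TMG 2010 lives on. It enables TLS 1.2 (and 1.1) for both the server and client side of Schannel, reports what will take effect at next boot, and wraps the KB980436 renegotiation values so that strict mode is an explicit opt-in and the rollback the post ended up doing is one call. Registry paths and value names are the documented Schannel ones; the function names are mine.

```powershell
# Added example, not from the original post. Run elevated; Schannel reads these
# keys at boot, so reboot and re-run the SSL Labs test afterwards.

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # 'TLS 1.2', 'SSL 2.0', ...
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    # Both halves matter on TMG: Server is the listener browsers hit,
    # Client is what TMG speaks to the published web servers behind it.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protocols "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 switches the protocol on; DisabledByDefault=0 lets Schannel
        # offer it without the application asking for it by name.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # What Schannel will see at next boot; 'default' means the value is absent
    # and the OS default applies (on 2008 R2 that means TLS 1.1 and 1.2 off).
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path (Join-Path $protocols "$p\$side") -ErrorAction SilentlyContinue
            $enabled = 'default'; $dbd = 'default'
            if ($v -and $v.PSObject.Properties['Enabled'])           { $enabled = $v.Enabled }
            if ($v -and $v.PSObject.Properties['DisabledByDefault']) { $dbd = $v.DisabledByDefault }
            New-Object PSObject -Property @{ Protocol = $p; Side = $side; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

function Set-SchannelRenegotiation {
    # KB980436 (MS10-049) values. -Strict sets AllowInsecureRenego* to 0, so
    # Schannel refuses any peer that does not do RFC 5746 secure renegotiation;
    # that is the setting the post found broke channel binding for published
    # servers. Without -Strict the three values are deleted, which is the
    # rollback the post describes and returns Schannel to the OS default.
    param([switch]$Strict)
    if ($Strict) {
        foreach ($n in 'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers') {
            New-ItemProperty -Path $schannel -Name $n -PropertyType DWord -Value 0 -Force | Out-Null
        }
    } else {
        foreach ($n in 'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers', 'UseScsvForTls') {
            Remove-ItemProperty -Path $schannel -Name $n -ErrorAction SilentlyContinue
        }
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false   # nothing should still need SSL 2.0
Set-SchannelRenegotiation                                   # compatible mode, where the post ended up
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

The Client half is the part that is easy to forget on TMG: it is what negotiates with the published servers, and the channel-binding errors in the update above came from that leg, not from the listener browsers talk to.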


The PowerShell script that I used for TLS 1.2 enabling can be found here:




Monday, July 25, 2011

Custom Calendar permissions missing in Outlook on recovered calendar


After I painfully recovered a Calendar for a user last week, they were no longer able to set 'Custom' permissions for it. All the Free/Busy options had disappeared from the panel completely. The solution turned out to be running outlook.exe /ResetFolders; only that fixed all the odd permission issues on the Calendar.

Wednesday, July 20, 2011

Silent installs and MDT 2010

The initial rollout of MDT was well received by the rest of my IT department but as with all things the new toy eventually led to new requests for changes. At the top of the list was to make the application installs silent or hands-free. It didn't take long to discover that there was no silver bullet to fix that problem. There are multiple installer programs, differences between .msi implementations, secret flags, and in some cases a matter of hunting down hidden alternate downloads of application installers. In this post I'm going to describe how I streamlined my testing and at the bottom I'll list all the install flags that I'm using currently.

First, you'll need a good testing platform. I recommend either a Hyper-V or VMware VM so you can take a snapshot and restore the state after each test.

Next, create a custom task sequence in MDT 2010 that just installs one application. You can run that task sequence manually from inside Windows on the virtual machine; otherwise you'd have to wait for the whole OS install each time you want to test a new command line. To kick it off, go to your deployment share's Scripts folder and run LiteTouch.vbs:
"\\yourservername\deployment$\Scripts\LiteTouch.vbs"


Third, go to www.appdeploy.com and search their knowledge base for your application. Their package knowledge base has a good user-contributed database made from the blood, sweat, and tears of your colleagues in the field. Take for instance Adobe Reader X. The package KB article is linked here: http://www.appdeploy.com/packages/detail.asp?id=1976
Once there, click the Command Line section and you'll see what options you have for non-interactive or silent installs. There are multiple entries for most of them as the method sometimes changes with newer versions of the software or some users just like different options to be selected instead. If you make good use of virtual machine snapshots you'll save yourself tons of time testing these out.

Whenever possible, use the installer's no-reboot or suppress-reboot switch. MDT hates it when apps reboot by themselves, because the task sequence doesn't survive a reboot it didn't initiate. Just set the reboot flag under the application properties in MDT instead.
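As an added example (not from the original post, and not part of MDT), here is a small harness for the testing loop described above: it runs one candidate command line inside the snapshot VM with a timeout, since a hung installer almost always means a dialog you cannot see, decodes the exit code so you know whether the package wants a reboot before MDT finds out the hard way, and confirms the product actually landed in Add/Remove Programs. The exit codes are the standard Windows Installer ones; the function names and the log path are mine.

```powershell
# Added example, not from the original post. Run inside the snapshot VM as a
# local admin (what MDT runs as), read the result, then revert the snapshot.

# Windows Installer exit codes that matter for MDT; vendor installers (NSIS,
# Inno Setup) mostly return 0 on success but invent their own failure codes.
$ExitCodeMeaning = @{
    0    = 'Success'
    1603 = 'Fatal error during installation (read the /L*v log)'
    1619 = 'Package could not be opened (wrong path or damaged download)'
    1639 = 'Invalid command line argument (msiexec)'
    1641 = 'Success but the installer is rebooting by itself; MDT will lose the task sequence, find a no-reboot switch'
    3010 = 'Success, reboot required; let MDT do it by ticking "Reboot the computer after installing" on the application'
}

function Get-InstalledProduct {
    param([Parameter(Mandatory=$true)][string]$DisplayNamePattern)
    # Check both uninstall hives: 32-bit installers on x64 register under Wow6432Node.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $DisplayNamePattern } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Test-PendingReboot {
    # An installer that returns 0 can still have queued file replacements for
    # the next boot; MDT needs to know about those too.
    $cbs  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $pfro = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    [bool]$cbs -or [bool]$pfro
}

function Test-SilentInstall {
    param(
        [Parameter(Mandatory=$true)][string]$FilePath,   # msiexec.exe or the vendor setup
        [string]$Arguments = '',
        [string]$DisplayNamePattern = '',                # regex against the Add/Remove Programs DisplayName
        [int]$TimeoutSeconds = 900
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $FilePath
    $psi.Arguments = $Arguments
    $psi.UseShellExecute = $false
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    $proc  = [System.Diagnostics.Process]::Start($psi)
    $code  = $null
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        # A hung installer is almost always a dialog waiting for a click: not silent.
        $proc.Kill()
        $verdict = "Timed out after $TimeoutSeconds s: probably a hidden prompt, the switches are not silent"
    } else {
        $code = $proc.ExitCode
        if ($ExitCodeMeaning.ContainsKey($code)) { $verdict = $ExitCodeMeaning[$code] }
        else { $verdict = "Exit code $code: check the vendor documentation or the install log" }
    }
    $found = @()
    if ($DisplayNamePattern) { $found = @(Get-InstalledProduct -DisplayNamePattern $DisplayNamePattern) }
    New-Object PSObject -Property @{
        Command       = "$FilePath $Arguments"
        ExitCode      = $code
        Verdict       = $verdict
        Seconds       = [math]::Round($clock.Elapsed.TotalSeconds, 1)
        Installed     = ($found.Count -gt 0)
        Product       = $found
        RebootPending = Test-PendingReboot
    }
}

# Usage: the 7-Zip entry from the list below, with a verbose log and reboot suppression added.
Test-SilentInstall -FilePath 'msiexec.exe' `
    -Arguments '/i 7z465-x64.msi /quiet /norestart /L*v C:\7z-install.log' `
    -DisplayNamePattern '^7-Zip' | Format-List
```

An ExitCode of 0 with Installed = False is the other failure mode worth catching: some web-stub installers exit cleanly after failing to download, which is exactly the case where you need the offline installer mentioned below.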



For some applications you'll have to download special versions of the installer (for example an offline or enterprise build instead of the web-download stub), and for others you may have to do an MSI extraction first. Below you'll find my list of applications and the flags that work for me.

7-zip 64 bit
msiexec /i 7z465-x64.msi /quiet

windirstat
windirstat1_1_2_setup.exe /S

CutePDF (made a batch file)
ECHO Installing converter
converter.exe /auto
ECHO Installing cutepdf
cutewriter.exe /silent

Malwarebytes
mbam-setup.exe /SP- /SILENT /NOCANCEL

Symantec Endpoint Protection 11.0.6
Just create a self-installing image using the Centralized admin console

Microsoft Windows Live Messenger
WLSetup-web.exe /q /NOToolbarCEIP /NOhomepage /Nolaunch /nosearch /AppSelect:Photo,Mail,Messenger

Microsoft .net 4.0 framework
dotNetFx40_Full_x86_x64.exe /passive /norestart

Microsoft Office 2007/2010

Adobe Reader X
AdbeRdr1000_en_US.exe /sAll /msi /norestart ALLUSERS=1 EULA_ACCEPT=YES

VMware Player 3.0
msiexec /i "vmware player.msi" REBOOT=ReallySuppress DESKTOP_SHORTCUT=0 QUICKLAUNCH_SHORTCUT=0 /qn

Microsoft Visual Studio 2010 (recommend making an MDT application bundle with the SP1 entry below)
setup\setup.exe /q /norestart

Microsoft Visual Studio 2010 SP1
setup /q /norestart

Roxio Creator 10.3
setup.exe /qn Reboot=ReallySuppress

SQL Server 2008 R2
Let the GUI build out an unattended file for you (it writes a ConfigurationFile.ini; passwords are deliberately not stored in it).
Then use this syntax:
setup /CONFIGURATIONFILE=CompanyInstallSettingsR2.ini /INDICATEPROGRESS /SAPWD="password"
Caveat: the SA password on that command line ends up in cleartext in the deployment share's Control\Applications.xml and in BDD.log, so restrict read access to the share and don't reuse a password you care about.

Microsoft TMG 2010 Firewall Client
msiexec /i ms_fwc.msi SERVER_NAME_OR_IP=yourTMGServer ENABLE_AUTO_DETECT=1 REFRESH_WEB_PROXY=1 /qn /L*v c:\fwc_inst.log

Snagit 9.x
Build out a batch file (the license key is stored in cleartext in the deployment share, so treat the share accordingly)
snagit.exe USERNAME="INSERT USER NAME HERE" TSC_SOFTWARE_KEY="INSERT KEY HERE" TSC_LICENSEMODE="Full" /quiet

That's all folks! Good luck.