Well it turns out that the reg key only makes it so that any new DFS links are fully-qualified. Which means removing and re-adding the DFS root links, which is OK, but kinda sucky. So that worked, and it is now handing out FQDNs for one server (still need to do the other 2), but part of our install is still broken.
Basically a client machine adds itself to the domain using a script account, looks at a share and determines based off IP address whether there is a backup of itself on the share. If so, it moves it to C:\Backup Image.
Well, it's doing funny stuff. It can map the share, and read the data, but can't "move" it, which means there is a permissions issue. BUT the perms are set right, and when you try and look at certain advanced perms, it asks you to login again.
So there is something wrong with the authentication->authorization bit that could have something to do with using NTLM vs. Kerberos or some such nonsense.
So. I fixed what I thought was the problem, but it turns out there are more.
sigh
Hooray for figuring stuff out! Well, maybe.
We moved some files from one server to another, both accessed via MS DFS, and stuff starts breaking. Sounds familiar? It should. It happens all the time because IT is all about building very large houses out of misshapen cards.
Anyways. The new machine that is the DFS link target has a different DNS suffix than the Domain Controllers (that hold the DFS root). The old server did too, so I think that can't be the issue. Wrong!
Turns out that by default DFS referrals are handed out using NetBIOS names instead of FQDNs, but since the old server was in the same subnet as the DCs it was cool finding things with NB broadcasts.
You can't, however, use FQDNs when creating a DFS root (at least the tools won't let you), but there is a reg key that you can set on the DCs to have them only hand out FQDN referrals.
I've set the key, but now I have to wait 15 minutes for the DFS cache on the member server to time out, 'cause I haven't figured out how to clear it yet. Bah!
Tools used:
netdiag /debug
ethereal
dfsgui.msc
google
I do a lot of poking around inside Windows at my job. A lot of times I can make stuff work that really was not designed for the environments we support.
But there are some very glaring holes in what I know, and it's a pain when you realize you've hit the end of what you know when trying to fix a problem.
So I am very glad there are some people out there that go through and post stuff like this such that dufuses like me can follow along.
Cracking Software to run as non-admin
Mark's Blog @ Sysinternals
Dreamweaver keeps hanging using AFS over wireless. Ok. My bad. But it should not crash and lose your work.
Aspen hates me. Despite never needing a dongle in the past, we now have to use one, and the license expires on Friday. No, they haven't shipped us the media or dongle yet. And I just hope it uses Sentinel 7.x. Make my day.
Solidworks keeps looking for a cab file that is not on the CD I'm using and therefore will not install. Is this due to an RDP drive mapping issue of some sort? Don't know. I do know that copying the CD locally won't work.
Update!
Translation: Please insert CD 3
My complaint about License Servers
Most people probably think they already know all they need to know about License Servers, but I have some new information to bring to light. To start, it is not news that the reasons that License Servers gives for its bait-and-switch tactics clearly do not correspond with its real motives. What speaks volumes, though, is that I want to lift our nation from the quicksand of injustice to the solid rock of brotherhood. That may seem simple enough, but if you're interested in the finagling, double-dealing, chicanery, cheating, cajolery, cunning, rascality, and abject villainy by which it may leave helpless citizens afraid in the streets, in their jobs, and even in their homes within a short period of time, then you'll want to consider the following very carefully. You'll especially want to consider that every time License Servers tells its fans that freedom must be abolished in order for people to be more secure and comfortable, their eyes roll into the backs of their heads as they become mindless receptacles of unsubstantiated information, which they accept without question. Although License Servers has unfairly depicted me and those who share my beliefs as bullies and sluggards, we are neither. Yes, it is not possible fully to understand the present except as a projection of the past, but I myself am convinced that there will be a strong effort on License Servers's part to replace our timeless traditions with its addlepated ones one of these days. This effort will be disguised, of course. It will be cloaked in deceit, as such efforts always are. That's why I'm informing you that one can predict on empirical grounds that in a matter of days License Servers will reinforce the impression that pigheaded creeps -- as opposed to License Servers's acolytes -- are striving to step on other people's toes. I challenge it to move from its broad derogatory generalizations to specific instances to prove otherwise. 
License Servers's ideological colors may have changed over the years. Nevertheless, its core principle has remained the same: to combine, in a rare mixture, bestial cruelty and an inconceivable gift for lying. If you don't believe me, then note that I have a dream that my children will be able to live in a world filled with open spaces and beautiful wilderness -- not in a dark, contentious world run by illogical morons. Alcoholism doesn't work. So why does License Servers cling to it? It is bootless to speculate on the matter, but it should be noted that License Servers has been deluding people into believing that the Universe belongs to it by right. Don't let it delude you, too.
License Servers's orations are like hothouse plants. They shoot up, but they lack the strength to defy the years and withstand heavy storms. I can't possibly believe License Servers's claim that it answers to no one. If someone can convince me otherwise, I'll eat my hat. Heck, I'll eat a whole closetful of hats. That's a pretty safe bet, because I, not being one of the many destructive fanatics of this world, have a problem with License Servers's use of the phrase, "We all know that...". With this phrase, it doesn't need to prove its claim that merit is adequately measured by its methods and qualifications; it merely accepts it as fact. To put it another way, if I didn't sincerely believe that it finds enemies everywhere, then I wouldn't be writing this letter.
Regardless of what License Servers seems to suspect, there are lessons to be learned from history. Even if our society had no social problems at all, we could still say that I don't know how License Servers can be so libidinous. Its factotums probably don't realize that, because it's not mentioned in the funny papers or in the movies. Nevertheless, it will not be easy to focus on the major economic, social, and political forces that provide the setting for the expression of a ruthless agenda. Nevertheless, we must attempt to do exactly that, for the overriding reason that its effusions all stem from one, simple, faulty premise -- that it can walk on water. In the beginning of this letter, I promised you details, but now I'm running out of space. So here's one detail to end with: I can barely contain myself from going into a laughing fit when I see one of these bestial drug addicts.
[generated by Scott Pakin's automatic complaint-letter generator]
After careful thought and much deliberation, I have determined that the graphics for this site are singularly bad. However I know diddly-squat about css and am horrible at any sort of graphics-creation. So it will probably stay bad.
So there.
Things that Apple did that I really like (also note that since I am not really an Apple weenie like the boss, some of this may be a bit off...):
Desktop:
Dashboard is cool. It's the ultimate time wasting device. You can have all your games and other widgets up and hit F12 and they all go away.
Spotlight looks very useful, but since I am more of a cetory man than a search man, I am not as psyched about it as some of my peers...
Server:
Look here for actual info.
iChat server - which is really a Jabber server
SUS - Software Update Server. I think Microsoft might sue them if they stick to the "SUS" acronym.
Much more specific ACLs - The standard Unix file permissions kinda weird me out.
Apparently the version of spybot on the Admin Desktop will only pick up updates from 2004. I guess this needs to be added to the list of things to update.
Been adding some new RSS feeds lately. Here are some of the interesting ones:
Security Forums Dot Com - Kinda like TechTalk on the TheWolfWeb should have been...
Random Technology tutorials. There are also a bunch of other feeds.
This is cool. Wikipedia has a long list of "well known" bloggers.
This is a list of Bloggers at WinHEC.
Wolfcall Update going better than expected. More info might show up on the Wolfcall page in a couple weeks.
XP upgrade for AD going verrrryyyy slowly. See a couple posts back.
App distribution for students is really important to me. Tunneling licenses for Matlab works like a champ, but for Ansys doesn't work because of the Triad.
Lab utilization really needs to be finished. The data just isn't going to ever be complete and that just needs to be accepted, and then I can actually finish my part.
I wanna get more concrete info about training the TAs for E115. I would actually like to also try my hand at teaching a class, but that ain't likely to happen. Also, I really liked the idea of doing a few "seminars" for various stuff outside of the classes. I would probably be willing to volunteer for that.
Bah. Battery is dying...
Well, last week I gave up my Powerbook to Ellen and got Henderson's T41p...
I really like the Mac, but damn if I can't get stuff done on the IBM at a much (much!) faster rate.
I am really glad Ellen really likes the Mac, cause now I don't feel bad...
Stuff for meeting first thing tomorrow:
Status:
Installer - We need to look into replacing the current DOS disks w/ NIC drivers on them cause it is becoming increasingly harder to support all of the various different hardware out there. Rob had the idea to look at Windows PE and it looks like we might be licensed for that. That would be about a decade leap forward in technology and allow us to more easily support differing hardware.
XP - Figured out how to fix 3 of the current problems. The login vbscript error, the XP tour, and the perms for pinball and wordpad. They need to be implemented in a more permanent fashion (but I am a bit worried about using IE GPO settings after the fact). Drivers need to be added to the install and the newest remote root hotfixes slipstreamed/included. Also need to figure out what needs to happen with regards to RDP and Firewall.
Office 2003 - 2k3 with SP1 slipstreamed is on the network, but can't be assigned via GPO until we look at the "default" configuration of it. Also, 2000 needs to be moved to a separate GPO than the current set of apps so that it can be filtered based on OS.
Acrobat - Acrobat is done (their deployment tool for creating transforms is very good, way to go Adobe!). But Mulberry crashes if it is started via a mailto: that has an attachment (tested on XP and 2k, 3.1.5 and 3.1.6), and that feature is added to office apps and acrobat itself in version 7. So that must be looked into and reported. See Rob. Also I have to figure out what to do about keyclient/keyserver.
SAV - 9.03 needs to be done soon. Should be fairly easy except for the reboot that is needed in order for it to work, and how that deals with new installs. The current version of 8 is not vulnerable to the EXE decomposition issue ('cause it's disabled) and isn't causing Joe any issues yet, but will likely soon.
Firefox - Has some bugs. 1 of which is fixed in the MSI already. JPG association is broken. It doesn't enforce the network profile like I would like it to do. It reinstalls a lot on helpdesk, but nowhere else. It needs to be updated to 1.0.3. I need to port the "fixmozilla.bat" batch file for HD. Charles' bug is a problem with the program or with 2k or with AFS, but is not something that the MSI can deal with.
PuTTY - .57 is done and tested, but now .58 is out. Needs to be updated, but should be quick.
WinSCP - Need to update 'cause there have been a fair number of security updates. It's 1 file. It'll be quick.
TugZip - Done and tested. Has 1-2 caveats that need to be (might have already been done) documented for HD.
Wolfcall/AFS/KfW - Charlie has been doing well on this and has helped me to get where I can now theoretically update things. We might be able to get the new openafs/kfw/wolfcall on XP.
ACS - ACS icons for admin portal and removing local financials are done and tested (I believe?)
Optimusprime.eos.ncsu.edu is getting reinstalled. This is the last of the 2000 lab machines we have, and it is running the image from july 2003.
And it is driving me crazy! The mapping to ITD's apps volume disappeared 15 times over the past 3 days. And none of the right apps show up.
I just hope wolfprep doesn't blow away the other harddrive.
I noticed that the RAS box that I'm using for zephyrs (I know...) had a warning in Nagios. I did a who and a ps -ef and here's what I found:
7 people logged in with the following Apps running:
Cadence
HSpice
Pine X2
Synopsys
Nedit
XTracs
And the box was still totally usable. Not bad.
The auto-brightness feature on my Mac drives me nuts. When a cloud passes the sun, the brightness changes. When the tree outside gets blowin' in front of the window, the brightness changes. Sometimes, my hands block enough light while typing to cause it to change.
It's a really cool feature, but needs to be a little less sensitive by default.
Ok, so as part of the "ITECS Systems Spring Training", I went first covering Active Directory, and specifically our implementation of it.
Needless to say, I should have prepared a bit more than I did.
I totally sounded like a tool when trying to talk about domain topology, and how Windows printing sucks.
Things that came out of it:
...only it's not as sought after as diamonds are.
It turns out that I have many GB of crap laying around. Between AFS and the local drives of my machines, I have somewhere around 70 gigs of crap. Now a good chunk of that is old images and stuff I copied off of the L: drive before removing it from there, but that only takes up about 50 gigs of it.
Now that my user volume is moving, maybe I should clean up a bit...
Well, Kristi finally convinced me to kill off roaming profiles for the helpdesk in AD. It turns out that spreading spyware is a bad thing.
I really am a little sadistic when it comes to people learning about computing... The only reason the helpdesk had roaming profiles at all was because I wanted them to compare/contrast them in AD and Novell and come to the conclusion that Windows roaming profiles are a steaming pile, and from there, be able to apply their experience to troubleshooting stuff on the lab environment.
The first part happened, but not the last. Oh, well. I'll kill them off in a few minutes.
And then I'll start preparing for the Microsys meeting on thursday. Maybe I can convince them to kill them off for the labs as well. Yeah right. I should just keep pushing that boulder up the hill.
So far...
4 - Got Firefox Error page
5 - Bookmarks not copied
1 - Keyclient pops up a lot
1 - Firefox .92 still hanging around
1 - firefox apparently starting prior to the installer finishing?
2 - the boxen at the helpdesk are getting a "previous install needs to finish" error
(not sure if I spelled that right... or if there is a "right" spelling)
Ok. It appears my understanding of how Keyserver/Keyclient worked was a bit off.
It turns out that the "key" for a given application is not some sort of generated GUID, but is actually pulled out of the application itself. Meaning that 2 people on opposite sides of the globe will both get the same "key" when keying an application.
The implication of that is you can have your keyed copy of an app and my keyed copy of an app without having different servers. Which is BS.
So. All I have to do is manage to change the "key". Right. Problem is I can't actually find anything online about what the "key" actually is. There is a name that it generates based on the "key" and that's what gets used in all of the GUIs.
Bah.
Current list of things to do (will work these into project pages later):
Test VCL images to see if security measures are actually there
change "default" page in firefox to give error (don't ask)
check PuTTY version deployed via MSI
find out what a windows keyed app uses to determine its identity
find out what the beeping outside of my office is...
finish self-help for vcl with all known issues
document ansys remedy call
put dan's suggestion on the remoteaccess troubleshooting page
put new lab box at HD
email nag re:jabber
dhtml ms security fix and primavera - work magic
update winscp to fix same bug as in PuTTY
begin work on acrobat
test pspice w/o runonce reg keys (are they really needed? if so move them to a script)
bogdan and primavera vcl image
respond to wyoming guy
nag and firewall re:henderson
email vic re:ndstech updates meeting
get license server logs a-moving
I just scanned through the consult, cc, and microsys remedy queues looking for a couple calls that I had to do with. OH MY CRAP THERE ARE A LOT OF THINGS BROKEN.
And most of them have to do with the Windows lab environment. Upon which a shoehorn of mythical proportions was used to try to cram it into the MIT/Athena model of computing. We're gonna need a bigger boat!
This program has been a pain in my @$$ for 3 years. It has broken so many times I've lost count. And the vendor is fairly unhelpful. The sponsor is practically belligerent when it's determined that it's broken, weeks after not bothering to test it.
And now just after it appears we got the new version working, it seems the new OLE patch from Microsoft breaks the local database server that goes along with the app.
I give up.
There's a util in XP that allows you to send messages to a user who is currently logged in via RDP. Normally stuff like net send goes to the console and not the Terminal Services session.
Well, on the VCL boxes, users get a "Your crap is going to go away in 10 minutes" type message prior to their session ending that way they can save their data or go extend their reservation.
Well, clicking the OK button with RDP in windowed mode on my Win2k Admin Desktop box ate my mouse. Completely. Had to reboot.
Interestingly enough I have no idea how to disconnect from an RDP session that's in windowed mode with just the keyboard without killing the process...