Showing posts with label 2008.

Thursday, January 31, 2008

Windows IT Pro dec07 notes

It has been a while since I read the December 2007 Windows IT Pro issue, but here are some notes on stuff I found particularly useful, or otherwise hard to remember :-)

PDF utilities similar to PDFCreator (which does not work on Vista) that do work on Vista: CutePDF and PDFTools. I use PDFCreator all the time, and I don't use Vista just yet, but this is good to keep in mind! Some quotes from the PDFTools feature list:

• encrypt a PDF file by assigning it a password
• create a protection-free version of encrypted PDF file
• create a PDF file by joining multiple PDF files
• split a PDF file in multiple ways, such as splitting each page to new PDF file and splitting a file after a given page number
• arrange pages in a PDF file
• overlay text or an image over a PDF file
• convert an XML file into a PDF file

Note that you need Java Runtime Environment/Java Development Kit (JRE/JDK) 1.4 or later to use PDFTools.

It was interesting to read "Are IT Pros Steering Their Children Away From IT" and "A Good Career For Your Kids", as I recently became a dad and have actually been thinking about this several times!

I am certainly not recommending the IT business to just anyone. I like to think of IT as being a "call", a desire for helping people, delivering results, services and service to people, a call to engineer stable and innovative IT systems. For my daughter I will encourage her to do whatever she likes, and if that is IT, that is OK. I think an IT developer, administrator or project manager can be a happy job, but you have to be very aware of all the factors. This is a hard topic to just put down some notes on; I definitely have to give it some more thought and its own post. It is really interesting and worth discussing with wife, family and friends!

As you probably know, Windows 2008 will have the Server Core option, which has a very limited GUI. This will be exciting to use, and undoubtedly we will have to get used to many new command line utilities and new/better usage of existing ones. One of the new tools we will get used to is the script SCRegEdit (Server Core RegEdit). Although regedit is a GUI tool that does work in Server Core, SCRegEdit makes it easy to set the registry keys you most often need on a Core box, e.g.:
cscript scregedit.wsf /ar 0 enables Remote Desktop
cscript scregedit.wsf /au 4 sets Automatic Updates to download and install updates automatically
cscript scregedit.wsf /cs 0 allows pre-Vista clients to connect with Terminal Services (this drops the Network Level Authentication requirement on RDP, so only do it if you really need the older clients)
... check out Microsoft's Server Core guide, there are good tips:
Managing a Server Core installation: Overview
...
The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for the previous options:

cscript scregedit.wsf /?

Note:
You can use this command with the /cli option to display a list of common command-line tools and their usage.
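As an added example (not from the post and not from Microsoft's guide), here is a small cmd.exe batch file that applies the scregedit settings above on a Server Core box, keeps Network Level Authentication required instead of running /cs 0, opens the firewall for RDP (scregedit does not touch the firewall), and reads back the registry values scregedit writes so you can verify the result. The registry paths and value names are the documented ones for Remote Desktop and Automatic Updates; the script assumes scregedit.wsf lives in %SystemRoot%\System32 as the guide states, and that it is run from an elevated prompt on the Core box itself.

```batch
@echo off
rem Added example, not from the original post or Microsoft's Server Core guide.
rem Assumption: scregedit.wsf is in %SystemRoot%\System32 (as the guide states).
set SCREG=cscript //nologo %SystemRoot%\System32\scregedit.wsf

rem 1. Enable Remote Desktop
rem    (writes HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0)
%SCREG% /ar 0

rem 2. Require Network Level Authentication for RDP. The post's "/cs 0" is the
rem    opposite: it lets pre-Vista clients without NLA reach the logon screen.
%SCREG% /cs 1

rem 3. Automatic Updates: 4 = download and install automatically
%SCREG% /au 4

rem 4. scregedit does not open the firewall; do that explicitly for the RDP rule group
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

rem 5. Verify by reading back what scregedit wrote (and the current firewall rule state)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
```

Every scregedit option also accepts /v to display the current value without changing it, so `cscript scregedit.wsf /cs /v` is the quick way to check whether someone has already loosened the RDP security on a Core box.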
Some VMware Server and VMware Workstation differences. So far I have managed fine with the Server version. ESX will be next; Workstation is never considered! But anyway, interesting:
  • Price: VMware Server is free :-)
  • Server runs as a service, Workstation is a desktop application
  • Multi-user access for Server, not for Workstation. Server has a web interface too!
  • Workstation supports virtual machines (VMs) with up to 8 GB RAM, Server only 3.6 GB RAM.
  • Server can have only one snapshot, Workstation can have many.
  • You can clone a Workstation virtual machine. In Server, copying a VM is a manual process, but it works fine.
  • Workstation lets you manage several VMs in teams, e.g. to have certain VMs start up before others. Server doesn't have VM teams.
  • Drag and drop objects from your desktop into Workstation VMs. Server cannot.
  • You can capture an .avi movie of all activity in a Workstation VM.
So it was another great Windows IT Pro issue :-)

UPDATE: It was brought to my attention that VMware Workstation can be set up as a service [http://blogs.techrepublic.com.com/datacenter/?p=429&tag=nl.e101]

Tuesday, December 18, 2007

Verify computers health before allowing network access

This topic will be interesting to any Windows administrator who worries about which client computers are allowed on the network. I imagine many people have created their own ways of checking, for example before DHCP hands out an IP, or blackholing IPs if the traffic or status of a machine fails checks.

With Network Access Protection (NAP) in Windows Server 2008 there is a new possibility.

Some quotes and hype:
  • Administrators can enforce policies with NAP, e.g. placing clients that fail the requirements in quarantine (limited access) or giving them no access at all.
  • Using NAP with DHCP lets you protect all NAP-capable clients that get network access from DHCP, including Wi-Fi and LAN computers.
  • Windows XP SP3 will include the NAP client software. Vista has it by default. The beta 3 NAP client for XP makes XP SP2 NAP capable.
  • NAP is not limited to Microsoft clients; a system just has to report its health state to the NAP server. Example: missing!

To use NAP with DHCP you must perform these tasks (remember these are just some snips from the Windows IT Pro November 2007 issue):

  • Prepare the environment: you must have AD with one or more 2003 (or 2008) DCs, and DHCP on a 2008 machine, e.g. a member server in the domain. Open Server Manager and add the Network Policy Server (NPS) role, which replaces 2003's Internet Authentication Service (IAS). Etc.
  • Configure health policies: in the NPS console, configure the System Health Validator (SHV) with the client requirements you have. In Health Policies, select New, check the SHVs you want to use and whether clients must e.g. pass all SHV checks to be considered healthy (automatic updates on, hotfixes installed, firewall on, etc.). Also create a health policy for clients to be considered non-compliant/unhealthy. Etc.
  • Create network policies for NAP: in the NPS console, set up Network Policies that specify what network access applies to e.g. unhealthy clients. Etc.
  • Configure DHCP for NAP: configure one group of scope options for compliant NAP clients and one for non-compliant clients. Go to the properties of the scope in the DHCP console and enable NAP for this scope on the Network Access Protection tab.
  • Enforce NAP on the client side: use the NAP client console, Group Policy or netsh (which has a new nap context). You can edit the GPOs from the Vista or 2008 Group Policy Management Console (GPMC). Start the Network Access Protection Agent service, and set it to start automatically of course. On Vista there is an MMC snap-in, napclcfg.msc. The netsh command to turn on the DHCP enforcement client is: netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE".
  • Run a NAP test and check how you can tell that some clients fail. You will probably get a call from the owner of a client that cannot get online. Keep in mind that DHCP enforcement only restricts clients that actually ask DHCP for an address (it hands out limited routes and options); a machine with a statically configured IP address simply bypasses it, so treat it as a compliance aid rather than a hard access control.
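As an added example (not from the post or the magazine article), here is a batch file for the client-side step above. It sets the NAP Agent service to start automatically, enables the DHCP enforcement client by its ID, and then shows the client state so you can confirm the machine is actually reporting health before you flip a DHCP scope to NAP enforcement. It assumes a domain-joined Vista or XP SP3 client with the NAP agent installed, run from an elevated command prompt; the service name napagent and the enforcement ID 79617 are the documented ones.

```batch
@echo off
rem Added example, not from the original post or Windows IT Pro.
rem Assumption: Vista or XP SP3 client with the NAP agent installed, elevated prompt.

rem 1. NAP Agent service: automatic start, and start it now
rem    ("sc start" complains if it is already running; that is fine)
sc config napagent start= auto
sc start napagent

rem 2. Enable the DHCP Quarantine Enforcement Client (ID 79617)
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

rem 3. Verify: the DHCP enforcement client should be listed as enabled and
rem    the agent should show the installed SHAs (e.g. Windows Security Health Agent)
netsh nap client show configuration
netsh nap client show state

rem 4. Renew the lease so the DHCP server can evaluate the health statement
ipconfig /renew
ipconfig /all
```

If the client is configured through Group Policy instead, `netsh nap client show grouppolicy` displays the policy-applied settings, and the local `set enforcement` command is ignored while the GPO is in force.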
By the way, Windows 2003 SP1 already had Network Access Quarantine Control (NAQ), which helps administrators limit or deny connections from computers that don't comply with a company's security policies. However, there are some problems with NAQ:
  • It only works with VPN, leaving Wi-Fi and normal LAN connections out of the game!
  • NAQ is based on scripts that run on the client, which can be hard to create for every firewall or antivirus product you want to check.
  • After the NAQ check has completed, the user can disable the firewall or antivirus; it will not be detected, and the level of access remains the same.

Of course NAP replaces NAQ:

NAP is essentially the replacement for Network Access Quarantine Control and the long-term solution for customers. Microsoft anticipates that partners will provide services and solutions to assist customers with the maintenance of their existing investment or the update of their networks for NAP.

For a detailed comparison of NAP with Network Access Quarantine Control in Windows Server 2003, see Network Access Protection Platform Overview.

So NAP seems like another tool in the box of Windows network administration, just like WSUS is.

Monday, October 29, 2007

Windows 2008 notes

Current notes about Windows 2008 status that I found worth noting:

Terminal Services functionality gets much better:

  • Terminal Services Gateway (TS Gateway), which lets you connect to the gateway and from there on to other services. This takes away one, not all, of the reasons to use G/On.
  • A new kind of RDP over SSL. Newer XP and 2003 RDP clients will be able to use this.
  • Remote Programs (TS RemoteApp), which can be placed on your desktop while running on a remote server over RDP. Takes away one, not all, of the reasons to use Citrix.

Server Core is the option to install a Windows 2008 server without a GUI, or in fact with a very limited GUI. This is interesting, especially for a Unix server administrator like myself.

  • Server Core does not have .NET.
  • Server Core cannot use Windows PowerShell, as that is .NET based!
  • Server Core cannot be bought under a special license; it is an installation option.
  • Server Core can run IIS, but not ASP.NET.
  • Server Core can run DHCP, DNS, WINS, and file and print services.
  • Server Core cannot run Exchange 2007 or SQL Server 2005.
  • Server Core is managed from the command window, which means the command line.
  • Server Core can be administered with GUI MMC snap-ins from a full Windows 2008 installation.

64-bit is here, get used to it! 64-bit is considered the default for Windows Server 2008 installations!

Active Directory, now called Active Directory Domain Services (AD DS), introduces some new features.

  • Read-Only Domain Controllers (RODCs) alongside read/write domain controllers, instead of all domain controllers being read/write as they have been since Windows 2000 and 2003.
  • Active Directory snapshots, which you can mount, browse and compare. No need to install a separate domain controller.
  • Fine-grained password policies for users and groups inside the same domain (Password Settings Objects). Try running adsiedit.msc.

The Windows 2008 version of the Group Policy Management Console (GPMC) has a Find command for searching GPOs :-)