At a large HMO I used to work for, they used to have a tough re-image policy.  I believe that if a problem took more than two hours to solve, they would just have the desktop support person re-image the machine.  This approach did lead to plenty of problems, lost user data, etc.  But, if managed properly it probably could have cut down on user downtime and support costs.

  1. User data – My current approach is to backup all user data to the server anyway.  Sometimes users will save files outside the standard folders (e.g. My Documents).  This HMO also had a clever script that would locate all supported data files (e.g. .doc, .pdf, .pst, etc.) and back them up prior to the image drop.
  2. Non-standard software – One drawback to this method is that IT didn’t necessarily have images that included ALL of the software required by all the departments.  One group required SAS tools that weren’t in the base image.
  3. Software updates – This approach would work best if the images were updated with the latest Windows updates, etc.   Otherwise you need to re-run all the patches each time you drop an image.
  4. User profiles – On the one hand you could keep the user profile on the network, but on the other hand sometimes a corrupt user profile is the cause of the problem.

I haven’t tried this method at the small business level, but I think that it would be very difficult to reduce support costs by taking this approach.

I had a lively exchange with another consultant today that included a discussion of imaging client machines. This other fellow subscribed to what I think is an old school philosophy that there should be a separate volume for the system and the data on client machines. I still subscribe to this view in regard to servers – but in that case we are usually talking about different disk arrays (i.e. a two-drive RAID 1 container and an N-drive RAID 5 or RAID 10 container).

So his primary argument in favor of a separate system volume (or partition in his case as he is an adherent to FAT32 – which is a whole other can of worms) was that he can keep a “ghost” image on the data partition and if there is ever a problem with the system partition or if the OS won’t boot, he can walk the end-user through booting to DOS and running a script to re-image the machine. Now I like the creativity of this solution, but here are my reservations:

  1. Using FAT32 is probably causing as many blue screens as it solves. Because it’s not a journaling file system, you are more likely to run into problems whenever Windows is ungracefully shut down.
  2. Having users self image a machine risks overwriting data that might have been unknowingly saved to the system partition.
  3. It can be a waste of disk space if you allocate too much space for the system partition, but you risk filling it up and bringing the system down if you allocate too little.

I think it’s simplest to just keep one partition.

  1. You don’t need to worry about resizing partitions or wasting disk space.
  2. Simplifies administration (no need to document or train admins on this aspect of a client build)
  3. You can save a base “ghost” image to the fileserver or on a USB drive somewhere. If you do want to risk having the end-user re-image their machine, you can have them first backup their current image to USB.

Of course client data backups are a must:

http://globalizenetworks.com/blog/2008/05/22/client-backups

For corporate Video Conferencing, we usually have a dedicated “codec” from Tandberg or Polycom.  However, we recently ran across this offering from Sony which works well, has nice modular add-ons, supports the latest protocols, and is more economical:  Sony iPela PCS-G50
(CDW is a good corporate vendor if you want to simplify purchasing – not the best prices, but decent)

NetMeeting is a deprecated Microsoft H.323 client.  Looks like Microsoft wants to push everyone over to Live Meeting.  It’s still included in XP though (START | RUN | Conf), and I guess that you can install it into Vista: http://en.wikipedia.org/wiki/Microsoft_NetMeeting

We have been using NetMeeting to test H.323 connectivity and to link in remote users.  (Multi-site capabilities in the VC codec usually cost more.)

I have come to the conclusion that it doesn’t make sense to keep your codec behind a firewall; I agree with this site: http://www.more.net/technical/video/troubleshooting/videofirewalls.html.  Basically just turn off the web-interface and other IP services and you should be secure.  I have many bumps on my head from H.323 firewall configuration.

Crazy computing clouds

May 23rd, 2008

I have been thinking about how to provide health monitoring to our clients, host servers for our consulting business, and have a flexible lab environment for testing and training.  We don’t have a data center of our own, so I started looking at dedicated servers, virtual dedicated servers, etc. I was able to cave in and set up a dedicated server account with one of the top Google hits for “dedicated server hosting” (currently rackspace.com, theplanet.com, aplus.net).  Then I was checking out the metro Ethernet offering from coloserve.com and saw their goGrid offering (http://www.gogrid.com/) which is like some crazy cloud computing platform, then I saw the Amazon EC2 (http://www.amazon.com/gp/browse.html?node=201590011) cloud computing platform.  I was really surprised that this cloud computing is blowing up so much.  EC2 only supports Linux, but why not just drop VMWare server on top and run what you want? (Talk about virtual machine! I wonder how many layers you are from the hardware?)

Ok, so I had problems with “C Header files” when I tried to install VMWare server. I might still beat on that later, but in the meantime I found that someone else has already gotten Windows running on EC2 using Qemu:

(http://www.howtoforge.com/amazon_elastic_compute_cloud_qemu)

I also found out that the Amazon “Cloud” is really just running Xen and that it only recently became more cloud-like with the addition of “Availability Zones” (http://www.theregister.co.uk/2008/03/27/amazon_flexible_ec2/)

Now I find that you need to regenerate your AMI each time you make a change!?!@#%  How is this going to work for what we want to do??

http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1403&ref=featured

Maybe GOGRID is the way to go, but it doesn’t support multiple virtual processors…  Maybe I should just call it a day and get a dedicated server after all.

Some IT shops don’t even bother with client backups. I’ve had one IT Admin tell me that he sets a policy for all users to save their data on the network. If they neglect to do that, it’s not his fault. This CYA approach only makes sense if you are almost deliberately blind to the underlying business goals. How many hours of labor does client data represent? Are we to leave the security of this asset to user discretion? I think not.

So what do we do? Well, for some clients, the best way is to use offline folders:

  1. Create a GPO that redirects My Documents and Desktop to folders on the server
  2. Open GPMC.msc (GPMC download from Microsoft)
  3. Select the GPO that you want to use | right-click | Edit
  4. User Configuration | Windows Settings | Folder Redirection | right-click Desktop | Properties
  5. Under Setting select “Basic – Redirect everyone’s folder to the same location”
  6. Under “Target Folder…” select “Create a folder for each user…” (we already had folders for each user, but that didn’t matter.)
  7. Under “Root Path” put the path to your users share (i.e. “\\server\users\”)
  8. Repeat for “My Documents”

Now their “My Documents” and “Desktop” special folders are pointing to a location on the server (which is being backed up to tape or mozy or whatever) and have been automatically made available offline.

Some things to note:

  1. The first time this GPO is applied to a new user, XP appears to hang with a blank screen right after login. This is normal, though annoying. Windows is just copying the user data up to the server, then making a local cache by copying it back down (I’m guessing.) You can check progress by checking the size of the user’s home directory periodically. Watch your disk space: depending on your settings, you might end up with two copies of the user data, the old data in c:\documents and settings and one cached copy in c:\windows\csc.
  2. VPN – this is a nightmare. The user will always be offline when they login at home (unless you use this connection for login?) I’ve gotten many calls about users not being able to see all of the files on the server when VPN’d in. Basically they are still working offline and can only see the files that are available offline. Running a manual synchronize usually fixes this and most other offline folders problems (My Computer | tools | synchronize | synchronize)
  3. I’ve seen some printers stop working when a user goes offline due to a network glitch; a manual sync fixes this too.
  4. Offline folders are usually cached locally in c:\windows\CSC, but you can change this location using cachemov.exe from the w2k resource kit. Vista users can have fun with this http://support.microsoft.com/kb/942960
  5. Sometimes your server’s autodisconnect feature wreaks havoc on offline folders; you can try this: net config server /autodisconnect:-1 (http://support.microsoft.com/kb/138365)
  6. Offline folders over slow VPN connections can be a pain, so you MIGHT try the old “Go Offline on Slow Link” trick. (http://support.microsoft.com/kb/811525# see the Overview section) Of course I ran into a wonderful scenario where not all needed files were available offline when a user was at a poorly connected site. So I was stuck: if we set them to go offline, they could only see their own My Documents and Desktop folders on the server. If we put them online, the performance was terrible trying to access their own desktop. I basically had to remove offline folders for these users.
  7. You can’t make PST files or MDB files available offline, but it still gives errors on these types of files unless you MANUALLY right-click each one and UNselect “make available offline” – why is this? I do not know. It shouldn’t ever try to make them available offline in the first place. Oh well.

So we look at all of these problems and now you can see why I sometimes just say “The heck with it” and run a nice little robocopy.exe script: (available in the w2k3 resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en)

Robocopy is like the copy command, but it only copies files that have changed (newer) BY DEFAULT; no switch is needed to make it do that. Just put a batch file into the “startup folder” and you are good to go. If a user cancels that weird DOS window, no sweat: it will just pick up where it left off next login. I usually do something like this:

rem /e copies subfolders (including empty ones); /zb restarts interrupted copies and falls back to backup mode on access-denied
robocopy /e /zb "c:\documents and settings\user\My Documents" "\\server\users\user\My Documents"
robocopy /e /zb "c:\documents and settings\user\Desktop" "\\server\users\user\Desktop"

Robocopy even has /IPG:n (Inter-Packet Gap, in ms) to free bandwidth on slow lines. (nice)

I like free things that work. Why did I try to use offline folders again? (Of course offline folders works better when you might need conflict resolution like a file is modified in BOTH locations. But a basic backup scenario doesn’t result in this usually.)
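Here is a fuller version of that startup script, added as an example and not the original post’s script. It assumes the users share is \\server\users (as in the post), that each user’s folder there is named after their logon name, and it picks a log file under %TEMP% and a 50 ms packet gap as example values; it also checks robocopy’s exit code so a failed run is visible rather than silently closed with the window.

```batch
@echo off
rem Added example, not the original post's script: per-user startup backup with robocopy.
rem Assumes the users share is \\server\users and each user's folder is named after
rem their logon name; the log path and the 50 ms packet gap are example choices.
setlocal
set DST=\\server\users\%USERNAME%
set LOG=%TEMP%\robocopy-backup.log

rem /E         copy subfolders, including empty ones
rem /ZB        restartable mode, falling back to backup mode if a file is access-denied
rem /R:2 /W:5  retry a locked file twice, five seconds apart, not the default million retries
rem /IPG:50    insert a 50 ms gap between packets to leave bandwidth for other traffic
rem /NP        no per-file progress percentage (keeps the log readable)
rem /LOG+      append to the log so a run the user cancelled can still be reviewed
set OPTS=/E /ZB /R:2 /W:5 /IPG:50 /NP /LOG+:"%LOG%"

call :backup "My Documents"
call :backup "Desktop"
endlocal
goto :EOF

rem Copy one special folder to the server; %~1 is the folder name with quotes stripped.
:backup
robocopy "%USERPROFILE%\%~1" "%DST%\%~1" %OPTS%
rem Exit codes 0-7 are success (0 nothing new, 1 copied, 2/4 extras or mismatches);
rem 8 and above mean at least one file failed to copy.
if %ERRORLEVEL% GEQ 8 echo %~1: robocopy reported failures, see "%LOG%"
goto :EOF
```

Because it runs from the per-user startup folder, %USERPROFILE% and %USERNAME% resolve to the logged-on user, so one script serves everyone. Running at logon also means Outlook has not yet opened its PST file, and /R:2 keeps the job from hanging for hours on any file that is locked anyway.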

Google video

May 20th, 2008

I wasn’t hip to Google video until recently, but it’s a cheap and simple way to embed video in web pages.

http://video.google.com/support/bin/answer.py?hl=en&answer=35093

Some clients insist on having mobile broadband cards in their laptops, which is pretty cool.  But why pay for the extra data plan when so many of these same users already have a smartphone with data?  Just configure the device and laptop and you can access the internet wherever there is a cell phone signal.   I have gotten BlackBerry and Windows Mobile devices up and running in this way (on AT&T and T-Mobile, other carriers might block this and try to charge extra for it).

Here is a guide to setting up BlackBerry devices as “modems”:

http://www.blackberryforums.com/blackberry-guides/2019-user-howto-use-blackberry-modem-laptop.html
Windows Mobile setup is pretty simple:

http://blogs.msdn.com/jasonlan/archive/2007/03/30/internet-sharing-the-most-underutilised-unknown-feature-of-windows-mobile.aspx

I haven’t set up Treos for this.

Spam Filtering

May 18th, 2008

After much abuse from my associates, I have finally caved in.  I’m all for using http://Postini.com to filter out spam.  It’s cheap and it works well.  It keeps the spam off the network, and I like how it just sends a quarantine report to the end-users each day.

Of course, now we have to turn off that pesky Outlook junk mail filter:

http://office.microsoft.com/en-us/ork2003/HA011402621033.aspx

To enforce Outlook Junk E-mail Filter user interface options for users

  1. In Group Policy, load the Outlook 2003 template (Outlk11.adm).
  2. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools | Options\Preferences, click Junk Mail.
  3. Double-click Junk E-mail protection level.
  4. Click the Enabled radio button to enable configuring the policy.
  5. In the Select level drop-down list, select a protection level to enforce.
  6. Click OK.
  7. Set other policies, such as specifying to permanently delete junk e-mail messages.

(Found this http://www.myitforum.com/forums/m_148505/mpage_1/key_/tm.htm#148505 via google on “disable junk mail outlook” – thanks to kdsrazor)

Why am I so turned off by online backups?  Well I’m not entirely turned off, I use http://filesanywhere.com to backup my personal workstation. Here are some things that bother me:

  1. special files – The performance of online backups relies on being able to perform incremental backups (and compress these?).  But some special files are problematic to incrementally backup: SQL & MS Access databases, Exchange Information Stores, Outlook PST files, Active Directory, etc.  Of course I trust Backup Exec to perform incremental backups of databases and information stores, but many online services don’t even offer that feature.
  2. Ok, let’s say that you have to restore EVERYTHING.  How long will that take?  Say you have 150 GB of data and a T1.  (Is it over 13 hours at the theoretical maximum? T1 = 1.5 megabits per second /8 = 187 megaBYTEs per second, 150,000 MB / 187 MBps /60 = ~13 hours.  But when do we ever get full 1.5 mbps transfer rates?  1.2 is probably more realistic so > 16 hours.)  Of course that probably does compare with other off-site solutions like sending tapes to Iron Mountain…
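Carrying the restore-time estimate above through with the units written out, as an added derivation that is not part of the original post (it uses the post’s own figures: 150 GB of data, a 1.5 Mbit/s T1, a more realistic 1.2 Mbit/s, and takes 1 GB = 1000 MB). The same question is asked again further down this page in the Filesanywhere post.

```latex
\frac{1.5\ \mathrm{Mbit/s}}{8\ \mathrm{bit/byte}} = 0.1875\ \mathrm{MB/s} = 187.5\ \mathrm{kB/s}

t_{1.5} = \frac{150{,}000\ \mathrm{MB}}{0.1875\ \mathrm{MB/s}} = 800{,}000\ \mathrm{s} \approx 222\ \mathrm{h} \approx 9.3\ \mathrm{days}

t_{1.2} = \frac{150{,}000\ \mathrm{MB}}{0.15\ \mathrm{MB/s}} = 1{,}000{,}000\ \mathrm{s} \approx 278\ \mathrm{h} \approx 11.6\ \mathrm{days}
```

Dividing a megabit rate by 8 gives kilobytes, not megabytes, per second, so a full restore of this size over a T1 is measured in days rather than hours, which only strengthens the case for a provider that can ship media for a full-restore scenario.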

Well, everyone keeps talking about http://mozy.com and they claim to be able to backup all of these special files and they can overnight a DVD in the event of a full restore scenario.  So I guess that I just need to get an account and do some intense testing. (Of course General Electric is already using it for client backups, so who am I to question them? :-) )

  • One problem is that for clients with very large data sets, this gets really pricey.  Mozy charges $1.75/GB so 500 GB of data is $875 a month!  We can do it by hand to tape at an hourly rate and use Iron Mountain for cheaper than that.
  • I might look into idrive.com which is much cheaper ($49.95 for 500 GB) but they don’t advertise exchange or sql backups.
  • ibackup.com claims to do exchange and SQL for about $1/GB, but do they have the high-profile clients that mozy can boast?

Many times our clients run into the problem of sharing files with people outside the company.  Sometimes it’s just a simple matter of needing to send large files that cannot be attached to e-mail due to attachment size restrictions.  One simple (not highly secure) way to handle this is http://www.yousendit.com/.  I like this service because it’s the fastest and simplest way to send attachments up to 100 mb for FREE.  (Thanks to Shimi Ben Baruch for letting me know about this service)  You basically fill in the sender and recipient address and then upload the attachment.  The recipient receives an e-mail with an http link to the file.  SIMPLE.

A more challenging scenario is when you need to share an entire folder tree with outside users.  This is especially a problem when the files are being updated on a regular basis.  There are several things to consider here:

  1. Transport security – All companies need to always think about security.  It’s just foolish to move unencrypted files over the internet.
  2. User and password security – You want to be able to control and log who has access to what files and control that with individual usernames and passwords.
  3. End-user Simplicity – If a solution isn’t simple, then it won’t get used.
  4. Thin client – Web based solutions don’t require any installation or upgrades which make them cheaper from an admin point of view.

I’ve investigated a bunch of services and my favorite by far is http://Filesanywhere.com.  Here are some of the cool things you can do with this service when you purchase an account:

  1. Send large attachments – This is not as simple for the sender as yousendit.com, but there are many more features than yousendit’s free version, such as message tracking, password protection, etc.  (Not an apples-to-apples comparison, I admit. I might add a full comparison chart at some point.)  To send a large file, the sender logs into their filesanywhere account, uploads the file into their tree, then clicks on the share file link and fills out some parameters (limit number of downloads, limit time file is available, other cool features)
  2. Synchronize files – you can even install a thick client on a file server and synchronize files between your filesanywhere account and the file server.  I know what you are thinking, there are several problems with this.
    1. Is this program going to crash and bring down my fileserver? – Probably not: I’ve run it on several systems for almost a year now and it’s never crashed.  Also it has been well maintained and updated several times during that period.
    2. Is this a security hole? – Depends: I usually allow HTTP out from the file server to get windows updates, etc.  This can be a fully encrypted and user/password protected connection, so I like the security.
    3. Will files get wiped by accident? – This is one of my primary concerns: I like to set up staging folders that are used to mirror data.  You can set it up to push only, pull only or synch (based on size, newest, etc.)

Here are some scenarios to consider:

  • Data room – share due diligence with investors.  In this case, you can assemble the data to be mirrored into one tree and push to filesanywhere only.  No need to pull and all files are set to read only.  There is very little risk of server files being lost.  (I can’t think of how that would happen.)
  • Project teams – share project files with partners and contractors.  In this case, you would want to make the filesanywhere files read-write and the files on the server read-write.  Probably the only way to really do this safely is to implement file versioning (oh, didn’t I mention that was available through Filesanywhere?) as well as performing periodic backups throughout the day.  Also, you can use Windows Volume Shadow Copy if you have the disk space.

You can also use this service as an online backup – but I generally disapprove of online backup and don’t think that this is the best service for this anyway (I hear mozy.com is good, but I haven’t tried it yet).  I will rant about that separately, but for now let me say – differential backups are great – how do you do PST files, SQL databases, or Exchange Information Stores?  Also, what do you do when a real disaster happens and you need to restore EVERYTHING?  How long does 150 GB of data take to download over a T1? Anyway – I’ll save it for another time.

Filesanywhere claims to be: HIPAA, SOX, PCI, GLBA, ISO-27002, SAS-70 compliant and is independently audited.  I like the Multi-User Web Advanced workgroup plan.

*As with all services that I promote, I don’t receive kickbacks.  However, I might become an advertising partner at some point just because I like them and don’t mind making a buck here and there.