Shawn Ross' IT Blog

Automating Video Conversion, Part 1

2009-07-23T20:14:00.003-05:00

Part of my role here at Calvary is “other duties as assigned”. This blog post today is the first in a series with the goal of “documentation for myself and my coworkers category”. This post is from the viewpoint of an IT guy trying to help coworkers out (when you really need a Broadcast engineer for all this video stuff). You’ve been warned ;)

A little background:

Recently we started using MediaShout for some ministries (Youth, Children’s, etc.) It’s a very nice product, but definitely has some quirks. One of those is getting it to play QuickTime files. The nuances of video formats and vendors makes my head hurt, so we’ll skip most of it.

Our Children’s Ministry recently started using some curriculum from Re:Think Group. They get a “packaged” solution, and can adapt it to their needs. Unfortunately, Rethink doesn’t offer their files in a format that works well (supposedly it works perfect if you have Mac’s). Unfortunately we discovered this after purchasing the curriculum (which is marketed as working on Windows OOB).

Note to curriculum vendors: my next post will be highlighting automating this process. You’ll earn big customer loyalty if you provide your video in a format that a non-video/non-techie can use.

So, as part of my helping, I was tasked with finding a solution. After spending a few hours working with the people at Rethink, we reached the conclusion that the only way to get their files to work reliably was to convert them (they primarily provided some h264 format that didn’t work for us). Rethink recommended QuickTime Pro ($30). Fortunately we had a license handy to give it a go.

Using Quicktime to convert video files

Install QuickTime player, and then register your "Pro” version (the free version doesn’t convert files).
Open your source file in QuickTime (if it plays w/ QuickTime, you should be able to convert it)
File –> Export (specifying the destination directory)
Specify your export settings. In my case I’m exporting with the intent of using these in MediaShout, and I’ve previously decided on “mp4” files:

Choose “Movie to MPEG-4” in the “Export” menu:
Click the “Options” button. This will bring up the Export Settings dialogue. We’ll be changing a lot of these settings:
Note: many of these options stay in the format that you last used, i.e. you don’t have to change them every time.
First of all, change the “File Format” to “MP4” without the (ISMA). Don’t ask me why, I don’t know. What I do know is that vanilla MP4 worked, and MP4 (ISMA) didn’t work in our situation:
Next, we need to specify a video format. We decided on H.264, because it provides high quality, and high compression, and the source content is H.264:
Now we need to specify the “Image Size”. We’re just looking to do a format conversion (no scaling), so choose “current”:
Next we need to change the “Data Rate” (the amount of disk space used during compression). We’re going with 6000kbits/sec (that’s what I picked). Go ahead and replace the current setting with “6000”:
Now, we need to change some other, more advanced options. Click on the “Video Options” button:
We’re going to stick with the “Main” profile (that’s the default), but change the “encoding mode” to “Best Quality (Multi-Pass):

Click OK
At this point, we’ve set all the options. Before moving on, let’s review the options we’ve set:

H.264 Video (in an mp4 “wrapper")
maintain the video size/frame size
use a video compression rate of 6000kbps (6mbps)
use the default of 30 fps
AAC-LC audio, Stereo
128kbps audio compression rate
44.1 kHz

Click OK, name your file, and click “Save”
Go get a cup of coffee, and then (hopefully) it will be done converting your file. If you want to, you can start up multiple conversions simultaneously.

Note: We decided to use Sorenson Squeeze to automate this (detailed in my next post)

Clonezilla, Imaging and Sysprep

2009-07-07T16:13:00.002-05:00

My apologies for the long wait on a new posting. Chalk it up to living life ;) This is the first in a 2-part post.

This post here is of the "technical, document it so I don't forget" nature.

One of the "projects" that I've been working on lately is getting a more standardized installation of software on our computers.

To help accomplish this, I've been working with a volunteer, Phil, on using Clonezilla (currently the Live version). Up until now, we've been using all WindowsXP boxes. Here's an idea of the process as it happens (some of this is scripted):

NOTE: All installs are done as a local "admin" account, not as a domain account (more on that later). We use an internal software repository. This order is simply a guide, and what we've found works best from trial and error.

Install Windows XP on the machine (using the proper media)
Install any needed service packs
Join the machine to our AD domain
Add local administrator accounts, including setting passwords (we'll call these accounts "admin1" and "admin2" for now)
BIOS update (if applicable)
"System Software" ala Dell Desktop System Software
Chipset Software/Drivers
Graphics Card software/drivers
NIC software/drivers
If a laptop, management software, ala Dell Quickset
Audio card software/drivers
Wireless Card software
Touchpad/Pointing software
vPro/TPM software
Antivirus/Anti-Malware software (we use Sunbelt Vipre, a great product)
MS Office
MS Office addendum's (visio, etc.)
MS Office service pack's
Microsoft .NET Framework 3.5 & patches
Paint.NET
Foxit Reader
Mozilla Firefox
XP Previous Versions client
UltraVNC (used for in-house remote tech support)
Verify UltraVNC setup is working
Adobe Flash Player plugins
CDBurnerXP
ACS Facility Scheduler
ACS People Suite
ACS The Ministry Scheduler
Copy "Sysprep" folder to C:\ drive
Run Windows Update (preferably use Microsoft Update)
Setup and copy a clean user profile
- This is why we have 2 local admins. You need "admin2" so that you can copy the profile info from "admin1" to the "default user" profile
Run Sysprep
- we use "C:\sysprep\sysprep -reseal -quiet -mini -pnp"
- This cleans the SID's from the system, does all it's work with little/no intervention, and also "resets" the system (similar to how a new PC comes from the OEM)
- If you also create a "sysprep.inf" file, you can make the complete setup "unattended"
Image the machine. We use Clonezilla
Reboot, and watch the magic happen
Properly name the computer, and add it to the domain

Some possible "gotcha's":

If you use the "pnp" switch, upon first bootup (after you re-image a system), you will have to wait 3-6 minutes for Plug-n-Play to redetect hardware, but you get the added advantage of having images that can traverse hardware types (Core2Duo -> P4, etc)
I have ran into issues when working with large platform changes (i.e. very old P4 ServerWorks architecture to a new AMD architecture). This happens because the system doesn't have the proper IDE/ATA drivers in place, and sometimes different drivers don't play well together.
If you are moving between different hardware with one image, you need to include the proper drivers for all your systems before you image the machine.

This process works for us, even though it's very 2004. There are now better solutions, and Vista requires some rethinking/reworking of this process. At some point we'll upgrade. How do you handle imaging/deployment of your machine's?

House Purchase

2009-02-14T00:17:00.002-06:00

Today my wife Michelle and I started the process of purchasing a house.

Details at our family blog.

ESXi monitoring, for free!

2008-12-23T13:36:00.001-06:00

A few months ago I transitioned us from VMware Server to VMware ESXi, booting off of a USB flash drive. If you don't know about server virtualization, VMware ESXi is a great way to get your feet wet, and it's a stable, production-ready (IMO) product.

However, one of the things that eluded me (in both the "Server" flavor and the "ESXi" flavor) was proper monitoring. Sure, I could setup data on each guest VM, but that didn't give me any info on the host.

Fast forward to yesterday, and I hear through the grapevine that Veeam is offering a free ESXi monitoring tool. Go get it here.

I'm just downloading it today, but if it does what the "Features and Benefits" page says, then this will be a new must-have in my toolkit. More updates to come (hopefully) as I try it out.

HELP: ACS TMS to Facility Scheduler Conversion

2008-12-21T10:29:00.001-06:00

One of my current projects at Calvary is to work on moving us to the latest release of the ACS People Suite (10.1.1.2). Part of this process is getting all of our ACS The Ministry Scheduler data into ACS Facility Scheduler.

ACS Facility Scheduler is an "on demand" product. This means that all the actual data sits on ACS' servers, and they handle data integrity, backup, etc. for you. Months ago, we looked at converting to Facility Scheduler before ACS 10.0 came out. At the time, there were some issues we had (features missing). So, we waited until those features came out. When they arrived, I had other projects taking precedence, and consequently we rolled it all into the 10.x upgrade.

As part of our upgrade process, I found out that ACS has a great conversion tool to transfer your current ACS TMS data into Facility Scheduler. I first used this tool when we were testing the feature set. Before this 10.x upgrade, I got in touch with one of the ACS people about "resetting" our data so I could re-upload the current data. He kindly let me know that the latest version of the tool had this functionality built in!

However, if you take a look at the ACS Knowledge Base article or Facility Scheduler FAQ on the subject, you find that you can no longer download the conversion tool (and it doesn't show up in the previous "client downloads" section either).

Does anyone out there have the file "tmsconversion.exe" or "ACS_TMS_to_FS_Conversion.exe", the converter to move from The Ministry Scheduler to Facility Scheduler? If so, please shoot me an email: sross *at* calvaryonline.cc

Moving an Ubuntu virtual machine from VMware Server to ESXi (on a PE1950)

2008-10-03T11:41:00.001-05:00

Wednesday I migrated my PE1950 from VMware Server (1.0.2!) to ESXi 3.5 Update 2. During the process I ran into some issues moving my Ubuntu 6.06 LTS VM to ESXi. Here's the play-by-play (including my hardware upgrade).

Copy the VM's off of the VMware Server.
Verify the copied VM's work ok, and that you have valid backups.
Shutdown the PE1950.
Update the BIOS on the PE1950. Without a BIOS update, ESXi will not run correctly.
- Can you believe I was running 1.x, when we're now at 2.3.x! This box has been very, very reliable.
Unrack the PE1950, and replace the SAS 5/iR (no RAID) controller with a PERC 6/i controller.
- ESXi needs a hardware RAID controller.
- I was previously running software RAID-1 on the Ubuntu LTS host. We needed a reliable system, since this box had become mission-critical.
Install ESXi onto a USB flash drive (>=1GB).
Boot the PE1950, and setup the RAID array (2x300GB 7200RPM SATA in RAID-1).
After the array has initialized, reboot with the USB Flash drive plugged in (preferably to one of the rear USB ports).
Enter the BIOS (F2), and modify the boot order.
- I set the USB Flash Drive's mode to "Hard disk"
- Modify the boot order to include the USB flash drive as taking higher priority than the PERC array.
- Save and exit the BIOS.
Setup ESXi.
- ESXi will give you the IP you need for setting up the Virtual Infrastructure client, etc.
- Your RAID-1 array will be setup as your primary datastore (datastore1).
Use VMware Converter to move the vm's to the new ESXi box.
Boot up the Ubuntu guest OS.

Upon boot, you'll notice that the Ubuntu machine has no network connectivity. Here's how you fix it (commands you need to type are in bold):

Install VMware tools on the guest os (it's probably outdated)
- In the VMware Infrastructure Client, choose the VM, and then go to Inventory->Virtual Machine->Install/Upgrade VMware Tools
- log into the ubuntu console
- elevate your privileges to root level by running sudo su
- mount the cd-rom drive: mount /media/cdrom0
- change directories to the cdrom drive: cd /media/cdrom0
- copy the vmware tools tar archive to your tmp directory (making sure you pay attention to the name of your archive, including case):
  cp VMwareTools-3.5.0-110271.tar.gz /tmp/
- change to the tmp directory: cd /tmp
- extract the tar file: tar -xvf VMwareTools-3.5.0-110271.tar.gz
- change directories to the vmware-tools installer: cd vmware-tools-distrib
- run the vmware tools installer script: ./vmware-install.pl
Restart your networking: /etc/init.d/networking restart
Check to see if your NIC is now working properly. You can check your interfaces using the following command: ifconfig -a
If you are receiving an IP properly, you're probably OK. This didn't work for me.
DO NOT complete the following steps unless you have no network connectivity
Shut down the VM: shutdown -h now (remember, we elevated our privileges earlier to root)
Remove any NIC's that are currently in the VM.
After removing any NIC's that are currently in the VM, add a new NIC.
Boot the VM
I now had a NIC that my system recognized, but I wasn't getting an IP. The issue was with my interfaces file.
- Contents of /etc/network/interfaces:
  # The loopback network interface
  auto lo
  iface lo inet loopback
  
  # The primary network interface
  auto eth0
  iface eth0 inet dhcp
- Notice how it lists "eth0" When I ran "ifconfig -a" earlier, I received eth1 as an interface, not eth0
Change eth0 to eth1 in my interfaces file: vi /etc/network/interfaces (replacing eth0 with eth1)
Restart networking: /etc/init.d/networking restart

At this point, everything was working well.

VMware ESXi (bootable) USB flash creation tip

2008-10-02T03:38:00.001-05:00

Yesterday I went to install VMware ESXi on a Poweredge 1950. All along I wanted to get the system setup with a USB flash drive (and not use the onboard storage as my boot disk).

I did some research, and this blog post seemed to be the most complete posting on creating your own ESXi bootable flash drive.

So, I downloaded the ESXi installable ISO, opened up 7-Zip, and went for it.
I was very surprised that every time I tried to image the flash drive, I got an error in WinImage. Now, this was running on my Vista x64 box, so I went ahead and fired up a VM w/ XP Pro 32-bit. At that point, I attempted to re-image the USB flash drive, and things worked as planned

Moral of the story: Don't try and create a bootable USB flash drive using Winimage on Vista x64, it won't work! Use VMware (or another computer) to create the flash drive's ESXi install (apparently on a 32-bit OS).

AV Software Initial Thoughts: Sophos Endpoint Security

2008-09-09T13:02:00.001-05:00

During my "find a new Security Software" dance, I've narrowed it down to 3 vendors/products:

- Sophos Endpoint Security
- Eset NOD32
- Sunbelt Vipre

I'm going to focus on Sophos Endpoint Security here. If you're interested in Sunbelt Vipre, check out my previous post.

The setup is very easy on the server side. If you would like to install on an x64 Edition of Windows Server, you'll need to create the database ahead of time.
The local "agents" on your computer are pretty slim. They aren't as lean/mean as the Sunbelt agents, but do have the option of adding NAC and a firewall. I tested without NAC or firewall enabled. Running with open file/copy file protection enabled really slows things down.
Sophos is way ahead of our previous version of Symantec. It uses fewer resources, and actually catches malware (and removes it). Symantec at best reported Malware. Windows Defender did a better job than our version of Symantec.
Deploying the software wasn't an issue. I didn't try a Vista rollout, but some people have had issues with Vista rollouts. I'm assuming any Vista issues are fixed at this point (Vista SP1 has been out for a while now).
The Enterprise Console is very powerful and flexible. It is very busy, imo. I felt like I really needed to spend some time getting familiar with Sophos' admin philosophy before I was ready to go. This isn't a bad thing.
I saw some of the reports. There seem to be enough. I didn't play with customizations.
I was able to run the "Console" without any issues.
Licensing was straight-forward.
Sophos arguably has the most feature-rich product I've seen to date that doesn't eat your computer for lunch.

Sophos' pricing was extremely competitive. Their rep's were knowledgeable and courteous.

I really have no complaints about Sophos.

AV Software Initial Thoughts: Sunbelt VIPRE Enterprise

2008-08-27T11:40:00.002-05:00

I'm currently in a cycle of reviewing some Antivirus/AntiMalware software for our next round of protection.

Here are my initial thoughts on Sunbelt's VIPRE Enterprise (remember, I'm just a normal, non-AV-specialist IT admin trying this out):

The setup is very easy on the server side. Just make sure you have .NET framework installed (it will notify/install it for you).
The local "agents" on your network computers use a ridiculously low amount of resources (my Vista x64 box uses just 52MB of RAM when I turn all of the protection on; XP Pro uses less). Running with "open file/copy file protection" can slow things down.
Deploying the software to Vista machines is easy as pie. I've had some struggles with my XP boxes (haven't finished reading the proper way to do it yet).
The Enterprise Console can be a little slow at times when doing intensive tasks (like loading all of the threats in the database as a list, or sorting them).
A LOT of good reports come standard in the box.
Run the "Console" on a computer with a lot of RAM. When making changes to policies, etc. you can eat a huge amount of RAM. I ate 500+MB when doing some large list/policy settings.
Licensing is not complicated. I was very happy that it was straight-forward, and easy to understand

More updates to come! Up next is Sophos Endpoint Security.

Windows Vista Testing: Update 1

2008-08-26T19:28:00.002-05:00

Welcome to part one of my Windows Vista testing experiment!

I'm going to try and put this in a series of Pro's/Con's, with a summary write-up at the end.

Pro's:

It sure is pretty. My machine uses Aero Glass, and it's a breeze to look at. I'm not sure yet if it makes life "easier" or "better"
Font rendering is greatly improved. Looking at XP (even on the same exact hardware), it's not as smooth. This reminds me of the good font rendering Apple has had for a while.
I was able to "push" my AV client to the Vista install without a hitch.
Vista is capable of using more RAM than XP 32-bit.
Vista x64 is more stable than XP x64.
Sidebar gadget's have immense potential for making my job easier (think management).

Con's:

User Account Control can be very annoying. Especially when getting everything installed.
You can't right-click on a folder and "Search" anymore.
Searching for "*.mp3" takes a LOT longer than searching for "mp3".
Setting up Search Indexing is not easy. I keep on using the "Click to turn on the index..." link, but then it keeps telling me it's not on.
Vista x64 uses more RAM than XP x64.
Vista's Task Manager doesn't give you the "usual" picture on Memory usage:
- While using VMWare Workstation 6.5 today I noticed that my Sidebar was telling me I had used 89% of my 8GB of RAM. This seemed odd, because I looked in task manager and found that the largest process, explorer.exe, was using "186,104K". I only had a total of 80 processes, with 3 consuming >100,000K.
- Upon further investigation, I found that the default "Mem Usage" column from Win2k/XP has now been replaced with "Memory (Private Working Set)".
- To really see how much memory your processes are using, add the "Memory-Working Set" column.

Windows Vista: Testing Begins

2008-08-25T13:40:00.001-05:00

Yesterday/Today I installed Windows Vista Enterprise x64 on my new workstation as my 2nd boot OS (I also have XP x64). Look for upcoming posts about how this experience goes for me. I'll be trying to implement the following best practices:

- As much as possible, try to experience Windows Vista like a regular user on the network would. aka "Eat your own Dog food"

- Follow Microsoft's "assumed best/default way" as much as possible.

Here are a couple questions for you:

What performance "metrics" suggestions do you have?

Am I missing any obvious "Best Practices" that you would implement with your users?

ACS Backup Service

2008-08-13T15:06:00.001-05:00

For the past month I've been having issues with our ACS Backup Service. What this does is make a backup of the ACS Database to a network location. This is a crucial step in our DR process, because files in the backup location are replicated (tape, Disk, offsite).

The problem seems to be that the Backup Service doesn't want to run properly, and hangs in some way or form. I've worked with ACS, and at this point we're waiting for validation of ACS 10.0 (which we're hoping fixes the issue). In the meantime they suggested using the old, non-service backup program. This works, but also requires the user to be logged in. Being a server that I rarely touch, this server sometimes reboots for Windows Updates, etc. This creates an issue for us (seeing how you have to be logged in for the old backup tool to run).

So, I came up with the following script to restart the service. You can setup a scheduled task to perform this action at times you designate. This is a very basic script, and could be used to restart any service you're needing to restart at certain points in time:

net stop "ACS Service"
net start "ACS Service"
end

I'll definitely be finding other uses for this using Scheduled Tasks. Are there ways that you accomplish this more elegantly?

Test: Dew Revolution

2008-08-12T15:34:00.006-05:00

Beware, this isn't IT-related info! So, if you're looking for a tech fix, this isn't it.

Today during lunch I tried Mountain Dew Revolution, which is described as "Dew infused with Wild Berry fruit flavor and Ginseng". My Dad had a couple of cans of it, and handed them off to me (he doesn't "do" the dew).

Experience:
I had Dew Revolution while eating my Sinai Kosher Hot Dog and Buffalo Wings potato chips. It was a good combination. Dew Revolution seems to be similar to traditional Dew, but then again, without some of the Citrus "kick" I associate with Dew. It was almost "Sprite with Mount Dew".
Then I ended lunch. At this point I had some Dew Revolution left, and kept working on it. Then I had a revelation: I didn't like the taste. The Dew Revolution was definitely not like Sprite, Classic Dew, or the 2 mixed together. I didn't finish it.

Verdict: Good with lunch, but not as a stand-alone.

Will I buy Dew Revolution? Probably not. If it was a stand-alone drinkable product, I might substitute it here or there instead of the original. But it's not. It definitely "feels" like it has more caffeine/kick, but it's pretty slight. If I want that caffeinated kick, I'll have a Mocha, regular Dew, or Dr. Pepper.

AV software choices

2008-08-08T16:57:00.003-05:00

I'm starting the process of looking for a (possibly) new AV/malware protection vendor. We're currently using Symantec Corporate Edition, and the time has come for another round of licensing, etc.

Here's a short list of what I'm checking out in the next 2 weeks (hopefully I'll decide before August is over):

- Symantec Endpoint Security (apparently this replaces Symantec Corporate Edition)
- Eset NOD32
- Sophos Endpoint Security
- Sunbelt VIPRE Enterprise
- Avira Network Bundle

What other products should I be checking out?

VMWare ESXi resources

2008-07-29T10:30:00.003-05:00

Well, the blogosphere is definitely talking about the fact that VMware released ESXi for free as of July 28th.

I've started putting together some resources for when I decide to try upgrading from my current free VMware Server to ESXi installable. Here's some starting points:

Good "help" site on ESX 3.5/ESXi 3.5
ESXi drivers, etc. on whitebox hardware
VMware ESXi website

Does anyone have any other good links for VMware support (hardware for ESXi, etc.)?

New Workspace

2008-07-22T08:12:00.011-05:00

Well, because of some staffing changes, my office was recently rearranged. During the "move", I gained some desk space. At the same time, I also setup a new computer. The fast workstation I now have under my desk will be used for a Virtual "Test Lab", server staging, and (eventually) a network monitoring station. Here's some pics of the new layout:

Here's the hardware I'm working with:
1. IBM Thinkpad T43: Centrino 1.86GHz, 2GB RAM, 2x HDD (160GB total), removable DVD burner.
2. Custom Built computer (outside of pic): Core2 Quad Q9450, 8GB RAM, 300GB 10k boot disk, 1.3TB of usable disk space (1TB RAID-5 and 300GB RAID-0 array), Dual Nvidia 8600GT, Logitech Z4 speakers and a DVD burner.
3. Displays: 2x Benq G2400WD on an Ergotron Monitor arm, 1x Acer AL2216WBD attached to an Ergotron Laptop/Monitor combo mount.

The 2 Benq LCD's and the Acer are currently all hooked up to the Quad-core rig, and I'm using the Thinkpad stand-alone (although I sometimes use the Acer with it).

Software I work with everyday:
ACS People Suite
Microsoft Office 2007
Mozilla Firefox 3
Mozilla Thunderbird
Putty
UltraVNC
VMWare Workstation 6.0
Winamp

I'm thankful that I've got such a great setup of tools to use every day.

Data Execution Prevention and svchost error (fixed)

2008-07-09T15:15:00.005-05:00

Today, while trying to complete a user's Windows re-installation, I ran into an interesting issue giving me Data Execution Prevention (DEP) and svchost errors. Here's how it went down:

1. Clean Windows XP install (including SP2)
2. Installed XP SP3
3. Installed our "standard" setup (Office 2k, Publisher 2k2, ACS, Foxit Reader, CD/DVD burner, Windows Defender)
4. Installed the user's "needed" auxilary apps: iTunes, Quicktime, Audacity, Lame MP3 encoder.
5. Installed "useful" apps (trying to help the user out, since this computer has been a nightmare): .NET framework 3.5, CDBurnerXP, Paint.NET

Up until step 5, the computer was working exactly as planned, and had zero stability problems. Now, after installing .NET 3.5, CDBurnerXP, and Paint.net, things went haywire upon reboot. Suddenly I'm getting DEP errors, svchost errors, and things just aren't right (hard locks, no GUI, etc.). The exact errors were Event ID "1001" and Source "Application Error". Searching eventid.net and some other places yielded few, if any, results that were useful to me.

So, how (I) managed to fix this issue:

1. Uninstall Paint.net, CDBurnerXP, and then uninstall .NET 3.5 (notice the order there). This puts me at a "stable" config again.
2. Install .NET 3.5. REBOOT (this will cause any DEP and svchost errors to reappear upon boot-up).
3. If there are no issue, go ahead and install apps again, one at a time, rebooting after every installation.
4. I was able to install paint.net (the latest version) with no issues. My old version, 3.22, (that I originally was using) had issues with .NET 3.5.

If an app gives you an issue, find a new version (or don't install it). For me, it looks like Paint.net is the issue.

The crazy thing about this is that I have a lot of other copies of paint.net installed (with no problems). The problem here seems to be related to paint.net (which I had an old version of) and .NET 3.5.

Have you had similar issues with other .NET enabled software?

Google Apps Scripting

2008-06-04T16:12:00.001-05:00

We've been a happy Google Apps customer now for about 3 months. The experience has been positive in every way that I've seen so far.

In my free moments, I often look at our growth over the next years, and in the process I'm re-evaluating the way we do all kinds of things: email, phones, internal communication, security, usernames, etc. This brings up a good point in the case of Google Apps:

How do I handle the "scripting" and other abilities that you get with a piece of software like Microsoft Exchange? Does Google Apps have the ability to use a language for automation of certain tasks (ala using scripts to do Active Directory tasks). I know that you can use scripts to help automate the tasks associated with creating new users, etc.
Google Apps has their API for a Single Sign On implementation. We haven't implemented this yet, but what limitations are there to this model? I would love to implement SSO across our "enterprise" (of about 85 computers ;) However, I'm currently facing all kinds of hurdles here: Database username restrictions, old habits, standards creation...
How do you handle and maintain changes across your complete domain with a web-app like Google Apps? Does anyone using a SaaS product like FellowshipOne have any experiences with multi-user changes (without having to go through each one at a time)?

How do you approach the "unification" issues in your organization? Does management at the higher levels make a decision? Does it kind of grow over time, unofficially? What approach do you take to admin issues when looking at SaaS type products?

iPrism experiences

2008-05-16T16:07:00.006-05:00

We're using a St. Bernard iPrism for our filtering here, and it's been a stellar product to work with. Here's a taste of what we've seen when using it:

- An improvement in the amount of perceived "wasted time"
- A great job in filtering out the bad content (porn, etc.)
- An excellent job in reducing the amount of malware-related materials. As an example, we don't have an enterprise anti-malware/spyware solution. The iPrism blocks malicious sites, and that takes care of almost all instances
- A reduction in the amount of viruses our virus-scanners have to address

These are all great examples of why the iPrism has been a big win for us. However, I've recently had 2 issues:
- There is no "social-networking" type of monitor. It's currently all or nothing. Other competitors are now coming out with these features, and it appears to be a hole in iPrism's lineup. I need an elegant way to handle social networks.
- IP spoofing: I've recently (over the last 3 days) had a LOT of issues with blogger.com It appears that Google (who owns blogger) distributes their servers, and this has caused a lot of issues with IP Spoofs. I'm talking to them now about blogger.com It seems that any time I need to write a blog post (or anyone else here), the "Sign in" bar, etc. is blocked. The "blogger.ch" domain is marked as pornography/nudity, and at the same time, if I add an IP-Hostmap entry, it works just fine.

Would I buy the iPrism again? most likely
Would I renew our support/updates contract again? definitely

So, are there any other iPrism users out there who can enlighten me?

Security Hardening? Windows, Linux?

2008-05-15T14:56:00.006-05:00

Here at Calvary I run a few different OS'es for my services: Windows Server 2003 (not R2 yet), Ubuntu Server Edition LTSP, Windows Server 2003 Storage Edition, and pfSense (via FreeBSD).

I read this article over on ars technica about SSH attacks rising (for the short-term it seems). I also read a good portion of the discussion that followed in the forums. The following comment got me pretty good.

Posted by "Muerr":
SANS suggests using the CIS Benchmarks (http://www.cisecurity.org/) as a starting point for hardening your systems according to the Defense In Depth principles taught in SANS courses.

Part of the security implementation should include disabling remote root login from ALL services, not just SSH. In fact, all unnecessary services should be stopped and disabled completely. If you must login as root remotely through SSH, use the option "PermitRootLogin without-password" which will enable SSH key authentication only. TCPwrappers are also desirable, as part of a 'default deny' security stance, and only allowing specific IPs or networks to connect to the sshd daemon.

Security through obscurity is only "good" against casual attacks. A dedicated attacker will find your SSH daemon running on port 10783 or whereever, because they're going to do a full port scan first.

I encourage everyone to read the CIS Benchmarks to get started on securing their Linux and Unix systems. That goes for MacOSX - if they don't have a benchmark, check out one of the BSD documents, since Mac OSX kernel, Darwin, is based on BSD.

Also, SANS provides a number of papers on security in their reading room, and of course, their training courses are probably the best in the industry. http://www.sans.org/

How hardened are my systems? How hardened are most Churches IT assets? Do we pay much, if any attention to "hardening" a system after setup/installation? Should we?

I know that we pretty much block anything from coming into our network at the firewall level (security through deny all).

What do you do, if anything to "harden" your systems?

WD and RAID????

2008-03-26T09:50:00.005-05:00

So I was recently looking to put together a NAS box as part of a possible D2D2T implementation. My plan went the following way:

Get a case with a lot of drive bays
Purchase a cheap (but reliable) Mobo/Proc/RAM system (with lots of PCIe ports)
Install FreeNAS on a CF card
Purchase a RAID card (say this one) and hook up a bunch of drives

So when I was looking into this, I started looking at options like staggered spin-up and other reliability features, and e-mailed Highpoint to make sure the drives would play nice.

Here's what I got back:

"WD drives no longer support Staggered Drive Spinup.
In fact, some of their disks are reported to have serious problems with this option - if enabled, the disks will no longer be detected by non-RAID controllers.
Unfortunately, the disks do not actually support the setting, so it cannot be disabled.
This issue is not unique to our products.

NCQ should still function normally, but we would recommend contacting WD for more information."

To me, this is a little disturbing. WD drives don't supported Staggered Spinup, and there's no way to run in a "protected" mode?

For now this is a non-issue for me, as we've learned that we're not going to need the D2D2T strategy for the time being. If we re-visit this, we may need to look into how this shakes down.

SheldonS mentioned today in #citrt that he thought there was a firmware update that fixes this, but I would think that the Highpoint people would know about it.

Have you had any experiences with staggered spinup and Western Digital (or other drives)?

Cabling Clean-up: Phase 1

2008-03-24T12:24:00.003-05:00

So in my previous post I mentioned adding some NeatPatch units to clean up the cabling. Well, today I got started. Here's the beginning of Phase 1, where I get a couple NeatPatches installed, and start trying to get the slack tightened up (and also allowing the patch points to move around).

Network Messiness

2008-03-20T15:48:00.005-05:00

I've been working here at Calvary for going on 2 years now. In all that time, we've had a pretty simple network: 1 Rack that is our IDF, server rack, everything. It's worked very well, and has been simple to manage.

Just one problem: we're growing!

As part of our growth, along with the addition of a 2nd rack (in another part of the building), we're getting things tidied up. So, first up is our current main rack (which is essentially full). Here are some before pics that I will let you gawk at before I get it all cleaned:

That's the front

That's the side/entry point for most of the cables through the drop ceiling.

To help combat this, I picked up a few NeatPatch units from Jason Powell.

More pics to come as I get started!

MozyPro: Update

2008-03-10T11:39:00.005-05:00

So in case you haven't noticed lately, Mozy is increasing it's cost for storage.

I went to do some investigating (to see how this works for us), and finally got a clear answer:

Current customers will experience the change like this:

- On the switchover (the 11th of March), Mozy will introduce their "new" admin interface, which will allow you to consolidate (and I'm assuming) simplify your management.

- The "new" interface will have 2 modes for backup: Desktop and "Enterprise-y". I say Enterprise-y (is that a word??), because it appears they have 2 levels of Enterprise, "MozyPro" and "MozyEnterprise". Enterprise gets you guaranteed response windows, and a couple other features, whereas current MozyPro customers are getting the same as their used to with MozyPro.

- With the new interface, you can purchase desktop licenses and storage at their current rates ($3.95/license, $0.50/GB)

- With the new interface, there will be a "Grandfathered" section. This is where you buy storage for "Grandfathered" licenses at "Grandfathered" rates.

- If you have a license for the "MozyPro" type with the new interface/pricing structure, you can buy as much storage as you like for only $0.50/GB. Note that this only applies to storage for "Grandfathered" licenses.

- If you need more licenses or storage after March 11th (tomorrow!), then you will pay the new rates ($6.95/license/mo., + $1.75/GB/mo.).

SO, the moral of the story is, BUY MORE LICENSES NOW, and then add whatever storage you need as you need it.

I personally love this model. I think this is a home-run for Mozy also, because they get to keep their current customers, strengthen their current customers loyalty, and also do what they're trying to do: make money. Of course, I would rather them keep the prices the same, but that does not appear to be possible.

Vista x64 Volume: More egg on Microsoft's face

2008-03-07T13:14:00.006-06:00

So I'm trying to install Windows Vista Business English x64 (64-bit), and realizing further why IT departments are frustrated at Microsoft: the product line is incomplete!

Being a Microsoft Volume Licensing customer, they make install images for most of their products available. This is part of a recent change they made, where you can download the needed installer, instead of having to pay for and get a media kit shipped. I've loved this recently, because it's a huge time-saver, and saves us money (media kit's are between $15-$30).

HOWEVER, it appears that Microsoft does not want to make this easy for Volume license customers. You can log-in to your eopen/MLVS account, and download 32-bit media for pretty much any version of Vista, but 64-bit is nowhere to be seen! This seemed a little odd to me, so I made a couple phone calls. First up was our reseller, SHI. My rep there, Brian Spence, mentioned that the only media kits available are done online through the eopen site. However, if you go and try to find the media kits for 64-bit, they're "invisible";) So, next I called Microsoft eOpen support. They at first were utterly confused what I was talking about, and then they tried it for themselves. Needless to say, they couldn't get it downloaded either, so they then told me that I must order the media over the phone (since that was the only way it was available). When I asked why it wasn't available for download, and when it would be available, they had no answer or timetable.

This all underscores one thing: lack of a consistent experience. As an administrator (and user), when you tell me that you're going to make it easier, and you're trying to promote your flagship OS, wouldn't you want to provide a positive experience? Apparently not. I really had to pry to find out why the 64-bit version wasn't available, and I also had to then spend more money! No one had an answer for my on why it was this way, no one apologized, and no one offered me a free media kit.

So, this makes me wonder: does Microsoft really care about their new flagship OS, and getting customers to care, or are they just trying to ruin their reputation?