Saturday, April 08, 2006

 

Virtual Server 2005 Installation Error 1402

Microsoft have decided to give away Virtual Server 2005 for free, gratis, without cost. You can download it from here


However when it came to installing it on my XP SP2 machine, it would fail, returning the following error:

Error 1402. Could not open key:
HKEY_LOCAL_MACHINE\Software\Classes\Msxml.2.DOMDocument.4.0\CLSID. Verify
that you have sufficient access to that key, or contact your support
personnel.


To resolve this (after much annoyance) I gave the system account full control over the Classes key. Interestingly, giving the system account full control to CLSID did not resolve it.

Monday, April 03, 2006

 

DHCP Class ID

What is a Class ID, and why would I need it?

Have you ever been in the situation where you need to assign a different default gateway to a certain group of people? Or maybe you're about to migrate half your users to a new domain but still want to use one DHCP Server?

Obviously what you need is a Class ID. There are two types of Class ID: User Classes and Vendor Classes. I'm only going to mention User Classes from now on.

Once a Class ID is configured on a client's LAN connection, the DHCP Server will check for a matching Class ID when distributing IP addresses (and associated config).

To configure a class id on a client machine you use the command

ipconfig /setclassid "local area connection" classid

where classid is the name of your new class.

Now open the DHCP MMC
Right click on your Server and click on define User Classes.
Click on the add button, and enter the name of your new class.

Expand your scope and go to the Scope Options.
Here you should mirror your current config (except the setting you want to be different), but when defining the options click the Advanced button, and choose your classid.
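To show what the server is matching on, here is an added example (not from the original post) that parses the options field of a DHCP request, pulls out the User Class option (code 77) and picks the router accordingly. The class name "newdomain", the addresses and the assumption that the client sends the class ID as the raw option payload are all illustrative.

```python
import ipaddress

USER_CLASS, ROUTER, PAD, END = 77, 3, 0, 255  # DHCP option codes

def parse_options(raw):
    """Split a DHCP options field (after the magic cookie) into {code: bytes}."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % code)
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return options

# Hypothetical scope configuration: default options plus one user class whose
# option set mirrors the default except for the router (default gateway).
SCOPE_OPTIONS = {
    None: {ROUTER: "192.168.1.1"},
    b"newdomain": {ROUTER: "192.168.1.254"},
}

def router_for(raw_options):
    """Return the router a class-aware server would hand to this client."""
    class_id = parse_options(raw_options).get(USER_CLASS)
    chosen = SCOPE_OPTIONS.get(class_id, SCOPE_OPTIONS[None])
    return ipaddress.ip_address(chosen[ROUTER])

# Constructed request options: message type (53) = DISCOVER, then option 77.
WITH_CLASS = bytes([53, 1, 1, 77, 9]) + b"newdomain" + bytes([255])
NO_CLASS = bytes([53, 1, 1, 255])

if __name__ == "__main__":
    print("with class:", router_for(WITH_CLASS))
    print("no class:  ", router_for(NO_CLASS))
```

The class ID is just a string the client chooses to send, so it is a way of handing out different configuration, not a way of controlling who gets it.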

Tuesday, March 28, 2006

 

Windows 2003 Anonymous Connections

Out of the box, Windows 2003 will accept anonymous connections to the Inter Process Communications (IPC) share (which is IPC$). This is known as a null user and surprisingly is necessary for some communications with NT4.0.

To check whether your Server will accept anonymous connections you can employ the NET USE command.

NET USE \\Server1\IPC$

This should return

“The command completed successfully”

From here you have a multitude of options open to you. Anyone with a NetBIOS connection to your server can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user. Let’s start with something simple like enumerating Share names.

NET VIEW \\Server1

Not particularly interesting, but depending on our motives, it could be useful.

If your Server accepts anonymous connections it is highly likely that it will also allow SID to Name translation. And as we know, several Active Directory accounts use a default RID (Relative ID). Let us assume our Admin has been somewhat on the ball when he configured the system and has renamed the default Administrator account. First we need to identify the SID of the domain, so we need to know the name of either an account on the domain or one of the default accounts.

Using Sysinternals PsGetSid

The command

PsGetSid “Domain Admins”

Will return

S-1-5-21-12345678-123456789-1234567890-512

(I have of course made this up)

The RID is the final component of the SID, here the last 3 characters (512).

Therefore we know the default administrator account will have a SID of

S-1-5-21-12345678-123456789-1234567890-500

Using JoeWare's SIDTONAME we get

[User]: Domain\Scott.Cross

We now have the account name of the Built-in Administrator account. Okay this isn’t enough to compromise a system. But it’s already undone any work the admin has done by changing the administrator account name.

The easiest way to disable Anonymous Connections is to use a Group Policy. The following four options are what need to be set:-

Network access: Allow anonymous SID/Name translation
Network access: Let Everyone permissions apply to anonymous users
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares

As always check the phrasing before deciding whether to enable or disable an option. I often have to think about the double negative.
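To take the guesswork out of the double negatives, here is an added example (not part of the original post) that reads a security template exported with secedit /export /cfg and reports, for each of the four options, how it is currently set and whether that setting blocks anonymous access. The sample export is constructed for illustration.

```python
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa" + "\\"
# policy name -> (section, key, value that blocks anonymous access)
CHECKS = {
    "Allow anonymous SID/Name translation":
        ("System Access", "LSAAnonymousNameLookup", 0),
    "Let Everyone permissions apply to anonymous users":
        ("Registry Values", LSA + "EveryoneIncludesAnonymous", 0),
    "Do not allow anonymous enumeration of SAM accounts":
        ("Registry Values", LSA + "RestrictAnonymousSAM", 1),
    "Do not allow anonymous enumeration of SAM accounts and shares":
        ("Registry Values", LSA + "RestrictAnonymous", 1),
}
# Constructed sample: SID/Name translation and share enumeration left open.
SAMPLE_EXPORT = r"""
[System Access]
LSAAnonymousNameLookup = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
"""

def parse_template(text):
    """Return {section: {lowercased key: int}} for the template text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            data = value.split(",", 1)[-1].strip()  # "4,1" -> "1" (4 = REG_DWORD)
            if data.isdigit():
                current[key.lower()] = int(data)
    return sections

def audit(text):
    """Map each policy name to (displayed state, blocks_anonymous flag)."""
    sections = parse_template(text)
    report = {}
    for policy, (section, key, safe) in CHECKS.items():
        value = sections.get(section, {}).get(key.lower())
        state = {None: "Not defined", 0: "Disabled"}.get(value, "Enabled")
        report[policy] = (state, value == safe)
    return report

if __name__ == "__main__":
    for policy, (state, ok) in audit(SAMPLE_EXPORT).items():
        print("OK " if ok else "FIX", policy, "->", state)
```

A real export is normally written as Unicode, so read the file with encoding="utf-16" before passing its text to audit().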

Check here for possible repercussions before you make a change.

 

Intel's Quad Core Processor in time for Vista

Intel have announced they will ship their Quad Core Processor in the 1st Quarter of 2007, in line with Microsoft's release of Vista OEM.

The new Processor code-named "Kentsfield" was first mentioned in December 2005, when it was said to be running 2 cores with 4MB of Cache. Given it is now going to have 4 cores can we expect 8MB of Cache?

Monday, March 27, 2006

 

Are you being served?

Excuse me while I commandeer Scott’s blog to have a small rant about online service.

This weekend I had a bit of spare cash, so, after having a nightmare in town on a Saturday afternoon I thought that I would have more luck online. So come Sunday evening I settle down with a glass of wine and a load of URLs to try out.
Good idea in theory.

I started at River Island. Brilliant website, you can easily find what you want and all the pictures are very clear. They even accessorise it for you! What more could a girl ask for? However I then tried to actually buy something. I’d got to the point of filling in all my details and they wanted my credit card. And then told me I needed pop ups enabled. So I enabled them through my browser (IE6) and the page refreshed. Only the site was written in flash so I went all the way back to the beginning. And sat there staring at the home page wondering what to do next.
At this point I decide to try and log in thinking that the information may have been entered into their database. It was and I could log in. And there was my basket in the “view order” section. Noted as “ordered”. Hmmm no option to pay.
Well I decide that as I hadn’t entered my credit card details they can’t take any money off it or deliver my stuff, so I go back through the whole process, finding my items, adding them to the basket, and reorder, this time making sure that pop ups were enabled so that I could pay.

It makes me fume – did no one test the site???? Did no one put a test transaction through, just to make sure it worked on all the most common setups that people have? And if they did why in God’s name did they not put a notice on the site asking people to make sure they had pop ups enabled when it came time to pay?
I work for a web design company. I’m not a developer but I do work there. And as a non-techie a big part of what I do for our clients is test the sites before we hand them over. Make sure that everything works. Because for all their brilliance technical people just don’t think of things the same way that non-techies do. They forget the rest of us are mere mortals and don’t automatically have this, that or the other installed, enabled or whatever.

But my rant doesn’t end there! Oh no – there’s more, much more!

I tried another website to buy a handbag (yeah I was in the shopping zone!) http://www.yoox.com/, again a pretty good website, clear, quite easy to navigate, great pictures of the products and a couple of really good features such as a running tally of all the products you looked at in more details. I picked out my handbag. Popped it in my basket and went to pay. Filled in all my details and pressed the button to give them the money.
First thing that happened was that the Verified Visa authenticate pop up happened (again I needed to enable pop ups grrrrr). Now I’m not the most up to date person perhaps – but this looked an awful lot like phishing software to me – isn’t this what the banks keep telling us not to do? Give our bank details to anyone? Enter them on any site but the official site that we type in ourselves? Shouldn’t they have told us about this? And of course it won’t let you pay until you give them all your details and sign up for the account. So I do a bit of research on it and reassure myself that it’s legitimate. (more effort expended so that I feel comfortable giving them my money – shouldn’t they be doing this?)
So I fill it in and get sent back to the site, only to be told “My Transaction can not be processed”. Hmmm. Check my online bank accounts and credit card statements – I’ve definitely got the money. Maybe I’ll try another card cos I might have tripped the security on my credit card by using it online so much? (we bought wine online earlier in the evening) So I try another visa card. Same message.
By this point I’m getting pretty wound up that they won’t take my money – and I really want that bag (or else I wouldn’t have bothered!) But I decide to go to bed and try again in the morning.
So bright and early Monday morning I phone up the helpline and get informed that they are having a problem with Visa. So if I just put the same card through but as Switch then it will work no problem. WHY DOESN’T IT SAY THAT ON THE SITE????? I suggest (much more politely!) and the girl has a light on moment and replies, “Oh yeah that would be a good idea, I’ll pass that on to my manager as a suggestion.” Good plan
So I go back, enter the card as a Switch and finally, buy my handbags.

At this point I would like to really compliment Topshop.com on their site. It’s clear and easy to use, great graphics, you can find everything you want and they give you all the information straight away. When you go to purchase it does require a pop up but they use flash and java script to get around the problems that River Island had. I had absolutely no problems or questions getting around the site or purchasing. You can see why they are dominating the high street market because they are so on the ball and organised. They’ve realised that just because their products aren’t expensive doesn’t mean they can’t offer first class service. And that the first class service will have people buying in much higher quantities much more regularly, and therefore increase their profit margins – which is what it’s all about at the end of the day.

There is one more site I have to gripe about. Mango.com. Not only do you have to go through about half a dozen pages to get to the UK shop when you get there it’s a nightmare!
I do a lot of shopping online and it normally takes me about 20 secs to figure out how to get around a site. Not mango. It took me a good 5, very confusing, minutes to figure out what to do and how to do it. Despite the entire site being written in flash the menu has no animation or alterations during navigation to let you know if something is a link let alone if you’ve actually clicked on it. When you do click on a link all it does is change the TINY pictures in the top right hand corner. So you don’t even realise that it’s worked. When you do finally figure it out you then have to click on every single image to actually see a large enough version of it to be able to tell one item from another. I could only bear to look at handbags – the thought of having to click on each individual item to decide if it was something I wanted to look at was just too long winded to bear.
However I found a couple of bags I liked enough to have a closer look at and chose them to purchase. Only, guess what? The checkout service doesn’t work. Mango is a Spanish company so all the error messages were in Spanish as well! So no clue for your average English user. I tried refreshing a couple of times and then decided that it was obviously not my night for shopping and gave up and went to bed.
This morning I thought I’d try again, assuming that their web support would have been on the problem first thing this morning. Oh no – we’re dealing with Spanish people here so it will be manana obviously! I logged onto the online help to find out what was going on (nice idea by the way, and I was very promptly speaking to someone) And was curtly told that there was too much traffic on the internet and to come back later. I mentioned that the problem had been there since Sunday night – was midnight on a Sunday usually their busiest time? And got no reply. Hmmm.
Tried to ask an hour or so later and was told that the problems might be because the IT dept was doing some work on the site (like fixing it??) When I asked why they didn’t inform people that the payment system was down I was told that there was no point as they didn’t know how long it would take. Errrr ok – you don’t know if it’s going to be hours or days but feel no need to tell your customers that????? The mind boggles.
If you were going to close your shop or office you’d tell your clients right? I mean they might want something. In fact you might offer an emergency number or an alternative way. At the least you’d put a sign up saying “Sorry we’re closed because the roof fell in, we’ll be open again tomorrow once we have it fixed” ? But apparently these same rules don’t apply online because we’re not real human beings, we’re just “users” or “hits” or “conversions” or any of those other terms used to negate the fact that we are real people at the end of the phone line. If sites took the time to treat their users as human beings they might find they made a hell of a lot more money.

Wednesday, March 22, 2006

 

Vista slides downhill into 2007

Microsoft announced that the OEM version of Vista will not be available before 2007. Looks like those big OEMs wanting to get a sparkly new toy out for Xmas will have to wait. Interestingly, Volume License subscribers will be able to get their hands on it in November 2006.

I can't remember the last time an MS product actually shipped on time, with the features originally announced. SQL Server 2005 was late, and rather than keep delaying it they dropped features. WinFS will no longer be part of Vista, and may hopefully appear later.

Should we be waiting for Vista R2?

Thursday, March 16, 2006

 

Comments open to all

I've decided to open the option to comment to all. No longer do you have to be a member to leave a comment on this site.

However, as it's my name at the top of the page I do reserve the right to moderate comments. So, play nice!

 

Domain Controller Load Testing

You have deployed two Domain Controllers at your company’s new site, and as per MS’s recommendation they’re both Global Catalogue Servers. Everything is running fine and as usual you’ve done a great job.

What happens if someone decides to double the number of users at this site? Will your DCs cope with a 100% increase in load? How can you tell?

What you need is the Active Directory Performance Testing Tool. ADTest is a load generation tool designed to simulate client transactions on a host server.

Don't forget this tool is for load simulation and therefore capacity planning. Make sure you understand the difference between your tests and your live environment. The results should probably be seen as a guide rather than an official answer.


Wednesday, March 15, 2006

 

Group Policy Common Scenarios

Need some pointers on how to implement Group Policy in your enterprise? Microsoft have a white paper detailing common scenarios and Group Policy implementation. Have a look here.

 

Administering Group Policy

Microsoft have a number of tools to assist in administering Group Policy. Two I’d never come across until today are:

Group Policy Settings Reference – An Excel spreadsheet which shows details on every GP setting in Windows 2003 SP1, with an explanation and the Registry Keys modified.

Group Policy Inventory – A tool designed to collect Group Policy and other information from any number of computers in your network. It works by running multiple Resultant Set of Policy (RSoP) or Windows Management Instrumentation (WMI) queries.

 

Access Based Enumeration in Windows 2003

I know this has been around a while, but I have never had the chance to implement it. Basically, it works by only letting people with the relevant access permission see folders or other shared resources. So if you don’t have permission to see it, you don’t see it. To a certain extent it’s ‘security through obscurity’, but as it is in addition to NTFS permissions, it’s not that bad. Sure, you can do something similar using the $ suffix, but that hides the share from everybody. This way, the designated users can see the share and no one else.

You can download Access-Based Enumeration from here

Once installed, when you look at the properties of a shared folder, there is a new tab called ‘Access-Based Enumeration’. Here you can turn on ABE on a per share or per server basis.

Happy hiding!
