Digital Locksmith: Resetting the Directory Services Restore Mode password on Windows Server 2003
Do you have a friend that you call when you have some totally off the wall question about IT related stuff? Well I am that friend for most of the people that I know for some odd reason, and some of the questions I get are doozies.
For instance I get this call yesterday afternoon:
Friend in need: “Hey man how’s it going?”
Me: “Not bad, working on getting our new accounting software set up, Go Live is next Monday, so I just want to make sure everything is right, you know.”
Friend in need: “Cool, hey do you know how to reset the Directory Services Restore Mode password on a WS2003 box?”
Me: “Wait, what?”
Not your everyday run of the mill question. This is an interesting type of problem, where you need thing A to get thing B, but cannot get thing A without already having thing B, or what I like to call “The Bill and Ted Conundrum” (excerpt from Bill and Ted’s Excellent Adventure):
Bill: Ted, while I agree that, in time, our band will be most triumphant, the truth is, Wyld Stallyns will never be a super band until we have Eddie Van Halen on guitar.
Ted: Yes, Bill, but, I do not believe we will get Eddie Van Halen until we have a triumphant video.
Bill: Ted, it’s pointless to have a triumphant video before we even have decent instruments.
Ted: Well, how can we have decent instruments when we don’t really even know how to play?
Bill: That is why we NEED Eddie Van Halen!
Ted: And THAT is why we need a triumphant video.
The Directory Services Restore Mode (DSRM) password is somewhat of a last-ditch safeguard put in place by Microsoft to protect Active Directory. Without the DSRM password, you cannot restore Active Directory. This prevents attackers from creating a new Active Directory and then restoring it over your Active Directory, thereby completely pwning your network.
But what if you need to restore Active Directory, and do not have the DSRM password? Like if the SysAdmin who built AD originally did not document it and then left the company? Now we are in The Bill and Ted Conundrum: you need the DSRM password to restore AD, but you don’t have the DSRM password.
Luckily for us, Microsoft has their own version of Rufus with his time travelling Phone Booth for WS2003: the NT Directory Services Utility (Ntdsutil.exe).
To reset the DSRM password in Windows Server 2003 using Ntdsutil.exe:
- Log on to the domain controller using an account with administrative rights.
- Go to Start>Run and type: cmd {ENTER}.
- At the command prompt, type: cd %SystemRoot%\System32 {ENTER}.
- Type: ntdsutil.exe {ENTER}
- Type: set dsrm password {ENTER}
- Type: reset password on server null {ENTER}
- Enter the new password when prompted.
- Confirm the new password when prompted.
- At the DSRM command prompt, type: q (to exit) {ENTER}
- At the Ntdsutil command prompt, type: q (to exit the utility and return to the command prompt) {ENTER}
Now that the DSRM password is changed to something you know, write it down this time. In the immortal words of The Great Ones: Bill, Ted: EXCELLENT! (cue air guitar)
Banish Windows Notepad: Replacing Notepad with Notepad++
It’s no secret around these parts that I hate Windows Notepad. It hasn’t been updated (in any useful way) since Windows 95, and is just plain inadequate for most tasks I need a text editor for. Up to this point I have been content to simply never use it; however, as I am finding myself working with text files more and more these days, I would like to completely replace it.
Now obviously I am a big proponent of Notepad++, and this would be my ideal replacement for notepad.exe. Luckily for me, there is a launcher made specifically for this. Before we begin, we will need to download the following files:
Once we have these files, we can begin the process:
- Install Notepad++.
- Unzip the Notepad++ launcher, and have it ready to be copied (we will need to put this in a couple of different directories).
- Turn off hiding of hidden files in Tools->Folder Options->View.
Now at this point it is pertinent to mention that there are several methods that may work for replacing Notepad; you may need to try each one until you find the one that works for your OS version (Method 1 worked for me on one XP SP2 install, but I had to use Method 2 on another).
Method 1
- Go to %windir%\system32\Restore
- Select filelist.xml, right click->Properties and uncheck Read-only
- Edit the file, adding the line <REC>%windir%\notepad.exe</REC> inside the <Exclude> element, so that it reads:
<Exclude>
<REC>%windir%\system.ini</REC>
<REC>%windir%\tasks\desktop.ini</REC>
<REC>%windir%\win.ini</REC>
<REC>*:\AUTOEXEC.BAT</REC>
<REC>*:\CONFIG.MSI</REC>
<REC>*:\CONFIG.SYS</REC>
<REC>%windir%\notepad.exe</REC>
</Exclude>
- Copy the Notepad++ launcher to %windir%\system32, replacing notepad.exe there with the Notepad++ launcher.
- If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.
Method 2
- Copy the Notepad++ launcher to %windir%\system32\dllcache
- Copy the Notepad++ launcher to %windir%\system32
- A dialog will pop up; hit Cancel.
- If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.
Method 3
- Copy the Notepad++ launcher to %windir%\servicepackfiles\i386
- Copy the Notepad++ launcher to %windir%\system32\dllcache
- Copy the Notepad++ launcher to %windir%\system32
- Copy the Notepad++ launcher to %windir%
- When you replace notepad.exe in %windir% and %windir%\system32, a “Windows File Protection” message box appears; click Cancel. Then another message box appears; click OK.
- If this worked, you should now be able to open a Run dialog, and type: notepad {ENTER}, which will launch Notepad++.
Now, enjoy the goodness that comes from having a real text editor as your default text editor.
Can you hear me now? Know when your email got to their BlackBerry.
I just love hearing “oh sorry, I didn’t get your email” as a response when I ask someone for a response for the third time. Especially when I know that person has a BlackBerry. When it’s from users on my BlackBerry Enterprise Server (BES) I usually just create a help desk ticket from their “oh I didn’t get your email” response, and then attach a screen shot of the BES log showing that it was in fact delivered to their BlackBerry.
Then they forget that I can do this, and in a few weeks I have to repeat the whole thing. But what do you do when the person you’re sending email to doesn’t have a BES, or is not on your network?
Apparently the good folks at RIM are one step ahead of me, as they have a solution to this nonsense built in. Keeping in mind that this will only work with actual BlackBerry devices (I’ve confirmed that it works with a BES server, and using the BlackBerry Redirector for peeps without a BES), send an email to the address that gets delivered to the BlackBerry with <confirm> as the subject, and in a few moments you should get a reply that looks something like this:
As you’ll see in the screen shot, you can use this functionality with an actual subject, or by sending just <confirm> as the subject (just make sure that <confirm> is the first thing on the subject line). The really awesome part of this is that unless the recipient knows what the <confirm> tag in the subject line does, they have no idea that you now know that the email was delivered to their device. Take note smarmy sales weasels: I see what you did there.
I, SysAdmin
(Evil SysAdmin laugh) Silly Users! You cannot escape my domain! I have been getting a whole lot of questions regarding… “Can I do this at work” or “Will I get caught if I am downloading…” and my all time favorite “If I look at a little pr0n will I get caught?”
Here’s a clue: most of the time, if we have the capabilities of remote monitoring, we’re not using them. Unless you do something to draw the Evil Eye of a SysAdmin, we just don’t care; we’ve got other things to worry about.
Now that being said, if you DO happen to do something to draw our attention, you’re dead in the water if you’re doing something wrong.
Here is a list of things that most SysAdmins don’t really care about:
- Light Porn surfing (if it’s playboy type stuff) up to say 10-15 minutes a day, we just don’t care. We might be a bit entertained by your old woman or tranny fetish, but chances are, nothing to really worry about. Unless you owe us money. Just be aware, we know what you’re doing.
- Reading news sites, or shopping online. Again, we just don’t care. Most of our days are spent in one of two modes: putting out fires, or preventing fires.
- Circumventing the proxy to go watch that really funny YouTube video your brother sent you in your corporate email. If you’re smart enough to do it, more power to you. If you didn’t do it exactly right, the Evil Eye is turning your way right now. If it’s just a funny YouTube video, no big deal. If you’re logging into hardcore pr0n sites to download videos, and eating all the T1 bandwidth, your fapping is about to be seriously interrupted. It might even be something like total computer failure, which we will conveniently be able to pin to the pr0n you were downloading.
If you have thus far managed to evade the Evil Eye, good job! Here are some things that will draw down the Striking Hammer Of God:
- Illegal pr0n. If she could be your daughter, or our kid sister, you are toast. We don’t just get you fired, we call the FBI and let them arrest you. At work. If you (sick bastards) are unlucky enough to get a SysAdmin like me, you first get the living shit beat out of you, then you get to deal with the Feds.
- Illegal pr0n. If the “man” of the pr0n is named fido, we call the FBI and again, probably beat the crap out of you for good measure. We definitely make sure that EVERYONE in the company (and likely your spouse, and/or family) know what you were doing, and why the men in suits have come to take you away.
- Downloading illegal music. Not cool man. Not at work. Yeah we have a T1, but it’s not your personal playground. Expect to have the music mysteriously disappear from your machine overnight, and forget being able to do anything like that in the future, we just demoted you to the Guest account.
- Listening to streaming music. Ok, so yeah it’s not illegal. But you and your 10 brethren have just filled our T1, and effectively DoS’d the email server. If you want music, bring it from home on a portable hard drive, and don’t copy it to the machines. Just play it from the hard drive.
- Installing or running any port scanners, or downloading anything that might be considered a “hack” tool. Congratulations, you just pissed IT off, and will likely be locked out of the network shortly. I’ve got enough to do without wrangling your script kiddie ass too.
- Heavy pr0n surfing. Like 5-6 hours a day heavy. Dude, just stop. You are likely going to be visiting some websites that are, ummm, let’s just say less than legit, to get in that amount of pr0n every day. You are going to end up getting that machine infested with virii and spyware. You might even actually inadvertently compromise the corporate network. If that happens, do you really think that anyone is going to let that slide? Now I’ve actually had to explain to the boss why you need to be fired before your little problem destroys the network, and I don’t really care to discuss what you’ve been looking at (you mean there’s more than one person that looks at THAT?!?!?) with my boss.
Even if I’ve been cool enough not to filter out web content, the boss is going to want to know how you were able to view this stuff. Rather than blow it for everyone, I am going to do the right thing. I am going to lie my ass off. You must be a hacker, because you’ve been able to circumvent every filtering method I’ve set up, and I have logs to prove it (believe me, I have logs to prove ANYTHING).
The short answer is, if we’re watching you, there is no escape. Between hardware keyloggers, and specialty software that is designed to be undetectable (which is extremely hard to find even to buy), we will catch you.
If you are doing something that is in a grey area, take your SysAdmin out for lunch a couple times, or for a beer, and find out what the real policy is (the one that gets enforced, not the one in the manual). Hell if we like you, we’ll let you get away with a lot more than if you’re a dick to us in the hall.
Guerrilla Event Log archiving: why and how.
I am quite positive that there are as many solutions (both paid and unpaid) for handling Win32 Syslogs as there are SysAdmins out there. On my *NIX machines syslogs are a simple thing, configure Syslog-ng and move on. My Windows Syslogs are a whole different story.
First off, shame on you Microsoft for not providing built-in syslogd integration capabilities. With the volume of BSD code in Windows there is just no acceptable reason for this.
But that doesn’t help me. The long term goal is of course to get a central Syslog server set up that will handle and archive log entries from all of my machines (*NIX and Win32), but that is going to take two things:
- Time I don’t have.
- Money I don’t have.
I need a solution for archiving my Windows event logs right now, in a central location, until I can get the central Syslog server set up. As I mentioned, most of the solutions for doing this on Windows machines (the ones I feel comfortable entrusting my event logs to anyway) cost somewhere in the neighborhood of an arm, a leg, and most of an ear, so those are not viable options. Now what do you do?
Well, if you’re me, you roll your own solution. I’ve got several WS2003 servers that I need to log the event data from because, to be quite honest, this network was built by someone who is more of a *NIX SysAdmin and didn’t set up the Windows side correctly, so there are quite a few odd bugs in this network that will take quite a while to work out.
Now I could go through and manually export the event logs to a file once a month, but that is way too much work. I decided to script the solution to this problem using VBScript (as it is available on all of the Servers I need event log info from).
I give you logArchive.vbs:
'#==============================================================================
'#==============================================================================
'# SCRIPT.........: logArchive.vbs
'# AUTHOR.........: Joe Glessner
'# EMAIL..........: jglessner@gmail.com
'# VERSION........: 1.0
'# DATE...........: 30JUL07
'# COPYRIGHT......: 2008, Joe-IT.com
'# LICENSE........: Freeware
'# REQUIREMENTS...:
'#
'# DESCRIPTION....: This script backs up all of the event logs on the
'# designated computer, to the specified file server.
'# Optionally this script can also clear the event logs once
'# they are archived.
'#
'# NOTES..........:
'#
'# CUSTOMIZE......:
'#==============================================================================
'# REVISED BY.....:
'# EMAIL..........:
'# REVISION DATE..:
'# REVISION NOTES.:
'#
'#==============================================================================
'#==============================================================================
'**Start Encode**
'#==============================================================================
'# START OF SCRIPT
'#==============================================================================
'Option Explicit
'On Error Resume Next
'#--------------------------------------------------------------------------
'# SCRIPT CONFIGURATION SECTION
'#--------------------------------------------------------------------------
'# OPTIONS:
'# strComputer = The name of the computer that generated the
'# event logs (e.g. fs01 - use "." for the local
'# machine.
'# objDir2 = The destination directory on the file server.
'# clearEVTLogs "No" does not clear the event logs. "Yes"
'# will clear the event logs once the current
'# logs are archived.
'#--------------------------------------------------------------------------
Dim strComputer, objDir2, clearEVTLogs
strComputer = "dc1"
objDir2 = "\\SyslogServer\EventLogs$\" & strComputer
clearEVTLogs = "Yes"
'#--------------------------------------------------------------------------
'# Declare Remaining Variables
'#--------------------------------------------------------------------------
Dim current: current = Now
Dim strDateStamp: strDateStamp = dateStamp(current)
DIM objDir1: objDir1 = "\\" & strComputer & "\c$\EVT"
'#--------------------------------------------------------------------------
'# Ensure that the Scratch directory exists on the source computer.
'#--------------------------------------------------------------------------
Set filesys=CreateObject("Scripting.FileSystemObject")
If Not filesys.FolderExists(objDir1) Then
createDir(objDir1)
End If
'#--------------------------------------------------------------------------
'# Ensure that the destination directory exists on the file server.
'#--------------------------------------------------------------------------
If Not filesys.FolderExists(objDir2) Then
createDir(objDir2)
End If
'#--------------------------------------------------------------------------
'# Create backups of the event logs in the Scratch directory.
'#--------------------------------------------------------------------------
strPath = objDir2
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For Each objLogFile in colLogFiles
'# Archive file name; objDir1 is the same c:\EVT folder reached via the c$ share.
strCopyFile = strDateStamp & "_" & strComputer & "_" _
& objLogFile.LogFileName & ".evt"
strBackupFile = "c:\EVT\" & strCopyFile
'# BackupEventLog returns 0 on success. On any other value the .evt file was
'# not written, so the log is left alone rather than cleared and lost.
intBackupResult = objLogFile.BackupEventLog(strBackupFile)
If intBackupResult = 0 Then
'WScript.Echo objLogFile.LogFileName & " backed up to " _
' & strBackupFile
'#----------------------------------------------------------------------
'# Copy the event logs to the file server.
'#----------------------------------------------------------------------
Call copyAFile(objDir1, strPath, strCopyFile)
'#----------------------------------------------------------------------
'# Clear the event logs, or not.
'#----------------------------------------------------------------------
If clearEVTLogs = "Yes" Then
objLogFile.ClearEventLog()
End If
Else
WScript.Echo "Backup of " & objLogFile.LogFileName & " on " & strComputer _
& " failed with return code " & intBackupResult & "; log not cleared."
End If
Next
'#==============================================================================
'# SUBROUTINES/FUNCTIONS/CLASSES
'#==============================================================================
'#--------------------------------------------------------------------------
'# FUNCTION.........: dateStamp(ByVal dt)
'# PURPOSE..........: Generate an 8-character date stamp from the current
'# VBScript date.
'# ARGUMENTS........: dt = The date stamp to convert.
'# EXAMPLE..........: Dim current: current = Now
'# WScript.Echo dateStamp(current)
'# REQUIREMENTS.....:
'# NOTES............: The above example will produce output of 20080730 if
'# run on 07/30/08.
'#--------------------------------------------------------------------------
Function dateStamp(ByVal dt)
Dim y, m, d
y = Year(dt)
m = Month(dt)
If Len(m) = 1 Then m = "0" & m
d = Day(dt)
If Len(d) = 1 Then d = "0" & d
dateStamp = y & m & d
End Function
'#--------------------------------------------------------------------------
'# FUNCTION........: copyAFile()
'# ARGUMENTS.......: strSourceFolder = The folder containing the files to
'# be copied.
'# strTargetFolder = The Destination Folder
'# strFileName = The name and file extension of the file
'# to be copied.
'# PURPOSE.........: General purpose file copying function.
'# EXAMPLE.........: WScript.Echo copyAFile("C:\", "\\Server\Share", _
'# "fileName.txt")
'# NOTES...........: strSourceFolder folder must exist
'# strTargetFolder folder must exist
'# strFileName file must exist in strSourceFolder folder
'#--------------------------------------------------------------------------
Function copyAFile( Byval strSourceFolder, Byval strTargetFolder, _
Byval strFileName)
Dim objFSO, booOverWrite, strResult
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(strSourceFolder & "\" & strFileName) _
And UCase(strSourceFolder) <> UCase(strTargetFolder) Then
If Not objFSO.FolderExists(strTargetFolder) Then
strResult = "The destination folder does not exist!"
copyAFile = strResult
Exit Function
End If
If objFSO.FileExists(strTargetFolder & "\" & strFileName) Then
strResult = "The file exists, overwritten"
booOverWrite = vbTrue
Else
strResult = "The file does not exist, created"
booOverWrite = vbFalse
End If
objFSO.CopyFile strSourceFolder & "\" _
& strFileName, strTargetFolder & "\", booOverWrite
Else
strResult = "The source file does not exist, or " _
& "identical Source and Target folders!"
End If
'# Return the outcome so callers can check or echo it.
copyAFile = strResult
End Function
'#--------------------------------------------------------------------------
'# FUNCTION.......: createDir(strDir)
'# ARGUMENTS......: strDir = UNC path of the directory to create.
'# PURPOSE........: Creates directories.
'# EXAMPLE........: createDir("c:\WSH_TEST\")
'# createDir("c:\WSH_TEST\" & "Files\")
'# NOTES..........: If creating a subdirectory of a directory that does
'# not exist, the parent directory must be created
'# first, as shown in the example.
'#--------------------------------------------------------------------------
Function createDir(strDir)
Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strDir) Then
objFSO.CreateFolder strDir
End If
End Function
'#==============================================================================
'# END OF FILE
'#==============================================================================
So, what does it do? This script copies the event logs (well, technically it creates a backup of each log rather than copying the live log file) from the target system to a directory defined by the user, and optionally clears the logs.
You can then use the built in Windows Event Log viewer to open the resulting file and search the event logs for the time period in the file.
How I use this:
I have several copies of this script set up in Windows’ Task Scheduler to run on the first of every month at exactly midnight, with the option to clear the event logs turned on. This allows me to create a Monthly archive of event logs for each Server that it is run against, and when I get a cryptic event log message like “Windows has previously logged the source of this error”, I can go back and search for the referenced previous entry.
Like I said before, this is a temporary system designed to do one thing: archive all of the event logs from all of my Windows servers to a central location until I can get a proper central Syslog server in place. It works flawlessly for the task it was designed to do.
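Since the scheduled runs clear the logs after archiving them, a run that silently fails on one server leaves a hole in the monthly record. The following PowerShell check is an added example (not part of the original post) that walks the archive share using the naming convention logArchive.vbs writes (\\SyslogServer\EventLogs$\<server>\YYYYMMDD_<server>_<LogName>.evt) and reports any server or log with no archive, or an empty one, for this month's run; the server list and expected log names are assumed placeholders.

```powershell
# Added example, not code from the original post: audit the archive share that
# logArchive.vbs fills on the first of each month, so a server whose scheduled
# run failed is noticed before the gap matters.
# Assumptions: the share layout and file naming used by the script above; the
# server names and expected log names below are placeholders to adjust.
function Test-EventLogArchive {
    param(
        [string]   $ArchiveRoot  = '\\SyslogServer\EventLogs$',
        [string[]] $Servers      = @('dc1', 'fs01'),                 # assumed names
        [string[]] $ExpectedLogs = @('Application', 'Security', 'System'),
        [datetime] $RunDate      = (Get-Date -Day 1)                 # this month's run
    )
    # Same stamp format as dateStamp() in logArchive.vbs (YYYYMMDD)
    $stamp    = $RunDate.ToString('yyyyMMdd')
    $problems = @()

    foreach ($server in $Servers) {
        $dir = Join-Path -Path $ArchiveRoot -ChildPath $server
        if (-not (Test-Path -Path $dir)) {
            $problems += "$server : archive directory missing ($dir)"
            continue
        }
        foreach ($log in $ExpectedLogs) {
            $name = '{0}_{1}_{2}.evt' -f $stamp, $server, $log
            $file = Join-Path -Path $dir -ChildPath $name
            if (-not (Test-Path -Path $file)) {
                $problems += "$server : no $log archive for $stamp"
            }
            elseif ((Get-Item -Path $file).Length -eq 0) {
                $problems += "$server : $log archive for $stamp is empty"
            }
        }
    }
    return $problems
}

# Run the check for the current month; wrap in @() so an empty result still has .Count
$missing = @(Test-EventLogArchive)
if ($missing.Count -eq 0) {
    Write-Output 'All expected event log archives are present.'
}
else {
    $missing | ForEach-Object { Write-Warning $_ }
}
```

Scheduling this a few hours after the archive job gives you a warning while the cleared logs' backups can still be regenerated from the servers' Scratch directories.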
Scripting IT, one step at a time.
Learning to script as a SysAdmin is like learning to breathe properly for an athlete: Sure you can get along without it, but you’ll never be as good as someone that knows it (in case you were wondering, proper breathing is done in through the nose, out through the mouth, and from the diaphragm not the chest).
Learning to script will save you time and make your network run much smoother. You’ll wonder how you ever got along without it once you’ve experienced the benefits of being able to do 10 hours worth of work in 10 seconds through the power of a script.
The biggest hurdle that I encountered when learning to script was deciding which language to learn (I foolishly thought that I only needed to learn one, and then I’d be good). On the Windows side of the house, the progression of scripting languages usually goes something like this:
First you learn batch scripting (called shell scripting in the *NIX world, and by some in the Windows world). Then when you start running into things you can’t do with shell scripting, you learn VBScript. With the recent introduction of PowerShell from Microsoft you can now progress to that as well when you find the things you can’t do with VBScript (which will likely take a while, as VBScript is pretty robust).
If I could give a SysAdmin just starting out in scripting only one piece of advice, it would be to forget that progression. It takes too long (took me about 4 years to go from Shell Scripting to PowerShell). Start with PowerShell.
You are going to find that there is a bit of a steep learning curve for PowerShell if you have never done any scripting but the payoff, I promise you, is well worth the headache. Don’t get me wrong, VBScript has been the scripting language of choice for the Windows SysAdmin since the introduction of WSH (Windows Script Host) with Windows 2000, and there are several distinct benefits of learning VBScript:
- There are thousands of VBScripts readily available on the internet.
- Learning to work with WMI and ADSI in VBScript will teach you a lot about both.
- Pretty much anything you will want to do, someone has already done, and you can find their work via google (LAOAE applies here).
The reason I suggest that you go straight for PowerShell is the sheer power and flexibility that it offers. Unlike VBScript or shell scripting, PowerShell sees everything as an object, and as such gives you access to all of the DotNET Classes, Methods, and Properties for that object. This is very powerful when it comes to manipulating things with a script.
Another great reason to start off with PowerShell is that it was designed from the start to have built-in security. By default PowerShell will not run scripts at all, whereas the WSH (which runs VBScript) has no such compunctions, and will run ANY script right out of the gate (anybody remember the “I love you” virus?). In the past this has been an issue for SysAdmins, many going so far as to delete the WSH interpreter from their machines, so that NO scripts could be run.
On the Linux side the progression is from Shell Scripting, to Perl or Python. I would advise you to learn Shell Scripting first, as the BASH shell (the default on most Linux distros) is quite robust. Perl or Python (one is just as good as the other, though I prefer Python) will allow you to greatly expand what can be done with Shell Scripting. In addition, both Perl and Python can be run on Windows through the WSH interpreter.
At the end of the day making the commitment, and taking the time to learn a scripting language is more important than which language you choose. It will make your job easier, and make you feel like a Rock Star when you can use scripting to provide solutions to many of the difficulties you will face as a SysAdmin.
Graffiti: a societal blight, and how it can be dangerous to IT.
Graffiti is one of those things that I see so often I am pretty much inured to it. It disgusts me that our society has let it become such a pervasive blight in most cities that no one really cares about it anymore.
Personally I think the punishment for graffiti should be to have whatever garbage you were painting or writing branded on your face (if they only hold the brand for 2 seconds the resulting mark will only last for about 10 years, five seconds is good for a lifetime). But that’s just me.
The area of town where my office is located is rife with graffiti (yeah I work in the “hood”), and on most days there is a police department graffiti unit somewhere in the neighborhood (got a bit of a gang problem in that area as well). I see so much of the crap that I tend not to really notice it much.
Until this morning as I was kind of wandering aimlessly around our parking lot on my cell phone. Among the other random (I can’t read that crap) squiggles interspersed around the lot I found something different.
Here is a drawing of what I found (it was silver marker on gray concrete so I couldn’t get it to show up right on the camera I keep at the office):
At first I thought it was just kind of interesting, and then the realization of what I was looking at hit me: it’s not graffiti, it’s modified warchalking.
Warchalking has pretty much died out, so I’m not too sure about how many people even know what it is, but if you don’t, you need to read up on it. Let’s examine this image:
1. This is the warchalking symbol for a closed node. I know this because…
2. This is (or rather was) the SSID for the wireless access setup in the building that the symbol was in front of.
3. This is an interesting modification. I believe that the symbol in the small circle is noting that the signal is 802.11g, and the key shape is denoting that the node is password protected.
4. Traditionally the warchalking symbol will have a “W” in it if the node is WEP protected, I can only assume that this is a modification of that to show that the network is WPA2 encrypted.
After realizing this I was both furious and amused, as we apparently have a hood denizen that is both a petty criminal (hence the vandalism), and also believes he is some sort of computer criminal. I know that nothing was compromised, but I changed all of my wireless settings just in case.
I also contacted the graffiti abatement unit at the police station and explained what I had in the parking lot. They sent an investigator out to photograph the graffiti, and I explained to him what it meant, and he took notes. Hopefully when they catch the little punk they’ll confiscate his laptop and charge him with some cyber terrorism related crime.
The lesson I’ve learned is this – keeping an eye on the external environment can be an important bit of security.
The LAOAE Principle
Least Amount Of Administrative Effort. From the moment that I first heard that term, I knew it was important. The first time they hear it, most people will think “man that guy is lazy”, and dismiss it.
Then when you are in the 35th hour of a 100 machine deployment with no help, scurrying to and fro like a hummingbird on meth trying to get installs going, you’ll pause to breathe and think to yourself; there must be an easier way to do this.
That is the point at which most people get their first peek at understanding The LAOAE (pronounced “layaway”) Principle.
The point of LAOAE is not to do less. That is just not an option for most SysAdmins. They’re too busy learning the latest Linux distro, the latest version of Windows, and how to make them play nice, web design, eMail administration, reading about the latest security solutions, learning about how to bypass the latest security solutions, keeping SPAM at bay, getting the phone system to work correctly, learning a new scripting or programming language, checking system logs to make sure everything is working, trying to consolidate servers with virtualization, replacing failed hardware, ordering new hardware, tracking orders, tracking licenses, inventorying hardware and software, checking backups, restoring the computer you accidentally DoD secure wiped, reporting stolen hardware, dealing with vendor calls, calling vendors, researching ways to ease the migration to the next version of (insert insanely complex software package here), and trying to get coffee so they can stay awake after having been at the office all night trying to restore the server that crashed at 1am, and they need to find a way to get it all done.
In short the point of LAOAE is to be able to do the job of 2 or 3 people, because no one outside of IT understands what it takes to get it all done, and they are not going to take your word that you need help. They are going to ask you to quantify the need, which will take more time that you don’t have enough of in the first place.
When following The LAOAE Principle there are some general rules of thumb that will help you in using LAOAE appropriately:
- If you will do a task the same way more than once, find a way to automate it.
- Don’t reinvent the wheel.
- Work smarter.
- Document your network.
Automation is mostly about scripting. On Windows machines Batch files are good, VBScript is better, PowerShell is best (if appropriate). On Linux machines Shell scripting is good, Perl and Python are best. If you choose Perl or Python you get the added benefits of being able to use the same language on both Windows (through the WSH interpreter) and Linux. Personally I like Python better than Perl, and PowerShell better than either (but that’s just my preference).
Google is your friend. If you want to do something, chances are good that someone has already done it. If you can use someone else’s hard work in getting (whatever it is) done, all the better. Fits The LAOAE Principle nicely.
It’s amazing how many people do tasks the hard way. Mostly it’s because the vast majority of people never really stop to think about the task that they are doing, they just focus on getting it done. Here’s an example of what I’m talking about on a Windows computer:
Open the C: drive on your computer. Go on, I’ll wait….
…Ok, if you’re like the vast majority of people you just did the following:
- Click the Start Menu
- Click the ‘My Computer’ icon
- Double click the ‘C:’ icon
A more efficient way to do that is this:
- Press: “Win + R” (that’s the Windows key and the “r” key at the same time)
- Type: “c:” (without the quotes) {ENTER}
It’s not much of a difference (maybe a couple of seconds), but I can do it the second way faster than anyone I’ve ever seen using the first way (and I can’t touch type).
Finally we come to Network Documentation. This is probably the one thing that most SysAdmins consistently don’t do. It’s a tedious task, and boring to boot. So what? You’ll be glad you have it when you need it. Good network documentation is absolutely priceless when it’s needed (like when all the servers are stolen, and you have to rebuild your network as fast as possible to get the business running).
LAOAE is not about cutting corners. It is all about efficiency. There are several benefits to following this principle beyond saving time. One of the biggest benefits is consistency.
Consider this:
One of the most common tasks that an administrator will do is creating new user accounts. If you create a script to do this for you, you will never forget to add a user to a group, or forget to assign a logon script to that user. Every account created using that script will be created exactly the same way. A side benefit to this is that any permissions that the user has will always be consistent, leading to tighter security.
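As an added example (not code from the original post), here is what such a script could look like for a Windows Server 2003 domain, driven through ADSI from PowerShell so it works without later Active Directory cmdlets; the domain name, OU, group names and logon script name are assumptions, and every account goes through the same path so nothing is forgotten.

```powershell
# Added example, not from the original post. Creates a user the same way every time:
# same OU, same logon script, same group memberships, password change forced at first logon.
# Hypothetical values: domain corp.local, OU "Staff", groups "Staff" and "VPN Users", logon.bat.
function New-StandardUser {
    param(
        [string]$SamAccountName,
        [string]$GivenName,
        [string]$Surname,
        [string]$InitialPassword
    )
    $domainDn    = "DC=corp,DC=local"                       # hypothetical domain
    $userOu      = [ADSI]"LDAP://OU=Staff,$domainDn"        # every new account lands here
    $groupDns    = @("CN=Staff,OU=Groups,$domainDn",        # the fixed set of groups
                     "CN=VPN Users,OU=Groups,$domainDn")
    $logonScript = "logon.bat"                               # relative to the NETLOGON share

    $display = "$GivenName $Surname"
    $user = $userOu.Create("user", "CN=$display")
    $user.Put("sAMAccountName",    $SamAccountName)
    $user.Put("userPrincipalName", "$SamAccountName@corp.local")
    $user.Put("givenName",         $GivenName)
    $user.Put("sn",                $Surname)
    $user.Put("displayName",       $display)
    $user.Put("scriptPath",        $logonScript)             # the step people forget by hand
    $user.SetInfo()                                          # object must exist before SetPassword

    $user.SetPassword($InitialPassword)
    $user.Put("pwdLastSet", 0)                               # must change password at next logon
    $user.psbase.InvokeSet("AccountDisabled", $false)        # enable only after the password is set
    $user.SetInfo()

    # Group membership is part of the script, so permissions are identical for every account.
    foreach ($dn in $groupDns) {
        $group = [ADSI]"LDAP://$dn"
        $group.Add($user.psbase.Path)
    }
    return $user.psbase.Path
}

# Usage (constructed values): New-StandardUser "jdoe" "Jane" "Doe" "Temp-P@ss-2008"
```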
Mysterious Server 2003 disk space consumption
So the System drive of my (primary) domain controller has been running low on disk space (it’s a 20GB partition running with about 4GB or so free). This has been a nagging issue that I’ve had off and on for a while now, and I haven’t really had the time to delve into it.
I decided to start my investigation by running WinDirStat and looking for any oddly large files. The largest portion of the System disk is consumed by the Program Files directory (no big surprise there), and aside from a couple slightly disturbing large files from my backup software there is only one group of large files on the drive – hovering in at about 12GB for the 8 or so files. And they all have the same path and are similarly named: C:\System Volume Information\{914b4760-84b2-11dd-bca9-000e0cb2b564}{3808876b-c176-4e28-b7ae-04046e6cc752}
Hmmm, interesting. A quick Google search turns up some results linking this directory (more specifically files with CLSID-style names in this directory) to two things: System Restore points, and virus files.
Well I’m pretty sure it’s not virus files (no other odd behavior or weird network activity), and if I’m not mistaken to enable System Restore on WS2003 you have to manually copy over some files from an XP CD (which is a pretty cool hack, but not something I’ve done on any corporate network I’ve ever worked on).
At this point I start hearing dramatic music in the back of my mind, I’ve got a bona fide mystery! Or at least initial facts would indicate so.
Well a bit more in depth investigation turns up what some of you already knew at this point, the culprit is VSS. But I never configured VSS! (cue swelling of dramatic music in the background)
Ok so this is something of a mystery after all. So I go digging around in the event logs for the last 3 years looking for the initial VSS snapshot message. It sounds like a lot of work, but Microsoft Log Parser actually makes things like this pretty trivial.
Turns out that the VSS snapshots started on the same day that I installed our current Backup software (Yosemite Backup 8.5 sp2) which coincidentally has the ability to make use of VSS snapshots!
Now this is not a huge issue, as VSS will delete old snapshots when space is needed, however I tend to take exception to software doing things like this without my permission.
Well luckily for me, I used to be a manager at the company that makes our backup software, so I fire up my trusty IM client, and start poking at the engineering department.
Twenty minutes later I have my trusty pipe and smoking jacket firmly in place, as I am feeling quite like Sherlock Holmes. It seems that in fact it was the backup software which enabled VSS for all volumes on my server, and (because it uses the defaults when enabling VSS) had set VSS to not limit the space consumed by snapshots!
A simple trip into Disk Management, and a quick change to the drive’s Property page, and VSS is now limited to 4GB for the system partition (which is far more than I’ll ever need). Interestingly enough, had I disabled the VSS service on this machine before installing the backup software, it would not have enabled VSS. I’ve asked that they include a note about VSS being automatically configured in the Yosemite Backup installer (it may exist now, I’m not sure as I haven’t actually read any of the installer screens in years), but who knows when that will make it into the software.
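The two steps of this investigation (finding the first VSS-related event with Log Parser, then capping shadow storage for the system partition, which I did through Disk Management) as an added PowerShell example that is not from the original post; it assumes Microsoft Log Parser 2.2 is installed with LogParser.exe on the PATH, that the shell is elevated on the domain controller, and that the event sources of interest are 'VSS' and 'volsnap'.

```powershell
# Added example, not from the original post.
# Step 1: the earliest shadow-copy event in the System and Application logs tells you
# when snapshots started (here it lined up with the backup software install date).
function Get-FirstVssEvent {
    # Log Parser's SQL dialect: several logs in FROM, IN lists separated by semicolons.
    $query = "SELECT TOP 1 TimeGenerated, SourceName, EventID, Message " +
             "FROM System, Application " +
             "WHERE SourceName IN ('VSS'; 'volsnap') " +
             "ORDER BY TimeGenerated ASC"
    & LogParser.exe -i:EVT -o:CSV -q:ON $query
}

# Step 2: show what VSS is currently allowed to use on the volume, then cap it.
# 4GB matches the limit chosen above for the system partition; "UNBOUNDED" is the
# default the backup software left in place.
function Set-VssStorageLimit {
    param(
        [string]$Volume  = "C:",
        [string]$MaxSize = "4GB"
    )
    & vssadmin.exe List ShadowStorage /For=$Volume
    & vssadmin.exe Resize ShadowStorage /For=$Volume /On=$Volume /MaxSize=$MaxSize
    & vssadmin.exe List ShadowStorage /For=$Volume    # confirm the new maximum took effect
}

Get-FirstVssEvent
Set-VssStorageLimit -Volume "C:" -MaxSize "4GB"
```

Shrinking the limit below what existing snapshots occupy causes the oldest snapshots to be discarded, so check the List output before resizing a volume whose snapshots you still need.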
As a side note, I’ve spoken to the Tech Support Manager at Yosemite Technologies (they make Yosemite Backup), and they are currently writing a knowledge base article about this, and how to change the VSS settings from the defaults that Yosemite Backup enables.
Voiding the warranty on your Verizon BlackBerry 8830 for fun and profit
It’s no secret that I’ve never been a big fan of Verizon, but it’s the cell provider that my employer uses, and since they pay for my cell phone, I don’t really have much choice.
It’s also no big secret that I am a die hard BlackBerry fan (until there is something that has equivalent functionality, including a user changeable battery – I’m looking directly at you iPhone).
So naturally when I started working for this employer I got a Motorola Q from Verizon as my work phone (Verizon didn’t have much in the way of modern BlackBerries at that point in time). Ugh, huge mistake, I’ve learned my lesson there, and will never stray from the BlackBerry goodness again. At least until next time something equally attractive comes along.
Well thankfully by the time I became fed up with my Motorola Q’s inability to open an email without choking like the star of the latest Max Hardcore movie, they had just introduced the BlackBerry 8830.
So I sucked it up and after several replacement Q’s had the same issues, I told my boss that the Q just wasn’t cutting it, and I needed to upgrade to a BlackBerry. The first few days with the new BlackBerry were pure bliss after enduring six months of pure torture at the hands of the previously mentioned under performing Motorola Q.
Then I had lunch with a friend that had just bought a BlackBerry 8820 from AT&T (basically the same phone with a slightly different feature set). During lunch his phone rang, and I was absolutely floored by the volume of his ringer! It was so loud! I suddenly realized that my BlackBerry 8830’s ringer sounded positively weak in comparison. As it turns out, this is a common problem with the Verizon 8830 (note to Verizon: learn from Dell’s mistakes, and quit screwing with the firmware of the phones you sell).
Also turns out the Motorola Q that was having issues was not the phone’s fault, I ran into someone with one from Sprint, and it worked just fine.
Well, it’s been my experience in the past with malfunctioning Dell hardware that about 90% of the time flashing the problem device with the actual manufacturer’s firmware resolves the issue. Ok, mission defined, let’s flash the firmware on the BlackBerry 8830 with some standard RIM firmware and see what happens.
It turns out that RIM does not have “standard” firmware for their devices. They instead redirect you to download the latest BlackBerry OS from your device manufacturer! Bummer.
Flash forward 6 months to last week (yeah I just pulled off a flash forward and a flashback at the same time, I RULE!). I am once again having lunch with the previously mentioned 8820 owning friend, when he shows me the latest BlackBerry 4.5 OS on his 8820. Then he proceeds to tell me that AT&T wasn’t quick enough with the BlackBerry OS upgrades, so he’s figured out how to find generic OS updates and apply them. SCORE!!!
Well not so much, as it turns out. Apparently the 8830 is only carried by Verizon and Sprint, and there is not an updated OS for it available yet. However some quick Google searching turns up beta OS forums.
Now, normally I would never, but since there is a release for the 8820, and the 8830 is not THAT different, the beta is probably extremely close to the RTM version. Just one catch, it will void my warranty with Verizon.
But, seeing as there are compelling reasons to update (louder ringer reported on Verizon phones, html email, and the ability to open Office documents attached to email without a BlackBerry Enterprise Server), I took the plunge.
A couple hours and some torrent downloading later, I have the 4.5 OS running on my Blackberry, and guess what? The ringer is LOUD!!! Finally I can hear my phone ringing without it being right next to me.
And I must say, while slightly slower than the previous 4.2 OS (which I am going to chalk up to it being a beta OS), the improvements are really nice.
For me, losing the Verizon warranty is totally worth it. And I guess technically if I ever have an issue with the phone, I can always revert back to the original 4.2 OS before calling Verizon support.
##############################
# WARNING!
##############################
Backup your 8830 first!
NOTE:
I did not include instructions before for a reason, this is NOT a safe procedure! If you are not 100% comfortable with possibly bricking your phone, DO NOT DO THIS!!!
I am not responsible if you brick your phone! (and neither is anyone connected with this site, so don’t get any ideas)
Before you go any further, make a note of these two links (you are going to want to read the second one in its entirety before you start this!):
http://www.blackberryforums.com/beta-you-than-me/
http://www.blackberryforums.com/beta-you-than-me/146196-4-5-0-77-8830-a.html
First, update the BlackBerry Desktop Software to the latest version (I think it’s v4.6) from this site: https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22
After that is done, you are going to want to download two versions of the 4.5 OS. The names of the torrents you are looking for are:
BlackBerry.8830.World.Edition.OS.4.5.0.51.beta.zip.torrent
8830_4[1].5r74.exe.torrent
Once Google has given you links to the torrent files, and you’ve downloaded them, here are the basic steps:
1. Disconnect your BlackBerry from your computer.
2. Install OS Beta v4.5.0.51 (be careful here, the file names can be confusing) on your computer (you are going to use the Desktop Software to load this to the BlackBerry).
3. Navigate to C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\8830-v4.5.0.51_P3.2.0.41\Java, and locate the file “net_rim_bb_medialoader_qualcomm.cod”
4. Copy this file to a safe location (these are your volume-corrected ringers, which RIM left out of the final beta for whatever reason).
Now at this point I loaded the v4.5.0.51 OS Beta to my phone, but you should not have to do this (though it certainly won’t hurt).
To load an updated OS to your phone, connect your phone to the computer, and select AppLoader from the BlackBerry Desktop Software. The OS update detection should be automatic. If not, you might want to try deleting the vendor.xml file located in c:\program files\common files\research in motion\apploader.
Now, once you have decided how you are going to handle the first beta, you can proceed to the final beta (v4.5.0.77 currently).
If you installed v4.5.0.51 make sure you disconnect your BlackBerry from the computer before proceeding.
Following the same procedure as before, install the v4.5.0.77 beta OS to your computer, but do not connect the BlackBerry just yet.
First, rename the “net_rim_bb_medialoader_qualcomm.cod” file you copied earlier to “net_rim_bb_medialoader_8830.cod” and drop it into the C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\8830-v4.5.0.77_P3.2.0.51\Java\ folder on your computer.
Once this is done, you may want to delete the vendor.xml file located in c:\program files\common files\research in motion\apploader.
Once that is done, connect the BlackBerry, and select AppLoader from the BlackBerry Desktop Software. The installation of the 4.5.0.77 beta OS should now begin.
Again, if you brick your phone you have no one to blame but yourself.