DPM across Domains

I've been using the Microsoft System Center Data Protection Manager product for just under 4 years; and I really like the product. As far as I am concerned, it ticks a load of the relevant boxes; easy to install, easy to use and manage, and most importantly, it works really well. It backs up to disk, then from disk to tape. It uses a relatively small amount of bandwidth and data recovery is quick and easy. It is simply one of the best backup products that I have come across, far easier to use than many of the more well known software packages.

A while ago, the company bought out a partner organisation. This left us a sales office based in Paris; they are a separate entity, but as they are quite small, they don't have their own IT staff. They have been using the services of another business, but it was decided a while ago that we would take on that responsibility. We needed to provide a backup function to preserve their data, and set about putting this into place.

One of the key issues was that they did not have an Active Directory domain on site. Everything was set-up as a workgroup only, and this causes a lot of issues. So one of the first things to do was set-up a suitable domain structure. Hopefully, this will reduce the amount of admin work that is required; previously, it was necessary to create a local user account on every single piece of kit, which required a lot of work. The new domain was created a couple of weeks ago, and we've now also created a two trust between the two AD domains.

The next step was to set-up the remote site to be backed up by our DPM server, but this was where we hit a snag. Each time we tried to install the agent, it responded with messages that the remote site was not available. I could prove that this was false; I could ping the remote server and even RDP to it from the DPM server. I checked all sorts of things, and each showed that the remote site was fully operational and accesible.

So I decided to do a manual install of the agent on the remote site. The first step was to RDP to the remote server, then create a mapped drive back to the DPM server. Having done that, I then opened the folder where the DPMAgentInstaller.exe file was found - that's at \Program Files\Microsoft DPM\DPM\Agents\RA\\i386 and there are also options for AMD & 64 bit installs.

This actually went through OK, and having installed the agent, it's necessary to define which is the correct DPM server. This is done using \Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe – dpmServerName . Again this went through OK, but it still produced an error message that there were insufficient permissions to complete the process.

After having checked the event log, I was able to see a number of LsaSrv Event ID: 6033 errors. This showed that I should modify the registry key \Program Files\Microsoft Data Protection Manager\DPM\bin\SetDpmServer.exe – dpmServerName to disable the anonymous logon block. Having done this, it then showed another set of errors taht indicated that there was still a problem with permissions.

Having checked these yet again, I could see that the DPM server was in the correct groups etc. but I also thought to put the DPM administrator account into the administrators group account. Having done this, the error went away, but the agent still wouldn't connect to the DPM server. However, I ran the SetDPMServer.exe utiltiy again, and this time, it completed correctly. When I went back to the DPM console, it showed the agent as installed and connecting to the remote server.

So now we are in the position where we can actually backup that remote site. It will be a bit of an issue to begin with as there is a lot of data on site. I'll probably go over again, to do a manual copy of the data to a portable hard drive. This can then be manually copied to the DPM server to get the initial data load, and then the synchronisation process will only work on the data that has changed from that copy; a great deal less than the full synch process.

This is going to make a huge difference to the people on the remote site; they won't have to worry about tapes etc. or what to do if someone goes on holiday. The data is being backed up off site, so is more secure. The recovery process is really simple and we can give them the confidence that we can deal with it really quickly if needed.

Transformational Security

A couple of weeks ago, I attended an event hosted by Computer Weekly, SC Magazine and a couple of others. “Information Security Leaders 2011: Transformational Security” - as you might gather form the title it was a look at how and why things are changing and how to provide security in the newer IT landscapes.

Although a lot of people think that these are just junkets, with a chance to pick up some SWAG and eat and drink at someone elses' expense, I actually find these events very useful. Working within IT can have its problems; all too often, we work in small groups, and it's very easy to become isolated. This means that we develop set habits, and forget that there may be other ways of doing things.

Getting out to events like this can be really useful in many ways. It's interesting to talk to others in the industry and see just what kinds of problems they are facing. All too often, we might think that we are the only ones with a particular issue, only to find many other people with exactly the same problem. I really like to share advice and information on how we approach some of these and how and why we go down the route that we do.

This particular event was very useful. There were some keynote speakers that offered a real insight into just how things are changing and why; and they offered some considered advice on how to look at this as an opportunity. In particular, the concept of "consumerisation" was raised - people wanting to use their own equipment that they use for home based email, social networks etc, then wanting to use the same items for work use. (That's not just the same make or model, but the actual device).

At first, I thought that this was not an issue that we would face; but then I realised that it has already happened. We have a number of staff that have their own mobile phone (smartphone device) that are then trying to connect up so that they can get their email on the device. It's not been a major issue so far; but what would we do if one of those people then left the company? (OK, cancel their email account is a start, but what if they had access to someone else's account as well?)

Or how would you react if they lost their mobile device and someone else found it and then could use this to get access to company systems. The answers may seem simple, but as the speakers pointed out, this is the thin end of the wedge, and it's going to start happening a lot more often and involve a lot more devices and people.

All in all, the event was a good day (and yes the food was good!); it was also very useful from the point of view of getting people to think slightly outside of their comfort zone. If there are any more events of this type, either this year or in the future, I would strongly recommend thaking the opportunity to get along. You won't regret it!

Email signatures

Some time ago, it was suggested that we should have an agreed format for Email signatures across the company. Unfortunately, it took some time to get agreement on what format we should use. I could go into the details of this, but it's pretty boring; for example, the discussions on the font to be used seemed to take forever. Suffice to say that there were numerous discussions and it has taken quite a while for the final decision.

There are numerous sample VB scripts out on the Internet for producing an email signature, but none seemed to achieve what we wanted. I did think about trying PowerShell, but I don't yet know enough to be able to do the work using that. As I've used VB script on and off for a few years, it made sense to try and use that, at least for the time being.

The script has taken a little while to put together to make sure that it meets the needs of the business. It takes data from the Active Directory, formats it and places it in the required location. It also inserts a company logo, and there is a bit of conditional text to insert other logos; this is because we attend a number of trade shows, and like to promote these on our emails.

There is one slight issue; the email has to go out in Rich Text Format. If it goes as .HTML, the lines get double spaced. This is just because of the way that it gets rendered and I haven't found a way around this. Also if it goes out as plain text, the logo doesn't get inserted. It works by using Word - it extracts the AD data and sets the sig in Word before saving it in Outlook.

I'm putting the script below as I am quite pleased with it and the results; if it would be of any help, please feel free to make use of it. Just copy the text, place in a text file, save it and then change the extension to .vbs - I haven't tested it with all versions of software, but I have tried with Outlook 2003 / 2007 / 2010 on Exchange 2003 (on Server 2003), on PCs running Windows XP and Windows 7 and it worked in each case.

(Note that I have removed the specific details of our company so that it is a generic script; you would then have to modify it to show your own details.)

Enjoy!

====================

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")

strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)

strName = objUser.FullName
strTitle = objUser.Title
strDepartment = objUser.Department
strCompany = objUser.Company
strOffice = objUser.physicalDeliveryOfficeName
strPhone = objUser.telephoneNumber
strFax = objUser.faxNumber
strMob = objUser.Mobile
strAddrs1 = "Site 1 Address"
strAddrs2 = "Site 2 Address"
strAddrs3 = "Site 3 Address"
strWeb = "www.domain.net"
Logo = "\\server\share\logo.jpg"
ShowLogo = "\\server\share\show1.jpg"

Set objWord = CreateObject("Word.Application")

Set objDoc = objWord.Documents.Add()
Set objSelection = objWord.Selection

Set objEmailOptions = objWord.EmailOptions
Set objSignatureObject = objEmailOptions.EmailSignature

Set objSignatureEntries = objSignatureObject.EmailSignatureEntries

objSelection.Font.Name = "Arial"
objSelection.Font.Size = "10"

objSelection.InlineShapes.AddPicture(Logo)
objSelection.TypeParagraph()
objSelection.TypeParagraph()

objSelection.TypeText strName & ", " & strTitle & Chr(10)
objSelection.TypeText strDepartment & ", " & strCompany & ", " & strOffice & Chr(10)
if strOffice = "Site1" then
objSelection.TypeText strAddrs1
end if
if strOffice = "Site2" then
objSelection.TypeText strAddrs2
end if
if strOffice = "Site3" then
objSelection.TypeText strAddrs3
end if
objSelection.TypeText strOffAddrs & Chr(10)
objSelection.TypeText "Tel:" & " " & strPhone & Chr(10)
objSelection.TypeText "Fax:" & " " & strFax & Chr(10)

if strMob <> "" then
objSelection.TypeText "Mob:" & " " & strMob
end if

objSelection.TypeParagraph()
objSelection.TypeText strWeb & Chr(13)
objSelection.TypeParagraph()
objSelection.TypeParagraph()

if strOffice = "Site1" then

end if
if strOffice = "Site2" then
objSelection.InlineShapes.AddPicture(ShowLogo)
end if
if strOffice = "Site3" then

end if


Set objSelection = objDoc.Range()

objSignatureEntries.Add "AD Signature", objSelection
objSignatureObject.NewMessageSignature = "AD Signature"

objDoc.Saved = True
objWord.Quit

A third slice of V

Happy new year to one and all!

This post follows on from a previous item on virtualisation. We had installed the hardware, then the ESXi software - now to start getting serious.

ESXi does have a console to set-up certain key items, but these are very limited. Essentially, it allows you to change hostname, set IP addressing and some security, not much else. To manage the host machines, you have to use another piece of software; the VSphere Client which runs from a PC. I already had a copy of this installed on my laptop, from the tests that I had run earlier in the year. However, I decided to get the latest version so that we could start as we mean to continue.

The update went through quite quickly and after about 15 minutes, I had the logon dialog box. Put in the correct IP address and logon to the host; except that it came up with an "invalid user name or password" message. I checked the details and they were correct. I double checked the details; domain, username, password. They were definitely all correct. After having stared at this for a few minutes, I then realised that the host installation had used a US keyboard layout and I was inputting the details using a UK layout keyboard. When I re-entered the same details using the US layout, it let me access the host. And it appears that there is no UK layout option available on the host installation routine.

Looking at the details of the host, I could creat VMs and allocate resources; but this wouldn't allow me to manage the other hosts. To do this, I had to install the VCenter Server product and use to do all the management. The idea was that this would be installed on the first VM, but when I tried to install the software, it produced an error stating that it was not possible to install the server software on a VM. This made no sense; the material that I had received all indicated that the best practice would be to install the VCenter Server on a VM.

After some analysis, the solution became obvious; I had the wrong version of VCenter Server. I had downloaded it from the VMWare web site; once you get used to the site, it is quite sensibly laid out, but to start with, it can be a bit overwhelming. When I checked, there is a particular set of downloads to match the version of VMWare that we had purchased, and this was where I should have got the software from. So I downloaded that version; and yes, it installed straightaway.

So far, so good; I had the hosts running, the SAN was available and with the VCenter Server software installed, I could see all of the hosts and start to do some more detailed work. Unfortunately, we have a number of projects on the go at the moment, so I was involved in another one for a few days before I could get back to playing with the VMs.

When I did get back to the virtual platform, I wanted to make the storage on the SAN unit available. I was able to initiate the iSCSI connectors and these showed the disk allocation on the SAN unit. However, these were not available to the VMs; it needs a check box to be ticked for this to happen.

Later on, I realised that we still had an issue; although the storage area was available to VMs on the one host, it wasn't available to the others. Further checking revealed yet another setting (this time on the SAN itself) that needed to be checked, and as soon as this was done, each of the hosts could see all of the storage areas.

Unfortunately, I got this resolved after I had created the first VM and installed the VCenter Server. This means that the image and the virtual disk are actually stored in a local drive on the host server, which is not quite what was planned. It appears that this can't be moved using the VMotion process; but I may be able to get around this by using the P2V function at a later stage. If this works I'll write another piece about that later.

So at this point we had all of the hardware installed, all of the software licensed and running, our first VM created and some templates ready for future use. We can now manage the systems and have experiemented with copying, snapshotting, moving using the VMotion process, modifying resource allocation on VMs and deleting the various unwanted bits. It has taken a bit of time, but now there is a good level of confidence in the product and we are comfortable that we can move to the next level. And there will be more on that next time.

BCS - Retro computing

Most IT staff work in fairly small groups; even in the larger companies, teams break down into groups of just a few people. As a result, it's easy for people to develop a "silo" mentality, and forget that there is a larger world out there.

For that reason, I like to try to get to various events where there is an opportunity to speak to others within the profession. It's really useful to be able to share ideas, talk about common problems, to know that there are other people that have exactly the same pressures on them and all too often, the same feeling that their work is not appreciated.

The BCS in the South West organise a number of events throughout the year, although there tend to be more during the Winter and Spring terms. During the Summer months, most of the organisers are busy with educational exam systems as they tend to be in academia.

The latest event at the University of Plymouth was a talk on "Retro computing"; a look back at some of the hardware and software systems of the last half century. It was quite amazing to recall the changes that have occurred over that time, to see once again the boxes that seemed so modern and powerful at the time.

They had an amount of older equipment on display, items that have been picked up over the years and kept to be part of a "museum of computing". People had the opportunity to use a few of these old devices; it was quite interesting to be able to once again play a game of Lemmings on the old Amiga.

However, it wasn't just about games; they had some emulation software there that showed how some of the older systems used to run and what kind of business systems were running on them. As someone who had once had the opportunity to create a program from scratch, by designing the flow chart then creating the commands on a series of large punch cards to be processed on the main frame at County Hall, I had a strange sense of nostalgia.

For some of those there, most of the hardware was beyond their recall; several students were actually younger than some of the exhibits, which is quite a scary thought! It just makes me wonder if my nice new shiny HP laptop will seem as ancient and irrelevant in another 20 years.

The BCS South West are also starting a new web site to act as a repository for some information on older computing. The site is there but nothing is available just yet (http://retrocomputing.org). I'm told that they intend to slowly build this up with the help of a few volunteers in the months to come.

In all, it was a really interesting evening, with a lot to see and do. It was also amusing to see who were the highest scorers in "Crazy Taxi"! Clearly there were a lot of the people with grey in their hair that had spent just as much time playing games as some of the younger generation.

Sec-1 Penetration Workshop

On Friday 10th I went to a workshop event held in Bristol. It was organised by Sec-1 a specialist security firm http://www.sec-1.com/ - note the correct address, if you get it wrong you end up at a completely different type of business!

Obviously, these events are to promote the company and their services; however, it wasn't just a massive sales pitch. The main purpose was to offer people advice about maintaining good security practice by illustrating just how easy it is to break into systems and highlighting the reasons why.

The speaker was Gary O'Leary-Steele and he spoke with passion, conviction and great deal of knowledge. He indicated that they have carried out many investigation tests over the years, and in most cases they could use the same report over and again, but just change the name of the organisation. This is particularly the case in the 150 NHS trusts they have investigated, but is also often true of many private sector businesses.

He stated that in many cases, people have failed to adequately install patches which have been issued for specific problems, often long after the issue has been identified. As it happens, I did a quick search on MS06-040 & MS08-067, the two main culprits and the autocomplete worked in each case after just the first 4 characters, the problem is so well known.

He went on to discuss some of the most common problems and illustrated how they could be used to access systems. He also went on to demonstrate how easy it can be to identify vulnerable systems, get access to accounts with innappropriate levels of security permission, crack passwords and elevate permissions. In most cases, the team of testers expect to get access within 30 mins - if they take longer than an hour, the others tease them unmercifully!

Most of the tools that they use are available quite freely on the Internet. In some cases, they do use items that have been commercially written and there is a small charge, but generally those ones are for the real high end stuff. Each has their own favourites in much the way that people do with most other kinds of software.

Whilst going through the potential problems, Gary also indicated some of the possible solutions, often by using the software tools to confirm the problem, then implementing suitable practice or policy to ensure that something is done to minimise the problem or reduce the impact.

It should also be identified that many of the exploits that were identified were in Microsoft OS or software; but the speaker also very carefully highlighted that issues are just as prevalent in other software products. Mac, Linux, Adobe etc, were all shown to be just as insecure. In many cases, this was due to installation or configuration, but equally there were many flaws straight out of the box.

I'm not a security specialist, although I have had some training in this area. I also enjoy some of the work involved, although it has to be said I don't think that I have the necessary skills to make this my specialism. However, I think that I know enough to be able to state that there are a lot of people that suffer with "delusions of adequacy"; they think that because they use a particular product, or do a specific thing, that makes them invulnerable. Often, they are so wrong that it is difficult to know how to take them seriously in anything.

I'm going to say that it was a great day, a really useful workshop and I was very impressed by the whole event. If they organise any more (and I'm told they certainly hope to) I would very strongly suggest that you grab the opportunity to get along and take advantage of the information and advice that they are willing to hand out free of charge.

V Two

Following on from last week's blog.

So we bought the hardware, and after it had been delivered, installed everything in the rack, and sat back to start planning the installation. I started up one of the host machines to get a look at the POST and boot processes. To my surprise, an operating system had already been installed - and it was Windows Server 2008 R2 Datacenter. We had purchased the licences for this, but hadn't expected that they would pre-install it.

Well no problem, just have to install the VMWare ESXi. I had a version of the ESXi software, but it was an older version, so first I had to download an updated version of the software which was an .iso image, then create an install disk. Having created the disk, I was then able to do the install. I was really quite surprised; it went through very quickly. Very little to see, just a few linux type screens showing the progress of the install. But after just under 15 minutes, it was all done.

So obviously, it also made sense to do the other two hosts at the same time. Away I went and the second machine was done in much the same time, everything complete with no issues. I then started the third machine, and decided to go for a quick cup of tea as there seemd to be no point in me hanging around watching a series of dots advancing across the screen.

But when I got back, I had a bit of a shock; the process had stalled part way through. The equipment didn't seem to respond to any keystrokes, so I took the disk out to check if there was a fault, but it didn't seem so. I tried to start the install again, and unfortunately, once again it stalled. A third attempt fared no better, so I decided to take a break and look at the vSphere client install whilst I thought about what could be the issue.

I already had installed a copy of the latest version of vSphere client on my laptop for our test a short while ago, and just had to change the logon details. It connected to the host machines without any issues and I could play around with the various bits. I even did a quick install of a guest Operating System to create my first Virtual Machine. Everything looked really good.

However, I then noticed that there seemed to be something odd about the disk allocation on the datastore on the server. There were several partitions, none of which I had created. Worse, it seemed that several of these were unusable by either the VMware or by the guest OS. Having given it some thought, it seemed to me that when the ESXi software was installed, it didn't re-partition the disk in the way that might be expected, and part of the disk would never be available for use, which might be an issue.

At that point, it seemed appropriate that I should go back over the ESXi software install. I did this, checking the process, and at no point did it actually indicate that there was an option to manage the partition. In the end, I simply put the Windows disk in, then used the install routine to start up, and delete all existing partitions. After that, I ran through the ESXi install, and this time, it made all of the disk available for use. I then decided that I would do the same on the others, and the second machine completed without any issues.

The third machine also allowed me to delete the partitions OK and there seemed to be be no reason why the ESXi software shouldn't install. But still it would only go so far, then it stalled everytime. I went through this a couple of times, before going back to my desk to give it some more thought. And at that point, I discovered the reason why, and it was so frustratingly simple, I am almost embarassed to tell you what it was.

We use a very clearly structured IP address range within our network; servers get a static address in one subnet, and all addresses assigned via DHCP are in a slight different subnet. The address that I had input as part of the install routine was an address within the server range and one that had been specifically reserved for the virtualised platform.

But somehow, the address allocated for the third machine had also been given to a secondary network card on an old server. Someone had added a cable to the NIC and then plugged it into a network point. The install routine had failed because it detected that the address I tried to give it was already in use! Once I sorted out the superfluous NIC, the install routine went through without any more issues.

At this point I had 3 host machines, all installed and a connection to each tested with the vSphere client software. A good start and I felt that I was starting to understand VMware. I still had a few other things to go over, but I was feeling really quite positive about the various processes and was looking forward to getting on with it.

But the next step will have to wait for another day 8-)