Below is a summary of a talk I gave to Hampton Roads .NET User Group in January 2012.

1st Part: Tools Developers Should (but don’t) Talk About

Developers are usually busy being great developers and just what their systems to work.  I’ve spent many years figuring out how to protect those systems and keep them running.  In this first part I’ve detailed the tools I feel are maybe outside the realm of a developers expertise but should still be running on their systems.

• Web Of Trust - Under the category of “save you from yourself”. A browser add-in that helps you determine if a link or site leads you to a “bad” web page.  By “bad” it could be malicious, untrustworthy, or not safe for families, etc.  It’s user-driven so not always 100% correct (I’ve seen false positives) but the best feature is showing it’s stoplight indicators on google search results.  If you actually goto a page that’s suspect, it’ll darken the page and give you a big “are you sure”?
• DynDNS Internet Guide (or Google Public DNS) – Similar result to Web Of Trust but more behind the scenes.  Honestly I think every home network router should be doing this.  There’s no down side.  You are changing the DNS server IP’s on your computer or home router to theirs (either Dyn or Google’s), which they will provide not only fast DNS lookups, but also filter the DNS results so you don’t end up on a bad website.  Similar to WOT, DynDNS will warn you first.  It also allows you to set custom settings with a free account if you are a parent and want to filter additional types of sites from all your computers.
• Bitlocker - Another “no reason not to do this” on laptops.  To me it justify’s the extra cost of Windows 7 Ultimate (or Enterprise) to have this feature, which will encrypt your disk drives to prevent data theft if you loose your laptop.  It helps me sleep at night knowing my data is still protected in case of theft.  Just search the Start menu for Bitlocker and copy the key to your smartphone, email, or print it for safe keeping in case you ever need it (usually don’t) to boot the computer.
• Nitro Reader - Outside the OS and the browser itself, the next likely security risks revolve around the browser add-in’s and some of the worst ones are Java and Adobe Acrobat Reader.  We can’t replace Java but we can ditch Acrobat Reader, and in the process get a better PDF program that does more for free then Reader.  Enter Nitro Reader.  Fast, modern interface with no ad-ware.  I recommend it to all my clients as a Acrobat Reader replacement (and upgrade) and so far everyone’s happy.
• Microsoft Security Essentials - Free forever anti-virus/malware.  Rumor has it that it’ll be included in Windows 8 (FINALLY anti-virus built into Windows).  It gets high ranks for quality of the engine, plus my favorite feature: it almost NEVER bugs you, and that’s what we all want in a anti-virus, an app that we never have to mess with.
• Secunia PSI - Do you ever wonder if you have any software on your computer that has known security issues?  Secunia PSI answers that question with a great tool that’s like a Windows Update for the rest of your apps. It scans your system and notifies you of software that has known security issues and a download link to the newest version to fix it.  I run it on my Windows systems monthly.  Only free for personal use.
• Backblaze (or Mozy or Carbonite) – I used Carbonite years ago, and I’ve used Mozy for some business systems, but Backblaze takes the cake for the best whole-computer online backup solution.  It even backs up USB drives, and provides a bonus feature similar to a LoJack for your PC.  You should always use an automated backup solution, and now-a-days it’s easiest to use an online backup solution, so why not go with the best-bang-for-your-buck with Backblaze.  Here’s hoping you’ll never need it.
• SugarSync (or dropbox or box) – I’ve used them for years to sync files between my multiple PC’s, as well as share files with co-workers or access my files when I don’t have my computer.  This is a sneaky way to get others who you share files with to keep those files you share backed up.  Plus, it prevents the need to always email files back and forth.

2nd Part: Virtualization for the Developer

Virtualization of PC’s for test and devlopment is not new, but some have still not taking the leap to this great solution.  Others maybe are using a tool that doesn’t meet there needs or could use some advice on managing their virtual systems, so lets start from the begining.

• Why?
  • You are likely developing for a OS different then the one you are on.
  • Test Microsoft products quickly (pre configured): search “vhd” at www.microsoft.com/downloads and more listed at www.microsoft.com/vhd.
  • Use browsers of other OS’s or run your web app on a real IIS Server.
  • Allow you to run multiple versions of Visual Studio, Office, etc.
  • Use snapshots to test software changes on test virtual machines’s.
• Getting Started
  • You should be running a 64-bit OS on your hardware (32-bit does work in some cases but is quite limited).  Not sure if you are 64bit?  Run msinfo32.exe and look for “system type” on the right and it hopefully says x64.  If it says x86 then sorry, you’re 32-bit.  There’s nothing to fear from reloading into x64.  It’s not the land-of-confusion it was 5 years ago.
  • Be sure your BIOS has virtualization enabled.  This Microsoft Virtual PC tutorial talks at length and gives you a tool to check, but basically there is a BIOS feature for your hardware to be “virtualization enhanced” that is often not enabled.  This is required for Hyper-V to work, and if not enabled VirtualBox will run much slower.
  • Terminology: The OS running directly on your hardware is called the “host” or “parent” and the virtual machine (VM) running inside the host is a “guest” or “child”.
• Your Virtualization Options
  • Virtual PC
    • Free. Not recommended for developers.  It only works with 32-bit guests and is only designed to run Windows XP/Vista/7.  Designed for end users with legacy apps.
  • VirtualBox
    • Free.  Open Source.  The best choice if your running Windows 7 and all you need in 95% of scenarios.  You might consider VMWare a paid upgrade to this in terms of advanced functionality but if you don’t know why you need VMWare, you likely don’t.
  • Hyper-V
    • The best choice if you are running Server 2008 R2 or Windows 8.
  • VMWare
    • A good product, but to get features comparable to Hyper-V or VirtualBox you have to pay, a lot.
• Virtualization File Formats
  • A virtual machine has 2 (or more) files associated with it.  The two you usually care about are the disk drive files and a configuration file.  Every virtualization software manufacture has their own standard for each (or more then one) and it can get quite confusing, especially if you want to download test pre-build images.  Stick with Microsoft’s .vhd.
  • Microsoft’s current standard (2011-12) is the .vhd disk format but with Windows 8 a new .vhdx format is emerging.  .vhd is used by lots of Microsoft products like the legacy Virtual Server 2005, Virtual PC, Hyper-V, and even Windows Backup.  If you want to keep things simple, always create your virtual machines using this .vhd format so they’ll work across any product (even VMWare and VirtualBox).
  • The configuration file stores hardware configuration such as number of CPU’s, RAM, how many drives, and NIC MAC addresses.  This file format is different in every product so usually you just recreate your settings if you swtich between, say, VirtualBox and Hyper-V.
• Which To Use
  • Running Windows Vista/7: VirtualBox
  • Running Server 2008 R2 or Windows 8: Hyper-V
• VM Management
  • Keep your .vhd’s (virtual hard drives) small.  Google “shrink vhd“, disable the Recycle Bin in VM’s, disable hibernate, use Spacesniffer to find large files and folders.
  • Keep your ISO’s and install files outside of the VM and use network shares or VirtualBox shared folders to access them.  Mount ISO’s from Hyper-V/VirtualBox rather then using inside the VM.
  • If you end up creating more then a few guest VM, learn how to use differencing disks (VirtualBox calls them immutable) to have one large source/root disk (use sysprep before making it read only) and then create new differencing disks on top of that for each VM you create.  For Server 2008 R2 this saves me 15GB of disk used per virtual machine.

Problem: when you send a link from Communicator client to another, the link isn’t clickable, has a _ (underbar) in front of it, or both.  Results may be different on different computers. It’ll look like this

_http://www.google.com

Solution:  Two things are happening here that are not related.  The first is the OCS Server (and Edge Server) have the URL Filter enabled, which are adding the _ underbar to all links.  Also called “Intelligent IM Filter”.  You need to tone that filter down or disable all together to your liking.  If users are coming in through an Edge Server, they will follow the Filter settings of the Edge Server they are using, which seams to supersede the Front End Server (my guess is the most restrictive wins).  So be sure to set it on both servers separately.  Results were instant in new IM’s.

The other issue is the lack of a clickable hyperlink.  If you disable the URL Filters above, the underbar goes away but links are still not blue and underlined.  To fix this you need to apply a GPO or set a local registry setting to allow Communicator to make hyperlinks clickable:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator\
new DWORD EnableURL=1

After that exit and restart Communicator.

In both of these cases they are secure by default, which is great; but even years after this features release over several versions their use and configuration are still a mystery to most starting out.

please log in access was denied 0×85010002

In the ISA Monitoring you would see a denied connection on your ActiveSync rule with this status:

12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).

I first thought this was the HTTP session timeout that changed with a Exchange 2003  service pack when Direct Push came out back in 2005.  I remembered that setting and looked under the ISA Web Listener for ActiveSync on the Connections tab>Advanced>“connection timeout”.  The wizard had correctly set it to 1800 seconds (30 minutes). No dice.

I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA).  ISA is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).

Tom and the forums at isaserver.org confirmed my suspicion.  The forms auth timeout was indeed affecting ActiveSync.  To find it, look for the web listener of your ActiveSync rule, go to properties>Forms tab>Advanced> and make sure “apply session timeout to non-browser clients” is unchecked. 

Failed to configure the service NETLOGON as requested “the wait operation timed out.”

The root problem was that this domain controller had a DNS entry to another domain controller that no longer existed.  It was trying to contact it but couldn’t.  Removing that entry and running dcpromo.exe again solved it.

The big problem with changing your Network Template is that ISA wants’ to slick your config and start over, so you’ll end up with two options: Try to make a 3 NIC config work in  your original design by adding in networks and network rules, or applying a new network template and then bringing your config back in via import.  After failing the former (likely my lack of skills), we chose the later.

Mileage may very, but here’s some notes on what we did:

• Obviously you need the 3rd NIC installed first.
• Add the Subnets to the new NIC’s IP config for your DMZ aka “Perimeter” network in Windows.
• Export your firewall config, including all settings, make a copy of the XML file, and open for editing.
• We’re going to remove the network section of the XML file to prevent issues later.  Once you’ve chosen a new network template, you’ll want to import the config back in, minus the network related stuff (which is what the network template will change for  you).

• Search the XML file for the open and closing NetConfig tags:

• <fpc4:NetConfig StorageName="NetConfig" StorageType="1">
• </fpc4:NetConfig>

I just posted that in R2 Microsoft plans to provide a true Recycle Bin for AD objects that were deleted, but until then the best we’ve got is Windows Server 2008 Active Directory.

After hours of researching “how do AD snapshots in 2008 help me recover a deleted object(s), it’s attributes, and referring objects (i.e. groups pointing back to the deleted user)?” I was disappointed.

From what I can tell, the answer is: built in tools allow for no additional automation over 2003 AD, other than using cut and paste to restore attributes from the snapshot to live AD (after you’ve reanimated the object in live AD). 

You may be able to mount AD snapshots, and even view them with Users and Computers and other AD tools, but you really can’t DO ANYTHING with that data  So I went searching for how others were solving this. 

Here’s one of a few tools that tries to automate the process of finding the tombstoned object in your live AD, find it’s old info in a snapshot, and dumping that data back in to the reanimated object in AD:

Jorge from dirteam.com talks about it, basically describing my realization in greater detail

I used an excellent idea found at the How-To Geek site for creating a rule to prevent the “Oh No!” reaction after sending an email you realize you didn’t mean to send. (i.e. forgot the attachment, left someone off the To: line, etc.).  This rule will delay any message you send in Outlook for a period of time (in minutes).  It will look like it sent, but actually is waiting in your Outbox.

I tweaked that rule a bit from the How-To above.  First, mine is only 1 minute, not 5 as the tutorial above suggests.  I find that you almost always “Oh No” with in 60 seconds.  Second, I put in an exception to send right now if i mark the email as high importance (exclamation mark).  Try it out!

1. WebDAV Access.  Lets say you want to browse to a SharePoint site using UNC path names, or maybe use the new fabulous sysinternals \\live.sysinternals.com\tools way of getting their tools quickly… we’ll you can’t until you add the 2008 feature “Desktop Experience” which will then add the WebClient service.  That service is what allows you WebDAV access to other servers.  Don’t confuse this with the IIS 7 WebDAV which will allow you to serve up WebDAV content to others.  Also note that in Windows Server 2003 the WebClient service is disabled by defaut so if you have the same issues in that OS, enable and set to automatic.  It’s a security thing since most don’t use servers to browse web content.
2. Wireless Access.   You need to install the feature Wireless LAN Service to use a WiFi card.
3. Hyper-V. = no sleep/hibernate (fixed: read update below).  It’s been said on many other sites, but once you add the Hyper-V role to Server 2008 these features are disabled… making it harder to use it on a laptop.
4. Internet Explorer Enhanced Security Configuration (IE ESC).  To make the web useable from IE, you need to disable this, which you’ll find under Server Manager Summary page where the Security Information is at.

update: Have a GUI do all this for you and more! Over at the Windows Server 2008 Workstation Converter blog.

update 11/15/2008: A reg entry has been found for disabling Hyper-V and allowing power states and sleep/hibernate to work.  However, in my experiance, each change of the setting requires a full reboot, so if you disable Hyper-V and reboot, then want to start a VM in Hyper-V, you’ll need to change the setting back and reboot again.

Often my clients, as well as most home users have operating systems like Windows 2000/2003 Server (or Windows XP for home users) installed and end up using a 3rd party application to backup their data. For servers, this can get expensive quickly, and often my clients don’t understand why they have to pay as much money (or more) for backups then they did for the server(s) it’s backing up (expensive software combined with expensive tape systems). With home users, or business workstations, they are very rarely backed up because of the complexity that they perceive it to be. Often, I believe the built-in backup utility of modern Windows could do the job just fine for small businesses and home, but many don’t know how to work with it, and deal with its limitations (and Microsoft doesn’t have a good wizard to walk you though the more advanced scenarios).

Three most common mistakes made in small business data backups

1. Often companies just set an initial backup job and don’t review it until something breaks.
2. Often companies don’t have off-site backups, and if they do, they are old or incomplete (not appropriate for their business needs).
3. Often businesses never test their backups, or even look to see if they are successfully finished.

Advice Before Beginning

ntbackup hides in your start menu under Accessories>System Tools. It can also be run by the command ntbackup.exe from a command line or run prompt.

Establish a single computer as the “central backup computer” that will store the backup files from all computers. This keeps your sanity in check. It doesn’t have to be a Windows “Server” OS. If your going to “pull” all remote files from this computer (rather then “push” files to it from other computers), then disable file sharing in the properties of the network card (to help prevent attacks by viruses or hackers).

One thing you must do in order to limit the frustration of this program is to always run it backup jobs from a backup user account. If you are at home and only have one login, then using the existing login user is fine. But if you’re in an Active Directory environment then I suggest creating a special user called “backupuser” or “sysbackup”, etc. Give this user a strong password (more then 15 characters), and initially, add it to the Backup Operators Group. There are several reasons for this requirement:

• Ntbackup.exe likes to dump its logs under the user’s profile it’s running at. We’ll talk more about logs later, but if you perform backup operations from different users, then you’ll have problems finding all the logs. We’ll show how to change this location later in the document.
• Ntbackup.exe needs to run as a specific user. This user needs to have permissions to backup all files, which could be any account that is an admin. But, when that admin changes their password, or if they leave, etc, this account will not update itself and backups will fail. The account shouldn’t be person-specific, and should not have an auto-expiring password (which is why the password should be extra long and cryptic, so it’s hard to guess or “brute-force”).

How to Schedule Jobs

Ntbackup uses the Scheduled Tasks service (aka at.exe in 2000, schtasks.exe in 2003) to run its jobs. This is equivalent to the cron scheduler in UNIX. The ntbackup interface can be used to create a backup job, and will create a .bks file that is the configuration of all the files selected for backup. If you schedule jobs with the ntbackup interface, then it will add them to the Scheduled Tasks “folder” automatically according to the schedule you selected. All of this is hidden behind the interface so for a beginner, they can just select the files they want, select a location or tape to backup to, and go.

Where to find Backup logs

The Backup logs are under the profile of the user account that is used to run the backup job. So, if a username of “backupuser” was used, then the logs would be located:

C:\Documents and Settings\backupuser\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\

The .bks configuration files are also stored here by default if you create it from the ntbackup interface.

How to edit or create a backup config file (.bks) without using ntbackup

You can use the ntbackup GUI to edit, save and load existing .bks configuration files, but the files themselves are so simple that it’s often quicker to edit them in notepad.

Here are sample lines you could have as the contents of a .bks file

\\SERVER2\APPSHARE\
C:\
C:\WINNT\system32\wbem\repository\ /Exclude
K:\Lables\ /Exclude
K:\Janurary 29.doc /Exclude
DS \\SERVER1
IS \\SERVER1
JET SERVER1\Microsoft Information Store\First Storage Group\
SystemState

• The 1st line backs up a network share from another computer
• The 2nd line backups up the whole c: drive of the local computer. (doesn’t include the registry, AD, etc) By default ntbackup does everything in a directory including sub directories
• The 3rd and 4th lines show how to exclude directories
• The 5th line shows how to exclude a file
• The 6th and 7th show how to backup an Exchange 5.5 directory store and information store
• The 8th line show how to backup a local Exchange 2000/2003 database
• The 9th line shows how to back up the system state. (later we will cover what is in a system state)

So, If I were to create a .bks file with notepad of my backup locations, call it “nightly network backup.bks” and put it in the “c:\scripts” folder I make, I can start constructing my other files needed for the backup job. To create the schedule for your job, you can use the command line, but I find the Task Scheduler easier to deal with and change. Here is the command line for a job that the ntbackup GUI will create:

C:\WINNT\system32\NTBACKUP.EXE backup “@C:\scripts\nightly network backup.bks” /d “nightly network backup” /v:no /r:no /rs:no /hc:off /m normal /j “nightly” /l:s /p “4mm DDS” /um /f “\\server-ts\backups\nightly network.bkf”

Notice I’ve specified which “backup script” to use, and where to store the actual backup file, neither of which has to be on the local computer. For a command line reference, use the help file included with ntbackup.exe (run “ntbackup.exe /?” to see it).

What Exactly The System State Backup Covers

When you backup the System State on a Domain Controller, the following is backed up:

• Active Directory (NTDS)
• The boot files
• The COM+ class registration database
• The registry
• The system volume (SYSVOL)
• The IIS metabase

When you back up the System State on a member server or workstation:

• The Boot file
• The COM+ class registration database
• The registry
• The IIS metabase

When Certificate Server is installed on your server, it is included in the System State.

What ntbackup Does NOT Backup

KB104169 It skips files that are not important, like the pagefile, the hibernate file, recycle bin, tmp files, etc.

How to Notify Yourself About Various Backup Events

Now that you know where the log files are stored, you can use Windows Scripting Host (WSH) to create a mail script in .vbs that will email you at the end of a job. I wish I had one handy to to show you. Blat would allow you to do this in a batch file with much less code (a single line).

How to Backup the System State of Multiple Machines

While it may be easier to buy an enterprise backup program at this point, if you only have 2-6 servers then it may still be more costly to buy then “orchestrating” your backups with ntbackup. I’ve seen two different working options in this case:

• Semi-Centralized: Run backups on the other servers of just the system state to their local hard drives an hour in advance, and then pull those plus your file backups from your “backup server”.
• Distributed: I find for the purposes of a restore, it’s easier to do full backups on each system, and point them to save the .bkf backup file on the “backup server” (note this would require file sharing to be enabled on the backup server). Doing it this way means you’ll need to setup a blat/email job on each server for it’s logs, OR a better option is to share out the log directory’s and “blat them” from a single batch job on the backup server.

Other Options for Performing Backups With and Without a Tape Drive on Small Networks

Perform nightly backups to disk, on a different server or pc, and perform weekly’s to tape. This is the disk-to-disk-tape scenario

Rather then buying bigger tape drives and tape autoloaders, use disk-based backups for onsite and tape only for offsite storage

Use an external USB/Firewire drive and rotate offsite to prevent ANY tape use. 500GB-1TB external drives are cheaper then tape drives, and hold 8-16 times the data of a single 4mm tape

For a offsite backup solution that is really cheap, fast, rather simple and effective; buy at least 2 external USB hard drives and pick a computer to be your “backup server”. Have this backup computer push/pull files daily to store the .bkf files on the USB drive. 1-2 times a week, swap out one drive for the other (use disk manager to ensure they use the same drive letter) and take the new “spare” one home. Now you have disk backups onsite, and offsite, likely for less then $500.

If you do all these things: weekly offsite, nightly backups to disk, and email reports of backups, you’ll have a very complete solution for small business backups that rival most small businesses today. The next step is for you to test your restore skills, but that’s another post.

Reference

How to Schedule Unattended Backups Using a Stand-Alone Tape Library

How to Save Backup Report Logs to an Alternate Location

• Needed to upgrade Google XML Sitemaps. I just deactivated the old and uploaded/activated the new.
• The new plugin upgrade feature in WordPress told me to upgrade my WordPress Database Backup, which wasn’t activated, so I just overwrote the file.
• My K2 theme is so advanced it had it’s own Widget manager before WordPress did. Once WP added the feature, you needed a K2 plugin to disable the WP widget manager (because K2′s is still better). Now, the K2 theme disables the WP one on it’s own without the Plugin. So, I’m removing this plugin and updating my K2 next.