At work we bought two new servers to replace our 5- to 6-year-old DCs. I got most of the OS installed last weekend, and got the go-ahead today to bring one of them up as a DC in the domain.
So I ran dcpromo.exe, walked through the wizard, and let it do its thing. After 5 minutes or so, it failed, saying the schema was out of date and needed to be updated. Which was funny, because it's a Windows Server 2003 SP1 domain, and I thought that Windows Server 2003 R2 was the same core OS as 2003 SP1. Well, it turns out that at least the AD components in R2 are newer (to support the Federation Services? or maybe the Integrated Unix Authentication?).
However, running adprep.exe from Disc 1 didn't help, since it kept saying the schema was up to date.
Well, it turns out there's ANOTHER adprep.exe that has to be run. It's located on DISC 2 under the \CMPNTS\R2\ADPREP folder. So, "adprep.exe /forestmode" (and, curiously, "adprep.exe /domainprep /gpprep", for our domain) needs to be executed before dcpromo will work.
Next time, I'll try looking at the docs before doing something I've done dozens of times before...
Well, I got IPSEC to work. Finally. Actually, it only took about a week...there just happened to be this thing called "winter break" and "classes start again" immediately after I got everything working.
So, how did I manage to do it?
- Use certificate authentication, not Kerberos.
- Disable the "map certificates to accounts" setting, otherwise it seems an unencrypted connection to a DC is needed, just like with Kerberos.
- Somehow keep all the computers you're trying to configure from locking while you're in the middle of setting everything up, because it's likely that if that happens, and you have applied the MS Windows Server 2003 Security Guide recommendations, then you'll be screwed and unable to access the server you're in the middle of configuring. Yes, this happened to me, and no, I never want to go through that experience again.
- Become familiar with "net stop policyagent", as it can save you when things get screwed up. Basically, it turns off IPSEC enforcement/usage, allowing the computer to communicate with the DC (maybe).
- If you see someone like MS doing something with IPSEC, like exempt DCs & DNS servers from policy, PAY ATTENTION. THERE IS A REASON THEY DID THAT. Whatever you do, don't think you're smarter than the people who wrote those papers, especially since their implementation actually works.
So, those are my tips on how to get it working with Windows Server 2003 SP1 and Windows XP SP2. Anyone else got any advice?
You may have noticed the site being up & down (mostly down though) for the last week and a half. Site performance has also decreased now that it's back up.
This is because IPSec is the worst thing EVER. And I mean that. Literally.
IPSec sits in the low level of the OSI stack and provides encryption and authentication for IP. So it can do things like have every TCP packet from the Internet encrypted using 3DES, with the sender and receiver authenticating to each other over Kerberos. So far, so good. Sounds like a wonderful technology: all you have to worry about are IP spoofing, hardware hacking, and Layer 1 (like ARP poisoning) attacks. Everything above that stuff is always encrypted and always authenticated.
Except, it turns out to be incredibly hard to actually use. Sure, it starts simple enough: assign one of the predefined policies that sounds like it's the correct choice, like "Client" or "Require Security". But then you apply that setting...and find out you can't log into the computer anymore, can't get the computer to recognize that you've fixed the policy so that you could actually login, and then find out you can't actually pull the broken policy off because the IPSEC driver has now gone into BLOCK mode, and is denying every attempt to connect.
Even worse is what happened to me. It seemed to work fine for the servers for a day or two. Then they started having those problems. Even more confusing, they'd do this when configured to use Certificate based authentication.
Even more frustrating is that I have the PolicyAgent ("IPSec Services") startup controlled via GPOs. So when I finally did manage to get the service stopped and everything talking once again, the next GP application came around and fired it right back up. While the console was locked. With the "Require Domain Controller authorization to unlock workstation" setting enabled.
Oh, and this is all happening during finals week (well, actually, it started the week before finals; it just took me a while to notice).
Understand why IPSec is the worst thing ever?
Note: I cannot be bribed with donuts.* Oh...but...mmmm....donuts......
* This post subject to change provided a sufficient quantity of donuts is provided. All rights reserved. Void where prohibited. Copyright [by] Me. <Insert additional legalese as sufficient to make people not read this part>
Primarily, this is a post about RSS. You see, there's only one subscriber to the RSS feeds that are in all those tabs to the right (on the v5 site...which is the one that's available when this post is being written). And there should be more!
But first, a digression into ECE: the lab practical today was just meh. It was a simple enough task, but the infernal contraption just wouldn't work for me! So I ran out of time, and the TA came over to grade what I had, and all of a sudden it mostly started working (I had pulled out the Asynch Reset so I could debug it). So I got a 9/10. Which is good, but the amount of frustration was...even more frustrating.
Back to RSS. It's just another XML format (kind of like most web pages are just the XHTML XML format). However, there are these cool things called RSS Readers that can Subscribe to an RSS Feed (the XML file containing RSS). When a feed (to use the simplified parlance of bloggers - people who author a Web Log, like the one that you're reading right now) is subscribed to, the RSS Reader will automatically check the feed for updates and display those to the user in whatever manner. So subscribing to one of the RSS feeds on this site would mean you'd never have to manually come and visit it to see what's new: the Reader would take care of that for you.
I recommend that you check RSS out and see what it can do for you (like on this site). I use RSS A LOT. I'm subscribed to a lot of RSS feeds (not just blogs - change logs & "new releases" are things I've found to be conducive to use as RSS items). And now onto a little problem I have...
Now, there are a wide variety of RSS Readers. You have web based ones, like Start, live.com, Google Reader (I know Google has one at least), and a wide variety of much more popular sites. There are addons & plugins for existing apps, like Newsgator: Outlook. There are apps that have had Reader capabilities baked in (similar to the plugins), like Mozilla Thunderbird, a couple of Jabber clients, and Microsoft IE7. And then there are the dedicated desktop, rich client RSS Aggregators.
I use the latter. Currently, this is RSS Bandit 1.2.117. I started out with SharpReader, but that's waaay too memory intensive, and doesn't look that great in my opinion either. But it lasted me a while. The next client I tried was SauceReader, which looked great, but had even worse resource usage than SharpReader. Finally, I tried RSS Bandit 1.2.114. And that had me hooked: it was specifically designed to not trash system resources. RSS Bandit has served me well for almost a year and a half now.
Development has also continued, led primarily by Dare Obasanjo (www.25hoursaday.com). They've had the 1.3 series of versions released for a bit now, and just rolled out a new one. Unfortunately, I have never been able to get the 1.3 versions to work. Between 1.2 and 1.3, they changed some of the UI components, and the new library just does not seem to want to work. So whenever I go to use 1.3, all I get is a blank area where it should be displaying the tree view of the feeds I'm subscribed to. Which means that the program is completely useless, as none of the other sections of the program (post contents & post list for the currently selected feed) get populated. I have seen this problem even on fresh installations of Windows, with just XP SP2 & .NET 1.1 SP1 installed. Obviously everything is working fine for most people, just not for me.
As stated before, I've been running the older version of RSS Bandit because of that issue. However, that solution is becoming increasingly inadequate. A number of the feeds I'm subscribed to use ATOM (as far as end users are concerned, it's the same as RSS...just a different company's take on the whole feed idea), and have recently moved from the 0.3 version to the 1.0 version of the spec. Which means RSS Bandit 1.2 can no longer view them.
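To illustrate the two points above (a feed is just XML that a reader parses, and a reader that only knows Atom 0.3 finds nothing in an Atom 1.0 feed because the namespace changed), here is a small feed-reader core. It is example code added for this page, not RSS Bandit's; the sample feeds and the blog.example host in it are constructed, and the two Atom namespace URIs are taken from the respective specs.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ATOM_03 = "http://purl.org/atom/ns#"
ATOM_10 = "http://www.w3.org/2005/Atom"

@dataclass
class Entry:
    title: str
    link: str

def feed_format(xml_text: str) -> str:
    """Classify a feed as 'rss', 'atom-0.3', 'atom-1.0' or 'unknown'."""
    # Feeds are untrusted input: ElementTree does not fetch external entities,
    # but entity-expansion bombs still apply, so prefer defusedxml for real feeds.
    root = ET.fromstring(xml_text)
    if root.tag == "rss":
        return "rss"
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    return {ATOM_03: "atom-0.3", ATOM_10: "atom-1.0"}.get(ns, "unknown")

def atom_entries(xml_text: str, ns: str) -> list[Entry]:
    """Entries of an Atom feed, looking only under the namespace `ns`."""
    out = []
    for entry in ET.fromstring(xml_text).findall(f"{{{ns}}}entry"):
        # Several <link>s are allowed; the reader opens rel="alternate"
        # (the default when rel is absent), not rel="self" or "enclosure".
        link = next((ln.get("href", "") for ln in entry.findall(f"{{{ns}}}link")
                     if ln.get("rel", "alternate") == "alternate"), "")
        out.append(Entry(entry.findtext(f"{{{ns}}}title", ""), link))
    return out

def parse_feed(xml_text: str) -> list[Entry]:
    """Normalise RSS 2.0, Atom 0.3 and Atom 1.0 into one list of entries."""
    fmt = feed_format(xml_text)
    if fmt == "rss":  # RSS 2.0 is un-namespaced: <rss><channel><item>...
        return [Entry(i.findtext("title", ""), i.findtext("link", ""))
                for i in ET.fromstring(xml_text).iter("item")]
    if fmt in ("atom-0.3", "atom-1.0"):
        return atom_entries(xml_text, ATOM_03 if fmt == "atom-0.3" else ATOM_10)
    raise ValueError(f"unsupported feed format: {fmt}")

# Constructed sample feeds; blog.example is a placeholder host.
RSS_SAMPLE = ('<rss version="2.0"><channel><title>blog</title><item><title>IPSec</title>'
              '<link>http://blog.example/ipsec</link></item><item><title>R2 adprep</title>'
              '<link>http://blog.example/r2</link></item></channel></rss>')
ATOM10_SAMPLE = (f'<feed xmlns="{ATOM_10}"><entry><title>Atom 1.0 post</title><link rel="self" '
                 'href="http://blog.example/p1.atom"/><link href="http://blog.example/p1"/></entry></feed>')
ATOM03_SAMPLE = (f'<feed version="0.3" xmlns="{ATOM_03}"><entry><title>Atom 0.3 post</title>'
                 '<link rel="alternate" type="text/html" href="http://blog.example/p0"/></entry></feed>')
```

Calling `atom_entries(ATOM10_SAMPLE, ATOM_03)` returns an empty list, which is exactly the failure mode of a reader hard-wired to the older namespace.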
So, any recommendations for a new RSS Aggregator? It needs to support ATOM 1.0, podcasting support is not needed, I'd like it to look nice, preferably be a standalone client (although something that acts as an addin to Outlook might also work for me), and ideally be free/cheap.
Thanks!
In Indiana, if you got an operator's permit (driver's license) before you turned 21, it expires on your 21st birthday. That means it needs to be renewed.
Now, the official website (http://www.in.gov/bmv/driverlicense/) says a license can be renewed in the 6 month period before it expires. When I went to the BMV 4 days before my birthday, I was informed (after having to wait a while) that that is not really correct when the expiration is the 21st birthday. Yes, you can renew before it, BUT 1) it won't have the drinking age info updated, 2) you have to retake the test.
Oh, and you can renew during the 6 month period after the license expires. However, it'll cost you. How much is indeterminate, since I didn't have to take that path, and I don't trust the pricing info on the official web site (it was not correct for my license renewal at least).
So, basically, wait until the day the license expires to renew, and make sure you get it done on that day!
Taylor's website has comments now. He gets props for being the biggest poster of comments to this site, and he's consistently been the 3rd most frequent user. So go visit his site: www.metasyntax.net
As for this site, here's a summary of the current status of the New Design Project:
- Taylor ran a few perf tests against the test page, and pointed out that the header renders fast, but not the <sharepoint content> area
- I did my own investigating since my Remote Connections to work actually started working (finally)
- It looks like the Perf problem is the <SharePoint:tag/> stuff in the .aspx pages
- Logging in removes all perf problems. So it's either pre-caching stuff for logged in users (low possibility), or something is absolutely killing performance when the Anonymous access maps to NT AUTHORITY\NETWORK SERVICE, and that goes over the wire to SQL Server? Maybe?
I've got a gut feeling as to what's causing that security issue. Not happy with what it's telling me right now though.
The universe seems to have been trying to make up for me not celebrating my birthday...
Econ effectively ended today. Yay! No more boring lectures! Boo! No more hours of fun with Monad & RSS Bandit.
The LAST Compilers project is DONE. Didn't do too bad on it either...only 13 hours for me on this one. Did the JUMP and CJUMP stuff without testing it as I went along, and got them both correct in an hour and a half! We also broke the code they supplied to us...hint to other CS352 students: see what happens when you have to push a few thousand arguments onto the stack :). Oh, and then see what happens when you have to deal with a few hundred thousand :D. The best part of that test case was that we managed to extract useful info about some things we were doing wrong, and managed to fix them.
And then the best part of the day: I got more donuts given to me! Some girl (FLL TA?) came into the lab where I was working on the project, set down a dozen pumpkin donuts, and said we (there were two other guys in the Unix lab at that point who were studying math and not even using the computers...) could have them because they were left over from some <event x> that I didn't quite catch. No one else wanted them, so when I was the last one leaving the lab...well, technically you aren't allowed to have food in a lab anyway, so it was NECESSARY that I remove them.
So yes, a donut-ilicious day!
Oh, and Windows Server 2003 R2 RTM'd yesterday, which was a really cool (in an IT'y sort of way) birthday present from the big M.
(expect more commentary in a few weeks...probably not downtime though, since I don't think I'll be upgrading any existing servers)
Update: 2005-12-07 21:38: Unfortunately, it looks like they forgot to send me the licenses & media to go with this wonderful birthday present...come on MS! You can do better!
Yay! Yesterday (/today for you people west of Newfoundland) I turned 21!
So, my day started with me coming back from working on Project 5 for Compilers. Didn't go well...had a bunch of trouble working on it...basically, I wasn't in the right mindset, so didn't get much done. But then I played with Pandora (www.pandora.com) and did referer analysis on the server logs from the past year, both of which were fun. And caused me to stay up waaay later than I probably should have.
This morning started off great when my Mom delivered doughnuts to me for breakfast, which was completely unexpected. And really cool! Unexpectedly getting doughnuts 20 minutes after waking up is a great way to start a day. I highly recommend it. In fact, if I was a business major, and these were the heady days of the dot-com boom...oh never mind, that's a business plan for fools & idiots.
So I went to compiler's PSO and got stuff done actually! Yay! Sleep works wonders for code generation...
Lunch was great, since there were doughnuts left over from breakfast, and doughnuts make everything better (yay!) (...so sue me...I live a spartan culinary lifestyle, and getting sugary pastries that magically have the center missing is a treat).
Astronomy was fun: we got to hear all about how flying things in space could destroy us at any moment! The Horror! Of course, the poll at the end about whether we were more or less concerned about being wiped out by a NEO collision, and seeing how many people were LESS concerned, is what made the lecture really worthwhile.
Compilers afterwards was, well, compilers. No references to Vaxen this time. But there were a bunch of funny stories before class started about subverting D&D campaigns...
The worst part of today was the DMV, since it took forever...and forever...and forever (where {forever : 30 minutes}, and <union character that I can't seem to insert right now> forever = 1.25 hours.).
But afterwards work was reinitiated on the Compilers project, and the BINOPS were finished. Now just to do Jumps.
Which leaves me here now, playing with Pandora again. Which is really making me wish I had an audio subscription to one of those services. And had a MP3 player that supported PlayForSure(tm)(c)(r)(sm)(.)* Audio Subscription (like the Philips HDD6330). Oh well, there's always Christmas now...:P
About the author
Jeffrey Stults is a software developer currently in Portland, Oregon. He is contactable at:
stultsj@ntldr.net
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2012 Jeffrey Stults, Jr.