The Fluffshack

Unraveling the world one sock at a time

Goodreads | 2 reviews of Microsoft Resource Kits

Microsoft Windows 2000 Server Resource Kit (It-Resource Kit) by Microsoft Corporation


My review

rating: 5 of 5 stars
This still remains one of the most in-depth and complete collections of material on Windows server. Many of the basic concepts and design of Active Directory, basic TCP/IP technologies, and much more, are discussed in great technical detail, and it remains an extremely valuable reference source for me, even for Windows 2003, and I bet for 2008 also.

I also have the 2003 resource kit, but they cover different aspects of the server product. I don’t know if there is a technical reference from MS on Windows server that equals the ground covered in this kit.

I recently threw out many of my 2000 books, but these will remain on the shelf for a long time.


———————-
Microsoft Windows Server(TM) 2003 Resource Kit by Microsoft MVPs and Partners


My review

rating: 5 of 5 stars
This is basically a bundled collection of books that are also available separately. It contains some of the most in-depth books available on Windows server, including the very excellent “Windows Internals 4th edition” by Mark Russinovich. Also the Troubleshooting and Performance guide are extremely good and in-depth.

This collection goes a lot farther than just about anything a Windows professional will have come across in MS course material. It is meant mostly for enterprise administrators as many of the skills needed to use the knowledge of these books lend themselves particularly well to the large-scale enterprise environment.


December 26th, 2008 Posted by | In The Trenches, Sysadmin, Tech | no comments

Unixplaza Blog Site


My friend and former colleague Mohamed recently launched a Unix blog: “Unixplaza”. Looks like he is writing about his own Unix sysadmin adventures. He really knows his stuff, so that should be cool to watch.

August 14th, 2008 Posted by | Sysadmin, Tech | no comments

When you touch that server you touch me

They turned off the HPSIM and general management and alerting server this morning, or at least, unplugged it, cause it was causing this huge network spike at a remote site.

I know for a fact that no one besides myself knows what it is exactly that machine does, as it’s only useful to me and what I do.

That doesn’t mean it isn’t explained in the server list in Sharepoint that I made and painstakingly try to keep up to date, that no one bothers to ever look at.

And of course no one bothered to ask during the day what exactly the impact is that they unplugged the server.

I mean, who cares about hardware and remote monitoring of servers anyway. It is, after all, only the most basic part of my job.

That made me feel really appreciated.

HPSIM was reinstalled a few weeks ago by one of my colleagues. When I explained it took me 2 days to set it up last time I installed it, he was surprised.

I will admit, it doesn’t need to take that long. But it was new software to me at the time, and I was careful, and ran into some awkward service account issues.

It’s a very messy collection of software, basically, so you need to be careful and precise.

I read the manuals first.

I ended up needing 3 different service accounts. With different levels of rights and access. 

He reinstalled HPSIM in about 1 hour. It’s his way, he loves to impress with how fast he can do things.

I haven’t logged on to it in the meantime, because my time was needed elsewhere for the last few weeks. Build activities that go first. Project. Bids. Money.

I warned them in a long email 2 weeks ago, that no one was now doing any active systems administration. No one was keeping an eye on things. No one was cutting the grass.

Fast forward to this morning…

So, I can’t dispute that HPSIM or something on that server killed that site’s 2mbit WAN line for an hour, daily, between 10 and 11.

I went in over the ILO to have a look, after I asked them to at least plug -that- back in.

HPSIM service wouldn’t start, as it couldn’t authenticate its domain service account, cause it had no network. This was expected.

What wasn’t expected, was the fact that it was using this colleague’s domain admin account to start.

And so was the OpenSSH service.

And so was the Software update repository service.

I curse myself for not having reinstalled it myself, for one. And I curse myself for not having managed that server myself the past few weeks.

They ask me now, wtf was that server doing? I honestly don’t know. I haven’t managed it for the past few weeks, due to me being allocated to build activities, as they well know.

I hate it. I hate the fact that I don’t know.

Even though I have no need to feel responsible, I so very much do. This server was mine, it did this on my watch, at least that is how it feels.

I can’t be sure what caused the network spike, and I will never know because they won’t let me plug the server back into the network.

This weekend I will reinstall HPSim on a different server. A server that I had racked as spare, for this exact kind of scenario.

It will be reinstalled slowly, carefully, with the appropriate documentation at hand, as I did last time.

It will be stable. It will be secure. It will be managed.

It will be beautiful.

And I am not gonna let anyone else on that server. If it ever misbehaves again, they can hold me personally accountable, I want them to, god knows I want them to.

There is only one person in my department with a sense of responsibility for our environment.

There is only one person in my department who actually cares things are done correctly.

Every time I place my trust in another technical person, I am disappointed.

No one else is touching that server from now on.

Happy Sysadmin day.


July 25th, 2008 Posted by | Sysadmin | no comments

Datacenter Move post 4

Youtube videos are worth a thousand words, so I will let them do the talking.

Progress TCR Move May27 part 1 (the old location)



Progress TCR Move May27 part 2 (the new location)



What Mustafa thinks of IBM rackmount kits:

And some pics from the last 3 days:

IBM xseries 336, about 3 years old now

ServeRAID 6M controller (in the PCI slot bay). It’s IBM branded but it’s basically an Adaptec.
This comes out of one of the 2 xseries 336 servers that, together with the EXP400 shelf, served as a Windows 2003 cluster. The ServeRAID controllers are needed to provide failover control of the shared disk shelf.

Mainboard of an xseries 336, with the PCI card bay/thing removed. The blue bracket at the top is where usually an RSA-II management card would be sitting, but this one doesn’t have one 🙁

ServeRAID 6M removed from PCI bay of the 336 server

The rack is slowly emptying. I remember when I was building it all up, 3 years ago! Check it out

Installing windows on an IBM xseries 336. It’s been a while. I noticed the IBM ServerGuide CD has a few more options now.

Picture I needed to have to illustrate where to connect everything.

Ready to move to new location

Not the most ideal way of moving servers, but it’s better than nothing. At least they are softer here than in the back of the car.

Richard, our project manager, trying to get more work in.

Temporary cabling 😉

It’s slowly growing

They are not done with the rack interconnects, damnit. I can’t finish my patching like this.

Our new firewall cluster

I love the blue glow of the console. Kinda weird to have that out-of-place IBM in there, squashed between the HPs. The cable rail for the server is different than HP as well, so that will be fun to cable.

Moved some servers around, getting to our final config now.

WAN comms rack in the new location

LAN comms rack in the new location

Khalid on servicedesk duty

Gertjan is helping us decommission

Mustafa hard at work decommissioning servers

A lot of servers were decommissioned today, these are all basically being scrapped.



May 28th, 2008 Posted by | In The Trenches, Sysadmin, TCR Move 2008, Tech, Video | no comments

The Vegas SuperNAP

Datacenter Knowledge has 2 posts up about Switch Communications’ new datacenter in Las Vegas, which they are claiming is the highest-density datacenter in the world.

http://www.datacenterknowledge.com/archives/2008/May/27/the_vegas_supernap_a_data_center_revolution.html

http://www.datacenterknowledge.com/archives/2008/May/27/1500_watts_a_square_foot_a_look_at_tscif.html


Switch Communications says it is successfully cooling a section of its Las Vegas data center running at nearly 1,500 watts per square foot using air cooling. How are they accomplishing this?

The key to Switch’s high-density cooling is a design known as Thermal Separate Compartment in Facility (TSCIF), according to company co-founder Rob Roy. The ingredients in this approach include high-capacity AC units placed outside the data center area, and a tightly integrated hot aisle containment system for the racks. Here’s an overview:

    * The cabinets are set on a slab, with no raised floor.

    * Chilled air is delivered into the cold aisle near the ceiling rather than through the floor, and enters the cabinets through the front.

    * Each cabinet fits into a slot in the TSCIF unit, which encapsulates the rear and sides of each cabinet, while the open front extends beyond the enclosure.

    * The hot aisle containment system delivers waste heat back into the ceiling plenum, where it can be returned to the chiller.

 

Very cool video of the SuperNAP setup:

http://www.switchnap.com/pages/products/the-supernap-video.php

More pics of their T-Scif cooling system: http://www.switchnap.com/pages/tech-specs/thermal-scif.php

The statistics off their site:

    * 407,000 square feet of space
    * 250 MVA Switch owned substation
    * 146 MVA of generator capacity
    * 84 MVA of UPS supply
    * 30,000 tons of system plus system cooling
    * 4,500,000 CFM
    * 30 cooling towers
    * 100% heat containment using thermal-scif™
    * Designed for 1500 watts per sq. ft. density
    * 7000+ cabinets
    * Armed 24/7/365 military trained Switch employed security staff

 


May 27th, 2008 Posted by | Sysadmin | no comments

Decision-making on the new Proxy solution

For your enjoyment, here is a, slightly edited, email I just sent to the department head and various other decision makers. It goes over some of the options we need to consider to solve the current issues with our internet access.

Names and places have been changed to protect the guilty 😉

And please excuse the spelling. I was in a hurry and I really don’t care about spelling as much as I do content.

—————————-

Hi all,

We are currently faced with some decisions that need to be made in regard to the Internet Proxy solution for the Netherlands and Belgium.

This is the current situation in regard to the proxy servers in Lala City and Chipville.

Server Lala City: LA-Server-S99
Server Chipville: CHIPVILLE-Server-S99

Both servers are HP DL360 G2 servers, and are now approaching 8 years of age. They are very out of warranty, and no hardware support can be expected from HP anymore regarding these.
Both servers run Windows 2000 standard.
The Proxy software on both servers is ISA server 2000, running on the SQL MSDE engine. This software is still supported by Microsoft, but has been superseded by 2 newer versions.
In addition, we currently run the Surfcontrol web-filtering software, as a plug-in for ISA.
This software allows us to tightly control web-behaviour, for example to allow certain users access to certain sites, and to block entire categories of websites, or web-protocols.
We have built up a pretty extensive rule-set over the years on both machines, and both rulesets are largely identical.
The company “Surfcontrol” was acquired by Websense in 2007, and since that time the Surfcontrol software is no longer supported, no patches or service packs are being offered for download, and no licences are being extended or sold, forcing all former Surfcontrol customers, including us, to look for alternatives.
The software combination on these servers has caused us some issues in the past. Some elements of Surfcontrol have always been buggy, and as the hardware has aged, it has become unreliable.
Furthermore, the decision to use SQL MSDE has caused problems, because of its inherent 2GB limit.

Lala City
The Lala City proxy server is due to be replaced with new hardware, located in SiteB. This action is outstanding as part of the TCR move project.
As part of this, a new server was purchased, together with W ISA server 2006, and SQL 2005
At the moment, no replacement for Surfcontrol has yet been purchased, although Dick Dickerson did get a cost estimate for the Websense software, based on a single server, 500 users, and 3 years of licensing. (included as attachment)
A decision on this has been on the back burner, due to the fact that we were also planning on moving the current ISA server to SiteB anyway, and using the Chipville ISA server as a backup.

Chipville
The old Proxy server in Chipville is in a similar state to the one in Lala City. Although one of its 2 disks (that run in a mirror) has failed since last week.
This causes a serious risk to internet service continuity. It also represents a risk to the TCR move project, as this server is now no longer a reliable fallback while we move the Lala City server.

We need to decide how to proceed going forward.

The time factor
We have only a limited time to come up with a solution. Currently the situation in Chipville is more pressing, because of the hardware failure of the server there.
The big-bang server move from TCR Lala City is scheduled less than a month from now, and we need a stable and supportable solution at the very least in Chipville before that time, and ideally a solution for Lala City as well.

There are a number of options:

Option 1. Keep the current servers
The Lala City server can be moved to SiteB and continue to operate from there, serving Internet users (non-citrix) in the Netherlands.
However, the hardware and software is no longer supported, the software is in an unstable state due to past problems with Surfcontrol, and the ISA MSDE database.
Due to the advanced age of the hardware, it is only a matter of time before it fails. Moving it might actually break it too.
The Chipville server cannot operate as-is, on a failed hardware mirror. This absolutely needs to be replaced, more or less disqualifying this option.
Due to the above, I cannot recommend this option in any way.

Option 2. Outsource the Proxy service to European Datacenter / UK
This would involve redirecting all internet traffic from Netherlands and Belgium to an outside, centralised Proxy system for internet access.
This would simplify our support model somewhat, and remove the technical burden of supporting the solution ourselves.
The downside though, is that we no longer have direct control over what is allowed/disallowed over the Internet.
By default, as far as I have heard, no rules are in place for both the UK and European Datacenter proxy solutions, meaning that there are no limits on what people can do with the Internet connection, it would be a free-for-all, whereas right now, we have strict limits on usage.
This option should be considered. But the question has to be asked why the web-filtering function was ever needed in the first place. If web-filtering and control remains a business requirement, then this option cannot be considered.

Option 3. Hybrid In-country hosting / European Datacenter hosting
I have been made aware of a version of the European Datacenter hosting scenario, that includes re-directing in-country internet traffic to European Datacenter, but in combination with a local Proxy/web-filter server, running the Websense software. This would involve installing a local server with the “Websense” filtering software, and “chaining” it to the Websense Proxy server in European Datacenter. Many countries apparently already follow this model.
This has the advantage of retaining local control of a rulebase, allowing us to continue to restrict internet use where necessary, but with the advantage of not needing local Internet line for basic Internet use anymore. MEGACORP(TM) also can retain an amount of corporate internet-use control, via the gateway in European Datacenter, as all internet traffic eventually moves through there to get out. Currently MEGACORP(TM) does not pose any global restrictions on the Internet gateway in European Datacenter, as far as I have heard.
This option should be considered, however it will take some time to study and set up properly. The support model may be complicated because of the fact you are dealing with possible web-filtering and proxying in 2 different locations, supported by 2 different organisations. It would however, also require that local websense software be purchased and supported. I have also been told by some, that the connection via European Datacenter is very slow and not that useful for many operational tasks. This could hurt us, as we run a number of line-of-business web-based applications over the internet. (HP Shipview, etc.)
We would also benefit from the fact that the websense software can be centrally managed from 1 console, making it very easy to keep the Netherlands and Belgium ruleset identical, and simplifying reporting and failover.
I would recommend this option if we can be sure the performance is adequate for our business needs, and if the support model can be agreed upon quickly. The major downside of this solution currently is that it will take time to set up, and we don’t have much time anymore.

Option 4. New installation In-Country
This involves basically rebuilding the 2 Proxy servers on new hardware, and installing fresh, current and supported Proxy and web-filtering software.
In this scenario we would use our own local Intranet lines in SiteB and Chipville.
We would directly support the solution, and maintain direct control over the web-filter ruleset, this is the most simple support scenario.
Hardware for this is already available: The replacement of the Lala City server was already part of the TCR move project, as is the licence for ISA 2006 and SQL 2005.
Hardware for Chipville is also already available on site, in the form of a 3-year-old IBM server, however, this server may soon fall out of hardware support (needs to be checked).
Apart from the ISA and SQL license that would be needed for the Chipville server, we need new web-filtering software for both servers, again, IF the business still deems this a requirement.
If they don’t, then this solution would provide unfiltered internet access to all (non-citrix) internet users in Netherlands and Belgium.
For the web-filtering requirement, I would at this time advise to also go with the Websense software, as they are currently regarded as the market leader, and their software is well supported and well known in the industry. (they are incorporating a lot of the Surfcontrol concepts as part of the acquisition)
We need to look at the current available hardware for this. Almost all the hardware we have is 3 years old or older, so it may be advisable to consider purchasing a new piece of hardware for this solution in Chipville.
This option should be considered. It has the advantage of retaining central control and will be quick to set up, once the software has been purchased. The downside is that the Websense software is expensive, so we may want to consider looking at alternatives, even though it has become a de facto standard within MEGACORP(TM). Again, we have a time-constraint problem here.
We would also benefit from the fact that the websense software can be centrally managed from 1 console, making it very easy to keep the Netherlands and Belgium ruleset identical, and simplifying reporting and failover.
I would recommend this option first and foremost, and it is the preferred solution technically, considering the circumstances.

Again, I wish to stress the time constraints we have, less than a month before big-bang, we want a new solution up and running within the next 3 weeks!

————————-


May 26th, 2008 Posted by | Sysadmin | no comments

Participated in Nlighten.us podcast

Parker Snyder aka iToast is working on a podcast aimed at techies, and with some emphasis on Sysadmins.

Besides the current and very good Casting from the Server room, this would be the only other podcast that I am aware of that targets Systems Administration in some fashion.

Last night I spent about 5 hours chatting to Parker on his live Ustream, which was also recorded for use in the podcast. The podcast should be done by this evening, and I am looking forward to it. RSS feed should be back then as well, I will post about it here.

I also encouraged him to ally himself with the Friends In Tech network, as any admin podcast would be a natural fit there. He could also easily get other co-hosts to feature on the podcast.

I hope this works out, it would be nice to offer the tech community another admin-oriented bit of media, there are so few out there.

May 12th, 2008 Posted by | Social Media, Sysadmin | no comments

Sysadmins on Twitter, lack of groups and Seesmic issues

So I have been trying to find and add other System Administrators on both Twitter and Friendfeed.

I am a bit picky though. I looked for people that seemed to Tweet at least some of the time about their work, tweeted regularly, and in English. Also preferring Windows Sysadmins over Unix for now, but I might reconsider that.

So far the results have been good, and with results I mean that I can get little conversations going about tech stuff.

What I would love to see happen at some point, is a discussion where multiple of these guys get involved. It’s not grown to that level yet, and I am not sure if Twitter lends itself well for that, as the discussion is public and all your follows get to “enjoy” it.

This brings me to my current BIGGEST annoyance about Twitter and Friendfeed (and Seesmic, to an extent): the total lack of any kind of groups feature.

Now it would be nice if Twitter supported groups, and made that stuff available via the API so clients like Twhirl can use it. But to be honest, Twhirl and Alertthingy could just as easily build in group support themselves.

That would have the added advantage of applying to any other service they choose to support. I already suggested this to Howard Baines of Alertthingy, and he found the idea “interesting” but its not high on the to-do list.

With groups, you could, at the very least, sort your “friends” into groups of your choosing, adding a powerful filter to the lifestream that comes in.

Conversely, if Twitter itself supported this, perhaps it would be possible to Tweet to just the members of a particular group. This would solve the above problem of irrelevant tweets being received by followers that might not be interested in the subject matter at hand.

It would make the experience overall more valuable and encourage more discussion.

Seesmic currently suffers from the same problem. There they have the added issue of the focus of content flow still being mainly about the main public feed of all videos people post.

This is a leftover from when the Seesmic community was very new and very small, but that is eroding now as the service gains users and the public feed becomes impossible to follow.

However, many people there, especially of the old guard, still feel the need to “discuss” any and all videos crossing the public stream. This might well include any video I post that is directed at Sysadmins.

It has been my fear of spamming these people and getting low-quality feedback from them, that prevents me from using the service much currently.

However, this is changing very fast with the brilliant move by them to produce blog plugins that allow video commenting. My blog, as well as big ones like Techcrunch now support these, even though they are not used much yet.

It was interesting to note that they deliberately are not including the comment videos in the Seesmic public feed. But they are including all the blog posts that people make, using the same plugins.

This is quickly going to make the main public feed unfollowable, much like Twitter, and I consider this a good thing.

Like Twitter, the faster the usage model of Seesmic changes to revolve around you and your own followers, and those who you follow, the faster the uptake will be.

The reason this is not happening already is because the user base is still too small, and the service is still closed alpha. I can’t, for example, find even as much as 5 of the people I follow on Twitter and Friendfeed on Seesmic.

Once they open up to public beta, the influx should quickly re-arrange the usage and then I will be using it a lot more.

Now to convince all the already aloof Sysadmins to start recording video of themselves… lol .. that’s a different problem altogether 😉

 

May 11th, 2008 Posted by | Social Media, Sysadmin, Tech | 2 comments