Archive for February 2007

Office 2007 MLK/OEM and the missing media problem

Office 2007 has been on sale since 31 January. I got my hands on a new MLK/OEM set today, and it turns out to be a rather interesting situation.

[Image: Office 2007 MLK box photo]

The official OEM version of Office 2007 is no longer called "OEM"; instead "MLK" is used, which stands for "Media Less Key". You get a simple box with a key inside, but no CDs. As a reseller, you can order OPK media kits (OPK stands for OEM Preinstallation Kit), which are needed in order to install it on the customer's machine, but they're marked "NOT FOR RESALE". The customer can still order backup CDs by mail, but this costs 30 CHF, requires sending in several invoices (for the computer and for the MLK version), and it probably takes several weeks until the actual media arrive.

[Image: Office 2007 MLK/OEM at digitec]

This is a bit of a stupid situation, because if the customer doesn't have his own CDs, recovery in case of problems gets very, very interesting. I wondered how other resellers handle this and looked at digitec, where I usually buy my consumer-grade stuff. And this is where things get very, very interesting: digitec offers Office 2007 OEM with CDs. But how?

[Image: Office 2007 licensing instructions]

I asked our distributor why we can't get OEM versions with CDs. He told me that digitec was wrong. I looked at the MS Partner information regarding Office 2007 licensing, and indeed there is no licensing option which allows OEM pricing but comes with media. Our distributor is now checking with Microsoft what the deal is. Apparently digitec is doing something wrong, but it's hard to tell from my point of view. Maybe there is another option, or digitec pre-orders the backup CD (which would look rather odd in this packaging), or they are reselling OPK kits.

[Image: Office 2007 MLK at our distributor]

Our distributor explicitly states that you can't get any OEM versions without CD. Thankfully they even communicate this quite well, as you can see in the screenshot - if you work in Switzerland you'll even know which distributor I'm talking about. I'm wondering how this all turns out - I will update this post as soon as I know more.

UPDATE:

digitec fixed their website. They now state that it’s a “license only” sale.

McAfee ProtectionPilot displays script errors after installing Patch 1.1.3

I really like playing early adopter with our internal systems - usually to the dismay of all my coworkers.

After installing IE7 on our server, McAfee's ProtectionPilot console stopped working: I wasn't able to log on anymore.

Fortunately McAfee issued a patch for this. Unfortunately, after applying the patch, the console didn't even start anymore; it displayed lots of IE7 scripting errors for no apparent reason. I decided to go the easy route and installed the console on a VM running IE6.

But this evening I had enough time on my hands to fix the issue. The fix is quite simple: I downloaded the full ProtectionPilot install package and the 1.1.3 patch again, extracted the HTMLSource directory from the setup package, overwrote part of the HTMLSource directory with content from the 1.1.3 patch sources, copied it into the program directory, and everything worked fine.

But why did it break the first time I installed the patch?

Because I didn't RTFM (excerpt from the 1.1.3 patch install notes):

NOTE:
On systems running Microsoft Windows XP SP2 or
Windows 2003 SP1 (or later), using the
built-in Microsoft Windows Zip extractor or
WinZip 10 on NTFS partitions can result in
script errors being displayed in the
ProtectionPilot console. McAfee recommends
using a different Zip extractor, such as
7-Zip, or previous versions of WinZip.

Microsoft Word 2003 hangs when opening certain documents

That’s more or less what a customer told me.

This particular customer upgraded his old AS/400 Model 150 to a new System i5 520, and also purchased Small Business Server 2003, upgrading from 2000. He also got new PCs, now running XP instead of 2000. All this happened a few months ago, and since then the customer has had this particular problem - I didn't really believe it until I saw it.

They were using OSP, a way to integrate our ERP software DIAS-iS with Microsoft Office (a revamped version for Office 2007 is currently in development). So my first guess was that the problem was most likely related to our software, because it happened to a whole load of older documents, but not to newly created ones.

So I logged in with the local administrator profile, which didn't have OSP enabled. But the problem persisted. I tried two other machines, which showed exactly the same problem.

I had one last card to play: I installed Microsoft Word Viewer 2003, a really nice way to rule out any macro- or add-in-related trouble. But the problem happened even with Word Viewer.

At that point, I didn't really know what to do anymore. I opened the Word document with Notepad and looked through it, hoping to find something suspicious. And there it was: \ \ S E R V E R 0 1 \ P A T H \ F I L E . J P G (with spaces and all: the path is stored as a Unicode/UTF-16 string, and the apparent spaces are the zero high bytes of each character). Server01 was the name of the old SBS 2000 machine.

Okay. The name was still resolvable through WINS and DNS, but the machine didn't exist anymore. I started Filemon, unticked all the local drives, then opened one of the affected documents with Word and got myself a coffee. Ten minutes later, the document was open in Word. Word never really hung - it was just trying almost forever to open said files (why isn't this asynchronous? That's just stupid behaviour!). Filemon verified my assumptions.

At that point, the solution was easy. I changed the WINS and DNS entries to point to the new machine, created an appropriate share, and even copied the images to the required places. Everything worked again.

In the end, I don't really understand why Microsoft handles unavailable file locations this way. There should at least be a status bar or progress indicator.
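The search that Notepad did by hand above can be automated. The following is an added example (not from the original post, and not part of DIAS-iS or OSP): it pulls UNC paths out of a Word binary document, both in the UTF-16LE form Word uses for link targets (which is what produced the spaced-out "\ \ S E R V E R 0 1" in Notepad) and as plain 8-bit text, and flags any host that is not on an allow-list of servers known to exist. SAMPLE_DOC, the host names and the allow-list are constructed for the example. Beyond cleanup after a server migration, this is worth running as a security check: a document that names a host is a document that makes Word open an SMB connection to that host whenever it is opened.

```python
"""Find UNC references inside Word binary documents and flag hosts that are gone.

Added example (not from the original post).  Word 97-2003 .doc files keep
link targets such as linked pictures as UTF-16LE strings, which is why the
path showed up in Notepad as "\ \ S E R V E R 0 1 \ ..." (the apparent space
is the NUL high byte of each character).  Scanning for these before a server
is decommissioned is also a security check: any host named in a document is
contacted over SMB when the document is opened.
"""
from __future__ import annotations

import re

# \\host\segment[\segment...]  -- no control characters or Windows-reserved
# characters inside a segment; the host part is limited to label characters.
_UNC = re.compile(
    r'\\\\([A-Za-z0-9_.-]{1,63})((?:\\[^\\<>:"|?*\x00-\x1f\x7f]+)+)'
)


def utf16le_runs(data: bytes, min_len: int = 4):
    """Yield printable-ASCII runs stored as UTF-16LE (byte, 0x00 pairs).

    Alignment is re-synchronised byte by byte on every mismatch so strings at
    odd offsets are found too; runs shorter than min_len are dropped as noise.
    """
    run: list[str] = []
    i, last = 0, len(data) - 1
    while i < last:
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 0x20 <= lo < 0x7F:
            run.append(chr(lo))
            i += 2
            continue
        if len(run) >= min_len:
            yield "".join(run)
        run = []
        i += 1
    if len(run) >= min_len:
        yield "".join(run)


def find_unc_refs(data: bytes) -> list[tuple[str, str]]:
    """Return (host, path) for each distinct UNC path in a document blob.

    Both the UTF-16LE form Word writes and plain 8-bit text are searched;
    duplicates are merged case-insensitively, first appearance wins.
    """
    found: dict[str, tuple[str, str]] = {}
    texts = list(utf16le_runs(data)) + [data.decode("latin-1")]
    for text in texts:
        for m in _UNC.finditer(text):
            found.setdefault(m.group(0).lower(), (m.group(1).lower(), m.group(0)))
    return list(found.values())


def dead_host_refs(data: bytes, live_hosts: set[str]) -> list[tuple[str, str]]:
    """UNC references whose host is not on the allow-list of servers known
    to exist.  Names are compared case-insensitively by short (NetBIOS) name,
    so 'server02.example.local' and 'SERVER02' are the same host."""
    live = {h.split(".")[0].lower() for h in live_hosts}
    return [(h, p) for h, p in find_unc_refs(data) if h.split(".")[0] not in live]


# Constructed stand-in for a .doc (not a real file): OLE2 magic and padding
# around three link targets -- one pointing at the old server the way Word
# stores it (UTF-16LE), one to the new server as 8-bit text, and the same
# new-server link again as UTF-16LE behind a byte-order mark.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + "\\\\SERVER01\\PATH\\FILE.JPG".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
    + b"http://intranet/\\\\server02\\shares\\logo.png\x00"
    + b"\xff\xfe" + "\\\\server02\\shares\\logo.png".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    # Hypothetical allow-list: only the new SBS 2003 machine still exists.
    for host, path in dead_host_refs(SAMPLE_DOC, {"server02.example.local"}):
        print(f"references decommissioned host {host}: {path}")
```

Run it against a directory of .doc files by reading each file's bytes and passing them to dead_host_refs with the list of servers that actually exist; anything it reports is a document that will stall on open (or talk to whoever now answers to that name) once the old server is gone.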

Accessing the ASMI using IE7

If you're using a System i5 in an SMB environment, you usually don't have an HMC. From time to time it's still necessary to access the service processor's information, and for this you will need the ASMI.

If you've never heard about the ASMI (Advanced System Management Interface) before, go look it up. It's close to HP's iLO or IBM's RSA II cards, except without the remote console feature, but I will save this for another rant.

You can access the ASMI using a plain web browser, or so it seems according to IBM's ASMI documentation. However, with the newest versions of the common browsers like Firefox 2.0, Internet Explorer 7 or Opera 9, you can't access the ASMI, because it uses old (and insecure) versions/ciphers of the SSL protocol.

The ASMI worked fine with IE 6, and continues to do so. It even worked with Firefox 1.0. But the newest browsers disable these ciphers and SSL versions, leading to the problem we currently have. Of course, the solution is easy, one might think. I've tried all the SSL-related settings in all three browsers in order to enable the legacy SSL protocols so I can access the ASMI, but it didn't help. I played with all the settings in about:config in Firefox, but it still didn't work.

Since I didn't have much time, I chose the sledgehammer solution: I just used Netscape 4.8 to access the ASMI. This worked flawlessly, and there was even some nostalgia.

And the ASMI really looks like it was designed for Netscape 4.8. I do wonder what IBM is doing; this problem has been around for quite some time now, with no solution in sight. Yes, there probably aren't that many people using the ASMI directly, since most bigger corporations have an HMC, but this just leaves a bad impression.

UPDATE: I've found a document by IBM proposing a workaround for this issue. It's rather crude, but better than installing Netscape.

Should i use Windows Vista?

Yes.

Vista isn’t the greatest thing since sliced bread. Vista isn’t revolutionary. Vista isn’t Wow. But it is a lot better than Windows XP. It’s evolutionary, not revolutionary.

I've been using Windows Vista for over half a year. There are several very cool improvements in Windows Vista which you might not have heard of. I don't really care about Aero, but I do care about all the other, important enhancements.

  • Virtual file store
    [Image: Windows Vista Virtual Store]
    Windows Vista allows broken or legacy programs to run without admin privileges by creating a virtual store for programs that try to write to %ProgramFiles% or %SystemRoot%. This is much more important than one might think, because many small businesses run all their users with admin rights, because they don't have and can't afford dedicated IT staff who would make sure that all programs have permissions compatible with a limited user.
  • Better integrated firewall
    [Image: Windows Vista firewall Group Policy configuration]
    The integrated firewall from XP SP2 was okay. It worked, but it wasn't very flexible, and GPO management was so-so. With Windows Vista this has changed. You can create custom rules and distribute them through GPO. The firewall also takes advantage of Windows Vista's network location awareness, allowing you to make rules depending on the location of the machine: domain network, home network or public network. It also has integrated support for RPC, allowing you to allow and disallow separate RPC calls, e.g. allowing file share access but not access to the remote registry, services, etc.
  • Working internationalization
    If you have ever worked with Windows XP MUI, you will know that it was an incomplete piece of shit. IE7 still isn't available for XP MUI, and there were severe problems with Outlook Express (unable to open attachments directly). With Windows Vista there are no more native-language versions; everything is MUI now. This is a good thing, because MUI is a first-class citizen now. Even the file system has symlinks (called junctions) for the localized folder names. This means less hassle with vendor preloads (I'm thinking of you, Lenovo).
  • Better offline files support
    Offline files finally work 100%. While XP was almost there, Vista now has fully working offline files without unnecessary problems. Laptop users, rejoice!
  • User Account Control
    Every power user complains about it. I honestly don't understand why. But I'm used to sudo, so I might be biased. I even configured UAC through group policy to always prompt for credentials; this imitates sudo well, and makes the user even more aware that there is an important decision to be made.
  • Deployment Toolkit
    Well, I hated RIS. It always reminded me of the good old times when we still used DOS. With Windows Vista, Microsoft made imaging with ImageX the new default for network deployment, allowing more flexibility. Windows PE is now available for normal people like me. This is a good thing.
  • More group policies
    Management for 802.1X on WLAN, but also on wired networks, has been extended. There are many, many new GPO settings, allowing easier customization of your deployed machines. Also, the new centralized GPO store (the central store for ADMX templates) will solve some problems in the near future.
  • Many updates to admin tools
    Like the new Event Viewer, there are very many improvements to the Vista administration utilities. It's now also possible to shrink partitions in Vista, eliminating the need for third-party partitioning software.

For home users, on the other hand, I don't see many reasons for Vista adoption. Of course, when buying a new PC you should buy Vista. But if you're not interested in the OS itself.

Adding branches to a single site setup

DATALINE AG has recently acquired parts of another company, including offices in Lyss with about 5-10 employees.

The DATALINE IT infrastructure was never designed with multiple sites in mind. However, it's easy to migrate if you're willing to dig through some docs and had your GPOs sorted neatly from the beginning. You will need to assign some site-based GPOs for WSUS servers and similar local caches like proxies, switch your file sharing infrastructure to DFS, make sure that replication works (still easy with just two sites), etc.

While it is easily possible for a remote branch to use our central Exchange server, thanks to Outlook's cached Exchange mode, this is not the case with file shares. Luckily, Microsoft has an excellent technology to deal with this problem, called DFS. DFS can both replicate identical file shares hosted in multiple sites and let clients automatically choose the closest server.

All this works using Active Directory sites. There's also a need for some non-DFS-replicated shares, containing for example heavy multimedia content.

For connectivity, a business ADSL connection, for example from Init7, is more than enough, because users don't have to access file shares in the remote location. I've had several good experiences with OpenVPN for site-to-site VPN setups. A machine running Linux just offers so much more flexibility as a router for a small price, at least compared to gear from Cisco or Juniper. Using SOHO equipment like ZyXEL ZyWALLs will usually lead you into a wall, since these products often don't have the flexibility that might be needed.

But what about infrastructure at the remote location? Yes, this is where we leave the purely technical side and also get to deal with budget problems. Using IBM's Standalone Solutions Configuration Tool, I calculated the minimum acceptable configuration that would be needed.

[Image: Lyss rack configuration]

Yes, that's about 40'000 CHF list price. I've tried to save as much as I can, but for a proper infrastructure the prices can't get any lower. I tried to get comparable quotes using Dell's online configurator, but it didn't come out much cheaper.

Getting money for this infrastructure is going to be a lot of work, but that’s also part of my job.

Without money, it is impossible to build a setup which is designed to last. And good equipment is expensive. You can save on a tape library, replacing it with a tape drive. But then you get the situation that backup reliability drops, since administrative personnel never really cared about proper IT infrastructure. You can buy cheaper servers without remote console capability, risking long outages. You can save on redundancy and remove the second PSU, further increasing the risk of outages.

PPTP from Windows XP/Vista to Linux fails

mppe_decompress[1]: osize too small! (have: 1400 need: 1401)

Does this message from dmesg look familiar? The PPTP connection works fine with ping, until you try to send or receive a packet close to the MTU?

It's a bug in older versions of the Linux kernel's MPPE support (the encryption used by PPTP). You can update your kernel to the latest version and the problem will go away, or, as a temporary workaround, you can manually specify a lower MTU in Windows. Note that using pppd's options to achieve this won't work.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols\0]
"ProtocolType"=dword:00000800
"PPPProtocolType"=dword:00000021
"TunnelMTU"=dword:00000514

With this simple .reg file you can lower the Windows tunnel MTU (0x514 is 1300 bytes, well below the 1400 that triggered the error) and get successful connections. This is especially useful if you can't upgrade the kernel for one reason or another.

Group policies by site/location

Windows group policies can be assigned to Active Directory sites. But you already knew that.

I've seen many setups where machines were put into OUs according to their location, just to configure a local WSUS server or an install source. Why? I have no idea, but maybe this feature just isn't prominent enough to get noticed.

You will need a proper Active Directory site structure already in place (which is easy to do: just assign IP subnets to each site). This won't work if you use the same subnet across your sites (long story, but it's possible with virtual Ethernet bridges; a customer did this for licensing reasons).

Open the Group Policy Management Console (GPMC). If you don't have it, install it right now. I couldn't imagine administering Active Directory without it.

[Image: GPMC sites]

You will see a "Sites" node on the left side, but it is empty, with no sites inside. Just right-click it and choose "Show Sites...", then tick the sites you want to manage.

And that's it. You can then link policies to a site. This even works for roaming laptop users who change sites often, because site membership is determined from the client's current IP subnet.

Custom address templates with Exchange 2007

DATALINE AG uses e-mail addresses of the form f.lastname@domain.tld. I was rather irritated that the MMC console of Exchange 2007 didn't offer a way to create custom address templates. Most of the advanced functionality is now PowerShell-only, which I don't see as a bad thing; it just takes some time getting used to.

# %1g = first letter of the given name, %s = surname
Set-EmailAddressPolicy -Identity 'Default Policy' `
    -EnabledPrimarySMTPAddressTemplate "%1g.%s@exchange2007.local"
# Existing recipients only get the new primary address once the policy is
# re-applied with Update-EmailAddressPolicy.

And there it already is. You can even view this from the MMC, but you can't change it there. I still hate the PowerShell tab completion; it just doesn't offer as many features as the zsh I've customized over the years.

Common problems with IP attached IPDS printers

Setting up new IP-attached IPDS printers can be a bit tricky, because IBM's documentation doesn't always tell you everything you need. There are a few common pitfalls which I'd like to show.

First, for IP-attached IPDS printers to work flawlessly, you will need 5722SS1 Option 36, also called "PSF 1-45 IPM Printer Support". Without this option you can't use AFP (for overlays and similar graphical output), but you also can't use *PSFCFG objects as user-defined objects on the printer, which has severe drawbacks.

  • Printer prompts for paper
    FORMFEED in the *DEVD probably isn't set to *AUTOCUT. Note that this behaviour depends a lot on the IPDS implementation in the printer; I've seen this problem with both IPDS and HPT printers.
  • Can't print from Windows while the printer writer is running
    If there's no *PSFCFG for this printer yet, create one now. The important part of the *PSFCFG for this to work is the RLSTMR value (release timer), which should usually be set to *SEC15, so the writer releases the printer after 15 seconds of inactivity and other hosts get a chance to print.
  • Printer can't print jobs with more than 100 pages
    ACKFRQ (acknowledgement frequency) in the *PSFCFG is probably set to 100, the default. Most IBM/Lexmark workgroup printers I've encountered can't handle such a value. Set it a lot lower; I usually set it to 5. This also means fewer problems with paper jam recovery.
  • The printer writer dies without reason when idle
    This especially happens over VPN connections or with flaky internet connections. It's necessary to enable automatic reconnects in the *PSFCFG. There are three values controlling this behaviour: RESTRTMR, RETRY and RETRYDLY. I usually set them to *IMMED, *NOMAX and 15. This makes printer writers more resistant to a flaky connection; in fact they will retry forever to get a connection, filling up the QSYSOPR *MSGQ, but this is a small price to pay for fewer calls because of dead printer writers.

As an interesting side note, you can't change a *PSFCFG as long as it is in use by a printer writer, which is why I usually create a separate *PSFCFG for each printer, so I can end just that writer to change its configuration.