Archive for June 2007

Keyboard mapping of IBM’s Thin Console for the System i5

Control Options for the Thin Console

Despite previous beliefs, something interesting happened today. A customer tried to do a manual Save 21, which was halted by an uninitialized tape.

At first, I was stumped by the keyboard layout the user had, because he told me he had a Twinax console. After I figured out that he had a Thin Console, I was already near the solution: press the System Request key sequence. However, CTRL-ESC didn’t work.

Turns out the Thin Console uses SHIFT-ESC for System Request. I also found out that you can enable the menus in the 5250 emulation, which offer menu buttons for those escape sequences. The ez-Connect manager can be accessed with CTRL-ALT-END.

Settings for the Thin Console 5250 Emulator
See the pictures to the right on how to view the keyboard layout and how to turn on the menus in the 5250 Emulation screen. Remember that applying these options requires a restart of the 5250 emulator.

Capturing Application Crash Dumps

There’s a great post about Capturing application crash dumps from the guys of the Windows Performance Team.

In other words, I found nothing to write about today.

Getting an SSL123 certificate for a .ch domain through Thawte

Thawte offers so-called SSL123 certificates, which can be issued in minutes. At least in theory.

These certificates are validated against the WHOIS records of the domain. That works fine, except that SWITCH has removed all email addresses from its WHOIS records, probably to fight spam. There is an easy way out, though: change your Surname field to an email address before submitting the certificate request to Thawte. Once you have your certificate, you can change your WHOIS record back.

I would really like to see SSL certificates offered by domain registrars; I think GoDaddy even does that for some of their domains. But SWITCH doesn’t.

How to reset your lost/forgotten Password in Brooks ExcelliPrint

ExcelliPrint is an IPDS-to-PCL converter that runs on Windows and is mostly implemented in Java. It’s an excellent alternative to IPDS DIMMs, because you can use it with any PCL-capable printer and it isn’t printer-specific. The price of ExcelliPrint is quite hefty, but anyone using a System i is used to such pricing.

ExcelliPrint uses a web interface for administration, secured by its own username and password. Why they didn’t use Windows Integrated Authentication is beyond me, but let’s assume you’ve lost your ExcelliPrint password. There is no official procedure to reset it, and reinstalling the application and creating a new configuration is very cumbersome.

ExcelliPrint uses a SQLite database as its configuration backend, in a file called config.db located in %ProgramFiles%\Brooks Internet Software\ExcelliPrint. We can modify this database with freely available open source tools.

Here’s what you have to do:

  • Disable the ExcelliPrint service
  • Create a backup of the config.db file
  • Download the SQLite command-line client
  • Execute sqlite3 config.db (after cd to %ProgramFiles%\Brooks Internet Software\ExcelliPrint)
  • Execute this query:
    sqlite> select * from userdb;
    1|admin

    Now you see all the users that ExcelliPrint knows about.
  • Execute this query:
    sqlite> select * from userdb_props;
    1|admin|password|0466BF8633D56DACBA7EE39D3A4C6C3341664804
    2|admin|role|admin

    It’s important to note the uid of the row that holds the password of the account you want to reset. In this case, the uid is 1.
  • Execute this query (note the plain single quotes; curly quotes will not work in sqlite3):
    sqlite> update userdb_props set value='0466BF8633D56DACBA7EE39D3A4C6C3341664804' where uid=1;
    This changes the password field of the row with the uid you noted before. Your password is now “dataline01”.
  • Start the ExcelliPrint Service
  • Write down your ExcelliPrint password for future use
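The same reset as a script, added here as an example that is not part of the original post or of ExcelliPrint itself. The column names of userdb_props (uid, name, prop, value) are an assumption read off the rows shown above, and the sample database is constructed inline so the script runs offline; against a real installation you would point it at config.db instead of the constructed copy.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Hash shown on the page; the page states it corresponds to "dataline01".
KNOWN_HASH = "0466BF8633D56DACBA7EE39D3A4C6C3341664804"

# Constructed stand-in for config.db. Column names are an ASSUMPTION: the page
# only shows the raw rows "1|admin|password|<hash>" and "2|admin|role|admin".
SAMPLE_SCHEMA = """
CREATE TABLE userdb (uid INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE userdb_props (
    uid   INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    prop  TEXT NOT NULL,
    value TEXT
);
INSERT INTO userdb VALUES (1, 'admin');
INSERT INTO userdb_props VALUES (1, 'admin', 'password', 'OLD-HASH-PLACEHOLDER');
INSERT INTO userdb_props VALUES (2, 'admin', 'role', 'admin');
"""


def build_sample_db() -> str:
    """Create the constructed config.db in a temp directory and return its path."""
    path = Path(tempfile.mkdtemp()) / "config.db"
    con = sqlite3.connect(path)
    con.executescript(SAMPLE_SCHEMA)
    con.close()
    return str(path)


def list_accounts(db_path: str) -> list:
    """Equivalent of 'select * from userdb_props;' -> [(uid, name, prop, value), ...]."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "SELECT uid, name, prop, value FROM userdb_props ORDER BY uid"
        ).fetchall()
    finally:
        con.close()


def reset_password(db_path: str, account: str, new_hash: str) -> str:
    """Back up config.db, then overwrite the stored password hash of one account.

    Targets the row by account name and property instead of a hand-copied uid,
    and rolls back unless exactly one row matched. Returns the backup path.
    """
    backup = db_path + ".bak"
    shutil.copy2(db_path, backup)          # step 2 of the procedure: backup first
    con = sqlite3.connect(db_path)
    try:
        with con:                          # commit on success, rollback on exception
            cur = con.execute(
                "UPDATE userdb_props SET value = ? "
                "WHERE name = ? AND prop = 'password'",
                (new_hash, account),
            )
            if cur.rowcount != 1:
                raise LookupError(
                    f"expected exactly 1 password row for {account!r}, "
                    f"matched {cur.rowcount}"
                )
    finally:
        con.close()
    return backup


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", list_accounts(db))
    bak = reset_password(db, "admin", KNOWN_HASH)
    print("after: ", list_accounts(db))
    print("backup:", bak)
```

The update is parameterised and matched on name plus prop, so a mistyped uid cannot silently rewrite the role row, and nothing is committed unless exactly one row changed. From a defensive point of view the script also shows what the procedure implies: whoever can write config.db can set the administrator password, so the ExcelliPrint directory deserves a tight ACL and the service account should be the only writer.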

How to reset your lost/forgotten Password in McAfee ProtectionPilot 1.5

I’ve never been a big fan of ProtectionPilot, but the offerings of their competition are usually even worse. Today I installed a new instance of McAfee ProtectionPilot 1.5, and I used a special character when entering the password. After completing the setup routine, I wasn’t able to log in. Whether that was caused by the special character, or because I mistyped the password (twice!), I don’t know.

Anyway, I wasn’t able to log in to PP, receiving the error message that the password is wrong (or the server isn’t running). I verified that the PP server was up and running (naimserv.exe listening on ports 81 and 82 by default). I had a look at the server logfile (server.log in the PP install path), which showed the familiar HTTP 403 error message whenever I entered the wrong password.

McAfee’s official statement is that you have to reinstall PP to reset the password. But I was too lazy for this.

In case you didn’t know, ProtectionPilot is basically a castrated version of McAfee’s ePolicy server. So when looking around the web for what I could do now, I found an interesting McAfeehelp.com forum post that showed how you can reset the password in McAfee ePolicy.

The MSDE that ships with PP doesn’t come with convenient database access tools, and the solution is scattered across the thread.

Basically, when dealing with MSDE, you’ll have to use the command-line tool osql to access the ProtectionPilot database. osql is located in %ProgramFiles%\Microsoft SQL Server\8.0\Tools.

First, find out what the database instance is called. You can use osql -L to list the available servers; you’ll see your instances in the format MACHINE\EPOSERVER. The ProtectionPilot database instance is usually called EPOSERVER.

Then, use osql -E -S MACHINE\EPOSERVER to connect to the ProtectionPilot database instance.

Next, you need the name of the ProtectionPilot database (not the instance name). Not having had much experience with Microsoft’s SQL products, I just searched for *.mdf files, whose names correspond to the database names. Usually the database name is EPO_MACHINE (where MACHINE is the name of the machine running ProtectionPilot).

Then, enter the following commands:

USE EPO_MACHINE
UPDATE UserTable SET Password='YheZGOiKbpSa6Zza9uYlLxtW/XI=' WHERE UserName='admin'
GO

I’m not sure if the field names are correct (they’re from memory); you can use SELECT * FROM UserTable to see the field descriptions.

If you’ve done this, your ProtectionPilot password will be “epo”. You should now be able to log in correctly.

Backup programs for Small Businesses

While I don’t get paid for this post by Symantec, it will probably still read like an ad. But I really like their product.

A long time ago (at least in IT terms), Symantec bought Veritas. I hated this, because I really do not like Symantec: they brought crap like Norton 360 to the market. I was afraid that they would turn the only backup program that I somewhat liked into crapware (like they did to Norton AntiVirus).

Luckily, BackupExec at version 11d (the d stands for Disk) is still good, though the licensing scheme now requires activation at the Symantec homepage.

BackupExec 11d even improved in several areas, such as providing the continuous protection service and enabling single mail/mailbox restore from Exchange Information Store backups.

BackupExec in its full license version is quite expensive if you need agents for SQL Server, AOFO (essentially ShadowCopy support), Exchange and SharePoint. Luckily for the small businesses out there, there is a Small Business version which covers almost all needs of a small business (it doesn’t have AOFO/ShadowCopy support, but that’s not a big problem since small businesses do not operate 24/7). In Switzerland, BE SBS retails for about 1050 CHF, which is about the same that SBS Premium costs. In my opinion, this is a highly competitive price.

For full licenses, you will need to calculate about 1000 CHF per server, per role. So if you have four machines (two DCs, one Exchange, and one SQL & MOSS), you would be at 5000 CHF.

The alternative might be to start scripting ntbackup, or to use premade scripts like ntbackupscript. I do not think that this approach is sensible, but it might be the only way if you’re working under serious budget constraints. Remember that SBS already comes with a prescripted ntbackup that isn’t all that bad.

Symantec offers a 60-day test version of BackupExec that you can license for full production use. I would suggest you check it out, especially if you’re currently using ntbackup.

70-237 Designing Messaging Solutions with Microsoft Exchange Server 2007

Today I passed Microsoft exam 70-237, Designing Messaging Solutions with Microsoft Exchange Server 2007.

I didn’t spend too much time preparing for this one, mostly because I wasn’t able to find many references on the web related to this exam. This is also why I decided to write this post.

While the 70-236 exam was clearly focused on the technology itself, with many EMS and EMC questions, this exam tested the other half you need to know.

Basically, what Microsoft shuffled into one exam in the Windows Server 2003 series (70-290 et al.) is now split into two or more exams: one focused on handling the technology in detail, and others covering the planning and limitations of the product. This is already explained on the New Generation of Microsoft Certificates page, and it’s amazing how this worked out in practice. I really do like this approach, as it makes it easier to prepare for an exam.

I found 70-237 way easier than the technical exam 70-236, mostly owing to the fact that when you know all the base rules of Exchange 2007 deployment, you will have a lot of the questions in 70-237 covered. But other topics also get their share, like Message Management, Auditing and Archival, none of them too deep. I even got a single question about Unified Messaging, which was not the case in the previous exam.

I honestly didn’t really study for this exam; I read How to Cheat at Configuring Exchange Server 2007 about a month earlier, but didn’t do anything else.

Now I’ll have to wait till 70-238 is out to complete my Exchange 2007 certification.

Choose your Active Directory DNS namespace wisely

Active Directory is based on three pillars - LDAP, Kerberos and DNS.

A long time ago, I wrote some documentation about DNS.

Okay, so when you set up Active Directory for a new domain, you will have to choose your namespace. It is theoretically possible to change this later, using the Windows Server 2003 Active Directory Domain Rename Tools, but this will cause you a lot of pain, something one usually wants to avoid.

The problem with choosing your namespace is that the discussion sometimes drifts off into philosophy, and when you have to set up a new AD that isn’t high on anyone’s list.

Things that are universally recognized as wrong

  • Choosing a single-label Active Directory DNS namespace (like “company”). While it is possible to support a single-label Active Directory namespace, it involves unnecessary hassle. If you did this in the past, consider building a new domain or renaming it; if you’re a small environment, the first is usually easier. Use ADMT to migrate accounts and settings.
  • Choosing somebody else’s namespace as your Active Directory DNS namespace, for example naming your domain “slashdot.org”. While this might sound stupid at first, I’ve actually seen this in reality: they weren’t able to get the name they wanted from SWITCH, but hey, it worked internally. Don’t do this.

Things that I and some other people recognize as wrong

  • Choosing a made-up TLD for your Active Directory DNS namespace, for example “mycorp.local”. While this probably won’t cause any problems in reality, it doesn’t look nice, and there’s still the theoretical chance that you have to establish a trust to a company that has the same namespace. While I haven’t seen that problem in the field myself, I know two companies that use “activedirectory.local”; they couldn’t establish a trust to each other.
  • Choosing your official second-level domain as your Active Directory DNS namespace, for example “projectdream.org”. This approach actually isn’t that bad, but it lacks a clear distinction between your internet presence and your Active Directory. In reality, this configuration is likely to cause problems when you switch web hosting.

Things that I and some other people see as being correct

  • Use a subdomain of your official second-level domain as your Active Directory DNS namespace, for example “ad.projectdream.org”. You can choose anything instead of “ad”, as long as it makes some sense; I’ve seen “ntds”, “int” and “corp”. A complaint I’ve heard here is that Exchange then generates the wrong addresses, but that’s just the default recipient policy, which you will need to modify. And if you want to log on using your email address, you will need to add a UPN suffix for the second-level domain. I do not really know a disadvantage of this strategy.

So, there are many ways that will lead you to your goal. I would be interested in how other people handled this, and especially whether you know of any disadvantages of my approach.
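As an added example that is not part of the original post, here is a small Python checker that applies the rules above to a proposed namespace before you run dcpromo. It takes the organisation’s own registered second-level domain as a second argument; the set of non-delegated TLDs it flags beyond “.local” is my own assumption, and the check is purely syntactic (it does not query DNS or WHOIS).

```python
import re

# TLDs that are not delegated on the public internet. ".local" is reserved for
# mDNS by RFC 6762, which is an extra reason not to use it for AD; the rest are
# common made-up choices (ASSUMPTION, extend as you see fit).
NON_PUBLIC_TLDS = {"local", "lan", "internal", "localdomain"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so 'AD.Example.org.' == 'ad.example.org'."""
    return name.strip().rstrip(".").lower()


def classify_namespace(candidate: str, registered_domain: str) -> tuple:
    """Return (verdict, reason) for a proposed AD DNS namespace.

    verdict is 'wrong' (universally recognised as wrong on the page),
    'discouraged' (works, but the page argues against it) or 'ok'.
    registered_domain is the second-level domain you actually own,
    e.g. 'projectdream.org'.
    """
    name = _normalise(candidate)
    reg = _normalise(registered_domain)
    labels = name.split(".")

    if not name or not all(LABEL_RE.match(label) for label in labels):
        return "wrong", "not a syntactically valid DNS name"
    if len(labels) == 1:
        return "wrong", "single-label namespace"
    if labels[-1] in NON_PUBLIC_TLDS:
        return "discouraged", f"made-up / non-delegated TLD .{labels[-1]}"
    if name == reg:
        return "discouraged", "identical to the public second-level domain"
    if name.endswith("." + reg):
        return "ok", f"subdomain of {reg}"
    return "wrong", "not under your registered domain: somebody else's namespace"


if __name__ == "__main__":
    # Constructed candidates, all taken from the examples in the post above.
    for cand in ("company", "slashdot.org", "mycorp.local",
                 "projectdream.org", "ad.projectdream.org"):
        print(f"{cand:22} -> {classify_namespace(cand, 'projectdream.org')}")
```

The order of the checks matters: syntax first, then the two “universally wrong” cases, then the two discouraged ones, and only a name that sits strictly below your own registered domain is accepted. Run it with the name you plan to use and the domain you actually hold before the namespace gets baked into a forest you cannot easily rename.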

SRC codes and their hidden meaning

The System i has a lot of SRC codes. However, IBM does not document all of them extensively enough to perform diagnostics on your own. Here’s what I’ve gathered in reality.

C600 4031

IBM’s Description:

Destroy IPL task, DST has been started

How i’ve seen it:

If you see this code for more than a minute, the system is not able to find a console device. If you see this without doing any hardware modification, something has gone seriously wrong. If you shuffled around some cards previously, reverse that.

2844 B935

IBM’s Description:

Unknown hardware detected

How i’ve seen it:

Either you have really installed unknown hardware, or you’ve forgotten to apply the necessary PTFs. The other possibility is that you installed an IOP-less-only IOA behind an IOP, which will also lead you to this SRC code.

B200 3141

IBM’s Description:

System log entry only, no service action required
The IOP in the slot used for the last successful IPL of the operating system was replaced with an I/O Adapter. The IPL will continue by searching for a valid load source device.
Check the LPAR configuration if required, and ensure that the tagged I/O for the partition is correct.

How i’ve seen it:

This happens when you replace an IOP with an IOA, and some card (most likely the embedded disk controller) that is needed for the system to IPL successfully is no longer under IOP control. Even though IBM’s description doesn’t see this as a serious problem, the system will stay at this error message indefinitely until you put the IOP back in its old place.

System i 515 Hardware Review

My first post at another blog.

Read my System i 515 Hardware Review.