Lukas Beeler's IT Blog

A few months ago, i did beta exam 71-649.

Finally, Microsoft posted the results – and i passed. This is great :)

Recently, Microsoft released exam 70-638 (no official info page yet, but it’s all in Trika’s Blog).

As you might know, i’ve played with OCS 2007 in the past few days, and i’ve got a few leftover exam vouchers anyway. So yesterday, i decided to sign up for 70-638, and do the test this Saturday morning. This was possible because my favorite testing center (Digicomp in Zurich) is now offering Saturday testing.

I didn’t really expect to pass this exam, but i did (with more than 800 points). Okay, so what did happen at this exam?

First, the hard facts:

• 1.5 hours of time (didn’t even need half of that)
• 40 questions
• Only multiple choice questions, no PBT, no drag and drop, no nothing

What did i do to prepare myself for this exam? Not much, really. I’ve deployed OCS 2007 internally in the past few days, and crossread a few deployment guides.

First off, the exam was structured completely different than what i expected after taking the 70-236 Exchange 2007 MCTS. The exam varied widely from installing, to configuring and design. As such, it was a more classical approach, covering all topics of OCS 2007 use.

The questions were well written, and a few of them were more or less exact duplication of content from the available deployment guides, with even the same names and everything.

There also were several design questions, for which you need to understand the general architecture behind OCS 2007 – that isn’t as difficult as it might sound, because OCS 2007 is rather well structured, and the infrastructure design is easy to learn.

No talk about hardware requirements, some questions about upgrading from LCS 2005, etc.

This exam is easy – not as easy as 70-620, but also less difficult than the Exchange 2007 MCTS/MCITP exams.

So i’ve been playing with Office Communication Server 2007 to pass time. Thanks to the Microsoft Partner Licensing Program we can use this software internally, in production, without paying anything.

After playing with it in VMs for a few days, I decided to deploy it internally. Of course, the current deployment is not very integrated – our PBX is years old, and we have no chance to get any decent sort of integration, and we’re not yet on Exchange 2007 (though this is planned). As such, I didn’t expect to much usefulness out of. Boy, was I wrong.

OCS 2007 is several products in one, and it has a few drawbacks in a small business deployment (because it was designed for bigger environments). The price of the product isn’t prohibitive for a small business – 1500 CHF for the server, and 100 CHF per CAL (for Standard versions – the Enterprise versions are more expensive).

So, what features can one expect from OCS2007?

Services

Instant Messaging

One of the OCS2007 functions is an internal Instant Messaging server, with all the standard features you probably already know from ICQ, MSN et al. This part could easily provided by using e.G. an internal Jabber server and a Windows Jabber client like Pidgin. So why use OCS2007 for instant messaging? The reason is easy: Integration. The server software integrates into your Active Directory environment. You extend the AD schema, and all the user information is stored directly in Active Directory, with no need to maintain yet another user database. While that’s an advantage, it not much of a selling point (because the CEO usually doesn’t care if need 3 more minutes to add a user).

So let’s talk about integration on the client. After installing Office Communicator (the IM/VOIP client for OCS) on the client, you will notice full IM integration into Outlook, see the status of all the recipients and senders of the mail. This is a very nice feature, because it offers you information at a glance, without having to open the IM GUI to see whether someone is available for a quick follow up or not. But it gets better: this Integration also works in Sharepoint Services 3.0 and MOSS 2007. Also, the Unified Messaging part of Exchange Server 2007 integrates nicely into OCS 2007. You can check your voicemail using OCS 2007, with a fully graphical interface (similar to how the iPhone handles it’s voicemail)

Besides the ability for instant messaging, there is another very important feature – at least in our company: availability and presence. We have a HQ and a branch office, and our HQ is split over three floors. So usually it’s not easy to tell if someone is at his workplace or not. While Outlooks calender helps to establish the general whereabouts of a person, its not at-a-glance, and it doesn’t help if the person just isn’t at his desk (for whatever reason).

Office Communicator sets your presence to away at the instant you lock your machine, which people do when they walk away from their desk. As such, you can tell whether someone is currently working at his desk or not. This is very cool, and helps to save time on unnecessary phone calls to which no one answers.

There’s also a web client – Office Communicator Web Access. At the first glance, it is indistinguishable from the full desktop client, so the web interface is very nicely done.

Voice over IP (SIP)

OCS 2007 is also a fully blown VoIP solution. I can’t talk about this part too much – i haven’t worked with the mediation server or more enterprise VoIP integration (as said, our PBX doesn’t support that).

The Softphone client, integrated into the Office Communicator works nicely though, the voice quality is normal, and we didn’t have much problems using it over WAN lines.

You can also connect hardware IP phones to OCS2007, which should work with standard SIP phones – not having one, i didn’t test this. There are some very nice looking OCS specific IP phones out there.

Live Meeting

I’ve attended a few Webcasts done using Live Meeting 2005. With OCS 2007, you can now host Live Meetings (using the 2007 client) directly in your company, with no need for any hosted services. This feature might not be terribly useful if you’re working for a single-location Small Business, but it can be a timesaver when spread across the country (or world). Live Meeting also integrates into Outlook (see the above screenshot).

It works flawlessly, and i had few problems using Live Meeting. Didn’t really deploy this into production yet, though.

And more

OCS 2007 can also do a lot more stuff than i mentioned here. Most of this, like CDR and Archival is not necessary (or financially viable) in Small Businesses, so I didn’t invest too much time.

Drawbacks

So, what are the drawbacks of OCS 2007 in a Small Business? The main point i see here is that you need at least three servers – a Standard Server (hosting all the services), a mediation server for connecting to your PBX, and an Edge server offering internet connectivity. These are at least three OS instances that need to be maintained. Add to that the cost of either a proper virtualization server, or a few 1U boxes, and you’ll get into unviable price regions pretty soon.

For basic functionality, you can leave both the Mediation and the Edge server away. This means no integration with your PBX, and no external access to your server – at least in theory.

If you just need external access to IM, you can create appropriate SRV records in your public DNS, and forward port 5061. This will not result in a clean service, but it’s better than nothing. But without a proper edge server, you won’t be able to access other IM networks. Not cool.

Microsoft should really make single-server deployment possible, but probably we’re too small of a market to make this financially viable.

So what’s my conclusion? If you’re an SMB, give OCS2007 a try. It’s a very cool software, and the basic IM functionality isn’t that expensive.

If you have a few printers, you usually want to take good care of them. There are many network administration tools that can help you do that, and here i’m talking mostly about HP’s free offerings. Let’s start with the biggest one first.

HP Web Jetadmin

HP Web Jetadmin is HP’s enterprise tool for printer management. It is free though, so i gave it a try. Turns out it really is an enterprise tool, and much too convoluted for SMB use. I like that it has the ability to at least manage some features from printers made by different manufacturers (in my case, Lexmark). You don’t see that every day. I can’t give a full review of the product, because i only invested half an hour in it, only to find out that it is too big for our environment.

It offers all the features one could possibly need – it can monitor toner, media, configuration, time firmware upgrades and can even be used to configure and maintain print servers. With all these features, deployment of this tool is most likely not going to be a short process. You’ll need to invest a few days to find out about all the kinks, functionality and integrate it into your environment meaningfully.

HP Easy Printer Care

HP Easy Printer Care is HP’s Small Business printer management tool. It only supports up to 15 printers, which is not a problem if you’re a small business that uses workgroup printers. For companies that are using a printer on every desktop, 15 might be too low.

The software is meant for use on a desktop computer, not on a server. I see this as a bit of a drawback, as we usually use Microsoft Small Business Servers at our smaller customers, but you can also install the software on a server – it just can’t send emails and notifications (though most of the larger HP printers can mail notifications!).

The tool can not manage the printer firmware, which is a huge drawback. But it allows easy configuration of several settings even by end users, which are sometimes intimidated by the printer menu or the printer web interface. It also allows rudimentary printer accounting on selected (not all) printers (If you’re looking for a more complete printer account software, i can recommend PaperCut NG).

While i think that Web Jetadmin is overkill for any SMB, Easy Printer Care is sometimes too light on functionality. But i like it’s end user oriented design. If HP adds a few nudges to EPC (like mail, firmware management and minimal third party printer support), it could very well become a good tool for SMBs.

HP Download Manager

Using HP Download Manager is like stabbing a fork into your eye. It’s not pleasant, and after the pain stops you’re blind. Okay, so this might’ve been a bit colorful, but the point still stands. This software is junk, mostly because it doesn’t work. HP Download Manager is a firmware management solution for JetDirect print servers that are either stand alone or embedded into printers. It can’t manage printer firmware, which HP Web JetAdmin can.

Internet mode is broken since ages, there are numerous references about this on the web. Using Wireshark, a web server, and the hosts file will get the software to at least download firmware, but it won’t be able to install the software, complaining about “no firmware file”. It could download the file just fine, and manually applying the file using the JetDirect Webinterface worked just dandy.

As such, i can’t recommend this tool. Don’t install it, it doesn’t work right, and will probably eat your eyes.

Conclusion

HP’s Easy Printer Care is a step in the right direction, HP Download Manager doesn’t work, and HP Web Jetadmin is most likely overkill. My hope is that HP improves Easy Printer Care, allowing it to takeover the functions that HP Download Manager should do.

ExcelliPrint is an excellent tool for IPDS->PCL conversion, and i’ve written about it many times before.

But it is only as good as it’s users. A customer called me with a strange problem, related to ExcelliPrint. He told me that he can print on the System i just fine, but the print job just vanishes into thin air. The System i showed the file as being printed, but it was nowhere to be seen on the Windows machine.

I asked the customer if he changed anything recently, he told me no. I’ve used Netviewer to access the customers servers, and have a look at ExcelliPrints logfiles.

At that point, the problem was obious: ExcelliPrint complained that the printer name was invalid. I checked this against the installed printers, and of course the printer ExcelliPrint had another name. After selecting the correct printer, ExcelliPrint continued working just fine and reliable as always.

When asking the customer why he renamed printers, and didn’t tell me that he just said “I didn’t think it mattered”. So much.

Did you know that you can enable Remote Desktop/Terminal Server to use SSL?

Configuration authentication and encryption for Terminal Services

It is generally good practice to configure any machine which has Remote Desktop or Terminal Services enable to at least have an SSL certificate that can be used with RDP. It’s easy to do, and it will allow RDP to use better encryption.

This is especially important if you’re running RDP directly over the Internet (for which special care needs to taken in many more aspects), but it also makes sense to use this in local LAN.

If you don’t have any legacy clients, it also makes sense to set the accepted keystrength to “High”. This will cause all older RDP clients to fail. If you can’t risk that, you can still use “client-compatible”, and use SSL with newer clients and RDP’s builtin encryption with older clients.

Debugging Wireless LAN has always been a rather difficult item. And it was even more difficult on Windows, because you didn’t see many things that other operating systems showed you at point blank range.

But Microsoft has a commandline tool available that many people do not know about, but might make your life a lot easier if you do.

netsh wlan show networks mode="bssid" interface="Drahtlosnetzwerkverbindung"

You’ll have to replace “Drahtlosnetzwerkverbindung” with the name of your wireless adapter. Here’s a snippet of example output:

SSID 1 : dataline
Netzwerktyp : Infrastruktur
Authentifizierung : WPA-Enterprise
Verschlüsselung : TKIP
BSSID 1 : 00:19:07:90:91:00
Signal : 100%
Funktyp : 802.11a
Kanal : 116
Basisraten (MBit/s) : 6 12 24
Andere Raten (MBit/s) : 9 18 36 48 54

Nice and detailled, isn’t it? Much better than the GUI. I would strongly recommend any Windows admin to read up on netsh. It offers many possibilities and debugging option, yet this tool isn’t as well understood as it should be.

The Microsoft Performance team published a new great article about the Vista eventviewer and saved logs.

With Windows Server 2008 at the door, this is interesting. I would also strongly suggest to read all other articles in the Askperf blog – while updates are rather sparse, the content is extremely interesting and well written.

Branding sucks.

McAfee formerly used the name “Network Associates”. So many of it’s files were positioned in %ProgramFiles%\Network Associates and %AllUsersProfile%\Network Associates.

At some time, McAfee started to rebrand it’s program path. Program upgrades do not change the path, but new installations do. This means that you’ll have a nice mixup of paths if you have machines installed from different sources. The new pathnames use McAfee instead of Network Associates.

IBM has the same problems – they currently have suite of programs called “iSeries Access”, which gets installed to %ProgramFiles%\IBM\Client Access (which is the former name of the suite). But as the program should be called “System i Access” by now (or “i5/OS Access”), and the next rebranding will probably be coming up.

I’ve been using OpenVPN for a few years on Linux to establish site to site VPNs. It has never let me down, and i was always able to get the configuration working in the way I wanted it, without much effort and fiddling. Another nice ability of OpenVPN is that it can work it’s way through almost any firewall, which can be especially nice when working with restricted internet access.

A few days ago, i’ve got into a situation where I needed to get to a site to site VPN up as quickly as possible, behind a restrictive firewall. I’ve started with the obvious route, and found a few resources referring to OpenVPN on the net.

One of them is the OpenVPN GUI, which is mostly aimed at roadwarrior scenarios. The Windows installation notes and the Windows section in the howto are quite sparse. As such, my expectations weren’t high.

Installing OpenVPN results in the creation of a virtual ethernet adapter, that’s backed by the TAP driver (which is not signed). The install went fine, and configuration was the same as on Linux.

The Windows installer automatically installs as service that defaults to a disabled state, which when started launches OpenVPN for all *.ovpn files in %ProgramFiles%\OpenVPN\config. Simple, but efficient. Logs get written to %ProgramFiles%\OpenVPN\log.

After creating an appropriate configuration, i put it into the config dir, started the service, and everything just worked. Right out of the box. Without thinkering. Without error messages. It just worked.

As such, the application clearly shows it’s Linux/Unix origin, but it works nicely. Windows administrators that have never worked with a unix-like operating system might be put off by the application. I would still suggest everyone to take a look at OpenVPN for some low cost VPN improvisations.