WindowsNetworking.com Monthly Newsletter of August 2010 Sponsored by: SolarWinds
Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
When you get together with a group of IT pros these days, it seems there's always a lot of fear, uncertainty and doubt in the air. And no wonder - in a continuing "down" economy, jobs have been cut and those who are still employed are finding themselves spread even thinner than usual. There's too much to do and not enough time to do it. There are big changes happening, and even bigger changes on the horizon. If you are worried about the future, you are not alone.
On the face of it, you could ask: what's really new? IT admins have always been overworked and (at least in their own estimations) underpaid. Computer and networking technology has always been fraught with constant change, and those who couldn't handle always having to learn new things have been well advised to stay out of the field. So what's different now?
One thing I'm hearing is that many admins feel that they're losing control of their networks. Some feel that way because of poor planning and networks that "just grew that way" and now contain a confusing mix of technologies, with ancient Windows 2000 domain controllers on the same network with Exchange 2003 servers and new Windows Server 2008 R2 Hyper-V servers. Support for Windows 2000 has ended so they're looking at the daunting task of upgrading those, and at the same time their XP clients are getting long in the tooth too.
But that's not all. The new "consumerization of IT" trend is making things even worse. Users are not only bringing in their own laptops; they also want to connect their smart phones to the corporate network. We're talking about a plethora of different phones and platforms - iPhones, Android phones, Windows Mobile, Symbian, Palm (and soon, HP WebOS and Windows Phone 7). And it's not just phones, either. Now we have iPads to contend with, and IT admins are anticipating (with dread) a flood of competing tablet devices running different operating systems in the near future.
Some companies just prohibit these outside devices altogether, but more and more are seeing benefits from allowing them. Workers are more productive when they can stay connected wherever they go, and it can save the company money when employees buy their own devices. But it can also create a nightmare for IT. Not only are you expected to support and troubleshoot connectivity for all these devices, but you're also responsible for ensuring that they don’t compromise the security of the network.
As if this weren't bad enough, floating there in the distance (but getting closer all the time) is the Cloud. It promises to save you from all these problems, but many IT pros are not welcoming cloud computing with open arms. Rightly or wrongly, they believe it's a threat to their jobs; after all, the whole premise is that companies will no longer need their own IT departments if they put all their apps and data "in the cloud". And even if the company does keep their IT personnel, the job will change. You'll now be acting as more of a liaison between your users and the cloud provider. You might be needed to troubleshoot problems when users can't get connected to the cloud or when their (thin client?) desktop systems have other problems, but you'll no longer have control of your servers. And most IT admins are, by their very nature, control freaks.
If you feel that you're losing control, what can you do about it? The first step is to have a plan. That applies both to your network and to your career. You might not be the one who makes the big decisions - when/how to upgrade your operating systems, whether to allow consumer devices to connect to the network, and so forth - but you will probably have some input into how those processes are to be implemented. For any big change, it always pays to do a pilot program first, so you can detect and anticipate problems that may arise during the transition.
Another way to ward off confusion and regain a sense of control is to document everything. This will make it much easier for you to work through changes in the future. If you don't have a change management system in place already, implement one. Change management software is available to help automate this process.
Update policies to reflect the new situation. Allowing consumer devices on the network doesn't have to mean chaos. Define standards and rules for those connections, put policies in writing and require employees using the devices to sign off on them. The devices may belong to them, but the network belongs to the company, and it's the company's right and responsibility to control how and when employee-owned devices access company resources.
Don't fear the Cloud. Despite the hard push to "cloudify" everything, most analysts believe that most companies will end up with a mixture of public and private cloud computing. Due to security and reliability concerns, some assets will never go into the cloud. Most companies will still need IT personnel to maintain those private clouds (a.k.a. datacenters running "cloud" technologies such as virtualization). Focus on learning those technologies. Become a virtualization pro - and we're talking about a lot more than just server consolidation here. Application virtualization and desktop virtualization will be a big part of the private cloud. Master VDI technology and be ready to help your company keep its feet on the ground while its head is in the cloud.
Look at these changes as opportunities rather than threats. You have the chance to get in on the ground floor with the new technologies, at a time when most IT people don't know much about them. The more you do know, the more valuable you are to your company and the more likely you are to come through the transitions ahead of the game.
By Debra Littlejohn Shinder, MVP
3. WindowsNetworking.com Articles of Interest
Free Utility: Boot from a USB Flash Drive
Here's a handy utility from HP that you can use to boot from USB flash drives.
This can be used for example to perform a blazingly fast install of Windows 7 from a flash drive.
For more administrator tips, go to WindowsNetworking.com/WindowsTips
Everyone loves step-by-step information. It’s one thing to read a concept document and learn a bunch of new terms and ways to do things - but it’s quite another thing to actually do the things described in a concept document. Your users love step-by-steps, too, because they’re really worried about clicking the wrong button or selecting the wrong option. But do you know what’s better than a step-by-step description? Of course, it’s a step-by-step description with pictures!!
So how do you get those screenshots into your step-by-step documentation? One tool that I’ve found invaluable is the snipping tool that’s built into Vista and Windows 7. Just click Start and type Snip into the Search box and you’ll find it. I have mine pinned to my taskbar; that’s how often I use it. Sure, there are other more powerful screen capture solutions such as Snagit, but I’ve found that most of the time, I just need quick and clean screenshots. The snipping tool does that for me.
What would be even better? If I could have someone else take the screenshots for me. Well, that’s not going to happen, but the next best thing is the Problem Steps Recorder. Just click Start and enter psr in the Search box and you’ll see the link to the Problem Steps Recorder. Just start the PSR and click Start Record. At that point the PSR will record each step you carry out, including a text explanation of what was done. There is also advanced information included that gives more details about the applications and steps. Give it a look - it might help with your step-by-step documentation.
I found your Windows Networking article “Certificate Revocation Checking in Test Labs” content to be interesting and relative to a deployment issue I faced several months ago. Working at a small University, I was tasked with a project to implement a Microsoft System Center Configuration Manager 2007 infrastructure.
To prepare for the project I researched numerous web site articles and read lots of blogs, viewed lots of TechNet Webcasts presented by multiple Microsoft evangelists on implementing (SCCM 2007). I discovered from my research that the installation of SCCM 2007 consisted of two install approaches. One secure, using a PKI, and the second not using PKI which decreased security. My SCCM 2007 test server environment was Windows Server 2008 (VM’s).
Before launching the initial install of SCCM 2007, I spent lots of hours working on the implementation of a PKI, which I found to be very difficult and complex, and I was not really sure if the PKI was properly configured. I soon found out my PKI was not correctly configured when I attempted several times to install SCCM 2007 using the secure PKI approach. SCCM would abort the install if the PKI was not set up correctly. You know, still to this day, I don’t know what a correct PKI implementation is. So, to move my project forward I settled for the less secure install approach of SCCM 2007 which installed without any problems.
So, with all that said, if I was to follow your instructions on “configuring the CRL Distribution Point settings on the Certification Authority” would I be able to install SCCM 2007 with PKI?
Thank you, Aubrey
This is an interesting question and I don’t know whether I have a definitive answer for you. The challenge with putting together a PKI is that there are both server-side (certificate servers in the PKI hierarchy) and client-side requirements. Overall, while the server side of the equation can be complex, the client side (server applications and client applications) can be even more so, since the client and server applications consume the products of your PKI (certificates) differently.
For example, the approach I provided in that article showed you how to turn off publishing CRL distribution point information which is included in the certificates. This works in some scenarios (such as with DirectAccess) but doesn’t work in other scenarios where apparently there must be a CDP available or else there is a hard failure (you’ll see that with NAP if you try to turn off the CDP information included in the certificates).
A better solution for you is to publish your CDP, which was the second solution I presented in that article. This is something that you can easily do, and might be the solution to your PKI worries. It might be that your SCCM failure was related to the CDP not being available. If that’s the case, the CDP publishing approach I described in that article will work fine for you. Check out this link for more information on the details.
You might also find the article Step-by-Step Example Deployment of the PKI Certificate Required for Configuration Manager Native Mode: Windows Server 2008 Certification Authority helpful. Overall, once you get a feel for things, you’ll find that installing and configuring a simple PKI isn’t that difficult. Things can get complex, though. You might want to check out the excellent Designing a Public Key Infrastructure doc over here to get more familiar with the most important issues.
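
As an added example (not part of the newsletter or of the article it refers to), the following PowerShell sketch relates to the CDP availability point in the answer above: it lists the CRL distribution point URLs embedded in each certificate of a store and reports whether the HTTP ones can be downloaded. The store path `Cert:\LocalMachine\My` and the function names `Get-CdpUrl` and `Test-CdpReachable` are assumptions chosen for illustration; it assumes Windows PowerShell 3.0 or later on an English-language Windows system.

```powershell
# Added example: report each CDP URL embedded in the certificates of a store
# and whether HTTP CDPs can actually be downloaded from this machine.
function Get-CdpUrl {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }   # certificate carries no CDP information at all
    # On Windows, Format($true) renders the extension as text, one "URL=..." per line.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpReachable {
    param([Parameter(Mandatory = $true)][string]$Url)
    # LDAP and file CDPs are listed but not fetched by this sketch.
    if ($Url -notmatch '^https?://') { return 'skipped (not HTTP)' }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        if ($r.StatusCode -eq 200) { 'reachable' } else { "HTTP $($r.StatusCode)" }
    } catch {
        "unreachable: $($_.Exception.Message)"
    }
}

# Assumed store: the local computer's Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $urls = @(Get-CdpUrl -Certificate $cert)
    if ($urls.Count -eq 0) {
        [pscustomobject]@{ Subject = $cert.Subject; Cdp = '(none)'; Status = 'no CDP in certificate' }
    }
    foreach ($u in $urls) {
        [pscustomobject]@{ Subject = $cert.Subject; Cdp = $u; Status = Test-CdpReachable -Url $u }
    }
}
```

Run it on the machine that has to validate the certificate, since reachability depends on where the check is made. For a full chain and revocation check of an exported certificate, `certutil -verify -urlfetch <file.cer>` performs the retrieval with the Windows certificate chain engine.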