Tuesday, January 26, 2010
Sunday, December 6, 2009
I recently migrated a customer from SBS 2003 to SBS 2008. I've done a few of these. There is no in-place upgrade, as SBS 2003 is 32-bit and SBS 2008 is 64-bit. Because of this I've recommended to my customers to stay with 2003 until they replace their existing hardware. The migration is easiest if you're moving to new hardware at the same time. This time I decided to give the Swing method from sbsmigration.com a try. I'd heard a lot of good things about it. Last year I met Jeff Middleton, the owner, at an SBS event at Microsoft. I was impressed that the MS guys seemed to respect his deep knowledge of SBS.

The Microsoft way is a series of documents and help files that walk you through installing the new SBS 2008 server in migration mode, which joins it to the domain. Then in a series of steps you move Exchange, SharePoint, user data, third-party programs, and everything else that's on the old server over to the new server. Once this is complete you decommission the old server and clean up Active Directory.

The Swing method is a little different. You create a third server, promote it to a domain controller in the existing SBS domain, then physically remove it from the domain. You migrate from this temporary domain controller to SBS 2008. This allows you to use the same server name, IP address, and other settings that the old SBS 2003 server used. This can greatly ease migrating some line-of-business applications. It also means you save a lot of time with the workstations. They essentially think it's the same server, only with Exchange 2007. With the Microsoft method you have to touch every workstation, as the new server has a different name and IP address.
To keep a long story short, the Swing migration worked great on the customer's server. I did have a problem when I ran a test migration with my own SBS 2003 server. Here is where sbsmigration.com really kicked butt and why I now recommend it over the Microsoft way. Jeff's support was excellent. He was answering emails within minutes most of the time. Even on a weekend evening, with him in a time zone three hours ahead of me, he was still answering emails. The problems I was experiencing were totally of my own making. As this was just a test I took a few shortcuts. My SBS server has seen many experiments over the years. Just recently I was testing IPv6 and had removed IPv4 from it for a while; I've had Blackberry Enterprise Server installed on it – things like that. The server is a bit of a mess, let alone Active Directory. Jeff was very patient and helped me through my problems. I eventually gave up on the test migration as I was running out of time and I had learned enough to comfortably go ahead with a live customer migration. I picked up the customer's server on a Friday afternoon and returned Monday with the new SBS 2008 server. It took 17 hours over Friday evening, Saturday, and Sunday, then another five hours Monday at the customer's site. It was by far the cleanest SBS 2003 to 2008 migration I've done. Jeff's documentation on how to clean up Active Directory both before and after the migration is excellent. Sbsmigration.com – highly recommended.
Thursday, October 22, 2009
I usually don't recommend everyone immediately upgrade to a new version of anything. I'm firmly in the wait-for-others-to-find-the-bugs camp. I like to run the latest myself, but for paying customers, if it ain't broke why fix it. I don't recommend they upgrade until version 1.1 or possibly with a hardware change. I'm changing this position for Windows 7. It's not that different from Vista. Vista's now at Service Pack 2 and is very stable. For whatever reason many people are still running XP. The security benefits of Windows 7 compared to XP far outweigh any cons about upgrading. The Internet is worse than the Wild West was. Surfing the net with XP is like showing up at the OK Corral naked with a water pistol. It doesn't matter what you do, you're probably going to lose. When you do lose you will become a zombie bothering the local townies until they finally put you out of your misery. Windows 7 puts you in the game. You've got as good a chance as the bad guys. For this reason alone Windows 7 is worth upgrading for. All the fancy UI, networking, media enhancements, etc., are just gravy. Security is the number one reason to upgrade. Heck, even the Linux and Mac crowd should be urging the Windows crowd to upgrade. The Internet will be a much better place when XP is forgotten.
Wednesday, October 21, 2009
A while back I wrote a blog post comparing computer security to walking in the rain. This morning it was raining pretty hard during my morning walk. It wasn't raining quite as hard as when I wrote the previous post, but West Coasters know what "raining pretty hard" means. For the rest of you, it was raining as hard as you'll probably ever experience unless you live in a rain forest. For some reason I decided not to use the same gear as in the blog post. I had the Halti jacket and Tilley hat on. I didn't take an umbrella, wear gloves, or wear rain pants. I ignored my own advice from that post about security being a marathon where we can never relax. In half a block my pants were soaked through. A few minutes later my hands were cold. I had to cut my usual walk in half because I was getting cold and wet. Computer security is similar. Use the appropriate tools. Don't take shortcuts. Never relax or get complacent.
Monday, October 19, 2009
IPv6 is coming. We'll all have to learn how to deal with it. With this in mind I've set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject, then play. After playing with it I generally find I need to do some more reading or possibly even take some courses. With IPv6 I'm at the playing stage. I decided to set up a Server 2008 R2 virtual machine as a test bed for IPv6. I needed a second domain controller on my SBS 2003 network, so I made it a DC and a DNS server. It's probably not the best idea to use a DC for an IPv6 experiment, but I figured I may as well go whole hog and learn by making mistakes.
The reason for the DNS server is so that once I figure out IPv6 it can answer IPv6 queries from the workstations. Plus it's a DC, which implies a DNS server. This is the first place I ran into a problem. There is a bug in the 2008 R2 DNS server implementation. It wasn't resolving some queries. nslookup microsoft.com worked but nslookup www.microsoft.com didn't. It was very perplexing and took a lot of Bing-foo and Google-foo to fix. The fix is here in Scott Forsyth's Blog. It appears it's a combination of some DNS servers not returning EDNS results properly and the way Server 2008 R2 DNS deals with that.
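Reproducing the symptom and applying the common workaround, as an added example that is not part of the original post. The "apex name resolves, www name doesn't" pattern is the well-known effect of the 2008 R2 DNS service probing upstream servers for EDNS0 support and getting mangled answers back; the usual remedy is to turn those probes off with dnscmd. That this is the same fix as in Scott Forsyth's post is an assumption, since the post is not reproduced here, and the server name and test names below are placeholders.

```powershell
# Added example (not from the post). Reproduce the symptom against the Windows
# DNS server, then apply the common workaround of disabling EDNS0 probes.
# $DnsServer and the test names are assumptions; substitute your own.
$DnsServer = 'dc01.example.local'
$Names = 'microsoft.com', 'www.microsoft.com'

function Test-Resolution {
    param([string]$Name, [string]$Server)
    # nslookup reports failure in its text rather than via an exit code,
    # so look for the phrases it prints when a query fails.
    $out = (& nslookup $Name $Server 2>&1) -join "`n"
    if ($out -match "timed out|Non-existent domain|SERVFAIL|can't find") {
        return $false
    }
    return $true
}

foreach ($n in $Names) {
    $status = if (Test-Resolution -Name $n -Server $DnsServer) { 'OK  ' } else { 'FAIL' }
    Write-Host "$status $n"
}

# Show the current setting (1 means the server probes upstream for EDNS0 support).
dnscmd $DnsServer /Info EnableEDNSProbes

# Workaround: stop probing for EDNS0. Upstream servers and firewalls that
# mishandle EDNS then no longer cause partial failures like the one above.
dnscmd $DnsServer /Config /EnableEDNSProbes 0

# Drop cached negative answers so the test loop can be re-run immediately.
dnscmd $DnsServer /ClearCache
```

Run it from an elevated prompt on the DNS server or with rights on it; dnscmd takes the server name as its first argument. Treat the setting as a workaround rather than a fix: EDNS0 is what carries DNS responses larger than 512 bytes and is required for DNSSEC, so the cleaner long-term correction is to make sure the perimeter firewall passes UDP DNS packets larger than 512 bytes and then switch the probes back on.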
The server was now set up as a DC and a DNS server. To play with IPv6 I needed to set up a tunnel. My ISP doesn't support IPv6 and neither does my router. I decided to activate a free IPv6 tunnel at tunnelbroker.net. This was relatively straightforward. I was happily testing IPv6 over the tunnel, thinking that was too easy. I was right, it was too easy. I decided to run a port scan of the IPv6 tunnel. Imagine my surprise to find out that as far as the Windows firewall was concerned the tunnel was part of the local network. I had just put a DC on the Internet with no firewall. Not good, to say the least. I quickly disabled the tunnel. I spent the next several hours Googling and Binging to no avail. So far I haven't found any way to block incoming ports on the IP6Tunnel interface while leaving ports open for the local network. I'm stuck for now. I need to use the Windows firewall because the tunnel by definition bypasses the firewall in my router. I'm sure there's a way, but until I find it no IPv6 for me. Once I get past this setback I'll continue this blog series.
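Auditing what the tunnel actually exposes, as an added example that is not part of the original post and not the author's solution. It lists which firewall profile is active and every enabled inbound allow rule that accepts connections from any remote address; on a DC in the Domain profile those rules are exactly what a tunnel interface lumped into that profile opens to the whole IPv6 Internet. The closing fix scopes an allow rule by remote address instead of by interface, since 2008 R2 cannot tie a rule to one specific interface; the rule name and the LAN prefixes are assumptions.

```powershell
# Added example (not from the post). Show the active Windows firewall profile
# and list enabled inbound allow rules that accept traffic from any remote
# address, then scope one such rule to the LAN. Rule name and prefixes are
# assumptions for illustration.

netsh advfirewall show currentprofile

function Get-ExposedInboundRules {
    # Parse netsh text output; Server 2008 R2 has no NetSecurity cmdlets.
    $raw = (netsh advfirewall firewall show rule name=all dir=in verbose) -join "`n"
    $exposed = @()
    foreach ($block in ($raw -split "`n(?=Rule Name:)")) {
        if ($block -match 'Rule Name:\s+(.+)') { $name = $Matches[1].Trim() } else { continue }
        $profiles = if ($block -match 'Profiles:\s+(.+)') { $Matches[1].Trim() } else { '' }
        $enabled   = $block -match 'Enabled:\s+Yes'
        $allow     = $block -match 'Action:\s+Allow'
        $anyRemote = $block -match 'RemoteIP:\s+Any'
        if ($enabled -and $allow -and $anyRemote) {
            $exposed += [pscustomobject]@{ Name = $name; Profiles = $profiles }
        }
    }
    return $exposed
}

Get-ExposedInboundRules | Format-Table Name, Profiles -AutoSize

# Fix: limit an allow rule to LAN addresses instead of "Any". Hosts reaching
# the DC through the tunnel arrive from global addresses outside these ranges
# and no longer match, while LAN clients keep working.
$LanPrefixes = '192.168.1.0/24,fd00:1::/64,fe80::/10'   # assumption: your LAN
netsh advfirewall firewall set rule name="Active Directory Domain Controller - LDAP (TCP-In)" dir=in new "remoteip=$LanPrefixes"
```

Compare the Profiles column against the active profile printed at the top; rules in other profiles are not live. Leave the Core Networking ICMPv6 and neighbour discovery rules alone, since IPv6 breaks without them, and handle Remote Desktop separately. Once the rules are scoped, repeat the port scan from a host outside the tunnel to confirm the DC no longer answers.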
It looks like the only way to do this is to add a second NIC for the IPv6 tunnel. I should be able to set the firewall profile for the second NIC to Public which would solve the problem. I don't want the headaches caused by a multi-homed domain controller. I'd probably need to setup a VLAN as well, which my router doesn't support. The project is temporarily on hold while I rethink things.
Wednesday, October 14, 2009
My other problem is my Blackberry. I haven't found a way to sync the BB and Exchange in Linux. I could set up a Blackberry Enterprise Server. This will sync Exchange and the BB over the cellular carrier in real time. It would cost me more money. I'd have to upgrade my wireless plan from BIS to BES. I'd also be running another server. Even virtualized it seems like overkill.
Other than the Exchange problems the experiment has been a success. VPN and RDP access to the networks I manage hasn't been a problem. I've received some Excel attachments that OpenOffice had no problems with. I received some .PDF files that weren't a problem. So far I have to say I prefer Windows 7 over Fedora 11, but it has nothing to do with the OS. It's all about the applications, and it seems as long as I'm married to Exchange I'll be running Windows.
Tuesday, October 13, 2009
I'm leaving this morning for a three-day trip to Ottawa for a CIRA board meeting. I depend on my Blackberry and my laptop to run my business while I'm on the road. I'm going to do an experiment this trip. I'm going to run Fedora 11 exclusively on my laptop. I've always had a multi-boot setup on the laptop of Windows Desktop, Windows Server, and Linux. The current setup is Windows 7 Ultimate, Server 2008 R2, and Fedora 11. I've set the default boot to Fedora 11 and hope to keep it that way for the next three days. I've tried this in the past with various distros of Ubuntu and openSUSE. Neither worked out. For some reason I always had to boot into Windows sometime during the road trip. It was usually something to do with Exchange or my Blackberry. I rely on my Blackberry and Exchange to manage my time, email, and basically my business. I'll try to keep this blog up to date with my experiences and at the end I'll post the results.