Sunday, December 6, 2009

SBS 2003 to 2008 Migration

I recently migrated a customer from SBS 2003 to SBS 2008. I've done a few of these. There is no in-place upgrade as SBS 2003 is 32 bit and SBS 2008 is 64 bit. Because of this I've recommended to my customers to stay with 2003 until they replace their existing hardware. The migration is easiest if you're moving to new hardware at the same time. This time I decided to give the Swing method from a try. I'd heard a lot of good things about it. Last year I met Jeff Middleton, the owner, at an SBS event at Microsoft. I was impressed that the MS guys seemed to respect his deep knowledge of SBS. The Microsoft way is a series of documents and help files that walk you through installing the new SBS 2008 server in migration mode, which joins it to the domain. Then in a series of steps you move Exchange, SharePoint, user data, third party programs, and everything else that's on the old server over to the new server. Once this is complete you decommission the old server and clean up Active Directory. The Swing method is a little different. You create a third server, promote it to a domain controller in the existing SBS domain, then physically remove it from the domain. You migrate from this temporary domain controller to SBS 2008. This allows you to use the same server name, IP address, and other settings that the old SBS 2003 server used. This can greatly ease migrating some Line of Business applications. It also means you save a lot of time with the workstations. They essentially think it's the same server only with Exchange 2007. With the Microsoft method you have to touch every workstation as the new server has a different name and IP address.

To keep a long story short the Swing migration worked great on the customer's server. I did have a problem when I ran a test migration with my own SBS 2003 server. Here is where really kicked butt and why I now recommend it over the Microsoft way. Jeff's support was excellent. He was answering emails within minutes most of the time. Even on a weekend evening with him being in a time zone three hours ahead of me he was still answering emails. The problems I was experiencing were totally of my own making. As this was just a test I took a few shortcuts. My SBS server has seen many experiments over the years. Just recently I was testing IPv6 and had removed IPv4 from it for a while, I've had Blackberry Enterprise Server installed on it – things like that. The server is a bit of a mess let alone Active Directory. Jeff was very patient and helped me through my problems. I eventually gave up on the test migration as I was running out of time and I had learned enough to comfortably go ahead with a live customer migration. I picked up the customer's server on a Friday afternoon and returned Monday with the new SBS 2008 server. It took 17 hours over Friday evening, Saturday, and Sunday, then another five hours Monday at the customer's site. It was by far the cleanest SBS 2003 to 2008 migration I've done. Jeff's documentation on how to clean up Active Directory both before and after the migration is excellent. – highly recommended.

Thursday, October 22, 2009

Why you should upgrade to Windows 7

I usually don't recommend everyone immediately upgrade to a new version of anything. I'm firmly in the wait for others to find the bugs camp. I like to run the latest myself but for paying customers if it ain't broke why fix it. I don't recommend they upgrade until version 1.1 or possibly with a hardware change. I'm changing this position for Windows 7. It's not that different from Vista. Vista's now at Service Pack 2 and is very stable. For whatever reason many people are still running XP. The security benefits of Windows 7 compared to XP far outweigh any cons about upgrading. The Internet is worse than the wild west was. Surfing the net with XP is like showing up at the OK Corral naked with a water pistol. It doesn't matter what you do, you're probably going to lose. When you do lose you will become a zombie bothering the local townies until they finally put you out of your misery. Windows 7 puts you in the game. You've got as good of a chance as the bad guys. For this reason alone Windows 7 is worth upgrading for. All the fancy UI, networking, media enhancements, etc, are just gravy. Security is the number one reason to upgrade. Heck, even the Linux and Mac crowd should be urging the Windows crowd to upgrade. The Internet will be a much better place when XP is forgotten.

Wednesday, October 21, 2009

Walking in the Rain Revisited

A while back I wrote a blog post comparing computer security to walking in the rain. This morning it was raining pretty hard during my morning walk. It wasn't raining quite as hard as when I wrote the previous post but west coasters know what "raining pretty hard" means. For the rest of you, it was raining as hard as you'll probably ever experience unless you live in a rain forest. For some reason I decided not to use the same gear as in the blog post. I had the Halti jacket and Tilley hat on. I didn't take an umbrella, wear gloves, or wear rain pants. I ignored my own advice from this blog post about security being a marathon where we can never relax. In half a block my pants were soaked through. A few minutes later my hands were cold. I had to cut my usual walk in half because I was getting cold and wet. Computer security is similar. Use the appropriate tools. Don't take shortcuts. Never relax or get complacent.

Monday, October 19, 2009

Experimenting with IPv6 – Part 1

IPv6 is coming. We'll all have to learn how to deal with it. With this in mind I've set out to educate myself about IPv6. I learn better by doing than by reading. I like to read enough that I have a very basic understanding of the subject then play. After playing with it I generally find I need to do some more reading or possibly even take some courses. With IPv6 I'm at the playing stage. I decided to set up a Server 2008 R2 virtual machine as a test bed for IPv6. I needed a second domain controller on my SBS 2003 network so I made it a DC and a DNS server. It's probably not the best idea to use a DC for an IPv6 experiment but I figured I may as well go whole hog and learn by making mistakes.

The reason for the DNS server is so once I figure out IPv6 it can answer IPv6 queries from the workstations. Plus it's a DC which implies a DNS server. This is the first place I ran into a problem. There is a bug in the 2008 R2 DNS server implementation. It wasn't resolving some queries. NSlookup worked but nslookup didn't. It was very perplexing and took a lot of Bing-foo and Google-foo to fix. The fix is here in Scott Forsyth's Blog. It appears it's a combination of some DNS servers not returning EDNS results properly and the way Server 2008 R2 DNS deals with that.
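When a DNS server resolves some names and not others, the quickest way to tell a server problem from a zone problem is to query the same names through the suspect server and through a reference resolver and see where the answers differ. The script below is an added example written for this post, not something from the original post or from Scott Forsyth's blog. It runs on the PowerShell 2.0 that ships with Server 2008 R2 and only shells out to nslookup.exe; the two server addresses and the sample names are placeholders you replace with your own.

```powershell
# Added example (not from the original post): compare how a list of names
# resolves through the local 2008 R2 DNS server versus a reference
# resolver. A name the reference resolver answers but the local server
# does not points at the local server (e.g. EDNS handling), not the zone.
# $LocalDns and $ReferenceDns are assumed placeholder addresses.

function Test-NameOnServer {
    param([string]$Name, [string]$Server)
    # Windows nslookup exits 0 even when the lookup fails, so inspect
    # the text it prints rather than $LASTEXITCODE.
    $out = & nslookup.exe -type=A $Name $Server 2>&1 | Out-String
    if ($out -match "can't find|timed out|No response|Non-existent") {
        return $false
    }
    return $true
}

function Compare-Resolvers {
    param([string[]]$Names, [string]$LocalDns, [string]$ReferenceDns)
    $results = @()
    foreach ($n in $Names) {
        $local = Test-NameOnServer -Name $n -Server $LocalDns
        $ref   = Test-NameOnServer -Name $n -Server $ReferenceDns
        $results += New-Object PSObject -Property @{
            Name          = $n
            LocalResolves = $local
            RefResolves   = $ref
            # Suspect: works elsewhere, fails only through the local server.
            Suspect       = ($ref -and -not $local)
        }
    }
    return $results
}

# Constructed sample names; both server addresses are placeholders.
$names = @('www.microsoft.com', 'www.example.com', 'update.microsoft.com')
Compare-Resolvers -Names $names -LocalDns '192.0.2.10' -ReferenceDns '203.0.113.53' |
    Format-Table Name, LocalResolves, RefResolves, Suspect -AutoSize
```

Run it from an elevated prompt on the DC itself, or from a workstation that can reach both servers. Names flagged Suspect are the ones to retest after applying the fix from Scott Forsyth's post; if a name fails through both servers the problem is the zone or the upstream resolver, not Server 2008 R2.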

The server was now set up as a DC and a DNS server. To play with IPv6 I needed to set up a tunnel. My ISP doesn't support IPv6 and neither does my router. I decided to activate a free IPv6 tunnel at This was relatively straightforward. I was happily testing IPv6 over the tunnel thinking that was too easy. I was right, it was too easy. I decided to run a port scan of the IPv6 tunnel. Imagine my surprise to find out that as far as the Windows firewall was concerned the tunnel was part of the local network. I had just put a DC on the Internet with no firewall. Not good to say the least. I quickly disabled the tunnel. I spent the next several hours Googling and Binging to no avail. So far I haven't found any way to block incoming ports on the IP6Tunnel interface while leaving ports open for the local network. I'm stuck for now. I need to use the Windows firewall because the tunnel by definition bypasses the firewall in my router. I'm sure there's a way but until I find it no IPv6 for me. Once I get past this setback I'll continue this blog series.


It looks like the only way to do this is to add a second NIC for the IPv6 tunnel. I should be able to set the firewall profile for the second NIC to Public which would solve the problem. I don't want the headaches caused by a multi-homed domain controller. I'd probably need to set up a VLAN as well, which my router doesn't support. The project is temporarily on hold while I rethink things.
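The lesson of the port scan above is that a tunnel terminates on the host, so the router's firewall never sees that traffic and every service bound to all IPv6 addresses is reachable through it unless the Windows firewall filters that interface. The script below is an added example, not part of the original post, for checking that exposure from the host itself before bringing a tunnel up: it lists the IPv6 interfaces (tunnel adapters appear there), the firewall state per profile, and every TCP service listening on an IPv6 socket. It uses only netsh, netstat and PowerShell 2.0, all present on Server 2008 R2, and takes no parameters.

```powershell
# Added example (not from the original post): audit what an IPv6 tunnel
# would expose on a Windows Server 2008 R2 host. Anything listening on
# [::] binds every IPv6 address, tunnel endpoint included, so it is
# reachable from the Internet if the host firewall does not filter the
# tunnel interface.

function Get-Ipv6Listeners {
    # -p TCPv6 limits netstat to IPv6 TCP sockets; LISTENING rows look like:
    #   TCP    [::]:135    [::]:0    LISTENING    700
    $rows = & netstat.exe -ano -p TCPv6 | Select-String 'LISTENING'
    $listeners = @()
    foreach ($row in $rows) {
        $fields = ($row.Line -split '\s+') | Where-Object { $_ -ne '' }
        $listeners += New-Object PSObject -Property @{
            LocalAddress  = $fields[1]
            OwningPid     = $fields[4]
            # True when the socket is bound to every IPv6 address.
            AllInterfaces = $fields[1].StartsWith('[::]')
        }
    }
    return $listeners
}

Write-Host '== IPv6 interfaces (a tunnel shows up as its own adapter) =='
& netsh.exe interface ipv6 show interfaces

Write-Host '== Windows Firewall state per profile =='
& netsh.exe advfirewall show allprofiles state

Write-Host '== TCP services listening on IPv6 =='
Get-Ipv6Listeners | Format-Table LocalAddress, OwningPid, AllInterfaces -AutoSize
```

On a domain controller the listener list will include the usual AD, DNS and RPC ports bound to [::], which is exactly why the tunnel in the post amounted to putting the DC on the Internet. The script only covers TCP; UDP sockets (DNS on 53, for instance) have no LISTENING state in netstat, so check those with `netstat -ano -p UDPv6` separately.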

Wednesday, October 14, 2009

Windows 7 vs. Fedora 11 - Part 2

Well the experiment to only run Linux while on a road trip was a partial failure. I had to boot into Windows to get some work done that involved email and Exchange. I can't seem to wean myself from Exchange. I thought I had Evolution working but it keeps locking up on me. I've always had problems with Evolution but I had high hopes for the current version and Fedora 11. It works flawlessly while directly connected to my Exchange 2003 server. Working remotely is another story altogether. It works sporadically. There will be long pauses of up to five minutes where it seems to be locked up then suddenly it's working fine for a few minutes. Eventually it will lock up completely. I switched to using OWA (Outlook Web Access) instead. The OWA experience with Firefox is not the best. OWA in Exchange 2003 really needs IE with ActiveX to be productive. I've tested Exchange 2007 and it has a much better OWA experience with a non-IE client. I'll be updating my Exchange server to 2007 in the near future. Hopefully the combination of OWA, Exchange 2007, and Firefox in Fedora 11 will be more productive.

My other problem is my Blackberry. I haven't found a way to sync the BB and Exchange in Linux. I could set up a Blackberry Enterprise Server. This will sync Exchange and the BB over the cellular carrier in real time. It would cost me more money. I'd have to upgrade my wireless plan from BIS to BES. I'd also be running another server. Even virtualized it seems like overkill.

Other than the Exchange problems the experiment has been a success. VPN and RDP access to the networks I manage hasn't been a problem. I've received some Excel attachments that OpenOffice had no problems with. I received some .PDF files that weren't a problem. So far I have to say I prefer Windows 7 over Fedora 11 but it has nothing to do with the OS. It's all about the applications and it seems as long as I'm married to Exchange I'll be running Windows.

Tuesday, October 13, 2009

Windows 7 vs. Fedora 11 - Part 1

I'm leaving this morning for a three day trip to Ottawa for a CIRA board meeting. I depend on my Blackberry and my laptop to run my business while I'm on the road. I'm going to do an experiment this trip. I'm going to run Fedora 11 exclusively on my laptop. I've always had a multi-boot setup on the laptop of Windows Desktop, Windows Server, and Linux. The current setup is Windows 7 Ultimate, Server 2008 R2, and Fedora 11. I've set the default boot to Fedora 11 and hope to keep it that way for the next three days. I've tried this in the past with various distros of Ubuntu and OpenSuse. Neither worked out. For some reason I always had to boot into Windows sometime during the road trip. It was usually something to do with Exchange or my Blackberry. I rely on my Blackberry and Exchange to manage my time, email, and basically my business. I'll try to keep this blog up to date with my experiences and at the end I'll post the results.

Thursday, August 13, 2009

Facts vs. Beliefs

Last night I was on my deck watching the Perseid meteor shower. I started wondering what our ancestors must have thought about events like this. I was thinking that they must have had all sorts of weird superstitious beliefs about omens and such. Lying there watching the sky gave me lots of time to think. The more I thought about it I started wondering what someone several thousand years in the future would think about my beliefs regarding the meteor shower. To me they are facts that I know. I am sure that to our ancestors their beliefs were also facts that they knew with absolute certainty. This means that my facts may in fact be only a belief and not really a fact. In the future they may think that our current beliefs about space, meteor showers, etc. are quaint, superstitious beliefs because they have discovered some new facts.

What does all this have to do with computers? Many people have beliefs regarding computers that they see as facts. One example of this is the fact that OS X is more secure than Windows. An alternate fact, just as wrong, would be that Windows 7 is more secure than OS X. My belief about this fact is that you can't measure how secure an OS is so the question is moot. My point is we all have many beliefs about computers. Many of these beliefs, which currently are thought of as facts, will probably change over time. Don't get too comfortable with the facts.

Tuesday, July 7, 2009

Windows 7, Vista, and the Blogosphere

Windows 7 is about to hit the RTM milestone any day now. I've been playing with it since the public beta release last fall. I like it. As soon as it hits RTM I plan to install it on both my laptop and desktop. I'll only run Vista in virtual machines for testing. That said I can't believe all the hyperbole about Windows 7. Yes, it has some nice new features but come on people it's really not that different from Vista. The vast echo chamber of the blogosphere which dissed Vista is praising Windows 7 like it's the second coming. I've been trying to analyse why.

Resistance to change and resistance to admitting you may be wrong is my best guess. Vista was a huge change from XP. I was in on the beta testing of Vista quite early. It was still called Longhorn. I knew immediately there was going to be a lot of resistance. It was actually reasonably secure and forced users and programmers into a better security model. Anyone remotely interested in security knows that increased security always means increased inconvenience. How often did we hear new Vista users saying things like "I'm the administrator dammit. I can look after my security myself." Well you know what? 99.9% of us can't. If you're running XP it's probably impossible. Amongst other things I enjoy figuring out how malware works. I don't make much money at it but I remove malware for customers when I have time. I do this so I can see real world infections and figure out how the malware works. I see malware all the time on the computers of network administrators and highly sophisticated users. You want to know why this is? It's because they run an insecure OS as administrator all the time. The programs they use expect to have administrator rights. The services and drivers running in the background have carte blanche to do whatever they want. XP is a security nightmare people became used to. There was no way to fix it, thus Vista came into being. Vista, while mitigating a lot of the problems, forced everyone to change their habits in a way that wasn't convenient. More importantly it took a while to figure out these changes. It took even longer for a moderately competent geek to figure out new ways to bend the OS to their will. Couple this with the fact that Vista required significantly more hardware than XP and it was a recipe for disaster. This caused much angst and bad press in the blogosphere. This angst was endlessly echoed until it was the "truth" that Vista was flawed. Once this "truth" was out there it was impossible for any blogger to argue against it. There is still no better way to get click throughs than by writing a blog that disses Vista and links to other blogs as proof. Many of the bloggers and experts over time learned that this "truth" wasn't really true. They were afraid to say anything for fear of admitting they'd been wrong. Along comes Windows 7. It has a few cool new features. The UI has been tweaked a bit. It's been highly optimized to appear faster to the user. Most people now have hardware capable of running Vista. Windows 7 runs great on this hardware. More importantly all the bloggers and moderately competent geeks can get up to speed very quickly as they already climbed the learning curve with Vista and it's not Vista. They don't have to admit they were wrong in order to say they like it. It's a recipe for good press in the blogosphere.

Don't get me wrong. I really like Windows 7. Some of the new features are really cool. The new taskbar is a huge improvement. Aero Peek has become indispensable. The UI really is more intuitive most of the time. There are a few things I don't like. The libraries feature is a great idea that isn't fully implemented. It has tremendous potential but as it is implemented in Windows 7 it doesn't work for me. The Homegroup networking feature is a security problem. It makes it very hard to share one folder in your profile. If you share a folder in your profile the whole \USERS tree is automatically shared. I had a good discussion about this with someone from Microsoft and in the end we agreed to disagree. He said the default ACLs and Access Based Enumeration locked down the folders well enough for home use. I felt they didn't, especially for a very small business many of which run the Home version of Windows.
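Whether the default ACLs are good enough is a judgment call, but what is actually shared is not: it can be read off the machine. The script below is an added example, not part of the original post, for a Windows 7 machine: it lists every SMB share, flags the ones rooted at or under the \Users tree, and prints the NTFS access rules on those paths so you can see what a network user would be granted. It uses only WMI (Win32_Share) and Get-Acl, both available on Windows 7's PowerShell 2.0, and assumes the profile root is %SystemDrive%\Users.

```powershell
# Added example (not from the original post): find shares that expose the
# \Users tree and show the NTFS ACL that is all that stands between a
# network user and the other profiles under it.

function Get-ProfileShares {
    param([string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'))
    # Win32_Share includes IPC$ (empty path); skip it.
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Path -ne '' }
    $root   = $UsersRoot.TrimEnd('\').ToLower()
    $report = @()
    foreach ($s in $shares) {
        $path = $s.Path.TrimEnd('\').ToLower()
        $report += New-Object PSObject -Property @{
            Name        = $s.Name
            Path        = $s.Path
            # Share rooted at \Users itself: every profile folder is exposed,
            # subject only to the NTFS ACLs beneath it.
            IsUsersRoot = ($path -eq $root)
            UnderUsers  = $path.StartsWith($root)
        }
    }
    return $report
}

function Show-NtfsAcl {
    param([string]$Path)
    # NTFS rules only; share-level permissions are separate and can be
    # seen with: net share <sharename>
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

$shares = Get-ProfileShares
$shares | Format-Table Name, Path, UnderUsers, IsUsersRoot -AutoSize
foreach ($s in ($shares | Where-Object { $_.UnderUsers })) {
    Write-Host "NTFS ACL on $($s.Path):"
    Show-NtfsAcl -Path $s.Path
}
```

Run it after joining or creating a Homegroup and sharing one folder from your profile, and compare the output with what you intended to share. Access Based Enumeration hides folders a user cannot open, but it does not change what the ACL grants, so the ACL listing, not the view from another PC, is what to judge the exposure by.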

So what's my conclusion? I'm somewhat grumpy about the fact that Vista will go down in history as Windows Me the second. The blogosphere is praising Windows 7 which will cause a lot of people to finally move away from XP. That's a very good thing. The Internet will be a better place.

Monday, March 2, 2009

Security is a never ending journey

I'm at the 2009 Microsoft MVP Summit. Around 2000 MVPs descend on Microsoft's Redmond Campus for four days of sessions with various product teams. The sessions include a lot of two-way feedback, which can be brutal from both sides. It's a lot of fun. Today I went to several security sessions. I got to hear Steve Riley talk and then answer questions from an audience that included Jesper Johansson. It was amazing. At one session Ziv Mador and Steve Adegbite were talking about the Conficker worm and Microsoft's response to the vulnerability the worm initially used to spread itself. It was fascinating to hear the process they went through to identify the vulnerability and patch it, then have to wait and see the exploits developed when the bad guys reverse engineer the patch. During the session Steve Adegbite said something that really resonated with me. He said "Security is like a never ending marathon." I think that is one of the best statements I've heard regarding security. Security is hard work. You have to give it 100% all the time. There are no shortcuts. You will never be finished. To some that sounds depressing. Steve Adegbite said it was a challenge he and his team relished. I got the sense that almost everyone in the room agreed. I realised I was sitting in a room full of the cream of the crop in the Windows security world. It was fun hobnobbing with the cream of the crop. Thank you Microsoft.

Monday, February 2, 2009

Computer Performance - Perceived vs. Absolute

With the public beta of Windows 7 in full swing many people are talking about performance and comparing different versions of Windows. I see many posts in forums and on newsgroups exclaiming Windows 7 boots x seconds faster than Vista. They carefully measure how long XP, Vista, and Windows 7 take to boot or shutdown. Others measure how much RAM each OS uses when at idle. Some people run benchmark software comparing various OSes. There are web sites dedicated to performance with tips on which services and scheduled tasks can be disabled to improve performance.

Most users are more concerned with perceived performance rather than actual performance. If I click on something is there a pause before something happens? If that pause is longer than x (I don't know what x is but I suspect it's less than a second) the computer or application is perceived as slow. If it's faster than x then the computer or application is perceived as fast. There isn't really any in between. There is no perception of medium performance for most people. It's either acceptable or too slow. Most current operating systems take all this into account and are optimized to give a good user experience. Sometimes this perceived better performance comes at the expense of actual performance. The operating system is doing things in the background like indexing files, optimizing the file system, pre-caching disk sectors, and more. These background tasks may cause benchmarks to run slower. Some people jump on this and disable these background tasks then proudly post benchmarks proving how much faster their computer is. The problem is that disabling these background tasks quite often makes the computer less optimized for the user experience. Programs may actually run slightly faster but loading the program or loading/saving files from within the program take longer. Finding the email you sent to Joe Smith about next week's hockey game takes impossibly long as you have to manually open each email. Over time Windows slows down because the disk is fragmented.

When tuning or measuring computer performance you have to take many things into consideration. It's very similar to a car. Most of us don't want to drive a souped-up hotrod that's temperamental and needs constant attention. Most of us want a car that starts up when we turn the key. The heat or the air conditioning comes on quickly, not several miles down the road. We want power locks, windows and seats. We want comfort. It's the same with computers. There are enthusiasts who enjoy eking out every millisecond of performance and don't care about the comforts or ease of use. Unfortunately many people listen to their advice and think that if they apply the same tricks their computer will be faster. It will, but the catch-22 is that their day to day computing may actually seem slower.