I am an avid Sonos fan, I think the product is awesome, I am only at the beginning of my Sonos Collection.  Lets be honest in terms of HiFi equipment Sonos isn’t the most expensive out there but at the same time it is not the cheapest either. For this reasons the CR-200 has always been one of those items that would have been nice to have but not essential.

I understand with the introduction of remote app’s for tablets and mobiles why Sonos have taken the decision to remove the product from their portfolio but at the same time I can’t help but feel they have left us will a hole in the market.

I don’t mind controlling my couple of Play3’s with the mobile app’s, the wife however hates it, she often leaves the phone in another room or on another floor which means its not so easy to flick the radio on in the Kitchen. It is also not without its limitations, I have found both with the iphone and android devices in order to preserve power they often switch wifi off when in standby this means when you pull them out of your pocket to adjust the volume or switch a track sometimes you can have a 15-30second delay while the phone re-connects to the wireless before you can adjust your Sonos.

So enough was enough I needed a dedicated remote, only to find they are now pretty much out of stock in most places. So I had a couple of old devices floating about could I use one of these as a dedicated remote for Sonos.

My first thought was to use an old Android handset, with the later Sonos controller apps you can join the Android handset to Sonos.net and also the OS is more open leading to easier customization. After a bit of research I decided that at the moment I don’t have the time to embark on customising an image and uploading it to a rooted handset and all the testing involved in that, secondly (and the killer of the idea for me) was that you could not by a desktop charging stand for the particular spare handset I had and the generic ones were too big.

I also happened to have a Gen 3 ipod touch that doesn’t get much use as the battery life isn’t great and I stream music to my mobile. After a bit of research looking for a kiosk mode (I believe this is now an option in iOS6 but this isnt supported on my touch) I came across application profiling, this is designed by Apple to allow corporates to lock down Apple devices for security reasons. But it can also be used for my application, this profile when installed will lock the ipod / iphone / ipad to the first application that is opened after reboot by disabling the home button.

Installing the profile is simple, just open safari and browse to this URL : http://ipadhire.co.nz/res/lockdown.mobileconfig

You will then be prompted to install the profile.

After reboot open the Sonos controller and then thats it. Locking and unlocking the ipod will take you straight back to the Sonos app where you left it, because the Sonos app is always open there is no waiting about for wireless or connection to your devices, it is on and ready to go, and you can pick up a really cheap charging dock from amazon or ebay, before I installed the profile I also disabled the lock screen timer so the ipod never locks or turns the screen off unless you press the button the top, and because the App is always on and the ipod mainly in a charging dock the wireless doesnt turn itself off either.

Should you wish to remove the lock down this can be done with the following procedure.

  1. Reboot
  2. Open the settings app FIRST – don’t open anything else or you will need to reboot again
  3. Settings->General->Profiles->Home Button Lock remove it.
  4. Reboot

I know this doesn’t have all the functionality of the CR-200, it doesnt wake on pick up and there are no dedicated buttons to adjust the volume but seeing as you can pick up a touch pretty cheaply second hand on ebay you can make yourself a pretty good alternative for under £100 quid.

I am still looking in to the options for an android device, there are some kiosk apps that will lock a device down to one app, but I think tweaking to get other functionality like wake on g-sensor movement could be worth it. If I get anywhere I will let you know.

Advertisements

WDS is a great tool for deploying Operating systems to your desktops, but if you like secure passwords like me. Then having the right system locale on your boot and capture images is a must. So you know your special characters are going to be in the right place when you come to type those secure passwords.

In order to change these settings on the images you will need to have the DISM tool installed on your machine, this is part of the Windows Automated Installation Kit (WAIK) that can be downloaded from here.

Once you have the WAIK installed you can set the locale on your images with the following procedure.

  1. Create a mount directory e.g. c:mounted
  2. Mount your boot image: dism /mount-wim /wimfile:C:RemoteInstallBootx64Imagesboot.wim /index:1 /mountdir:c:mounted
  3. Set the System Locale to UK: dism /image:C:mounted /Set-SysLocale:en-GB
  4. Set the User Locale to UK: dism /image:C:mounted /Set-UserLocale:en-GB
  5. Set the Input Locale to UK: dism /image:C:mounted /Set-InputLocale:0809:00000809
  6. Set the Time Zone to GMT: dism /image:C:mounted /Set-TimeZone:"GMT Standard Time"
  7. Un-mount image and commit changes: dism /unmount-Wim /MountDir:c:mounted /Commit

Job Done 🙂

I recently came across this issue when trying to install a Standby server in a HA pair for Blackberry Enterprise Server (as part of a migration). After following KB22499 I got to step 9 to find that I could not log in to the Administration service.

It should be noted that at Step 7, where I was supposed to enter a new name for the Administration Service Pool, this option was greyed out, and the installation completed with the existing name. Unfortunaly the existing name was the FQDN of the Primary BES server, this would need to be changed.

After changing this in the Blackberry Server Confirugation Tool (Administration Service – High Availabiliy Tab) and restarting the BAS-AS and BAS-NCC services on the primary server the pool had a new name, (BESHA.domain.local). I then created a DNS record for this in my local DNS server and pointed this for the time being at the Primary Server IP.

Checking the BAS-AS logs on the new server showed me a java.net.BindException: Address already in use: JVM_Bind error.

After some troubleshooting and with the command netstat -ano | findstr ":443" this showed that a process with id of 4 was using the port. This is the Windows System process and through a considerable amount of googling I was unable to identify which roles was causing System to listen on port 443. IIS was not installed on the server.

I changed the port of the BAS to 663 using the Blackberry Server Confirugation Tool (Administration Service – High Availabiliy Tab) and restarted the BAS service on the Primary server. Still no Administration Service on the Standby server.

Checking the BAS-AS logs showed the following errors:

java.io.IOException: Error initializing server socket factory SSL context: null
[org.apache.coyote.http11.Http11Protocol] [ERROR] Error initializing endpoint
[org.apache.catalina.startup.Catalina] [ERROR] Catalina.start LifecycleException: Protocol handler initialization failed:

Checking the BAS-NCC logs showed the following errors:

[org.jboss.system.ServiceController] [WARN] Problem starting service jboss.security:service=JaasSecurityDomain,domain=SSLAdvanced
[org.jboss.system.server.Server] [ERROR] Root deployment has missing dependencies; continuing

After a lot of digging I found that these errors were related to the SSL certificate that the Administration Service is trying to use an incorrect certificate. Checking the Administration Guide this shows how to import a new certificate for the site, looking at Step 10, parts, 1-3 I noticed that if you change the certificate it needs to be copied to other servers in the BAS pool.

As the BAS was working on the primary server I did the following steps to fix the issue.

  1. On Standby server log in a BES Administrator account (Same account used by Blackberry Services)
  2. On Standby server stop the BAS-AS and BES-backup the <program files>Research In MotionBlackBerry Enterprise ServerBASbinweb.keystore file
  3. On standby server backup the following regkey: HKCUSoftwareResearch In MotionBlackberry Enterprise ServerAdministration ServicesKey Store
  4. On Primary Server log in as BES Administration account and copy the <program files>Research In MotionBlackBerry Enterprise ServerBASbinweb.keystore over the same file on the Standby server
  5. On Primary Server export: HKCUSoftwareResearch In MotionBlackberry Enterprise ServerAdministration ServicesKey Store, import in to Registry on the Standby server
  6. Start the BAS-NCC service and then BAS-AS service on the Standby server
  7. In DNS update the A record for your BAS pool address (BESHA.domain.local) to point to the IP address of your Standby server.
  8. On the standby server flush the dns (ipconfig /flushdns) and check to see if the Admin service is now working. Check netstat -ano | findstr ":663" look for process ID, then use task manager (processes tab) add PID column and check that the ID number for the process resolves to java.
  9. If you want BAS work in round robin on DNS, create a second A record pointing to the standby server instead of changing the address.

I recently provisioned some new servers at a client site, these were the first Windows 2008 R2 servers and because of this WSUS did not have any updates downloaded for them.

As I mistakenly forgot to install relevant Windows Updates before I joined the computers to the domain I then had trouble trying to update the servers because Windows stated that:

Windows Update cannot currently check for updates, because updates on this computer are currently controlled by your system administrator

In order to bypass this I temporarily disabled my Server WSUS group policy and this removed the registry settings specifying my update targets etc… (for more information on these registry settings and using GPO for configuring WSUS clients please see Microsoft KB328010)

However I was still unable to run manual updates, after some more rummaging I found the following key

HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoWindowsUpdate

When I set the above Dword to 0 I could then run manual updates on the server

Update – 24/07/2012
I came across this problem again the other day and did a bit more digging, the above reg key is controlled by the following setting in Group Policy

Disable and remove links to Windows Update
(User ConfigurationAdministrativeTemplatesStart Menu & Taskbar)

This information was found on Technet – Group Policy Registry Reference

Posted by: David | October 19, 2011

Backup Exec Best Practices for getting Reliable backups

Any Sys-Admin worth their salt should understand the importance of backups. Within the last 10 years of working in the industry I have come across a multitude of backup products some good some aweful however the one I have probably come across the most is Backup Exec.

Currently on Version 2010, Backup Exec is from my experience one of the most widely used products in the SMB sector. However its not without its nuances. I have put together this post to share my experiences of the product and what I deem to be the best way to configure your backups to ensure that your backups are reliable a easy to troubleshoot.

The most common mistake (in my mind) I see when it comes to the configuration of this product what I like to call “The One Job Fits All” approach. This is where when the application is installed someone has gleely clicked next all the way through the application installation and the configuration and then thrown all their selections in to the one job to have done with it. Now this approach will work so I am not saying it is wrong, but it will most likely to contradict Symantec’s Best practices.

So if it does work why change it, well reliability is my main reason from wandering away from the “The One Job Fits All” approach, and another is ease of troubleshooting. From experience I have found that where everything is backed up under one job, these fail more often and have a much lower reliability then when you split out your jobs and match up with Best Practice.

So how do I configure my jobs:

First off, if you have more than one server seperate them out in to their own jobs, they can all still run everynight but have a seperate job for each server, then should there be a problem with a server this doesnt make it look like you have lost a whole days worth of backup, but just backup for one job.

Second, seperate out your file jobs from your database jobs, if you read the Best Practices for AOFO and SQL you will see that Symantec’s reccomendations for these jobs are that they should not be configured under the same job. So if you have a server that has SQL or SQL Express that you wish to backup split these out in to seperate jobs. Have your file job with AOFO enabled and then move the SQL selections in to a seperate job with the SYSTEM State and maybe exchange.

Then there is Exchange, this should not be included in a file jobs where AOFO is enabled, especially if you are using the GRT option. If you configure a backup job with Exchange, GRT and AOFO its not going to work, and you will find that although Exchange is backed up you will not be able to restore individual mailboxes or emails. This is because the Snapshots taken for AOFO will stop the information store being backed up in “full” mode, this will in turn stop the GRT technology from allowing you to restore individual items.

So taking in to account all of the above I have put together a little scenario to show how this should work:

EGSRV01 – File / Print / DC
EGEXC01 – Exchange
EGSQL01 – SQL Server
EGAPP01 – Application Server with SQL Express

For the above scenario I would set up my backup jobs as follows:

EGSRV01: Job 1: File Job with AOFO enabled, Job 2: System State job (AOFO Disabled)
EGEXC01: Job 1: File Job with AOFO enabled (Making sure exchange database files have been excluded), Job 2: Exchange Server and System State (AOFO Disabled)
EGSQL01: Job 1: File Job with AOFO enabled (Making sure SQL database files have been excluded), Job 2: SQL Server and System State (AOFO Disabled)
EGAPP01: Job 1: File Job with AOFO enabled (Making sure SQL database files have been excluded), Job 2: SQL Server and System State (AOFO Disabled)

Scheduling of jobs:

When scheduling multiple jobs to run overnight you need to take care with the media overwrite settings, you should make sure the first job scheduled to run is set to overwrite media and then all other jobs are set to Append and terminate if no over-writeable media available. If you do not do this you will end up overwriting the other backups taken that night. If I have multiple jobs scheduled I set up the first job to run 10-15 minutes before the rest of the jobs which are all scheduled to then start at the same time. You also need to make sure the job end time for all subsequent jobs is set to the time of your entire backup window.

Additionally to this if you are using media overwrite protection on your media sets you should make sure that your append period is long enough to cover the backup window.

I was recently asked if it was possible to remove all printers from a Workstation that were networked via a script. I figured this would be a fairly simple thing to do.

There are a number of ways you can interface with Printers from VBS but in the end I found the most successful to be through WMI, the script below can be run remotely by putting a computer name in the value strcomputer = “.” line.

The script will enumerate all printers on a computer and then if the printer is marked a networked by the OS (i.e. Installed from a printer share \PRINTSERVERPrinter1) it will be removed. The script will also look at the port a printer is set up on, if is the port is a TCPIP port point to an IP address or a WSD port it will also remove these printers.

The Code:

' Title: Remove all Networked printers
' Last Updated: 28/06/2011
' Written By: David Gardner
' Version: 1.0
' Description: VBS Script to Delete all network printers
' This includes printers installed locally with a TCP/IP or WSD port
' tested on Windows XP and Windows 7

'Set to run on local machine
strComputer = "."

'Create WMI Object
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\" & strComputer & "rootcimv2")

'Get all printers installed on Computer
Set colInstalledPrinters = objWMIService.ExecQuery _
("Select * from Win32_Printer")

'Loop through printers and delete network ones
For Each objPrinter in colInstalledPrinters
if (objPrinter.network) or (checkfornetwork(objPrinter.PortName)) then
objPrinter.Delete_
end if
Next

'Function to check if printer is a network printer by looking at Printer port properties
function checkfornetwork(printerport)
splitport = split(printerport,".")
if (ubound(splitport) = 3) then
if (splitport(0)*1 < 255) and (splitport(1)*1< 255 ) and (splitport(2)*1 < 255 ) and (splitport(3)*1 < 255) then
checkfornetwork = TRUE
end if
elseif (ucase(left(printerport,3)) = "WSD") then
checkfornetwork = TRUE
else
checkfornetwork = FALSE
end if
end function

I Recently installed Acrobat Professional on some Citrix servers the other day, after completing the installation I found that the installation had reset the default PDF Viewer for all users to Acrobat Professional.

As this application was restricted to specific users this caused a few problems, after some searching on the Net I could only find how to set file associations via group policy on Windows 2008 servers. In this particular environment the Citrix servers were running Windows 2003.

So in order to default the application back to Acrobat Reader for all users I created a REG file with the following content:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.pdf]
"Application"="AcroRD32.exe"

I then copied the reg file up to a replicated folder (SYSVOL or NETLOGON) and set up a GPO to run REGEDIT with paramaters /S \NETLOGON{NAMEOFREGFILE}.REG and made sure that my lockdown group policy for the Citrix server allowed regedit to run silently.

Then when each user logs in Acrobat reader gets set as the default application for PDF’s.

If you are looking at setting other applications as defaults for a particular extension this can also be done through these REG keys. When changes are made by the administrator account for File extensions this will only affect users who do not have a roaming profile and have not logged in to that particular Server or Workstation before. Invidual user preferences on applications are stored in the HKEY_CURRENT_USER hive which in turns gets written back to the NTUSER.dat file in their profile.

If you wish to change defaults for all users you will need to use a script or reg file to change the appropriate file extension under the following key:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerFileExt

There is then a corrosponding key for each recognised extension, to set the default application for that extension simply create a String Value (REG_SZ) called Application and set the Value to the name of the program executable used to open the file, e.g. AcroRD32.exe for Adobe acrobat reader.

For Windows 2008 R2 environments this is much simple to do and can be done through File Associations in Group Policy (See Microsoft Technet fore more information).

I had to migrate a network away from Symantec AV today and over to Trend.

After a couple of test installs I found that Trend wasn’t at all reliable at removing SEP before installing Trend, so with lots of PC’s to migrate I took to the vbs. This script will search the Registry for the Symantec Product GUID and then invoke the MSI uninstallation.

The return code for the uninstallation is also logged, allowing you to keep track of results.

Once the uninstallation is complete the Trend installer is invoked to install the Trend MSI (this was created from the Trend Console, but I also tested this using the Autopcc method but this proved less reliable on the Windows XP machines)

If the script does not detect Symantec is installed it will install the Trend client if it is not already installed, so you can leave this running on your network to ensure all machines are covered by AV.

I set the script up as a Computer Start Up script as this is invoked with the local SYSTEM account and has permissions to install / remove software.

The Code:

' Title: Script to Migrate from SEP to Trend
' Last Updated: 12/06/2011
' Written By: David Gardner
' Version: 1.0
' Description: VBS to Uninstall Symantec Endpoint Protection and install Trend

'Set Constants for Various HKEY
Const HKCU = &H80000001
Const HKLM = &H80000002

'Obtain Computer Name for Logging
Set wshShell = WScript.CreateObject( "WScript.Shell" )
strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )

'Set Debugging Level
DEBUG_LEVEL = 3 ' set to -1 to disable debugging messages
DEBUG_FILE = "\avsrv01trendinstlog" & strComputerName & ".log"

sep = "Symantec Endpoint Protection"
trend = "Trend Micro Worry-Free Business Security Agent"
x64inst = "\dcsrv01netlogontrendtrend64bit.msi"
x86inst = "\dcsrv01netlogontrendtrend32bit.msi"

softwarekey = checkforsoftware(sep)
If softwarekey FALSE then
DEBUG 2,"Running MSI uninstall of SEP"
Set WshShell = WScript.CreateObject("WScript.Shell")
OsType = WshShell.RegRead("HKLMSYSTEMCurrentControlSet" _
& "ControlSession ManagerEnvironmentPROCESSOR_ARCHITECTURE")
DEBUG 2,"OS Type =" & OsType
removalstring ="c:windowssystem32msiexec.exe /x" _
& softwarekey & " /quiet /norestart"
DEBUG 2,"Uninstall command: " & removalstring
intReturn = WshShell.Run(removalstring, 8, TRUE)
DEBUG 2,"SEP Removal Complete, Return code: " & intreturn
DEBUG 2,"Installing Trend Client"
Set WshShell = WScript.CreateObject("WScript.Shell")
if OsType = "x86" then
DEBUG 2,"Running installation for 32-Bit Architecture"
trendinststring="c:windowssystem32msiexec.exe /i" _
& x86inst & " /quiet /norestart"
else
DEBUG 2,"Running installation for 64-Bit Architecture"
trendinststring="c:windowssystem32msiexec.exe /i" _
& x64inst & " /quiet /norestart"
end if
intReturn = WshShell.Run(trendinststring, 8, TRUE)
DEBUG 2,"Trend Installation Complete, Return code: " & intreturn
else
DEBUG 2,"Symantec Endpoint Protection Not Installed"
DEBUG 2,"Checking for Trend"
softwarekey = checkforsoftware(trend)
DEBUG 2,"Trend Check Key: " & softwarekey
If softwarekey = "False" then
Set WshShell = WScript.CreateObject("WScript.Shell")
OsType = WshShell.RegRead("HKLMSYSTEMCurrentControlSet" _
& "ControlSession ManagerEnvironmentPROCESSOR_ARCHITECTURE")
DEBUG 2,"OS Type =" & OsType
DEBUG 2,"Installing Trend Client"
if OsType = "x86" then
DEBUG 2,"Running installation for 32-Bit Architecture"
trendinststring="c:windowssystem32msiexec.exe /i" _
& x86inst & " /quiet /norestart"
else
DEBUG 2,"Running installation for 64-Bit Architecture"
trendinststring="c:windowssystem32msiexec.exe /i" _
& x64inst & " /quiet /norestart"
end if
intReturn = WshShell.Run(trendinststring, 8, TRUE)
DEBUG 2,"Trend Installation Complete, Return code: " & intreturn
else
DEBUG 2,"Trend Installed"
end if
end if

function DEBUG(intMessageLevel, strMessage)
if (DEBUG_LEVEL >= intMessageLevel) then
select case intMessageLevel
case -1 strSeverity = "CRITICAL"
case 0 strSeverity = "ERROR"
case 1 strSeverity = "WARN"
case 2 strSeverity = "INFO"
case 3 strSeverity = "DEBUG"
end select
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objlogfile = objFSO.OpenTextFile(DEBUG_FILE, 8, True)
objlogfile.WriteLine(now() & " - " & strSeverity & ": " & strMessage)
objlogfile.Close
SET objFSO = NOTHING
SET logfile = NOTHING
end if
end function

function checkforsoftware(software)
'Create object to open regisrty on local computer
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\" _
& ".rootdefault:StdRegProv")

'Set location and Software name to look for
strKeyPath = "SOFTWAREMicrosoftWindowsCurrentVersionUninstall"

'Enumerate all subkeys of strkeypath
DEBUG 2,"Enumerating Software from Registry"
objReg.EnumKey HKLM, strKeyPath, arrInstalledSoftware

'Search to See if Endpoint Protection is installed
For Each subkey In arrInstalledSoftware
strFullPath = strKeyPath & "" & subkey
objReg.GetStringValue HKLM,strFullPath,"DisplayName",strSoftName
If Not IsNull(strSoftName) Then
if instr(ucase(strSoftname),ucase(software)) > 0 then
DEBUG 2,"Found: " & strSoftName
DEBUG 2,"MSI: " & subkey
sepmsi = subkey
checkforsoftware = subkey
foundsoft = 1
end if
end if
If foundsoft 1 then
checkforsoftware = FALSE
end if
Next
end function

I came across and issue today with SP1 for Windows 7 taking forever to install.

Installation was running but progress bar stopped at about 50% for about 1h30mins (probably longer if I hadn’t got impatient). I checked taskmanager and the trusted installed was running and using CPU about 7%.

I had this running on two laptops and both were exhibiting the same symptions, after some fustration I disabled SEP by right clicking the icon and choosing disable and then the flood gates were opened and both laptops whipped through the rest of the installation.

Posted by: David | May 13, 2011

VBS Script to disable Outlook Anywhere

So today I came across a requirement to disable Outlook Anywhere on all desktop computers.

From what I could find there isn’t an option to does this in the office adm templates and Microsoft did publish a hotfix (KB961112) adm to allow the setting of RPC details, when specifying ‘no flags’ this does not seem to disable the check box for use Microsoft Exchange HTTP proxy.

Further research led me to discovering the aforementioned check box is controlled by a binary registry value in the HKEY_CURRENT_USER hive. If the value is present, the box is checked. So here is a little script to search for the value under each Outlook profile and delete it if present.

' Title: Disable RPC over HTTP
' Last Updated: 12/05/2011
' Written By: David Gardner
' Version: 1.0
' Description: VBS Script to Disable the check box for
' Connect to Microsoft Exchange using HTTP,
' tested on Outlookt 2007

'Set Constant for HKEY_CURRENT_USER
Const HKCU = &H80000001

'Create object to open regisrty on local computer
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!" _
& "\.rootdefault:StdRegProv")

'Set location and Binary Value when present enables checkbox
'in Outlook for "Connect to Microsoft Exchange using HTTP"
RPCBinaryValueName = "00036623"
strKeyPath = "SoftwareMicrosoftWindows NTCurrentVersion" _
& "Windows Messaging SubsystemProles"

'Enumerate all subkeys of strkeypath
objReg.EnumKey HKCU, strKeyPath, arrOutlookProfiles

'Disable RPC/HTTP for each Outlook profile
On Error Resume Next
For Each subkey In arrOutlookProfiles
On Error Resume next
strFullPath = strKeyPath & "" & subkey _
& "13dbb0c8aa05101a9bb000aa002fc45a"
Err.clear
objReg.GetBinaryValue HKCU,strFullPath,RPCBinaryValueName,arrValue1
arraysize = ubound(arrValue1)
if Err.Number 0 then
Wscript.quit 'If error code then RPC Value not present quite script
else
'disable RCP/HTTP
objReg.DeleteValue HKCU,strFullPath,RPCBinaryValueName
end if
Next

Then I create a GPO and linked it to my Desktops OU enabled loopback processing and set the script as user log on script. Now none of my desktop users are configured for Outlook anywhere.

Older Posts »

Categories