Tuesday, December 11, 2012

FileVault 2 on OS X

Yesterday, I finally got around to enabling FileVault 2 on my MacBook Air. I don't have any top-secret information on it, but if it were ever lost or stolen, I now have the peace of mind that comes with whole disk encryption.

Enabling FileVault is pretty straightforward: you just open System Preferences, click on the Security & Privacy pane, and turn it on under the FileVault tab. It took about 1 hour to encrypt my 2011 MacBook Air with a 128GB SSD and didn't require me to be plugged in.

Tuesday, November 27, 2012

Why you shouldn't use .local in your Active Directory domain name.

This post was updated on 14 November 2013

There are an awful lot of .local, .corp, and .lan Active Directory domains out there for many reasons. Sometimes there is no easy way to change this due to things like Exchange, custom apps that integrate tightly with AD, or just the massive amount of testing that a domain rename requires. I can understand if you walk into a situation like this that you did not create, but please don't ever do this on a new domain.

The correct way to name an Active Directory domain is to use a subdomain of a parent domain that you have registered and control, delegated to your internal DNS servers. As an example, if I ever started a consulting business and used the Internet-facing website mdmarra.com as my company's site, I should name my Active Directory domain ad.mdmarra.com or internal.mdmarra.com, or something similar. You want to avoid making up a TLD like .local for a couple of reasons. You don't control it, so nothing stops it from being delegated as a real TLD someday (applications for .corp and .home have already been filed under ICANN's new gTLD program), and .local in particular is reserved for multicast DNS (RFC 6762), so Macs running Bonjour and Linux boxes running Avahi will try to resolve your domain over multicast instead of asking your DNS servers. You also want to avoid the headache of using mdmarra.com for both the Internet-facing zone and the internal zone: that's split-brain DNS, and every public record (www, mail, and so on) has to be duplicated by hand in the internal zone or nobody inside can reach it.

Thursday, November 8, 2012

Comparing installed hotfixes on Windows Server using PowerShell


I recently had to track down a configuration issue between our production and dev environments. One of the first things that I looked at was installed hotfixes. Since we have a lot of dev machines that are supposed to mirror production, I decided to whip up a little PowerShell script to compare the installed hotfixes of the two servers.
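Here is an added example of that comparison (written for this page, not the script from the original post). It pulls the hotfix list from each server with Get-HotFix and reports only the IDs that are missing on one side. The server names are placeholders; both need WMI/DCOM reachable from the machine running the script.

```powershell
# Added example, not the post's original script.
# Compares installed hotfixes on two Windows servers and lists the differences.
function Compare-InstalledHotfix {
    param(
        [Parameter(Mandatory)][string]$ReferenceComputer,   # the "known good" box, e.g. production
        [Parameter(Mandatory)][string]$DifferenceComputer   # the box that should mirror it, e.g. dev
    )

    # Get-HotFix wraps Win32_QuickFixEngineering over WMI. It lists Windows
    # hotfixes/MSU updates only, not MSI-based application patches (Office, SQL).
    # -ErrorAction Stop makes an unreachable host fail loudly instead of
    # returning an empty list that would look like "no hotfixes installed".
    $ref  = Get-HotFix -ComputerName $ReferenceComputer  -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID | Sort-Object -Unique
    $diff = Get-HotFix -ComputerName $DifferenceComputer -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID | Sort-Object -Unique

    # Compare-Object emits only the differences. SideIndicator '<=' means the
    # ID exists only in the reference list, '=>' only in the difference list.
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff |
        ForEach-Object {
            [pscustomobject]@{
                HotFixID = $_.InputObject
                OnlyOn   = if ($_.SideIndicator -eq '<=') { $ReferenceComputer } else { $DifferenceComputer }
            }
        } | Sort-Object HotFixID
}

# Placeholder host names; substitute your own.
Compare-InstalledHotfix -ReferenceComputer 'prod-app01' -DifferenceComputer 'dev-app01' |
    Format-Table -AutoSize
```

An empty result means the two QFE lists match, not that the servers are identical: updates delivered as MSI (Office, SQL Server, .NET out-of-band packages) don't show up in Win32_QuickFixEngineering, so treat this as a first pass rather than a full patch audit.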

Monday, September 17, 2012

Don't give up on your poor cabling jobs

One thing that I neglected to ask during my interview at $newJob was for a tour of their datacenter. I had asked a ton of questions about procedure, team structure, political divisions, etc., and everything sounded great. I figured they really had their ducks in a row, the datacenter must be tip-top too, and let it slide. If I had taken a tour I probably would have declined the offer, but I'm glad that I didn't! This is a picture of the core switch (a Catalyst 6513) and the patch panels for our servers and 4th floor data drops:


That picture was taken in July. Since then, I've been part of a project that's migrated the core to a Nexus 7k and moved all of the workstation data lines to a separate stack of Catalyst 3750Gs with a Catalyst 3560 24-PoE powering access points and phones that don't have power available.

It was a very frustrating project for me to work on, because I felt like I was cleaning up a mess that I didn't make. My flex hours had turned into being up at 5am to catch the early train. I was hired to be an AD and vSphere specialist, and here I am running cable, coordinating switch cutovers and that sort of thing. It actually turned out to be one of the more rewarding things I've ever done, because of how thrilled my coworkers are with how it turned out.

Sunday, September 16, 2012

When vendors start making up terminology

I recently had to call Dell, because we had one drive fail and then three others go into "predictive failure" mode during the rebuild on a PowerVault MD1000. The 14 disks were in RAID 5 with two hot spares (this predates me; put your nooses and torches away. The box now runs RAID 6 with one hot spare).

While Dell was doing their normal routine diagnostics before shipping out 4 disks to me, they informed me that my array had a "punctured stripe." Punctured stripe? What the heck is that, I asked? They proceeded to explain how RAID 5 works with striping and parity, which I already knew. Then they said that in large volumes sometimes during a rebuild the stripe punctures because of inconsistent parity data and the whole volume needs to be completely re-initialized and restored from backup. "Oh, so you mean it's a URE?" "A what?" "An unrecoverable read error during the rebuild." "Um, I guess?"

The Dell storage "engineer" had never heard of a URE, which is an industry standard term! Upon further googling, it seems that Dell support is really the only company that uses this term. I had to make two follow-up calls and got two different engineers, and every single one said "punctured stripe." If there is an industry standard term for something, please don't try to coin a new phrase! It confuses your customers and makes us think that your storage engineers are clueless, because they don't know the standard terms.

Thursday, June 28, 2012

What is Active Directory? How does it work?

Do you have a shaky grasp on the AD fundamentals? Are you unsure of what is meant by "operations masters?" Are you not sure if you should use .local or not in your internal AD FQDN?

Boy, do I have a treat for you! I just wrote a pretty long Q&A on ServerFault about these very things. You should hop on over and take a read!

Check it out here!

Also, if you're not a member of ServerFault, you should be! Sign up, suckers.

Sunday, June 17, 2012

Things are different

Welp, it's been two weeks, so I think it's time to make it official on the Internet. I no longer work in higher education. I've moved on to a great opportunity at a non-profit. I'm still in Philadelphia and I still have ties to education, but I'm not working at a university anymore.

It was a great experience, and maybe I'll be back in the higher-ed game one day, but for now I'm moving on! I still hope to write posts that are relevant to everyone, so stay tuned!

Saturday, May 19, 2012

Automating the deletion of orphaned users' network folders with PowerShell

We have a process that deletes the network folders of a user as they leave the university, whether it's a student graduating or transferring or an employee leaving or being terminated. Generally speaking, this process is pretty well tuned, but occasionally hiccups do happen and sometimes folders are left behind for users that don't exist anymore. I wrote a little PowerShell script to handle that. It needs to be run as a user that has access to remove these folders as well as one that can read AD user objects (any domain user by default).




My users' home folders are laid out in \\server\share\first_letter\username. My folder would be at \\server\share\m\marra, for example. If yours is different, you'll have to tweak the line that starts with $directories. It relies on the folders having the exact same name as the user's username, which is really quite common. It also makes use of -exclude, because there are a few directories on the top level that are for shared folders that I needed excluded for obvious reasons. If your share only contains the users' folders, then you can drop the -exclude switch.


Also, as with any script that uses rm, del, or Remove-Item, COMMENT IT OUT FIRST! Run it once with the output going to the console only. Dry runs are always important when you're running any script that you find on the Internet!
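The following is an added example of the approach described above; it is not the script from the original post. It assumes the \\server\share\first_letter\username layout, a single AD domain, and placeholder names for the server, share and excluded top-level folders. It ships with -WhatIf on, so the first run is the dry run the post insists on.

```powershell
# Added example, not the post's original script.
# Finds home folders under \\server\share\<letter>\<username> whose name does
# not match any AD user and removes them. Server/share/excluded names are placeholders.
Import-Module ActiveDirectory

$Root     = '\\server\share'
$Excluded = @('shared', 'departments')   # top-level folders that are not letter buckets

# Pull every sAMAccountName once into a case-insensitive set: one AD query
# instead of one Get-ADUser call per folder.
$users = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
Get-ADUser -Filter * | ForEach-Object { [void]$users.Add($_.SamAccountName) }

# If the AD query returned nothing (no DC reachable, wrong credentials), every
# folder would look orphaned. Refuse to continue rather than delete them all.
if ($users.Count -eq 0) {
    throw 'Active Directory returned no users; refusing to treat every folder as orphaned.'
}

# -Exclude filters the leaf names matched by the wildcard, hence "$Root\*".
# First level: letter buckets (minus the excluded shares); second level: user folders.
$directories = Get-ChildItem -Path "$Root\*" -Directory -Exclude $Excluded |
    Get-ChildItem -Directory

# Disabled accounts still exist in AD, so their folders are left alone;
# only folders with no matching user object at all are flagged.
$orphans = $directories | Where-Object { -not $users.Contains($_.Name) }

# Dry run: -WhatIf prints what would be removed and removes nothing.
# Drop the -WhatIf switch only after reviewing that list.
foreach ($folder in $orphans) {
    Remove-Item -LiteralPath $folder.FullName -Recurse -Force -WhatIf
}
```

-LiteralPath is used instead of -Path so that a username containing brackets or other wildcard characters is not expanded into something else before it is deleted.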

Thursday, May 10, 2012

Deleting very long file paths on NTFS volumes

It's the end of the spring semester here, and that means that it's time to clean up the year's mess. Typically, this means disabling AD accounts for graduates, removing their network shares, etc. We have a monolithic home-grown VB program for this (gross, I know), but occasionally some oddities slip through the cracks.

One such oddity was the network folder of one of the computer science students. The path on the server looked like this:

E:\users\u\username\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\csc290\assignment8\

except that it went on FOREVER. There were no files in place, and there were no hard links or junctions in play. There were just a ton of folders of the same name nested inside of each other. I literally have no idea how the student was able to do this, but it happened.

I tried navigating deep using \\?\E:\users\u\username\ blah blah blah, but even using that syntax, I couldn't delete it. After about an hour of trying to use subst (over and over), to shorten the path and trying to find a command-line delete tool that works with long file paths, I finally decided to give robocopy a try.

I ended up using the /mir switch to mirror an empty folder into the screwed-up one. /mir is shorthand for /e /purge: copy every subdirectory, including empty ones, and delete anything in the destination that does not exist in the source. Since the source is empty, that means "delete everything under the destination," and robocopy does it with Unicode path handling that isn't bound by the 260-character MAX_PATH limit that trips up Explorer and del. The command looked like this:

robocopy c:\empty e:\users\u\username\csc290 /mir

Double-check the destination argument before you run this; pointed at the wrong directory, it will empty that directory just as happily. Adding /L makes robocopy list what it would do without touching anything, which is a cheap way to confirm the target first.

This took a little while to run, but eventually the top csc290 directory was emptied and I was able to delete the user's folder without a problem.

Friday, February 24, 2012

Bomgar: keeping your helpdesk staff at their desks

We had a staffing problem a while ago (who hasn't?), and the perception was that we were short on helpdesk technicians. We didn't have the dollars to spend on new hires, so we looked at streamlining operations. Our helpdesk techs were running around all day trying to keep up with the demand and it just wasn't working, so we started looking at remote support solutions and ended up with Bomgar.