
Blog moved to new home http://www.mikepoulson.com

Well I am back at Microsoft.  :) 

 I will start posting new things but it will be at http://www.mikepoulson.com not here (blogs.msdn.com) unless I think it is super cool.

 Mike

Posted by mpoulson | 1 Comments

Managing Microsoft IIS, Active Directory and DNS from .net

Today I am posting sample code on how to manage IIS 6 and Active Directory using ADSI in VB.NET, and on managing DNS (creating zones, records and enumeration) using WMI in VB.NET.

There are four separate projects. 

This code is posted as-is!  It is to be used as a sample on how to do the work.  It is not intended to be used in production!

 http://www.mikepoulson.com/code/web.zip - ADSI management of IIS 6 Sites and AppPools

http://www.mikepoulson.com/code/DNS.zip - WMI management of Microsoft DNS Zones and Records

http://www.mikepoulson.com/code/ActiveDirectory.zip - ADSI management of Active Directory contacts, Groups, Users, Recipient Policies, Accepted Domains objects (Exchange 2007)

http://www.mikepoulson.com/code/IISSiteID.zip - C# code on generating IIS SiteID

 

Posted by mpoulson | 0 Comments

My last post

Today is my last day at Microsoft.  In an attempt to save time by not crossing the 520 bridge I am taking a job at a company in Seattle.

 I will continue to post future items at http://www.exmsftblog.com/blogs/mpoulson

 

Posted by mpoulson | 1 Comments

Media Center 2005 and the DirecTV D11 Set-top-Box (getting IR to work) v2

I have had lots of people ping me for additional help on my original post at http://blogs.msdn.com/mpoulson/archive/2006/03/09/548255.aspx.

So here are some updates. 

The path that has the STBCode key will not be the same for everyone.  MCE generates a random GUID for your tuner. For my tuner the path to the key is under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Video\Tuners\{A799A800-A46D-11D0-A18C-00A02401DCD4}\{6DD37A97-7981-4CEC-ACDE-A5F1624E5714}\UserSettings

You will have a different location under the Video Tuners location.

If you have two tuners that you want to setup for two D11s then follow the MCE steps below for each one before you go into the registry.

The steps to get this to work (most of the time)

  1. Use the 10' UI to setup your tuner source. 
  2. When it fails to find your remote it will ask if you want to teach it the IR commands (say YES)
  3. When you are teaching MCE you need to make sure you cover the front or unplug your D11 SetTop Box. 
  4. MCE will have you teach each button twice (more if it does not get a good read)
  5. Once it is done learning MCE will have you enter a channel to see if it changes correctly (SAY YES, even if it does not)
  6. Once that is done it will try to adjust the speed of the blast.  Say it changed correctly on the first screen.

Once you are done with those steps now we have to customize the regkey.

  1. Close MCE
  2. Open regedit.exe
  3. Go to the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Video\Tuners\
  4. Look for the first one that has UserSettings subkey (if you have a dual tuner card or more than one tuner) you will have to make the changes in two locations.
  5. Modify the UserSettings string value. The value below is directly from my value.
  6. Stop and restart the key eHome services ehrecvr and ehsched
    1. net stop ehrecvr && net stop ehsched
    2. net start ehrecvr && net start ehsched
  7. Then make sure things work.  If not send me some mail

<stb> <codeseturl>\user\S_learn1</codeseturl> <keyinterval>700</keyinterval> <keyduration>400</keyduration> <channelpause>400</channelpause> <useenter>False</useenter> <numdigits>4</numdigits> <target>\\?\usb#vid_045e&amp;pid_006d#ms0rw6eh#{7951772d-cd50-49b7-b103-2baac494fc57}\*</target> </stb>

Things to note: the <target> element tells MCE which IR blaster to send the codes from.  At the end of the string "\\?\usb#vid_045e&amp;pid_006d#ms0rw6eh#{7951772d-cd50-49b7-b103-2baac494fc57}\*" there is a *.  That tells MCE to send the blast out of both IR blasters.  If you have more than one STB, replace the * with \irport1 or \irport2.

The <codeseturl> element tells MCE where the IR codes are stored inside the file under C:\Documents and Settings\All Users\Application Data\Microsoft\eHome. I have attached user.zip to this post.  It contains the two .ird files from my C:\Documents and Settings\All Users\Application Data\Microsoft\eHome directory.

From my past post

  • KeyInterval = 700 (default 200) : How long to wait between button press (CAN NOT BE MORE THAN 1000)
  • KeyDuration = 400 (default xxx) : How long to blast the button
  • ChannelPause = 400 (default yyy) : How long to wait between a Channel Up or Down
  • NumDigits = 4 (default 3)

    I hope this helps a little more.

    Posted by mpoulson | 2 Comments

    Attachment(s): user.zip

    RedvsBlue Season 4 DVDs arrived

    Today out of the blue I got a DHL box delivered to me that contained a few copies of redvsblue Season 4 (http://www.redvsblue.com).  My team does some work for the redvsblue people so it was quite nice to get free copies of the shows. 

    For those of you who do not know what Red vs Blue is please go to their site at http://www.redvsblue.com and download some videos. 

     

    Posted by mpoulson | 0 Comments

    ISP Scenario hosting team is Hiring a Full time Operations Administrator

    Shoot me mail mpoulson at microsoft dot com with your resume.

     

    Full job description:

    Do you want to be part of a team that helps deliver on the hosting story for Microsoft?  We interact with product teams, hosting evangelists, marketing and customers to provide internal hosting services.  Driving feedback into Microsoft products like IIS, ASP.NET, SharePoint, SQL and more.  If you want to be part of a well-integrated, diverse, and highly collaborative team that values hard work, respect, and strong motivation… we want you!  As an operations administrator, you will be responsible for managing the IIS and SharePoint servers as well as working with product teams when you encounter bugs.

     

    Core responsibilities would include managing IIS, ASP.NET, SharePoint web servers and assisting network engineer with daily tasks.  Additional duties include assisting in writing internal automation of management tasks.  Qualifications include a strong understanding of IIS6, a strong understanding of TCP/IP networks, and programming skills in C# or VB.NET.  Excellent communication skills, ability to work well with other teams and strong problem solving skills are required. 

     

    Position Responsibilities

    • Maintain the existing web servers with 2,000+ web sites each
    • Troubleshoot server side issues with IIS and ASP.NET
    • Create deployment plans and implement pre-released products into production
    • Assist in maintaining network infrastructure and security
    • Report bugs and work with product teams to resolve critical issues
    • Assist planning, upgrading and installing new hardware

     

    Qualifications

    • Ability to be highly self-directed and also work closely within a team
    • Must understand IIS management and ASP.NET server configuration (including trust levels)
    • Must have experience with Cisco devices
    • Must have experience with network technologies including IPv4, VLANs, EtherChannel
    • Working knowledge of Active Directory and DNS
    • Experience in programming using VBScript, C# or VB.NET a plus
    • Experience with the following technologies is a plus: IPv6, enterprise class firewalls, intrusion detection systems, debuggers

     

    Posted by mpoulson | 1 Comments

    For the love of god Encrypt your hard drive!

    How much more personal information must be stolen or misplaced by companies before people learn to encrypt their data (http://www.msnbc.msn.com/id/12916803/)?  It is NOT hard to do.

    Windows offers you EFS (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx) and the new BitLocker in Windows Vista (http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx).

     

    I was very shocked to see that companies like law firms do not encrypt their data on laptops.  Law firms that used to carry the notes and documents of all their clients on that one computer. 

     

    EFS is a checkbox!  Check it on the folder and away you go.  **You should backup your encryption key just in case your hard drive dies**

     

    PGP whole disk encryption is a great way to keep your entire hard disk secure.  It allows you to have a physical fob that must be plugged into the USB port on boot and a pass phrase entered before the disk will even boot Windows.  This is a FULL encrypt of the partition and all its data.  http://www.pgp.com/products/wholediskencryption/index.html

     

    If you don't want to spend the money on PGP disk you can also use http://www.truecrypt.org/.

     

    If you do anything with personal information (even your own) please please please encrypt it!

    Posted by mpoulson | 1 Comments

    How to hard reset a Tornado based Smart Phone (Cingular 2125 or TMobile SDA)

    These are the steps to do a hard reset of your HTC Tornado/Faraday based Smartphone.  When you do this, all custom data on the phone will be removed and the default setup will be put in place.

    You have 2 options for doing this.  The first way requires you to be able to boot the phone and get to the start menu.  The second is for when you cannot do this (i.e. forgot PIN or will not boot all the way).

    First way:

    Start -> Accessories -> Clear Storage

    Second way:

    1. Remove Battery
    2. Replace battery
    3. Hold down right and left soft keys
    4. Press Power button for ~1.45 seconds then release Power button only
    5. Confirm prompt to reset

     

    Posted by mpoulson | 0 Comments

    How to speed up those Queries to MicrosoftDNS with WMI

    The key thing to remember when creating your WMI queries is to make them as specific as you can.

    For example if you have ~5000 zones on your Microsoft DNS server and you are looking to see if a single record exists in one of those zones the wrong query could take 1 min+ to complete.

    Why?

    If you do a query like Select * from MicrosoftDNS_AType where ownername="www.mydomain.com" it is going to take a while.  Because you did not specify where to look for this record it is going to look in the RootHints and in the DNS Cache also.  So if you have a public DNS server that does recursive lookups it could have a few hundred thousand extra records.

    So a better query would be Select TextRepresentation from MicrosoftDNS_AType where containername="mydomainname" and domainname="mydomain.com" and ownername="www.mydomain.com"

    You can use a vbscript like the one below to test your queries.  This will show you the correct domainname and other settings to use in your query.  You can remove the where clause to show all the data on the server.

    The containername will be the name of the zone that holds the records that you want to query for (e.g. mydomain.com).  If you leave the containername empty it will also search through the DNS cache. 

    The domainname specifies the child folder (don’t know how else to describe it).  So if you have www.user.mydomain.com the domainname is user.mydomain.com

    Now the domainname will change depending on if there are sub domains to the subdomain (ie www from example above).  So if www does not exist then the domainname is mydomain.com.  And of course there are exceptions to this rule.  If there ever was a child to the sub (you deleted www but left user.mydomain.com) then the domainname is user.mydomain.com.  If you don’t want to attempt to do the logic around making sure you have the correct domainname you can omit it.  But if you have a large number of records it could make it slow. 

    Like SQL the order of the statements in the query is also important.

    If you know the full record info (hostname, TYPE, data) it is fastest to generate the text representation and query on that.  You can do that by changing your query to something like:

    Select * from MicrosoftDNS_AType where containername="test.com" and domainname="test.com" and TextRepresentation="test.com IN A 192.168.0.1"

    <code>

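    ' Test a WMI query against the MicrosoftDNS provider and print each match.
    servername = "."          ' "." is the local machine
    domainname = "test.com"   ' zone name, used as ContainerName
    recordtype = "A"          ' selects the class MicrosoftDNS_<recordtype>Type

    Set dnsserver = GetObject("winmgmts:{AuthenticationLevel=pktPrivacy}!\\" & servername & "\root\MicrosoftDNS")

    query = "Select * from MicrosoftDNS_" & recordtype & "Type where containername=""" & domainname & """"
    WScript.Echo "Query=" & query

    ' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly. A forward-only
    ' result set cannot report Count, so enumerate it directly instead of
    ' testing colItems.Count first.
    Set colItems = dnsserver.ExecQuery(query, , 48)

    For Each objItem In colItems
        WScript.Echo "ContainerName: " & objItem.ContainerName
        WScript.Echo "DnsServerName: " & objItem.DnsServerName
        WScript.Echo "DomainName: " & objItem.DomainName
        WScript.Echo "OwnerName: " & objItem.OwnerName
        ' PrimaryName is not defined on every record class, so tolerate a
        ' missing property on this line only rather than hiding all errors.
        On Error Resume Next
        WScript.Echo "PrimaryName: " & objItem.PrimaryName
        On Error GoTo 0
        WScript.Echo "RecordClass: " & objItem.RecordClass
        WScript.Echo "RecordData: " & objItem.RecordData
        WScript.Echo "TextRepresentation: " & objItem.TextRepresentation
        WScript.Echo "Timestamp: " & objItem.Timestamp
        WScript.Echo "TTL: " & objItem.TTL
    Next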

    </code>
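
The narrowing rules from this post turned into a query builder, as an added example that is not part of the original post. The helper names (WqlEscape, IsAllowedType, BuildRecordQuery), the allow-list of record types and the sample names are assumptions; values are escaped because the query is built by string concatenation.

```vbscript
' Added example, not from the original post. WqlEscape, IsAllowedType and
' BuildRecordQuery are hypothetical helper names.
Option Explicit

' Escape a value for a double-quoted WQL string literal. WQL uses backslash
' escapes, so double the backslash first and then escape the quote.
Function WqlEscape(value)
    WqlEscape = Replace(Replace(value, "\", "\\"), """", "\""")
End Function

' The record type becomes part of the class name, where escaping does not
' apply, so accept only names from a fixed list (assumed list; extend it).
Function IsAllowedType(recordType)
    Dim t
    IsAllowedType = False
    For Each t In Array("A", "AAAA", "CNAME", "MX", "NS", "PTR", "SRV", "TXT")
        If UCase(recordType) = t Then IsAllowedType = True
    Next
End Function

' zone       -> ContainerName, keeps the search out of the cache and root hints
' ownerName  -> fully qualified record name
' recordData -> optional; when known, match on TextRepresentation instead
'               (text format as the post shows it for A records)
' DomainName is left out, which the post allows when its value is uncertain.
Function BuildRecordQuery(recordType, zone, ownerName, recordData)
    Dim q
    If Not IsAllowedType(recordType) Then
        Err.Raise vbObjectError + 1, "BuildRecordQuery", "Unsupported record type"
    End If
    If Len(zone) = 0 Then
        Err.Raise vbObjectError + 2, "BuildRecordQuery", "Zone (ContainerName) is required"
    End If
    q = "Select TextRepresentation from MicrosoftDNS_" & UCase(recordType) & "Type" & _
        " where ContainerName=""" & WqlEscape(zone) & """"
    If Len(recordData) > 0 Then
        q = q & " and TextRepresentation=""" & _
            WqlEscape(ownerName & " IN " & UCase(recordType) & " " & recordData) & """"
    Else
        q = q & " and OwnerName=""" & WqlEscape(ownerName) & """"
    End If
    BuildRecordQuery = q
End Function

' Constructed sample inputs; pass the result to ExecQuery as in the script above.
WScript.Echo BuildRecordQuery("A", "test.com", "www.test.com", "")
WScript.Echo BuildRecordQuery("A", "test.com", "test.com", "192.168.0.1")
' A name containing a quote stays inside the string literal after escaping.
WScript.Echo BuildRecordQuery("A", "test.com", "bad""name.test.com", "")
```

Run it with cscript to print the three queries; no DNS server is needed until a query is handed to ExecQuery.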

     

    Posted by mpoulson | 2 Comments

    DSL testing on campus Part 2 of 2 (the NEW way)

    This is part 2 of a 2 part post.

     

    Post two: The NEW way of doing DSL on campus

     

    About 2 years ago a co-worker and I were approached by 2 teams on campus that had a large number of DSL lines and did not want to pay the fee that Verizon charged.  So I came up with the new way. 

     

    **Brief info on how DSL works (from a telco like Qwest)**

    You have a DSL modem

    This modem links via the phone line to a device called a DSLAM (Digital Subscriber Line Access Multiplexer)

    The DSLAM then links to the ATM or Frame-Relay network

    The ISP (could be Qwest or any other ISP that has links to the ATM/Frame-Relay cloud) would have a link into the ATM/FR network

    The ISP then routes the packets to the internet via its normal Path

    **End of Brief info**

     

    So Verizon in our case charged for the analog line, the DSL line and the ISP.  This was about $2,000 per line per year.  So what we were going to do is buy the DSLAMs and keep them in house, then link them to the internet using our existing internet access methods (MSN).  So this would allow the test teams to have DSL lines with an upfront cost for hardware but never have a recurring cost. 

     

    The first issue we ran into in the beginning was the cost of a Cisco DSLAM was > $12,000 for ~24-48 lines (don’t remember the exact cost).  So that price  would hit into the cost savings if we had to throw out a huge amount of money just to get the hardware.  So one day I was in a meeting with the networking team talking about another issue when someone mentioned they found a 24 port DSLAM for ~2,500.00.  So after some looking I found Corecess (http://www.corecess.com).  They have the DX6524 which is a 24 port DSLAM that goes from DSL to Ethernet.  It removes the ATM/Frame-Relay requirements that other DSLAMs also had.  So this allowed us to put in 4 DSLAMs into a single lab and connect them to our existing Internet taps.

     

    The DSL modems we had with Verizon were DMT modems so they worked with this device.  No new modems were required for the move only growth.  So for the cost of 1 year of service on our normal DSL line we were able to get a device that would provide us 24 ports of DSL access.  I was so happy the day I was able to place ~100 DSL disconnect orders with Verizon (Telcos are almost as bad as the cable company and Oil companies).   

     

    The ROI was so high that a 24 port DSLAM would pay for itself in only a few months.  And when it comes time for the lab to move all they have to do is make sure there is an Internet tap installed in their new lab to connect their DSLAM to. 

     

    Testers could also in real-time (automated or manual) change the speed allotted for a DSL port.  They could have it 128k/128k then up to 8mb/1mb within a few seconds.  The DSLAM also provided VLAN support on a per DSL port basis.  So we could have one DSL line connected to a PPPoE Access concentrator while another is on a Native IPv6 link.  These VLAN assignments could also be changed automatically (SNMP).

     

    From a security standpoint this allowed Corp IT to monitor all internet traffic on the DSL lines (and place IDS/IPS devices), limit access to HIGH risk services (that are not used at 99.9% of homes), and removed the ANALOG line that could allow unrestricted dial-in access.  If an inbound attack was detected corp sec could at least act on it now.  Whereas with the OLD way they did not even know it happened.

     

    This solution still provides all the requirements to capture the “Home Scenario” while lowering the cost and increasing security.  So for those of you that need to do DSL testing but hate paying the super high costs, owning your own DSLAM is the way to go.  You can even add a spool of 3,000 feet of copper between your DSL modem and the DSLAM to simulate the copper length between most homes and the DSLAM. 

    Posted by mpoulson | 3 Comments

    DSL testing on campus Part 1 of 2 (the old way)

    This is part 1 of a 2 part post. 

     

    Post one: The OLD way of doing DSL on campus.

     

    So for the past few years I have been part of a team that provides DSL access to various test teams on campus.  For a company like MSFT testing the "home scenario" is very important.  So to do that test teams pulled in DSL lines from Verizon or Qwest.  They had two ways of connecting to the internet once the line was provided by the telco.  They would use MSFT as the ISP or the Telco (Verizon online).  

     

    Some teams used MSFT and some used the telco and did not even think about what this involved.  From a SECURITY standpoint the telco provided internet was very bad.  This would mean a team would have internet access in/out that was not monitored by our Corp IT security team.  It was unfiltered and a huge hole.  It also cost more money. 

     

    For the MSFT ISP.  We pulled in lines (Frame-Relay/ATM) from the telco to Datacenters and the DSL lines would then link to these lines.  Internet egress would then go through MSFT’s normal internet access (Via MSN).  This allowed us to limit some high risk ports while still providing the test teams the “home scenario”. 

     

    With MSFT ISP there is a fine line between what could be offered to a test team and what MUST be limited for security reasons.  For example Windows File and Print Services, SQL, VPN, FTP.  Test teams normally bitch with any mention of ACLing ports.  But most of this bitching is just because they don’t know any better.  They did not know what ports their product used or required and most of them don’t have a clue how networking or even DSL works.  They just want something that is like what they have at home.  There is also the issue that the phone line (analog) that the DSL came on could be connected to a modem and allow unauthorized dial-in access to the corp network.

     

    The cost of providing this service to teams was also VERY expensive.  It costs about $2,000 per line per year for a DSL line that goes to the telco for internet access.  This was a huge hit for some labs that have 100+ DSL lines.  It also was expensive for the install.  Verizon would slap on a ~200.00 charge per line for a tech to come out and verify it worked.  I cannot count how many times I had to walk the Verizon tech through how to verify the DSL line was working over the phone, and Verizon was charging us for this visit.  It was amazing! 

     

    The reason why the DSL costs ~$2,000.00 per year is these are Business class DSL lines not residential.  Along with the cost of the analog service (Verizon does not offer DSL only like Qwest) and ISP services.

     

    Lab moves happen all the time on campus.  So a lab with a bunch of DSL lines would have to pay to have new lines installed in their new lab and the old ones disconnected.  Again paying the install fees and the tech visit fees. 

     

    With the change in DSL services nationwide the default 256k/256k (or 768k/128k for Verizon) was out in most major cities.  So the ability for the testers to keep a bunch of DSL lines that had various speed settings was a pain and expensive.   Another option was to call Verizon when you need a line speed changed.  This would require a 5 day delay and about $100.00.

     

    So with this original version security holes were a major issue.   It cost a lot of money and just did not scale/move well.

    Posted by mpoulson | 3 Comments

    Hotfix required to get Exchange OWA to work on Vista

    Vista removed some DHTML support that was used in Exchange 2000/2003 OWA.  To get it to work correctly you need to update all your Exchange servers (frontend and backend) with KB 911829 (http://support.microsoft.com/kb/911829). 

    Once you install this update you will be able to do more with OWA and IE7.

    Enjoy

    Posted by mpoulson | 1 Comments

    Live Bald Eagle Cam

    So up in Canada (one of the best places on earth) there are 2 Bald Eagles with 2 eggs.  There is a project that put a very high quality web cam up to watch the nest.  As of yesterday my team assisted in providing this project some additional bandwidth. 

    You can watch the eagles at http://www.infotecbusinesssystems.com/wildlife/default.asp

    Enjoy!

    Posted by mpoulson | 2 Comments