AD Recycle Bin – New in Server 2008 R2

This week I continued with disaster recovery testing in our lab, the first machine restored from tape being one of our domain controllers. While checking over the health of the restored Windows 2003 active directory, I remembered that we are using a third-party tool in production to aid in the recovery of deleted items – Quest’s Active Directory Recovery Manager. To be honest, we haven’t had a reason to use the software since we installed it, which I suppose is a good thing. But it is a stress reliever to know that it’s there for us.

Restoring this product in our test lab isn’t part of the scope of this project, but it does have me looking forward to planning our active directory migration to Server 2008 R2, which includes a new, native “recycle bin” feature for deleted active directory objects. You can find more details about how this feature works in Ned Pyle’s post on the Ask the Directory Services Team blog, The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting.

While the native feature doesn’t have the ease of a GUI and requires your entire forest to be at the 2008 R2 functional level, it’s certainly worth becoming familiar with. Once I’m done with all this disaster testing, you can be sure this feature will be on the top of my list to test out when I’m planning that upgrade.
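
Since the native feature is driven from PowerShell rather than a GUI, here is a sketch of the pre-check, enable and restore steps. This is an added example, not code from the original post or from Ned Pyle's article; the function names and the sample account name are hypothetical, and it assumes the ActiveDirectory module on a 2008 R2 or later system.

```powershell
# Added example: function names and 'jsmith' are hypothetical placeholders.
Import-Module ActiveDirectory

function Enable-RecycleBinIfReady {
    $forest   = Get-ADForest
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

    # The whole forest must be at the 2008 R2 functional level (or later).
    if ([int]$forest.ForestMode -lt [int]$required) {
        Write-Warning "Forest mode is $($forest.ForestMode); raise it first."
        return $false
    }

    # EnabledScopes is empty until the optional feature has been turned on.
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose 'Recycle Bin is already enabled.'
        return $true
    }

    # Enabling cannot be undone, so the cmdlet prompts for confirmation.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
    return $true
}

function Restore-DeletedAccount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Deleted objects are hidden unless -IncludeDeletedObjects is given.
    $deleted = @(Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -Properties lastKnownParent, whenChanged)

    if ($deleted.Count -ne 1) {
        # Refuse to guess when zero or several deleted objects match.
        Write-Warning "Found $($deleted.Count) deleted objects for '$SamAccountName'."
        return
    }

    # Without -TargetPath the object returns to its lastKnownParent container.
    Write-Verbose "Restoring to $($deleted[0].lastKnownParent)"
    $deleted[0] | Restore-ADObject -PassThru
}

# Example session (run as a forest administrator in a lab first):
# Enable-RecycleBinIfReady
# Restore-DeletedAccount -SamAccountName 'jsmith'
```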

Check Out TechNet Events

Today I enjoyed a morning at the Microsoft office in SF attending an event in the current series of TechNet Events. Through the months of September and October, the TechNet Events team is traveling around the US providing tips, solutions and discussion about using Windows 7 and Server 2008 R2.

Today’s presentation was given by Chris Henley, who led some lively and informative discussions on three topics – Tools for migration from Windows XP to Windows 7, Securing Windows 7 in a Server 2008 R2 Environment (with Bitlocker, NAP and Direct Access) and new features in Directory Services.

I was excited to see specific information on Active Directory. If you missed the blogs about Active Directory Administrative Center back in January like I did, you’ll like some of the new features in this 2008 R2 tool, including the ability to connect to multiple domains and improved navigation views.

If there isn’t an event near you this time around, check back after the holidays when they’ll head out again for another series.

64-bit ImageRight support? – The "drivers" are in control.

The disaster recovery testing is touching more areas than I even thought possible related to what options we can consider in our production and emergency environments. It’s bringing to light how interconnected software has become, and how those connections can sneak up on you, even when one is dealing with them every day.

A basic premise of our recovery plan is to provide access to our recovered systems remotely, until we can make office space and desktop systems accessible to everyone. In order to keep things “simple” and provide the quickest possible up time, the plan calls for using Windows Terminal Services (aka “Remote Desktop Services” in 2008 R2) technology.

Due to the improvements in the offerings available directly by Microsoft related to remote access and the relatively small number of applications we need to make available, we determined that bringing terminal services up initially would be faster than recreating our Citrix environment during an emergency.

In conjunction with this (and the fact that we have only a small amount of remote use in production) we are currently planning to reduce licensing costs by only providing access using Microsoft products. Windows Server 2008 (and now R2) has many of the features we were looking to Citrix for in the past. While it’s possible for us to meet most of our needs with Server 2008, we’d much prefer to use 2008 R2.

While I was at the Vertafore Conference, one of my goals was to find out their schedule for 64-bit support. As one of our main enterprise applications, it’s important that it’s available on our remote access solution. Since I was unable to run the software on my 64-bit Windows 7 computer, I wanted to know how far they were from addressing that.

Turns out, it all comes down to third-party drivers for peripherals. ImageRight works with several popular hardware vendors when it comes to scanners, including Kodak, Canon and Fujitsu. This allows customers to take advantage of more of the built-in scanner features that come with the hardware, instead of writing a generic scanner driver that could reduce the functionality native to the device. They also use the drivers to provide desktop features that allow end users to import documents directly from their PC.

Because of this, 64-bit support for the ImageRight software is directly related to how quickly scanner vendors make 64-bit drivers available. ImageRight claims that the makers of these key peripheral devices are complaining that Microsoft didn’t give them enough warning between Windows Server 2008 and the release of Server 2008 R2 regarding the official “death” of the 32-bit version of the OS to provide 64-bit drivers for all their devices.

ImageRight is planning to have support for 64-bit operating systems by the end of this year. We aren’t planning on a widespread upgrading of desktop hardware to 64-bit any time soon and will be able to wait without too much suffering. However, it does alter our plans for our remote access changes in the next 3-6 months. A disappointment for sure.

Also, the delay doesn’t help existing ImageRight clients or upcoming new ones that hope to run (or at least begin to test) an important software product on the most current hardware and operating systems available. An interesting domino effect that ends in needing to reconsider what I’ll be using for remote access during my recovery testing this month.

Windows 7 Tidbits

I found some interesting Windows 7 things online recently and wanted to share.

  • Check out the agenda for the Windows 7 Online Summit being held on October 7th. I’m hoping I’ll be able to keep people from interrupting me at work for a few hours that day.

  • Finally, if you haven’t had a chance to demo Windows 7 and you aren’t a TechNet/MSDN subscriber or a volume license customer, the Enterprise version is now available as a 90-day trial, from the TechNet Springboard.

Britain’s Blast from the Past

The National Museum of Computing in Bletchley Park is pushing aside the mothballs and reassembling a computer they’ve had in storage since 1973. Check out the Harwell WITCH story on Wired.com’s Gadget Lab.

If you are looking for something more modern, take a look at the story behind the new Wired.com office kegerator, dubbed the Beer Robot. The exterior design was done by my husband – I’m not ashamed to flaunt his design skills.

Disaster Recovery Testing – Epic Fail #1

As I’ve mentioned before, my big project for this month is disaster recovery testing. A few things have changed since our last comprehensive test of our backup practices and we are long overdue. Because of this, I expect many “failures” along the way that will need to be remedied. I expect our network documentation to be lacking, I expect to be missing current versions of software in our disaster kit. I know for a fact that we don’t have detailed recovery instructions for several new enterprise systems. This is why we test – to find and fix these shortcomings.

This week, at the beginning stages of the testing we encountered our first “failure”. We’ve dubbed it “Epic Failure #1” and it’s all about those backup tapes.

A while back our outside auditor wanted us to password protect our tapes. We were running Symantec Backup Exec 10d at the time and were happy to comply. The password was promptly documented with our other important passwords. Our backup administrator successfully tested restores. Smiles all around.

We faithfully run backups daily. We run assorted restores every month to save lost Word documents, quickly migrate large file structures between servers, and to correct data corruption issues. We’ve had good luck with the integrity of our tapes. More smiles.

Earlier this week, I loaded up the first tape I need to restore in my DR lab. I typed the password to catalog the tape and it tells me I have it wrong. I typed it again, because it’s not an easy password and perhaps I had made a mistake. The error message appears, my smile did not.

After poking in the Backup Exec databases on production and comparing existing XML catalog files from a tape known to work with the password, we conclude that our regular daily backup jobs simply have a different password. Or at least the password hash is completely different, yet this difference is repeated across the password protected backup jobs on all our production backup media servers. Frown.

After testing a series of tapes from different points in time from different servers, we came to the following disturbing conclusion: The migration of our Backup Exec software from 10d to 12.5, which also required us to install version 11 as part of the upgrade path, mangled the password hashes on the pre-existing job settings. Or uses a different algorithm, or something similar with the same result.

Any tapes with backup jobs that came from the 10d version of the software use the known password without issue. And any new jobs that are created without a password (since 12.5 doesn’t support media passwords anymore) are also fine. Tapes that have the “mystery password” on them are only readable by a media server that has the tape cataloged already, in this case the server that created it. So while they are useless in a full disaster scenario, they work for any current restorations we need in production. We upgraded Backup Exec just a few months ago, so the overall damage is limited to a specific time frame.

Correcting this issue required our backup administrator to create new jobs without password protection. Backup Exec 12.5 doesn’t support that type of media protection anymore (it was removed in version 11) so there is no obvious way to remove the password from the original job. Once we have some fresh, reliable backups off-site I can continue with the disaster testing. We’ll also have to look into testing the new tape encryption features in the current version of Backup Exec and see if we can use those to meet our audit requirements.

The lesson learned here was that even though the backup tapes were tested after the software upgrade, they should have been tested on a completely different media server. While our “routine” restore tasks showed our tapes had good data, it didn’t prove they would still save us in a severe disaster scenario.

Why Certify? Or Not?

Last night, I presented a brief overview of current Microsoft certifications at the PacITPros meeting. One of the questions that came up was how to determine the ROI of getting certified. Right now, I’m in the early stages of updating my messaging certification from Exchange 2003 to Exchange 2007. My office pays for exam fees, so I like to take advantage of that when I can. But why certify at all?

For me, it’s not a “bottom line” calculation. I do it as a motivator to keep learning. The nature of the business where I work means we tend to deal with a lot of dated software and don’t always have a need to upgrade to the latest or greatest of anything. We usually run about 3 years behind, particularly with Microsoft software, though that has been changing. If I wasn’t personally interested in staying current, I could easily let my skills lag behind.

Getting a certification in a specific technology gives me something tangible to work towards. By using some extra lab equipment at the office and making time to read, I can have a little fun and stay up to date on technology that will eventually get deployed in production.

Certification isn’t a perfect science. I know that the exams aren’t always in line with real production situations, but they have been improving over the years. And I know there are people on the ends of the spectrum – those that have great skills or experience with no certifications and others with limited experience and a series of letters after their name. I aim for balance. I stick with the topics and products that are in line with what I work with regularly so I can be confident that taking the time to study is going to provide value.

Right now, getting a certification doesn’t end in extra bonuses or a higher salary grade. But maybe one day it will be the item that stands out on my resume when compared to others with similar experience. Or show that I have the ability to set a goal and follow through. Or perhaps I’ll just enjoy challenging myself – certainly no harm in that!

PacITPros – Certifications, BranchCache and Office 2010

PacITPros will be having the September meeting tomorrow night at 6:30pm.

There is quite the line up of topics – Ed Horley, Microsoft MVP in Enterprise Security, will be presenting on Windows Server 2008 R2 and Windows 7 as a “Better Together” story. Specifically, what items are available only from Windows S2K8R2 with Windows 7 and how they would be compelling to use.

I’ll be doing a short presentation of what’s new with Microsoft certification tracks (specifically info about the MCITP and MCTS certifications) and Kathy Jacobs, Microsoft MVP in OneNote, will be doing an overview of some of the cool new features in Office 2010. Plus with the VMWare conference going on right down the street, there is sure to be a lot of chatter about what’s going on over at the Moscone Center.