Welcome to my blog...it is just a bunch of random notes to myself, for myself, and if it happens to help someone else...cool. I am currently working for a large consulting company which supports a national nonprofit organization with 23000 workstations and 250 configuration servers.
Friday, December 29, 2006
Two views of the 3D desktop
After trying XGL, I can't wait to see Croquet.
Thursday, December 28, 2006
ATI x1300 and Ubuntu
display: :0.0 screen: 0
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: Generic
OpenGL version string: 2.0.6234 (8.32.5)
but when I run fgl_glxgears I get this window and a listing of FPS
Using GLX_SGIX_pbuffer
3933 frames in 5.0 seconds = 786.600 FPS
4462 frames in 5.0 seconds = 892.400 FPS
4483 frames in 5.0 seconds = 896.600 FPS
Update: I was able to get the ATI card to work when ATI corrected their driver in version 8.33.6.
Thursday, November 30, 2006
Using OpenSSH with a ssh Proxy
Add this to ~/.ssh/config
Host internethost.com
ProxyCommand ssh -a -x sshrelay.com "nc internethost.com 22"
Where sshrelay.com is an ssh machine with better internet access to the remote host and internethost.com is the final destination (nc has to be installed on the relay). The -a and -x options turn off agent forwarding and X11 forwarding to the relay, so the relay only carries the encrypted tunnel that nc pipes through; the inner ssh session still checks internethost.com's host key end to end and the relay never sees the plaintext. Now I just have to type 'ssh internethost.com' to get all the way through to the final machine. I can now forward X sessions, use scp, and use FreeNX, with an easy configuration.
Wednesday, November 8, 2006
Reregister Windows Updates
@echo off
rem Reset the Windows Update client: stop the update services, move the
rem download cache aside, re-register the WU and BITS COM servers, then clear
rem the WinHTTP proxy. Run from an administrator command prompt.
net stop bits
net stop wuauserv
pause
rem Drop last run's backup, then move the current cache out of the way so
rem the client rebuilds it from scratch
rmdir /s /q %windir%\sdold
rename %windir%\SoftwareDistribution sdold
pause
net start wuauserv
rem /s keeps regsvr32 from popping a dialog for every DLL
Regsvr32 /s msxml3.dll
Regsvr32 /s wuapi.dll
Regsvr32 /s wuaueng.dll
Regsvr32 /s wucltui.dll
Regsvr32 /s wups.dll
Regsvr32 /s wuweb.dll
Regsvr32 /s qmgr.dll
Regsvr32 /s qmgrprxy.dll
Regsvr32 /s jscript.dll
echo Reset the proxy list
rem pause
rem proxycfg manages the WinHTTP proxy that the update client uses on XP/2003:
rem -d sets direct access, -u imports the current user's Internet Explorer
rem proxy settings
proxycfg -d
proxycfg -u
net stop wuauserv
net start wuauserv
Here is a batch script that I wrote based on an email from Microsoft Support. It has worked for me in every situation.
Friday, October 27, 2006
Googlepedia Mistake
The problem is that Google's advertising is gone. In its place is where you see the Wikipedia article. Google will not stand for it and frankly, I don't think that it is really right. I don't mind choosing not to view ads by using an ad blocker; I feel that everyone has the right to control what advertising they are being shown. I also believe that advertisers have the right to encourage people to view their ad by offering content. I use a TiVo to skip most ads, but I have the option to view the ads that interest me.
If Google is smart, they will modify their search results and offer Wikipedia results but move it down enough to show their advertising. In fact, they could improve the intelligence of the Wikipedia search and if there was no match, they could have the Wikipedia article disappear. Right now my only complaint with the Googlepedia extension is when it brings up an article that is not related to my search.
Tuesday, October 24, 2006
Changing Registry ACL's EnMasse
Here is an interesting way to modify security permissions (ACLs) on workstations and servers through Group Policy.
Active Directory administrators who are using a group policy security template can add the following lines to the [Registry Keys] section of their .inf template file. Each line is the key path, a mode digit (0 = propagate inheritable permissions to all subkeys, 1 = replace existing permissions on all subkeys with inheritable permissions, 2 = do not allow permissions on this key to be replaced) and the key's DACL written in SDDL:
[Registry Keys]
"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
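Reading those SDDL strings by eye is error-prone, and the question an audit actually asks is who, besides Administrators and SYSTEM, ends up with write access. The following is an added Python example (mine, not from the original post and not a Microsoft tool) that parses [Registry Keys] lines, decodes each DACL into named principals, ACE flags and rights, and lists every allow ACE that grants a write right to anyone other than Administrators, SYSTEM or Creator Owner. The SID and rights abbreviations are the standard SDDL ones mapped onto registry-key rights, the mode meanings are the three documented for security templates, and the sample input is three lines copied from the template above.

```python
import re

# Well-known SID abbreviations that appear in the template (subset of the SDDL table).
SID_NAMES = {
    "BA": "Administrators", "AU": "Authenticated Users", "CO": "Creator Owner",
    "PU": "Power Users", "SY": "SYSTEM", "BU": "Users", "WD": "Everyone",
}
# Two-letter SDDL rights as they map onto registry keys. KA/KR/KW/KX are the
# registry generic mappings; the rest are the individual specific/standard bits.
RIGHT_NAMES = {
    "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "CC": "KEY_QUERY_VALUE", "DC": "KEY_SET_VALUE", "LC": "KEY_CREATE_SUB_KEY",
    "SW": "KEY_ENUMERATE_SUB_KEYS", "RP": "KEY_NOTIFY", "WP": "KEY_CREATE_LINK",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Any of these lets the principal change the key, its values, its subtree or its ACL.
WRITE_RIGHTS = {"KA", "KW", "GA", "GW", "DC", "LC", "WP", "SD", "WD", "WO"}
# Same idea for a numeric access mask: SET_VALUE, CREATE_SUB_KEY, CREATE_LINK,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# Mode digit between the key path and the SDDL, as documented for security templates.
MODE_NAMES = {0: "propagate inheritable permissions to all subkeys",
              1: "replace existing permissions on all subkeys",
              2: "do not allow permissions on this key to be replaced"}

SDDL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
LINE_RE = re.compile(r'^"([^"]+)",(\d),"(D:[^"]*)"\s*$')


def grants_write(rights):
    """True if an ACE rights field (letters or 0x mask) includes a write right."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    return bool(set(re.findall(r"..", rights)) & WRITE_RIGHTS)


def parse_dacl(sddl):
    """Split a DACL-only SDDL string into (control flags, list of ACE dicts)."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string: %r" % sddl)
    flags = re.findall(r"P|AR|AI", m.group(1))   # P = protected, AR/AI = auto-inherit
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "flags": re.findall(r"..", ace_flags),             # CI, OI, IO, NP, ID
            "rights": [rights] if rights.startswith("0x") else re.findall(r"..", rights),
            "write": grants_write(rights),
            "sid": SID_NAMES.get(sid, sid),
        })
    return flags, aces


def parse_template(text):
    """Parse the lines of a [Registry Keys] section into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;":
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed template line: %r" % line)
        flags, aces = parse_dacl(m.group(3))
        entries.append({"key": m.group(1), "mode": int(m.group(2)),
                        "dacl_flags": flags, "aces": aces})
    return entries


def non_admin_writers(entries):
    """(key, principal, rights) for every allow ACE giving write access to
    someone other than Administrators, SYSTEM or Creator Owner."""
    trusted = {"Administrators", "SYSTEM", "Creator Owner"}
    return [(e["key"], a["sid"], a["rights"]) for e in entries for a in e["aces"]
            if a["type"] == "allow" and a["write"] and a["sid"] not in trusted]


def describe(entry):
    """Human-readable rendering of one template line."""
    lines = ["%s  [mode %d: %s; DACL flags: %s]" % (
        entry["key"], entry["mode"], MODE_NAMES.get(entry["mode"], "?"),
        ",".join(entry["dacl_flags"]) or "none")]
    for ace in entry["aces"]:
        lines.append("    %-5s %-19s %-5s %s" % (
            ace["type"], ace["sid"], ",".join(ace["flags"]),
            " ".join(RIGHT_NAMES.get(r, r) for r in ace["rights"])))
    return "\n".join(lines)


# Sample input: three lines taken from the template above.
TEMPLATE = r'''
[Registry Keys]
"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
'''

if __name__ == "__main__":
    entries = parse_template(TEMPLATE)
    for e in entries:
        print(describe(e))
    for key, who, rights in non_admin_writers(entries):
        print("WRITE by %s on %s: %s" % (who, key, " ".join(rights)))
```

Run against the full template, the report shows that the "CCDCLCSWRPSDRC" grant hands Power Users query, set, create-subkey, enumerate, notify and delete on CLASSES_ROOT and on MACHINE\Software\Classes, which is far more than a reader expects from what looks like a read-only template, and it shows which keys use a protected DACL (P) versus one that only requests auto-inheritance (AR). That distinction matters when you later try to undo such a policy: a protected DACL stops inheritance from the parent, so the old entries stay until something explicitly rewrites them.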
We have some bad permission policies that were created when we still had Windows 98 and Windows NT. Back then, modifying the default permissions was a strong security stance, but today it is giving us more grief than benefit, especially since Microsoft has improved its default configuration in regards to security.
We had an issue a few months ago when a Windows Update assumed that we had "Bypass Traverse checking" enabled for Everyone in secpol.msc. If you didn't have bypass traverse checking enabled for a user account, then you wouldn't see your desktop.
Automatically log off users
How to create an ADM file for winexit.scr
;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit
CLASS USER
CATEGORY !!Screen_Saver_Policy
POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY
POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY
POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY
END CATEGORY
[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."
Wednesday, October 18, 2006
Rails and Plugins
I thought that Agile Web Development with Rails: Second Edition was going to repeat a lot of information from the first edition. I was wrong; the second edition updates a lot of techniques using conventions that have developed since the last book.
For example, one of the best ways to start a rails project is by using migrations. This book works with that and I assume even more. Personally the migrations section was well worth it. As an added benefit, I'm getting different information going through the depot example a second time because I understand how rails works and can understand better why the examples do this or that.
Quick notes: The book uses Edge Rails, which I refused to install (my only problem with the book). The migrations model uses a :decimal call that is not available in Rails 1.1.6. I was able to use my first Rails plugin, called dollars_and_cents. RadRails made the install very easy. The hard part was modifying the code to use this plugin.
Here are my notes:
Migration line: add_column :products, :price_in_cents, :integer, :default => 0
I ran 'ruby script/generate scaffold Product' which created a new products view. I used this code to modify the views and then copied them into the admin view.
list.rhtml:
<table>
<tr>
<% for column in Product.content_columns %>
<th><%= column.human_name %></th>
<% end %>
<th>Price</th>
</tr>
<% for product in @products %>
<tr>
<% for column in Product.content_columns %>
<td><%=h product.send(column.name) %></td>
<% end %>
<td><%=h number_to_currency(product.price)%></td>
<td><%= link_to 'Show', :action => 'show', :id => product %></td>
<td><%= link_to 'Edit', :action => 'edit', :id => product %></td>
<td><%= link_to 'Destroy', { :action => 'destroy', :id => product }, :confirm => 'Are you sure?', :post => true %></td>
</tr>
<% end %>
</table>
_form.rhtml (replace the last couple lines with this):
<p><label for="product_price">Price in dollars</label><br/>
<%= text_field 'product', 'price' %></p>
<!--[eoform:product]-->
show.rhtml (abridged):
<% for column in Product.content_columns %>
<p>
<b><%= column.human_name %>:</b> <%=h @product.send(column.name) %>
</p>
<% end %>
<p>
<b>Price in Dollars:</b> <%=h number_to_currency(@product.price) %>
</p>
Must Have for Integrating Linux in a Windows World
Novell's Ubuntu AD Samba Guide HOWTO: Configure Ubuntu for Active Directory Authentication
Note: Samba is hosted on Novell's servers because Novell is starting to seem pretty agnostic on what distribution people are running. Good for them.
I was able to allow my machine to authenticate on a Windows AD domain without joining it to the domain. The second step of setting up libpam-ldap and ncsd would require changes to the domain controllers, but I am only able to log on if the user account in /usr/passwd is identical to a domain account. If I had libpam-ldap installed and joined this computer to the domain, I would be able to accept anyone's domain account as a login on this machine.
I am now able to cruise network shares through Gnome (nautilus) with smb://servername without having to supply a password for each connection. Previously, my credentials would be encrypted to the nautilus keyring, so it may have seemed like authentication only happened once, but it was really happening each time you connected. With a Kerberos ticket, I am authenticated as myself until the ticket is closed or revoked by a domain controller. This truly becomes a single sign-on Microsoft environment.
Now I have to work out how single sign-on for our intranet is handled (NTLM?), which was developed on .NET. When I go to the site with Firefox (Windows and Linux) I get asked for continuous passwords, it seems. I had heard from a Novell Open Audio podcast that SUSE had figured out a way to use Firefox with single sign-on. I just can't remember if it was with a Firefox Kerberos plugin, or if there was a special setting in about:config.
Friday, October 13, 2006
Microsoft Support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
Riddle me this:
Here are the details:
After approving September's patches on Saturday for an install on Sunday at 9am, I got my first call of a netlogon service problem. The user was not able to log on because the netlogon service was not able to start. A second blank error message pops up with a big red "X" and an OK button before sending you back to the Ctrl-Alt-Del screen. Logging in as that user, as my domain account with local admin rights, or as the local renamed administrator account all produces the same results.
Going into Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt all cause a hard reboot right when the graphics card should take off. The Last Known Good Configuration gives us the same results as starting Windows normally.
My first diagnosis was a roached OS and I re-imaged it. I found out later that someone else ran into the same scenario on Friday (before approval of updates) and solved it by re-imaging.
Now we started to get suspicious when we saw our third, then fourth bad machine on Monday. We were able to keep a couple for studying (that's when someone figured out that Debug mode works) and started our call with Microsoft.
Booting into Debug mode allows for normal logins of local administrators and domain accounts.
I spent an hour making sure, with memtest and Dell utilities, that the hardware was okay.
To be continued...
Wednesday, September 27, 2006
GPL software for hosting multiple domains & websites
DTC has some Xen VPS abilities, however, it looks pretty new and I'm not sure how many features it has.
I came across the software when reading this howto for Ubuntu. I'm definitely not ready for installing it but I wanted to keep it in the back of my mind.
On a recent JAKattack episode, Jon mentioned some type of domain control panel and I'm not sure if this is what he meant.
After reading through some show notes, he was talking about cPanel and WHM. I'll link to them here and hopefully spend some time reading the articles.
Tuesday, September 26, 2006
Linux in the Workplace?
I've been trying to work with Linux as my desktop in an all Windows IT department. I still prefer Ubuntu to Windows and just recently I installed VMware on both a Windows 2003 server Dell Poweredge with 2 Xeons and also on my Ubuntu workstation with a single P4 processor (with hyperthreading for what that's worth). I dedicated a 40G physical drive for Windows XP professional on Ubuntu and get better performance on Ubuntu than Windows 2003, however, I have never dedicated a physical drive to a virtual environment before.
I do need to file a bug report with VMware because my entire system freezes when I try allowing the Windows environment bridged network access. Luckily, I believe that VMware Server (free product) is fully supported and they will work with me in my Ubuntu environment, which will be the first time I get support on a Linux product.
Saturday, September 23, 2006
RTFM Education » Ultimate-P2V
After getting comfortable on VMware Server, I wanted to reinstall Ubuntu on my work PC and make a copy of my Windows workstation and run it in a virtual environment. I really have missed running Linux for my day-to-day Windows administration job. Previously, I had used RDP whenever needing a Windows only application (like SMS, or an IT Helpline exchange mailbox) but it always got in the way. It was hard to justify 2 machines for 1 user.
Now with this guide, I can use Bart's boot disk to make a clone of my working Windows workstation and throw it into a virtual environment. I wouldn't mind paying for P2V, but I usually have a difficult time justifying what I'm trying to do and how it will help with our Windows servers. I have so far failed to convince the Vice President of IT that we can use virtual technologies to offer 2 compatible servers on the same hardware and save $6k. So far, I have only convinced him to allow virtualization in a lab setting.
Wednesday, September 20, 2006
O'Reilly Radar > State of the Computer Book Market, Part 2
What interests me the most is Ruby as a programming language is making huge and fast jumps, MySQL is steady with MS sql rising on the database front and Postgres is making some movement.
Saturday, September 16, 2006
Home Value Balloon
This doesn't quite fit on my blog but it interests me and I think the information is important because I own a house.
Friday, September 15, 2006
Ubuntu Laptops!
Power your next computer with the open source and easy to use Ubuntu Linux operating system. It works with your existing file types including Microsoft Word and Excel. Your operating system and applications are and will always be free and up to date.
:: system76 :: Linux Laptops, Linux Desktops, Linux Servers ::
Mongrel and Capistrano
So ever since I noticed that I’ve been wanting to use Mongrel to run my Rails apps. For those not familiar with mongrel, it’s a Tomcat-style application host for rails apps that avoids (huzzah) the FCGI palaver that we ordinarily have to deal with.
Sketchpad » Blog Archive » Capistrano, Mongrel, and Mongrel_cluster
My notes to follow.
technorati tags:Mongrel, Capistrano, Rails
Thursday, September 14, 2006
How I setup Subversion, Apache, and Capistrono
sudo vi /etc/apache2/mods-enabled/dav_svn.conf
--
# The package ships "DAV svn" and "SVNPath /var/lib/svn" commented out:
# uncomment them and point SVNPath at your repository
DAV svn
SVNPath /var/local/svn
<LimitExcept GET PROPFIND OPTIONS REPORT>
# Uncomment "Require valid-user" to demand HTTP basic authentication for
# commits and other write methods; leave it commented only if you really
# don't need authentication
#Require valid-user
Options Indexes
Order allow,deny
allow from all
</LimitExcept>
HOWTO : Subversion & Eclipse development environment - Ubuntu Forums
You should deviate from the above configuration if you are using this for Rails development. With "Require valid-user" commented out inside the LimitExcept block, anyone who can reach the server can commit, and because GET and PROPFIND are excepted from that block, reads are anonymous regardless, so anyone can fetch config/database.yml and read your database password from it. In fact, I wouldn't be surprised if Yahoo or Google crawled the web repository and made the password searchable.
From here, I followed these instructions to get Capistrano started.
On the client, check out the app
svn checkout svn://svnserver.com/app1 (enter user and pass as needed)
cd app1
capistranize the app:
cap --apply-to app1
Now, to set up the app for Capistrano deployment, configure deploy.rb (see example below) appropriately with the correct paths, servers, restart method to restart apache, etc.
On the client,
rake remote:exec ACTION=setup
This will set up the base structure ${deploy_to}/releases, /current and /shared.
current is a symlink to the most recent release/YYYYMMDDHHMMSS/ directory. shared contains shared logfiles etc.
That should do it!
example deploy.rb used for app1 (comments removed):
set :application, "app1"
set :repository, "svn://svnserver.com/"
role :web, "yourserver.com"
role :app, "yourserver.com"
role :db, "yourserver.com", :primary => true
set :deploy_to, "/home/rails/application_path/"
desc "Restart the web server"
task :restart, :roles => :app do
  sudo "/usr/local/etc/rc.d/apache2.sh restart"
end
PS: apache has to point to /home/rails/application_path/current/public for this to function properly.
Quick guide to setting up svn, capistrano, apache and radrails - Rails Weenie
And here is how I set up my svnserve script for /etc/init.d/svnserve. I didn't like trying to get inetd or xinetd to work. This is based on the default one found in the same directory.
#! /bin/sh
### BEGIN INIT INFO
# Provides:          svnserve
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: Subversion server
# Description:       This starts svnserve on a particular port. Others can
#                    access it using svn://servername/.
### END INIT INFO
#
# Author: Jeff Rasmussen <jeff.rasmussen at gmail.com>.
#
# Version: @(#)svnserve 0.0.1 11-Sept-2006 jeff.rasmussen at gmail.com
#set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Subversion Server"
NAME=svnserve
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
PORT=3690
REPOSITORY=/var/local/svn/
# -d runs svnserve as a daemon; -r makes $REPOSITORY the root, so clients can
# only name repositories under it (svn://server/repo, not arbitrary paths).
DAEMON_OPTS="-d --listen-port=$PORT -r $REPOSITORY"
# Set this (and create the account with access to $REPOSITORY) to run svnserve
# as an unprivileged user instead of root.
#DAEMON_USER=svn
# Note: svnserve does not write $PIDFILE by itself, so stop and reload match
# the running process by --name rather than by pid file.
# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0
# Read config file if it is present.
#if [ -r /etc/default/$NAME ]
#then
#    . /etc/default/$NAME
#fi
#
# Function that starts the daemon/service.
#
d_start() {
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        ${DAEMON_USER:+--chuid $DAEMON_USER} \
        --exec $DAEMON -- $DAEMON_OPTS \
        || echo -n " already running"
}
#
# Function that stops the daemon/service.
#
d_stop() {
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --name $NAME \
        || echo -n " not running"
}
#
# Function that sends a SIGHUP to the daemon/service.
#
d_reload() {
    start-stop-daemon --stop --quiet --pidfile $PIDFILE \
        --name $NAME --signal 1
}
case "$1" in
  start)
    echo -n "Starting $DESC: $NAME"
    d_start
    echo "."
    ;;
  stop)
    echo -n "Stopping $DESC: $NAME"
    d_stop
    echo "."
    ;;
  #reload)
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    # If the daemon responds to changes in its config file
    # directly anyway, make this an "exit 0".
    #
    # echo -n "Reloading $DESC configuration..."
    # d_reload
    # echo "done."
    #;;
  restart|force-reload)
    #
    # If the "reload" option is implemented, move the "force-reload"
    # option to the "reload" entry above. If not, "force-reload" is
    # just the same as "restart".
    #
    echo -n "Restarting $DESC: $NAME"
    d_stop
    # One second might not be time enough for a daemon to stop,
    # if this happens, d_start will fail (and dpkg will break if
    # the package is being upgraded). Change the timeout if needed
    # be, or change d_stop to have start-stop-daemon use --retry.
    # Notice that using --retry slows down the shutdown process somewhat.
    sleep 1
    d_start
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac
exit 0
technorati tags:Rails, Subversion, Capistrano, Ubuntu
Wednesday, September 13, 2006
RIS Install Notes
Users can create their own machine accounts (Low security) - For this option, modify the security on the container that will hold the new MAOs to include an Access Control Entry (ACE) for the user (or group) allowing the Create All Child Objects permission. The creator of this object becomes the owner, giving the creator full control of this object only. This option allows the user to reinstall, if required, without administrator assistance.
I forgot a couple items. First, I need to install RIS with Enterprise Admin rights. Since we have 2 domains (root and primary) I needed to give administrative rights on the RIS server to the correct root\account.
My second issue is documented above. Instead of requiring "Domain Admin" rights, we decided to create a domain group of "RIS Operators" which had permissions to perform a RIS installation. To do that, I needed to run ADSI edit from a domain controller, go to properties of the RIS computer and then the security tab. Give the Self object "create all child objects" and "delete all child objects" permissions.
I almost remember reading about this permission but had forgotten it and couldn't find it again on Microsoft's website.
RIS server wont authorise
What OS and SP? Are you getting other binl event IDs, like 7000, 1047 and 1007?
Did you successfully complete risetup?
It could be permissions-related. The computer account of Self has to be granted the Create All Child object access on the computer object of the RIS Server in AD.
Tuesday, September 12, 2006
Links Are Dead Post
Steve, I couldn't find an email address or comment area to comment on your show. I wanted to suggest that you could sell more GoDaddy domains with Gillmor1 if you mentioned that Google is allowing beta users to sign up for gmail accounts with up to 25 accounts mapped to domains purchased not through Google but through GoDaddy or other establishments.
I set up a domain that I already purchased through Yahoo for twice what GoDaddy charges with the Gillmor discount. But I am very tempted to find another domain and map it onto a 2GB Gmail account. Maybe jeff@rasmussen.com is available.
Monday, September 11, 2006
Microsoft vs. Open Source: Who Will Win? — HBS Working Knowledge
Our paper introduces a dynamic mixed duopoly model in which a profit-maximizing competitor (Microsoft) interacts with a competitor that prices at zero (Linux), with the installed base affecting their relative values over time. We use a formal model to ask what conditions are needed for Linux to take over Windows. The questions that we address are: Is Linux's superior demand-side learning sufficient to win out? What is the effect of forced procurement by governments and some large corporations on the long-run equilibrium? How do cost asymmetries play out? Can Microsoft use piracy strategically to improve its market position?
Harvard analysis of market forces between OSS and Microsoft. It seems that they believe that Linux and other OSS cannot be pushed out of the market but they do have some strategies that Microsoft can use against Linux.
Lots of editorial liberty, but a quick summary of effective strategies that Microsoft can (and has) used against Linux:
- Act more like open source projects: Increase customer feedback loops and be quicker to market these changes.
- Use network effects to Microsoft's advantage.
- Give OS and software away to schools and universities so that people build file libraries on Microsoft Word not Open Office
- Allow governments access to source code and give away binaries to people who would otherwise use Linux, but keep the price for people not easily swayed.
- Find the right mixture of piracy to purchases. Piracy may actually help sell more Microsoft products in the future.
- Reduce costs. Always helpful but not really practical when competing with volunteers.
- Make it more difficult for people to contribute/ participate in open source development (Trusted Computing)
- Make sure that Windows applications are not able to be run on Linux platforms
- FUD (Fear, Uncertainty, Doubt) campaigns
- Create new metrics to evaluate software (Total Cost of Ownership - TCO)
The MythTV Convergence | Tom's Hardware
Enter MythTV, a grand unification of personal digital video recording and home theater technology, and a magnum opus of modular design, freedom of expression and personal entertainment. At its core, MythTV is a digital video recording solution composed of several modular components that facilitate time-stretched manipulation of live television feeds, but it's really much more than that. In this multi-part article, we examine the depth and scope of MythTV's capabilities. We start here from the standard MythTV base, then address the wide-open capabilities that make MythTV more than just a video recording suite - the capabilities that make it into a quintessential home theater PC (HTPC) system.
I've installed MythTV through the mythknoppix live CD. It worked with my TV card and was really nice, but it won't replace my TiVo until I need HDTV and get a TV card with a remote control.
Don't kid yourself, you will not save money with MythTV. To make a machine that can go into your living room, you will have to spend some decent pennies to buy the right kind of quiet hard drive, the right video card with remote control, the right looking case that at least looks like it belongs in the living room.
Qtopia Greenphone — Trolltech
I would like to take a look at this phone. I assume it will be buggy at first but since my biggest peeve with Blackberry is that I can't install much, this phone may be just what I am looking for.
Friday, September 8, 2006
Thursday, August 31, 2006
Dapper on Dell Precision M65
I'm not intending to install Ubuntu on it because it is for someone else.
Quick report, the wired connection works out of the box. Wireless is installed but doesn't seem to register as a wireless connection. It is calling it an eth1 device. Network-manager (nm-applet) doesn't see it.
Here is the lspci output:
0000:00:00.0 Host bridge: Intel Corporation Mobile Memory Controller Hub (rev 03)
0000:00:01.0 PCI bridge: Intel Corporation Mobile PCI Express Graphics Port (rev 03)
0000:00:1b.0 0403: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
0000:00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
0000:00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 01)
0000:00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 01)
0000:00:1c.3 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 4 (rev 01)
0000:00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 01)
0000:00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 01)
0000:00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 01)
0000:00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 01)
0000:00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
0000:00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e1)
0000:00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 01)
0000:00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controllers cc=IDE (rev 01)
0000:00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
0000:01:00.0 VGA compatible controller: nVidia Corporation: Unknown device 01dc (rev a1)
0000:03:01.0 CardBus bridge: O2 Micro, Inc.: Unknown device 7135 (rev 21)
0000:03:01.4 FireWire (IEEE 1394): O2 Micro, Inc.: Unknown device 00f7 (rev 02)
0000:09:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express (rev 02)
0000:0c:00.0 Network controller: Intel Corporation: Unknown device 4222 (rev 02)
This is the device I think is the wireless card (lspci -vv):
0000:0c:00.0 Network controller: Intel Corporation: Unknown device 4222 (rev 02) Subsystem: Intel Corporation: Unknown device 1020
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR-
Latency: 0, Cache Line Size: 0x10 (64 bytes)
Interrupt: pin A routed to IRQ 177
Region 0: Memory at dcfff000 (32-bit, non-prefetchable) [size=4K]
Capabilities: <available only to root>
I'm not going to spend much time on this but I will try to use fw-cutter to see if I need to download some firmware. Although the bcm43xx driver isn't loaded.
Here is what we purchased using Dell's SKU #'s
It looks like the laptop is using Intel's ipw3945 driver. Everything looks like it is working but network-manager doesn't seem to like it.
Monday, August 28, 2006
Remotely Adding Remote Desktop Windows 2003
Windows Registry Editor Version 5.00

; Enable Remote Desktop. CurrentControlSet is a link to whichever control set
; the machine actually booted from, so it is safer than naming ControlSet001.
; Setting fDenyTSConnections to 0 opens TCP 3389 to everyone allowed to log on
; through Terminal Services (Administrators and Remote Desktop Users); on 2003
; SP1 the Windows Firewall exception has to be added separately.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
Enable Terminal services W2K ( command line )
Sunday, August 27, 2006
Remote Access to Linux from Cell Phone
Now I have been issued a Blackberry from work. Internet service costs $20 a month from Verizon wireless. T-mobile required the $20 service when purchasing a Blackberry. The service is much faster but I haven't read what speed that translates into.
Anyways, you probably want to know how to get ssh access to your linux machine through your cell phone. Go to http://xk72.com/wap to download MidpSSH to your phone. There is a special Blackberry version near the bottom.
The big trick is to set your terminal to linux otherwise it defaults to vt320 with only ASCII characters.
I've also set MidpSSH to use public keys (very secure if used correctly). Just copy the public key (a menu option once public key settings are enabled) and add a line ssh-rsa {public key} to ~/auth_keys. Reference man auth_keys to verify, I'm doing all this from memory.
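The authorized_keys line for the phone is worth getting exactly right, since that key is what stands between the internet and a shell. Below is an added Python example (mine, not from the original post or from MidpSSH) that parses a line in the format OpenSSH reads from ~/.ssh/authorized_keys, including the leading options field, checks that the base64 blob really contains a key of the declared type, and reports the key's SHA256 fingerprint and RSA modulus size so you can compare it with what the phone displays before trusting it. The sample key is constructed (a toy 64-bit modulus, structurally valid but useless as a real key), and the 203.0.113.0/24 source range and "blackberry" comment are made up for the example.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _sshstr(b):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    """RFC 4251 mpint: big-endian, with a leading 0x00 if the top bit would be set."""
    return _sshstr(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e, n):
    """Encode (e, n) as the ssh-rsa public-key blob that the base64 field carries."""
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)


def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def split_options(options):
    """Split the options field on commas that are not inside double quotes."""
    out, cur, quoted = [], "", False
    for c in options:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += c
    return out + [cur] if cur else out


def parse_authorized_key(line):
    """Parse one authorized_keys line into a dict, checking that the base64 blob
    really is a key of the declared type. Returns None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # options come first; scan to the first space outside double quotes
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == "\\" and quoted:
                i += 1                       # skip the escaped character
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # raises on pasted junk
    inner_type, _ = _read_string(blob, 0)
    if inner_type != keytype.encode():
        raise ValueError("declared %s but blob is %r" % (keytype, inner_type))
    return {"options": split_options(options), "type": keytype,
            "blob": blob, "comment": comment}


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of the key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def rsa_modulus_bits(blob):
    """Modulus size of an ssh-rsa blob, or None for other key types."""
    t, off = _read_string(blob, 0)
    if t != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


# Constructed sample: a structurally valid ssh-rsa blob with a toy 64-bit modulus.
# It is not a usable key; it only exercises the file format.
SAMPLE_BLOB = build_rsa_blob(65537, 0xC3A1B2D4E5F60718)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
# A phone key pinned to an assumed carrier range, with forwarding it doesn't need turned off.
PHONE_LINE = ('from="203.0.113.0/24",no-agent-forwarding,no-X11-forwarding ssh-rsa '
              + SAMPLE_B64 + " blackberry")

if __name__ == "__main__":
    k = parse_authorized_key(PHONE_LINE)
    print(k["type"], fingerprint(k["blob"]), rsa_modulus_bits(k["blob"]), k["options"])
```

The from=, no-agent-forwarding and no-X11-forwarding options are standard authorized_keys options: the first refuses the key from any address outside the listed pattern, the other two stop a stolen phone from being used to reach anything beyond that one shell. In a real check you would also reject the key when rsa_modulus_bits() comes back below 2048, which the toy sample obviously would.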
Friday, August 25, 2006
Intel Duo Core 2 - My personal observations
I needed to purchase a Radiology 2 medical monitor setup for a doctor that would live 9 months out of the year in Florida and be an integral tele-radiologist for our hospital. I work for the doctor side of our community hospital and as such, we don't normally purchase radiology workstations. I was given the specs for a current machine and asked to replicate it.
Since I knew that the Intel Duo Core 2's just became available July 27th (Thanks to DLtv, Cranky Geeks, and Twit), I wanted to see if I could save money using the more efficient processor.
All I can say is, Wow! You can look at a number of sites with benchmarks, but if you are like me you usually take them with a grain of salt. I'm not in the business of benchmarking systems, let alone processors. I knew from Anandtech and Tom's Hardware Guide that the speed improvements were significant, but until I compared the processor to our systems I didn't really care :) TG Daily has a fantastic article and graph that compares price versus power between Intel and AMD since the 8/18/2006 price drop.
When I received the Precision 390 with a Duo2 processor, I eagerly opened the box and sat in front of the machine quickly realizing I had nothing to throw at the processor except ripping CD's to MP3 or OGG files. In comes OpenMark...a quick search on sourceforge.org showed a seemingly strong contender (see note below). I don't pretend to do this for a living, this was just the best way I could compare two systems.
Below you can see 3 CPUs. The first one is my normal workstation P4 with hyperthreading, which only seems to help when ripping MP3s. The second is a 2 Xeon processor Radiology workstation that I needed to duplicate. The third is the Intel Duo Core 2. Note the differences in Voltage and the Multiplier (I'll talk about the Multiplier later).
Benchmarks
Okay, if you are still with me, here are the results from the OpenMark standard tests, with all defaults selected. I did turn off services on the older machines because I tested the Duo Core 2 with the Dell Windows default OS. My workstation had a webserver and other crap.
Okay, what can we learn from this? Well, first of all, the AMD comparison doesn't really belong. I include it here because I have been coveting an AMD chip for a long time. At work we buy all PCs through Dell and Dell hasn't offered an AMD line until recently. However, I didn't perform the test, so I don't know what type of hardware they were testing and how they performed the test. I got the results in the downloaded OpenMark package.
On the other three, I performed each test as equally as I could and feel pretty confident that the performance can be compared. Since I turned off some services on the Intel P4 and the Xeon system, they may have had a slight advantage. But my process was pretty much the same:
- copy the zip file from a machine,
- unzip it
- run the Official Run with all defaults
- wait for the 3 iterations to complete
From these tests, the Intel Duo Core 2 is at least twice the speed of the Xeon system. I didn't purchase the Xeon system, but I had the service tag and could look up the specs, which is what I used to determine the power I needed for a Radiology workstation.
I differed from the specs (from memory) on the precision model number (the same model did not offer the new processors), the processor, and the video card and possibly the hard drive.
I'll try finishing this later...I'm getting drastically different values from OpenMark using the same computer/ configuration.
Tuesday, August 22, 2006
Picture of the Linux Kernel
RadRails and Subversion
Integrating Subversion and RadRails
I just spent some time figuring out how to integrate RadRails and Subversion, and thought I'd share a tidbit in the hope it saves others time. I installed Subversion, created a repository under C:/repository, created a project called edu20 using svnadmin, and then started the lightweight subversion server by typing:
svnserve -d --listen-port 3690 -r repository
From RadRails, I selected Window>Show View>other>SVN>SVN Repository, which then displays a SVN window at the bottom of the screen. Then I clicked the + button which allows you to enter the URL of an SVN repository. The trouble is, it wasn't obvious what this URL should look like. After googling for information and some trial and error, I discovered the magic incantation is:
svn://localhost/edu20/trunk
In other words, the protocol is svn, the next part is the host name, and the last part is the path from the repository root to the trunk of the project. I hope this helps someone! Graham Glass, etc., August 17, 2006. [Conversation]
Integrating Subversion and RadRails | Technology4Teachers.com: Google Cache
technorati tags:RadRails, Subversion, SVN
Monday, August 21, 2006
Defrag Linux? Surely you jest
After my first run into Linux (3 years ago), I started looking for a defrag tool. I was using a lot of space for video and iso images and I was sure that my drive needed to be defragmented.
Lo and behold, I found article after article insisting that Linux didn't need to be defragmented, that the OS would constantly monitor the drive for fragmentation. Well, I heard that Windows 2000 and Windows XP did that too, and it does work the same.
technorati tags:Defrag
Sunday, August 20, 2006
Mongrel is Terrific
First, I needed motivation to switch - “the why.” And the why is simple: speed. Mongrel and mod_proxy often have far better performance than a FastCGI setup (although this may depend from setup to setup, application to application). As better performance means less overhead, I was on board for learning what this was all about. Mongrel also has other advantages; most importantly, it is easier to debug problems (as discussed in the web-as-pipe essay). As I found out, it has only a marginal learning curve.
Do yourself a favor and use gem to install mongrel, cd to the root of your rails project and run 'mongrel_rails start'. After another strong article and my own experience, Mongrel makes getting Rails projects up really easy and it is faster for the dynamic portions (i.e. the hard stuff). If you combine Mongrel with a proxy layer from Apache, Lighttpd (wait for the next mod_proxy release), or Pound (specific proxy layer) for the static content, you have a solid solution.
First Attempt at Mongrel on Ubuntu
First problem: Need to install make and gcc. 'sudo aptitude install make gcc' is necessary for a gem install of mongrel. It looks like mongrel is compiled from C to assist with speed.
If you don't have make installed, you won't see any errors during the mongrel install until you try running it within a rails project.
/usr/lib/ruby/gems/1.8/gems/mongrel-0.3.13.3/lib/mongrel.rb:666:in `register': undefined method `resolve' for nil:Mongrel::URIClassifier (NoMethodError)
So I installed make and gcc and reinstalled mongrel through 'sudo gem install mongrel'.
Running Regedit with System Rights
In DOS prompt:
at 16:31 /interactive regedt32.exe
This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (yes there is something _more_ powerful than an Administrator in Windows). And automagically - the keys can be violently deleted.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
Friday, August 18, 2006
Using Linux in a Microsoft World
Open Networks - Denver Linux Networking Part 2
I also work for a Microsoft/Dell shop. I am one of 4 network/system administrators managing 530 desktops and around 20 Windows 2003 servers. I have been using Linux (Debian and recently Ubuntu) for about 3 years.
Since I had control over my machine, I installed a second hard drive and attempted to install Linux without touching the Windows drive. It was possible if I had Linux as the primary drive, but Windows doesn't work if it believes it is not on the primary drive. I had to use grub to trick Windows into thinking it was the primary drive. It is much easier to allow Linux to modify the boot sector on the Windows drive because you can always run fixmbr.exe from an old Win98 boot disk to revert.
You can authenticate on a Windows domain without joining the computer to Active Directory.
smbclient //computername/share -U username -W domain    # ftp-like client
smb://username@computername/share    # for Gnome Nautilus; smb.conf needs the domain listed to resolve to the default domain
Kerberos is even better but I never figured out how to get Gnome's Nautilus to work with Kerberos without joining the computer to the domain.
After I got XGL working with Ubuntu Dapper, I went Linux full time for a week. XGL sounds like just fluff, but I found it to be very useful for my dual monitor workstation.
Just note, when I joined my computer to the domain, it showed up in the AD find box as a Domain Controller and in the properties box as a workstation or server. I don't have rights to join a Linux computer as a domain controller, and this field must be a reporting error.
Sunday, August 13, 2006
Windows Updates: Crazy
PatchAholic...The WSUS Blog! : Troubleshooting Error 0x80072efd
Yesterday while I was heading to work I was reading Slashdot Mobile (fantastic WAP site) and noticed the worm concerns. From 9am on Friday until 2am Saturday morning, myself and 2 other network administrators were updating servers and desktop computers.
The servers were straightforward: apply patch and reboot. The desktop computers forced us to pull the trigger on our WSUS strategy early. I had already created a test group and approved all the updates to a small group of 4 users. We were having problems with it, and I knew we were having speed issues. Frantically, I moved our WSUS server from a WMSDE service to a front-end/back-end SQL Server solution.
Today I was able to force an update of the critical patch KB921883 at a set time. As long as the clients checked in to WSUS before that time, I could change our normal behavior of updating at 9am.
I found out that a group of workstations were not updating. From this event log and the link above, I can determine the condition I need to look for: in the "computer's Local Area Network (LAN) settings, the automatically detect settings check box is NOT selected".
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 8/11/2006
Time: 10:01:56 PM
User: N/A
Computer: HFA9304
Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Here is the meat-and-potatoes of what I think our problem is. My first tests with 'proxycfg -p proxyserver:80 wsusfrontend' didn't help, but I think this is the right track. I will next check to see if the winhttppxy service is disabled on these workstations.
OK, I solved it!!!! On our ISA 2000 (Proxy) Server, since we use WPAD for Automatic Detection through DNS and DHCP, I had to go into the Client Configuration > Web Browser settings and turn on the Bypass Proxy for Local Servers under the Direct Access tab. I never thought about this because I didn't actually realize those particular settings are what actually "write" the wpad.dat file that Automatic IE clients get.
And, I found this by finally finding an article that states that WinHTTP clients, which Automatic Updates is if you are not actually manually going out to the Windows Update website, do not use IE settings including the IE exceptions list to access the Windows Update site. So, if you manually open IE and go to the Windows Update site, you are using all IE settings. BUT, if you use any kind of automatic scheduling for Windows Updates, to where you are not manually going out to the website, it uses WinHTTP (which is the proxycfg tool), which either goes directly out there or through the automatically detect settings, or the wpad.dat or proxy script if you are using that.
After figuring that out and doing some narrowing down, I found (as others had said in the past, it just didn't make total sense) that since our client PCs use the Automatically Detect config of the wpad.dat through DNS and/or DHCP, then I needed to focus there. After making some changes, and testing, I have all my client PCs now popping up in there. YES!!!!! Case closed.
I am going to award the points to Netman66 because 1) he tried hard to help me and narrow things down and 2) he taught me something else about GPOs that I didn't quite know, in that you should disable the settings first and not "not configure" them in order to reverse the settings. Thanks for everything.
Windows Server 2003: WSUS - 0x8024401B Error (Proxy Authentication)
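The wpad.dat that the ISA "Bypass Proxy for Local Servers" setting rewrites is a PAC script, and the WinHTTP client behind Automatic Updates follows that script rather than the IE exceptions list. Here, as an added JavaScript example (not code from the post, from ISA or from Microsoft), is a minimal model of the before and after PAC decisions with the PAC helper functions re-implemented so it runs in Node; the host names wsusfrontend, proxyserver and corp.example are constructed placeholders.

```javascript
// Added example: model the wpad.dat (PAC) change described above and
// evaluate it the way a WinHTTP/WPAD client would for a WSUS front end.
// Host names (wsusfrontend, proxyserver, corp.example) are constructed
// placeholders, not values from the post.

// Minimal re-implementations of the PAC helper functions that a PAC engine
// normally provides; Node has none of them built in.
function isPlainHostName(host) {
  return !host.includes(".");
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, shexp) {
  // Translate the shell-style pattern ("10.*") into an anchored regex.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// "Before": every request, including the intranet WSUS front end, is sent
// to the ISA server. Automatic Updates obeys this script, not the IE
// exceptions list, so it never reaches WSUS directly.
function findProxyBefore(url, host) {
  return "PROXY proxyserver:80";
}

// "After": the equivalent of ISA's "Bypass Proxy for Local Servers".
// Unqualified host names, the internal DNS suffix and the internal address
// range go DIRECT; only Internet destinations are proxied.
function findProxyAfter(url, host) {
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      shExpMatch(host, "10.*")) {
    return "DIRECT";
  }
  return "PROXY proxyserver:80";
}

// Evaluate a PAC function for a URL the way a client does: it passes the
// full URL and the bare host name.
function evaluate(pacFn, url) {
  const host = new URL(url).hostname;
  return pacFn(url, host);
}

// Compare the before/after decision for each URL an Automatic Updates
// client actually needs, so the effect of the change is visible per host.
function compareDecisions(urls) {
  return urls.map((url) => ({
    url,
    before: evaluate(findProxyBefore, url),
    after: evaluate(findProxyAfter, url),
  }));
}

// Constructed sample URLs: the intranet WSUS front end (short and fully
// qualified, as a client's WUServer policy might name it) and a public
// Windows Update host that must still go through the proxy.
const SAMPLE_URLS = [
  "http://wsusfrontend/ClientWebService/client.asmx",
  "http://wsusfrontend.corp.example/selfupdate/wuident.cab",
  "http://update.microsoft.com/",
];

for (const r of compareDecisions(SAMPLE_URLS)) {
  console.log(`${r.url}\n  before: ${r.before}\n  after:  ${r.after}`);
}
```

Only the two intranet URLs change decision; the public host is proxied in both versions, which is the behaviour the ISA setting is meant to produce.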
Saturday, August 12, 2006
Cool Links from TWIT
Network Neutrality test. Google could incorporate this into their toolbar.
Ben Kinski dox site. Computer World article.
Thursday, August 10, 2006
Rails back on my mind
Rails is very much on my mind after hearing about the huge hole in the application. If you made the right call, you could wipe out data. I can't help but be disappointed that rails didn't have a security process before such a big problem.
Rails 1.1.6, backports, and full disclosure
Riding Rails: Rails 1.1.6, backports, and full disclosure
Read this fantastic comment by planetmcd. I wish I could just link to it on a blog. I've taken liberty on formatting it, but all wording is from this commenter.
# planetmcd on 10 Aug 18:46:
DHH et al., First, I hope you get some much deserved rest today. Thanks for the hard work and the disclosure. Let me layout what I believe to be the source of frustration for many posters over the last day.
With a security breach there are 3 discrete tasks.
1) plug the hole,
2) assess the damage if there has actually been a breach,
3) take steps to correct the damage.
As a framework developer, all you can do is work on Step 1. And assuming things are smoothed out, your job is done and in quick fashion to boot.
For the people using your framework, steps 2 and 3 are equally if not more important to be handled in a timely fashion. Think compromised bank accounts or credit cards. The sooner clients know about this, the sooner they can protect themselves, and the sooner they will get over their anger.
By issuing a dire warning and then not revealing the problem, developers had no way to judge whether they should shut down their app, do nothing, put in place other security measures. And they had no means to judge whether the fix actually worked or not.
I do sympathize that hiding the attack vector to reduce detection by lower-level crackers, while you and the team feverishly worked on a solution, might have been the most logical approach from the framework standpoint, but it was a tough position for some members of the community. And while you’ve primarily created a framework, you’ve also created a community.
Let me also say that I also regret that many who disagreed with your decision expressed that disagreement in an immature fashion. How people state a point can diminish the validity of that point, and I hope that is not the case here. Some posters on both sides should really take some time and think about what they say before they hit send. This isn’t a black and white issue and treating it as such reflects poorly on the posters and the community.
Thanks for your effort (in this case and in general), handling the situation with aplomb, and taking proactive measures for future security issues.
Riding Rails: Rails 1.1.6, backports, and full disclosure
My only addition to planetmcd is a possible solution. The biggest concern with disclosing the vulnerability was that big sites that have used rails (odeo, second life's map, off the top of my head) needed to have that full disclosure. Actually any Internet-facing website needs this information, but as soon as the public knows about it, then anybody can type the right url into a browser and delete parts of databases.
Stream of consciousness, such as it is
I believe the only solution for this type of disclosure is through a fee-based support model. I can't think of any other way to let the good people know and keep the bad people from knowing. If DHH offered a security support model that companies could pay for quicker, more direct information, then you could mitigate some of the risk of full disclosure.
Of course, it would only take one person to bring that information to the press, or the bad guys could even subscribe to the security support contract.
Create a security support contract that costs $300 to get "trusted" by the core development team. In the contract, you could bind users to huge fines for disclosure, which would prevent users from going to the press publicly. Then you only have the untrustable good guys and bad guys.
Maybe there is no easy way. Previously, I had thought that all the money transactions could be replaced by trusted GPG keys, but I'm not sure. If only there were a way to encrypt a message that would show who opened the message. Naw, you could always circumvent the process by cutting the decrypted information out of the message. Unless there was always a block that would decrypt with the other parts of the message that could identify who had decrypted the message.
=====GPG Decrypted Message====
ajdflkj029384oiuweu0293480980 This is a short asymmetrically encrypted hash
Here is the decrypted text.
)@#(LKJFDLSJF#@IOUKJFSLDFJO#WIE
=====end of Message===========
The blocks (hashes) could always be different depending on whose public key opened the message. Really what you would have here is a signed message encrypted within a signed message. The block could originally be something that only the sender can create. When a user strips off the encryption with their key, the block doesn't get decrypted because it was never encrypted to that user's key. In effect, the block gets changed in a way only the recipient could have changed it. I don't know if there is any way that you could use the recipient's public key to determine who decrypted it. Maybe if the sender used the key with which they encrypted the block, they would get something that you could compare to other public keys.
I think this could almost work, and if you required recipients to send a copy of the decrypted text as an acknowledgment request (not that you can force anybody to do anything, but if you don't receive their acknowledgment then you could talk to them).
It's more like a signature within a signature.
RIS 2003 Documentation
http://web.mit.edu/ist/topics/windows/server/winmitedu/whatsRIS.htm
http://bink.nu/Forums/ShowPost.aspx?PostID=1684
I really felt I had to copy the text from un4given1. I didn't like the format on the webpage and I was concerned that the information may be lost. I don't have a way to contact un4given1 but I give this person full credit for this post.
I have been working with RIS for almost 2 years now and I consider myself somewhat of a seasoned pro, so I would be more than happy to help anyone who has questions. I figured I would get this section off to a good start, so kick back and relax and get ready for a really long thread.
I will start with a page that I am working on...
-----------------------------------------------------
Introduction to RIS
There are many ways to deploy Operating Systems. Manual CD installs, image-based installations, network unattended installs and CD unattended installs are amongst a few of them, each offering positives and negatives for their use. One other option is Remote Installation Services, or RIS for short.
Let's first talk about Manual CD installation. It is obvious why this installation method is the least preferred. Such an installation requires constant user interaction. This is valuable time wasted, especially when you have a need for a large volume of PCs.
Image-based installations offer a good amount of positives. With image-based installations such as Ghost or DriveImage you can build a PC and configure it with all of your software. You then create the image and burn it to disk. The negatives of this would be that you would have to recreate an image and re-burn it to disk each time you needed to make a change. There is also a good amount of administration that needs to be done with image-based installations, such as using a utility to change the SID and computer name. One other negative point is that an image may only work with one hardware configuration.
Some imaging software does give you options to run “mini-setup” programs, but since I am not all too familiar with image-based installations I cannot comment on such programs. CD unattended installations give you all of the options that a manual CD installation offers but allow you to create an answer file which holds the answers to all of the questions the setup wizards ask. You can automate the installation of software through using a cmdlines.txt file and the GuiRunOnce options in the answer file, but you are limited to the size of a CD minus how much Windows takes up. A negative point would be that, as with image-based installations, you have to recreate a CD each time you want to add or remove an item.
Network installations offer the same positives and negatives as CD unattended installations with the exception of size limitations and the need to burn the information to a CD.
Remote Installation Services allows you to do everything that all of the other methods offer and much more. RIS allows you to install an operating system without any interaction and install programs through the use of the same methods as a CD or network based unattended installation. RIS also allows you to add a computer to a domain without having to save your password information into the answer file. RIS can be updated without recreating the image. There really aren’t any disadvantages to using RIS.
Remote Installation Services can be used many ways. You can create images using RIPrep, which in my opinion is an unpreferred method since it must be recreated each time you make a change. You can use a base image and through cmdlines.txt, GuiRunOnce, and batch scripting you can accomplish almost anything. This is the method that I will focus on.
Prerequisites for Remote Installation Services
Remote Installation Services is only available on Windows 2000 Server and Windows 2003 Server. It cannot be installed on the same drive or partition that Windows is installed on. The drive must be formatted with the NTFS file system and must have enough space to hold at least one full image of Windows 2000 or Windows XP. I recommend that you have at least 3 gigabytes; this way you accommodate for a working image, a test image and space for any software you may want to include.
Remote Installation Services also requires other available services. These services can be run locally on the RIS server or as part of your network domain. These services include Active Directory, DHCP (Dynamic Host Configuration Protocol), and DNS (Domain Name Service).
Installing Remote Installation Services
Before you will be able to use RIS you will need to install the necessary components. The following instructions will show you how to install Remote Installation Services.
1. Log into the Windows 2000/2003 Server you would like to use for your Remote Installation Services as an administrator.
2. For Windows Server 2000: click Start, Settings, and Control Panel.
For Windows Server 2003: click Start, Control Panel, Add/Remove Programs then skip to step 4.
3. Double-click on Add/Remove Programs.
4. Double-click on Add/Remove Windows Components.
5. Select Remote Installation Services and click Next.
6. Insert your Windows Server 2000 or 2003 CD into your CD drive.
7. Click Finish to exit the Windows Components wizard.
8. When you are prompted to restart your server click Yes.
Configuring Remote Installation Services
The steps you followed minutes ago installed the necessary service, but without an image and other changes you will be unable to use RIS. So, here we go.
1. Click Start, Run, enter RISetup.exe and click Open.
2. You will be prompted with the Remote Installation Services Setup Wizard dialogue box. Click Next to continue.
3. You will be prompted for the drive and directory where you would like RIS to install its files. Enter the drive and directory you would like to use, keeping in mind that you may not use the system drive, and click Next.
4. In the next dialogue box you will be prompted with the options of Respond to clients requesting service and Do not respond to unknown client computers. My recommendation is to choose the first option. You can control who is allowed to use the services through permissions and delegated control. If you choose the second option a PC must be pre-staged within Active Directory in order to connect to the RIS server. Pre-staging PCs requires you to enter a GUID from each PC into Active Directory and give it a computer name. Unless you are running another network based PXE (Pre-eXecution boot Environment) you should have no need to use the second option. Make your selection and click Next.
5. You will be prompted for the location of your Windows 2000 or Windows XP installation files. Contrary to information on Microsoft’s site stating that RIS works only with Windows 2000, it also works with Windows XP, and now in Windows Server 2003 support for Server operating systems has been included. Insert your Windows 2000 or Windows XP CD into the drive. Enter the location of the CD and click Next.
IMPORTANT: Please be aware of licensing when creating an image. An image should be created with an enterprise edition of Windows 2000 or XP. A retail or OEM installation disk may work with other retail or OEM installation license keys, but you should be careful not to include the license key in the answer file. Unfortunately this will require a manual step, but it is always necessary to maintain license compliance with Microsoft. I cannot be held responsible for abuse of the aforementioned choices.
6. You will now be prompted to enter the name of the directory in which you will want to save these installation files. You can name the directory anything you wish, but you should not use spaces. I recommend, as it is recommended by Microsoft as well, that you name the directory in a method such as “win2000.pro”, or you can take it one step further and use names such as “w2k.sp4.production” or “wxp.sp1.test”. Depending on how many images you create you will find that it’s important to have a good naming scheme for the images. Enter the name of the directory you wish to use and click Next.
7. You will be prompted to enter a description of the image you are creating. This description will be shown during the RIS setup screens on the client PC when the image is highlighted. Be as vague or as detailed as you would like. Click Next to continue.
8. You will be prompted now with a dialogue box showing all of the choices you made. Click Finish to accept these options and continue.
9. You will have to wait while RIS completes its tasks and creates the image by copying the complete contents of the CD to its drive. This can take awhile. When it is finished click Done.
Authorizing Remote Installation Services in Active Directory
Well, you probably thought you were just about done. You were wrong. Before you can use the images you just created you have to authorize RIS in Active Directory. The following changes must be made as a domain administrator of the root domain that the RIS server will be servicing. They can be made from the DHCP server or using the snap-ins on any other server, or available by installing the administrator tool package located on your Windows 2000 or Windows XP CD as “adminpak.msi”. It is not necessary to complete these next steps if your DHCP server is also your RIS server.
1. Click Start, Programs, Administrative Tools and then DHCP.
2. Right click on DHCP in the top left of the window.
3. Select Manage Authorized Servers.
4. Click Authorize.
5. Enter the DNS or IP address of your RIS server and click OK.
6. Click Yes to verify that the DNS or IP address you entered is correct.
The changes you have just now made enable RIS to respond to client PCs that request its service.
User Permissions in Active Directory
In order for users to use RIS to install an operating system they must have the rights necessary to use RIS. These rights would include the ability to join a computer to the domain. If you will not be joining the PC to your domain you may skip the following steps.
1. Click Start, Programs, Administrative Tools and then Active Directory Users and Computers.
2. Right click on the domain name at the top left and select Delegate Control.
3. The Delegation of Control Wizard will begin. Click Next to continue.
4. Click Add.
5. Enter the name or group name you wish to delegate control to and click OK.
6. Click Next.
7. Select the radio box Delegate the following common tasks and then select Join a computer to the domain.
8. Click Next.
9. Click Finish to exit the wizard.
At this point you are now able to use RIS. The image you created earlier will be the only image available at this time, and until you have edited the answer file it will act in the same manner as a CD install.
--------------------------------------------
Now... that is just the setup of a RIS server... I could tell you how to use it but I think it's more important to configure it first, so I will take some time to show you my method for that...
--------------------------------------------
First I start by creating an $OEM$ directory in the image directory, adjacent to the i386 directory. In this I create three directories, $1, $$, and SOFTWARE. Within the $1 directory I create a directory called FILES. Within that directory I create a directory for hotfixes, with the 4 types of hotfixes each having a directory (1,2,3,4). I will explain the different types a little later. Then I throw in directories for programs I want to install during the build, such as acrobat reader and shockwave/flash player. Throw anything into the $$ directory that you want to include in your %windir% and you can even create sub directories. I then create a SOFTWARE directory to which any software that is installed during cmdlines.txt is copied. So the directory structure will look a bit like this..
i386
$OEM$
-$1
--files
---hotfixes
----1
----2
----3
----4
---acroread
---swfp
-$$
-SOFTWARE
Now, you ask, "What do I do now?"
Well, all of those directories are useless without the files necessary so here we go..
In the $OEM$ directory you want to create a file called CMDLINES.TXT. The format of the file will be
something like this...
------------
[commands]
".\software\ieak\ie6setup.exe /q:a /r:n"
------------
That would install your Internet Explorer Administration Kit package at the 13 minute mark of GUI-mode setup
for Windows XP. You can add any other commands that you would like.
For the example above you would need to copy the IEAK files to the IEAK directory under the SOFTWARE directory.
The $1 directory will be the root of the C drive (RIS does not allow you to do much with formatting and partitioning). In this directory you want to create a command script file that you will launch from the [GuiRunOnce] section in the SIF file. So, let's assume that you want to install Service Pack 1 when the system starts for the first time. You would copy the SP1 file to the $OEM$\$1\files\SP1 directory. You would then create a CMD file to launch this... like this...
-----------
@echo off
echo Installing Service Pack 1
rem Quote only the path; with the switches inside the quotes cmd takes the whole string as the program name
start "" /wait "c:\files\SP1\wxpsp1a.exe" -u -z -q
echo - Completed
shutdown -r -t 10 -f -c "The system is restarting"
-----------
But what I usually do in this case is add an item that will write to the RunOnce regkey for when the PC restarts again, so that I can kick off hotfixes... You can do that by adding this item before the shutdown command...
-----------
rem /f overwrites silently if the value already exists, so an unattended run never stops at a prompt
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v hotfixes /t REG_SZ /d "c:\files\hotfixes.cmd" /f
-----------
What is HOTFIXES.CMD, you ask? It's a script to run all of your current hotfixes... and here it is...
-----------
@echo off
TITLE Hotfix Installation Script - by Donald Freeman
rem Paths follow the $OEM$\$1\files\hotfixes\1..4 layout above, which lands at c:\files\hotfixes on the built PC
set HF=c:\files\hotfixes
rem Start from a clean generated script; the >> lines below would otherwise append to a leftover copy
if exist %HF%\hotfixinst.cmd del %HF%\hotfixinst.cmd
echo Collecting list of current hotfixes...
echo @echo off>>%HF%\hotfixinst.cmd
echo echo Please wait while current hotfixes are being installed. This may take awhile!!!>>%HF%\hotfixinst.cmd
rem "delims=" keeps file names that contain spaces in one piece
for /f "delims=" %%i IN ('dir %HF%\1 /b') Do @echo start "" /wait "%HF%\1\%%i" /passive /norestart>>%HF%\hotfixinst.cmd
for /f "delims=" %%i IN ('dir %HF%\2 /b') Do @echo start "" /wait "%HF%\2\%%i" /q /r:n>>%HF%\hotfixinst.cmd
for /f "delims=" %%i IN ('dir %HF%\3 /b') Do @echo start "" /wait "%HF%\3\%%i" -u -n -z>>%HF%\hotfixinst.cmd
for /f "delims=" %%i IN ('dir %HF%\4 /b') Do @echo start "" /wait "%HF%\4\%%i" /C:"dahotfix.exe /q /n" /q>>%HF%\hotfixinst.cmd
echo echo - Completed>>%HF%\hotfixinst.cmd
echo - Completed
echo.
CALL %HF%\hotfixinst.cmd
shutdown.exe -r -t 15 -f -c "PC must reboot to make changes. This is part of the unattended installation. Please do not disturb."
:end
------------
Now, for the explanation of the different hotfix types...
Type 1 is only used by the new XP rollup package. Its unattended switches are "/passive /norestart". This will allow you to view the install progress and it will be unattended.
Type 2 is used by many packages and uses the switches "/q /r:n". This will also allow you to view its progress and allow for an unattended install.
Type 3 is used by many packages as well and uses the switches "-u -n -z". This will allow for all of the same as the above two.
Type 4 is used by packages such as MDAC and others and uses the switches /C:"dahotfix.exe /q /n" /q. Same as the above...
Place each hotfix in the directory for its type (you can determine a hotfix's switches by typing hotfix_name /? in a command window, where hotfix_name is the name of the hotfix). You will learn to know the difference after you have done it a couple of times.
The above will make your PC reboot once again. You can continue to write items to the RunOnce key and reboot the PC as many times as you would like (my build has 4 reboots, but that's just me...)
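The four-type dispatch above, as an added example that is not the post's own script: it assumes the $OEM$\$1\files\hotfixes\1..4 layout from earlier (so c:\files\hotfixes on the built PC) and uses the same switches per type, but it runs each installer from a subroutine instead of generating a second .cmd, only picks up *.exe files, and writes every installer's exit code to c:\files\hotfixes.log (a path chosen here) so a failed or rejected hotfix is visible after the build instead of being silently skipped.

```batch
@echo off
setlocal
rem Added example, not the original post's script. Assumes the $OEM$\$1\files\hotfixes\1..4 layout
rem described above, so the four type directories land at c:\files\hotfixes\1 .. 4 on the built PC.
rem The log path below is an assumption; pick whatever fits your build.
set "HF=c:\files\hotfixes"
set "LOG=c:\files\hotfixes.log"
>>"%LOG%" echo ===== Hotfix run started %date% %time% =====
rem Type number followed by the unattended switches for that installer family, as listed in the post
call :runtype 1 /passive /norestart
call :runtype 2 /q /r:n
call :runtype 3 -u -n -z
call :runtype 4 /C:"dahotfix.exe /q /n" /q
>>"%LOG%" echo ===== Hotfix run finished %date% %time% =====
shutdown.exe -r -t 15 -f -c "PC must reboot to make changes. This is part of the unattended installation. Please do not disturb."
goto :eof

:runtype
rem %1 is the type directory number; after the shift %1..%4 are that type's switches
set "TYPEDIR=%HF%\%1"
shift
set "SW=%1 %2 %3 %4"
if not exist "%TYPEDIR%\" (
    >>"%LOG%" echo No directory %TYPEDIR%, skipping
    goto :eof
)
rem "delims=" keeps names with spaces whole; /on gives a predictable alphabetical order; only *.exe is run
for /f "delims=" %%f in ('dir "%TYPEDIR%\*.exe" /b /on 2^>nul') do call :runone "%TYPEDIR%\%%f" %SW%
goto :eof

:runone
rem %1 is the quoted installer path, the rest are its switches
echo Installing %~nx1 ...
start "" /wait %1 %2 %3 %4 %5
rem Redirection goes first so a trailing digit in the exit code is not read as a file handle
>>"%LOG%" echo %~nx1 exit code %ERRORLEVEL%
goto :eof
```

After the build, the log gives you one line per hotfix with its exit code, which is the quickest way to confirm that every package in the four directories actually installed rather than trusting that the reboot happened.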
OK now... what about the programs such as Acrobat Reader and Flash player? Well, I drop the EXEs into their corresponding directories and create a CMD file in the $OEM$\$1\files\ directory that includes the unattended switches for that file... such as this...
----------
@echo off
echo Installing Acrobat Reader 5.1...
start "" /wait c:\files\acroread\setup.exe
rem /f overwrites silently if the value already exists, so the script never waits on a prompt
reg add "HKLM\Software\Adobe\Acrobat Reader\5.0\AdobeViewer" /v EULA /t REG_DWORD /d 00000001 /f
echo - Completed
echo.
----------
The "reg add" key accepts the license agreement.
Well, in order for you to install this you have to call it at some point, right? You can decide the point and just call the following file, which will scan the directory for files in it and launch each of them in alphabetical order (I usually put numbers at the beginning of the file names to control the order). If your hotfixes file is part of this directory it will call it too, and you can do away with the call script I spoke of earlier and use this script instead.
----------
rem Delete any leftover list first; "delims=" keeps names with spaces whole and /on makes the order alphabetical
if exist c:\RISinstalls.cmd del c:\RISinstalls.cmd
for /f "delims=" %%g IN ('dir c:\files\*.cmd /b /on') Do @echo CALL "c:\files\%%g">>c:\RISinstalls.cmd
CALL c:\RISinstalls.cmd
----------
This will gather the names of the files in the c:\files directory and launch each.
Ok, so it's always a good idea to clean all of the files off when you are done, so you would need to add a script to delete any temporary files and directories you have. That's easily accomplished using the RD /q /s command.
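The cleanup step described above, as an added example rather than the post's own script: it removes the c:\files staging tree and c:\RISinstalls.cmd used earlier and the RunOnce value written during the build. The point it adds is the guard before the rd: an empty or mistyped variable in "rd /s /q" would otherwise happily wipe the drive root, so the value is checked before it is used.

```batch
@echo off
setlocal
rem Added example, not from the original post. Cleans up the staging files the build scripts leave
rem on the finished PC. STAGE is the c:\files tree from the $OEM$\$1\files layout above.
set "STAGE=c:\files"
rem Never let rd /s /q run on an empty value or on a drive root
if "%STAGE%"=="" goto :eof
if /i "%STAGE%"=="c:\" goto :eof
if /i "%STAGE%"=="c:" goto :eof
if exist "%STAGE%\" (
    echo Removing %STAGE% ...
    rd /s /q "%STAGE%"
)
if exist c:\RISinstalls.cmd del /q c:\RISinstalls.cmd
rem Windows clears RunOnce before running it, but if the build was stopped between reboots
rem the entry may still be queued and would point at a file that no longer exists
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v hotfixes /f >nul 2>&1
echo - Cleanup completed
endlocal
```

Give this file the highest number in c:\files so the RISinstalls.cmd launcher runs it last; it removes the directory it lives in, which is fine because cmd has already read the script into memory by then, but nothing placed after it in that directory will run.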
OK.. I know that this is spotty and some things may be missing, but it is getting late so I am going to conclude this addition. Please let me know if you have any questions, comments or suggestions!
Later!