Trend Micro 3.5 ActiveUpdate Server setting

From the SBS2K group at http://tech.groups.yahoo.com/group/sbs2k/

Hello,
> What they don’t know is that I turned the server off for a
> day, and that one desktop is still being updated.
The Clients will update, automatically, from the Internet if they cannot communicate directly with the CSM SMB server. We have changed this to be the default behavior in 3.5. You can check this here:
Security Settings | Select a Group | Configure | Client Privileges | Update Settings
[x] Download from the Trend Micro ActiveUpdate Server
It is now enabled by default in 3.5 and above.
> because he understands that it should be able to run on
> the Windows XP Pro system.
Prior to GM release we ran a final check called FCSE, First Customer Ship Experience, and I personally did the following on Windows XP Professional and had no issues.
2.0 upgrade to 3.5
3.0 SP1 upgrade to 3.5
3.5 New installation
Let me check with Support on this issue.
Regards,
William Kam
Product Management
Trend Micro, Ltd.
https://SMB-PORTAL.TRENDMICRO.COM (External User Group Portal)

Although I am running version 3.5 on the company server, I did not think my laptop was updating until I connected with the local network via vpn. When I checked my configuration I found that the setting to allow the client to update from the ActiveUpdate server was not enabled. It is now enabled since I prefer to have my laptop up to date.

My experience with Trend Micro has been mixed. I run Client Server Messaging Security for SMB version 3.5 on our company server. I generally have had good experiences with the client. Major client updates can get a little hairy. My experience is that all of the anti-virus vendors are okay but the other vendors are a little more intrusive. The most serious problems I faced occurred with the server interface under version 3.0. Several SBS consultants said they were staying with 2.0 until the interface situation improved. SP1 improved the situation somewhat. I found the interface to be quirky but workable since clients do not access it and I did not need to use it very often. I upgraded to version 3.5 from 3.0 SP1. It took a long time to upgrade but it worked without a problem. The server interface has improved. It is stable and a joy to use.


E-Bitz – SBS MVP the Official Blog of the SBS "Diva" : Getting an "Event ID 5" error on "DefaultAppPool"?


Getting an “Event ID 5” error on “DefaultAppPool”?

Event Type: Error
Event Source: Active Server Pages
Event Category: None
Event ID: 5
Date:  14/05/2004
Time:  4:32:55 AM
User:  N/A
Computer: 001DC001
Description:
Error: The Template Persistent Cache initialization failed for Application Pool ‘DefaultAppPool’ because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes..

Try these fixes:

A. Add the NT AUTHORITY\NETWORK SERVICE account to
C:\WINDOWS\Help\iisHelp\common with “Read and Execute,” “List Folder Contents” and “Read”.

B. Add the NT AUTHORITY\NETWORK SERVICE account to
C:\WINDOWS\system32\inetsrv\ASP Compiled Templates with Full Control.

C. Add the NT AUTHORITY\NETWORK SERVICE account to C:\WINDOWS\IIS Temporary Compressed Files with Full Control.

Thanks David S. for the suggestion! 🙂

Source: E-Bitz – SBS MVP the Official Blog of the SBS “Diva” : Getting an “Event ID 5” error on “DefaultAppPool”?

Event 5 is more of an annoyance than an error so I implemented this today. I do not know how long I have had this “error” but the only symptom is this error message. I restarted IIS and I did not get the error message. My final test will be when I reboot.
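As an added example (it is not code from the E-Bitz post, from David S., or from this blog), the following PowerShell applies fixes A to C with Get-Acl/Set-Acl and then verifies that the expected access control entry is present on each folder. It assumes an elevated session on the IIS server, uses $env:windir in place of the literal C:\WINDOWS, and takes the folder paths and rights from the list above; the function names Grant-NetworkServiceRights and Test-NetworkServiceRights are mine.

```powershell
# Added example, not the original post's code. Grants NT AUTHORITY\NETWORK SERVICE the
# rights from fixes A-C and verifies the ACEs. Assumes an elevated session; paths use
# $env:windir instead of the literal C:\WINDOWS.
$networkService = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'NETWORK SERVICE')

# Fix A keeps NETWORK SERVICE read-only; B and C need write access because ASP creates
# its template cache and compressed files there (that is what Event ID 5 complains about).
$fixes = @(
    @{ Path = "$env:windir\Help\iisHelp\common";                    Rights = 'ReadAndExecute, ListDirectory, Read' },
    @{ Path = "$env:windir\system32\inetsrv\ASP Compiled Templates"; Rights = 'FullControl' },
    @{ Path = "$env:windir\IIS Temporary Compressed Files";          Rights = 'FullControl' }
)

function Test-NetworkServiceRights {
    param([string]$Path, [string]$Rights)
    # True when an Allow ACE for NETWORK SERVICE covers every bit in $Rights
    $needed = [System.Security.AccessControl.FileSystemRights]$Rights
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $needed) -eq $needed)) {
            return $true
        }
    }
    return $false
}

function Grant-NetworkServiceRights {
    param([string]$Path, [string]$Rights)
    if (-not (Test-Path -Path $Path)) {
        # ASP creates these folders on demand; create it so the ACE has somewhere to live
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    if (Test-NetworkServiceRights -Path $Path -Rights $Rights) { return }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($networkService, [System.Security.AccessControl.FileSystemRights]$Rights, $inherit, $propagate, 'Allow')
    # AddAccessRule only adds one ACE; existing and inherited entries are left untouched
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($fix in $fixes) {
    Grant-NetworkServiceRights -Path $fix.Path -Rights $fix.Rights
    $ok = Test-NetworkServiceRights -Path $fix.Path -Rights $fix.Rights
    '{0,-5} {1}  ({2})' -f $ok, $fix.Path, $fix.Rights
}
```

The script adds an ACE rather than replacing the folder's ACL, so nothing already granted to other accounts is lost, and fix A deliberately stops at read and list rights: only the two cache folders in B and C need Full Control, because those are the ones the worker process writes to.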

Cleaning up ISA routes

ISA Server detected routes through adapter WAN that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 172.16.255.255-172.16.255.255;.

While I was fixing problems I decided to clean up this configuration error. I have a DMZ that uses IP addresses, 172.16.0.0 through 172.16.0.255. Evidently ISA needs 172.16.255.255 so it inserts a route on the WAN adapter for it and then complains about the route being in the wrong place. I added this single address to the DMZ network and this configuration error went away.

Microsoft ISA 2004 crashes and burns

Yesterday was a miserable day. We lost power for eight hours due to an ice storm and I spent most of the day taking care of business in the barn since our employees were not going to make it in. When I finally got some time to look at my server, it was complaining that it was running low on disk space on the OS partition and that an external drive on which I was storing volume snaps had been forced down. Microsoft had just let loose gobs of patches. So late in the day I decided to clean up the server.

  1. I deleted the tmp files that had caused the disk space problem.
  2. I deleted the old apps I have been meaning to remove but hadn’t got around to it.
  3. I applied the patches and rebooted.

Then the fun began. The Firewall service crashed with the following message.

Event Type: Error
Event Source: Microsoft ISA Server 2004
Event Category: None
Event ID: 1000
Date: 2/15/2007
Time: 11:03:56 AM
User: N/A
Computer: myserver
Description: Faulting application wspsrv.exe, version 4.0.2165.610, stamp 442d48f1, faulting module w3filter.dll, version 4.0.2165.610, stamp 442d48dd, debug? 0, fault address 0x00094cff.

This did not seem too serious until I realized that my workstation could no longer see the server. My search of the internet came up with nothing so I removed the most recent patches and rebooted. It still failed. The server’s browser could not get to local https sites and the LAN card was showing no incoming traffic. This was getting pretty ugly.

The symptoms on my workstation were ugly, too. All of the programs (e.g. TrendMicro and Firewall client) that regularly communicate with the server were not communicating with the server. When I ran ipconfig, it showed that DHCP was not working. The LAN card status showed that there were no incoming packets. Fortunately I can let this server be down for awhile, so I went to bed.

Today I searched the internet for some more clues. I found a reference for a similar problem that pointed me in the direction of the ISA cache and it recommended disabling BITS on the ISA Cache rules. That didn’t work. Since I was out of ideas I decided to disable the cache. I started the firewall service and it worked. Just for kicks I enabled the cache and started the firewall service again. It worked! It must have been something in the cache.

Outlook by the sound : RPC server is unavailable since SP1


I finally called Tech Support and we found out that there is a hotfix out related to RPC Issues in ISA 2004; also there is an “SBS Protected Networks Access Rule”. Right-click it, choose “Configure RPC protocol” and uncheck the “Enforce strict RPC compliance”. This will allow DCOM to pass.

Source: Outlook by the sound : RPC server is unavailable since SP1

Okay this should not be that difficult but I found a way to screw it up. I started to suffer these problems when I installed SP1 for SBS Premium in 2005(?). The most prominent symptom of this problem is that you suffer Autoenrollment errors on the client and 537 login audit failures on the server. The 537 errors are kerberos errors but they are particularly ambiguous. This was an annoying problem in my case but surprisingly everything still works. From a different source than the one listed above, I unchecked the “Enforce strict RPC compliance” box. The problem is that there are two boxes, one in the System Policy and another on the “SBS Protected Networks Access Rule”. I unchecked the box in the System Policy and it did not fix my problem. So I spent a lot of hours after installing SP1 trying to figure out why I was still getting errors. Over the last two days I have been rebuilding my desktop computer so I made another attempt to clear up this problem. Lo and behold, I found this in one of my searches. Unchecking the box on “SBS Protected Networks Access Rule” appears to have fixed the Autoenrollment errors and 10009 DCOM errors on the client. It also fixes the 537 audit failures on the server.

Workaround Discovered For Clean Install With Vista Upgrade DVDs

Microsoft internal documentation reveals workaround for Vista Upgrade DVDs with no need for a previous version of Windows

Link to Workaround Discovered For Clean Install With Vista Upgrade DVDs

Original article can be found at Workaround Discovered For “Clean Install” With Vista Upgrade DVDs at Dailytech.com. Clean installs are a useful fix for a variety of difficult to solve problems but I find it very curious that Microsoft does not require the original disk.

The Outlook "Move" tool for DST has been released

Download details: Microsoft Office Outlook Tool: Time Zone Data Update Tool for Microsoft Office Outlook:
http://www.microsoft.com/downloads/details.aspx?familyid=e343a233-b9c8-4652-9dd8-ae0f1af62568&displaylang=en&tm

To install this download:

  1. Before running this tool, make sure that you have installed the Windows patch that contains the most up-to-date time zone definitions or you are running Windows Vista with the most up-to-date time zone definitions.
  2. Download the file by clicking the Download button (above) and saving the file to your hard disk.
  3. Double-click the tzmove.exe program file on your hard disk to start the Setup program.
  4. Follow the instructions on the screen to complete the installation.

Instructions for use:
After you are done installing the tool, it will automatically launch for you.

  1. Verify your default Data File is selected and Update to reflect changes to Windows time zones is selected, and continue through the rest of the tool.
  2. If you need to run the tool again, then launch tzmove.exe (located in the \Program Files\Microsoft Office\Office12\Office Outlook Time Zone Data Update Tool\ folder.)

Note that if you have created non-recurring appointments on your Calendar since you updated your Windows time zones, you should click the Details button once the tool has reported that its scan is complete and uncheck any such appointments before continuing. Additionally, after running the tool, make sure to go to your calendar and review your calendar items to ensure that they appear at the correct times.

This is the standalone mailbox tool…and I’m not sure I understand what it’s doing?

Timezone screen image


Link to The Outlook “Move” tool for DST has been released

"Synctoy is unable to determine if other instances of SyncToy are running, possibly because perfmon counters are turned off for some components. Is this the only instance of SyncToy currently running?"


Stuffa,

Enabling that perf counter for the PerfProc.Dll addresses this issue and enables SyncToy to run.

We will take a look at alternative means of determining whether SyncToy is already running for possible inclusion in a future release.

For those interested, the registry entry for PerfProc is:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance

As you might expect, the Disable Performance Counters REG_DWORD = 0 for not disabled and = 1 for disabled.

I hope this helps.

george

Source: SyncToy not running – throws System.InvalidOperationException-Usenet Gateway

Reading a blog about a similar problem I decided to finally see if I could finally find an answer to an annoyance I have with Synctoy. Other than this annoyance I really like Synctoy. I changed the Disable Performance Counters to 0 in the CurrentControlSet rather than the ControlSet001 and it fixed my problem. From what others have written about this problem, this is the typical solution recommended but it did not work for some people.
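The point about CurrentControlSet versus ControlSet001 is worth making visible, so here is an added PowerShell example (not from the Usenet post, SyncToy, or this blog). It reads HKLM\SYSTEM\Select\Current to find which ControlSet00N is actually loaded, reports the Disable Performance Counters value under the ControlSet001 path quoted above and under CurrentControlSet, and re-enables the PerfProc counters in the live set. It assumes PowerShell 2.0 or later and an elevated session for the write; the function names and the assumption that SyncToy's check reads the Process counter category (which PerfProc.dll provides) are mine.

```powershell
# Added example, not from the quoted post or from SyncToy. Shows which control set is live,
# reads "Disable Performance Counters" for PerfProc in ControlSet001 and CurrentControlSet,
# and can re-enable the counters. Assumes PowerShell 2.0+ and an elevated session.
$valueName = 'Disable Performance Counters'

function Get-PerfProcCounterState {
    # CurrentControlSet is a link to ControlSet00N, where N is HKLM\SYSTEM\Select\Current.
    # Editing ControlSet001 only helps when that happens to be the current set.
    $current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
    $liveSet = 'ControlSet{0:D3}' -f $current
    $sets = @('ControlSet001', $liveSet, 'CurrentControlSet') | Select-Object -Unique
    foreach ($set in $sets) {
        $key = "HKLM:\SYSTEM\$set\Services\PerfProc\Performance"
        $value = $null
        if (Test-Path -Path $key) {
            # $null when the value is absent, which means the counters are not disabled
            $value = (Get-ItemProperty -Path $key).$valueName
        }
        New-Object PSObject -Property @{
            ControlSet = $set
            IsLive     = ($set -eq 'CurrentControlSet' -or $set -eq $liveSet)
            Disabled   = ($value -eq 1)
            RawValue   = $value
        }
    }
}

function Enable-PerfProcCounters {
    # Write to CurrentControlSet so the change lands in the set that is actually loaded.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PerfProc\Performance'
    Set-ItemProperty -Path $key -Name $valueName -Value 0 -Type DWord
}

function Test-ProcessCounters {
    # The "Process" category is served by PerfProc.dll. This is my assumption about the
    # kind of lookup that fails for SyncToy while the provider is disabled.
    [System.Diagnostics.PerformanceCounterCategory]::Exists('Process')
}

Get-PerfProcCounterState | Format-Table ControlSet, IsLive, Disabled, RawValue -AutoSize
if (-not (Test-ProcessCounters)) {
    Enable-PerfProcCounters
    'Process counters available after re-enable: ' + (Test-ProcessCounters)
}
```

The table explains the mixed results others reported: on a machine whose Select\Current is not 1, a change to ControlSet001 is never read, while a change under CurrentControlSet always reaches the loaded set.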

Windows NT Backup – Restore Utility

This download is a utility that runs on Windows Vista and Windows Server Codename “Longhorn” to restore older backups, made using the “NT Backup” application on Windows XP or Windows Server 2003. NT Backup has been replaced in Windows Vista or Windows Server Codename “Longhorn” with different applications, which are not compatible with the .bkf files that NT Backup created.

Link to Windows NT Backup – Restore Utility

Wow, I did not realize that they changed backup formats and Vista’s backup would not read the XP backup files!

Windows 2003 Terminal Services – What licenses do I need? Examples both with and without SBS 2003.

Last week I gave a licensing seminar before the Northern California Area Quarterly Partner Briefing that ran throughout the morning. In the session we covered many, many aspects of licensing, including “What licenses do you need to use Windows 2003 Terminal Services?” This seems to be an area with several questions, so I thought I would post here about how it really works (and it’s not that bad).

So, if you have a standard Windows 2003 Server network with six (6) PCs connected to it, your network will look like this with the following licenses:

Terminal Services 1(Click to view full size image)

Now what happens if you want to allow two (2) of those PCs to log into the server using Windows 2003 Terminal Services? It’s actually very straight forward… You simply need two (2) Windows 2003 Terminal Services CALs for those two (2) PCs. You can see this represented below:

Terminal Services with 2 CALs(Click to view full size image)

Since you can purchase either User or Device Terminal Services CALs (they are separate items, so purchase the ones you want), the number of Terminal Services CALs you need depends on the total number of Users or Devices (depending on which option you choose to license by) that connect to the server utilizing Terminal Services. These are not concurrent use, so each separate Device or User that utilizes Terminal Services would need their own Terminal Services

Some common questions:

1) Does a Windows 2003 Server include a Windows 2003 Terminal Services CAL?

– Answer: No, they are separate items.

2) Does an SBS 2003 Server CAL include a Windows 2003 Terminal Services CAL?

– Answer: No, they are separate items.

3) Does the Windows Desktop Operating System include a Windows 2003 Terminal Services CAL?

– Answer: No, the Windows Desktop Operating System license does not include a Windows 2003 Terminal Services CAL.

– NOTE: Customers who had Windows XP Professional licenses prior to April 24, 2003 are eligible to receive a free Windows 2003 Terminal Services CAL for that device. Read the “Terminal Server Licensing Changes and Transition Plan” document for details. These customers have until June 30, 2007 to claim these free Windows 2003 Terminal Services CALs.

So what happens if you’re on an SBS 2003 network and bring up a Windows 2003 Server as a member server on the domain to act as your Terminal Server? Now what? Again, it’s not that bad. Let’s take a look…

So here is how your SBS 2003 Server network would look with a Windows 2003 Server member server:

Terminal Services with SBS(Click to view full size image)

Remember, your SBS 2003 CALs provide you rights to access the Windows 2003 Server as a member server on the network from a server perspective, so you would not need to purchase additional Windows Server 2003 CALs for your Users or Devices. Now, if you want to allow two (2) of those Users or Devices to access the Windows 2003 Server using Terminal Services, then you would need to add two (2) Windows 2003 Terminal Services CALs (one per User or Device depending on which licensing model you choose) to enable those Users or Devices to access the server via Terminal Services:

Terminal Services with SBS(Click to view full size image)

So in reality, the only thing that changes from a network licensing perspective with Terminal Services vs. a regular Windows Server 2003 or SBS 2003 Server environment is the need to add a Windows 2003 Terminal Services CAL for each User or Device (depending on which licensing model you choose) that uses Terminal Services to access the server.

See? That isn’t so bad, is it?

One thing to note, the above talks about the network licensing for Terminal Services. Terminal Services in no way changes Microsoft Office licensing. So, if you have additional PCs access the server via Terminal Services to run Office, you still need one license of Microsoft Office for every device that runs Office and Office is NOT licensed concurrently. Because of this, each device that accesses the Terminal Server to run Office needs its own unique Microsoft Office license and it cannot be an OEM Didn’t know that about OEM Office licenses? Be sure to check out Question #9 on “The 30 in 30” to learn more about that.

Thank you and have a wonderful day,

Eric Ligman

Microsoft US Senior Manager

Small Business Community Engagement

This posting is provided “AS IS” with no warranties, and confers no rights

Link to Windows 2003 Terminal Services – What licenses do I need? Examples both with and without SBS 2003.

Security Settings tabs do not respond after installing CSM on Windows2003/SBS 2003 with SP1

Solution Details
The Security Settings tabs do not respond after installing CSM on Windows2003/SBS 2003 with SP1.

I finally found this article. I do not use TrendMicro’s Dashboard very often but it has been a problem for me. Sometimes it would work. Sometimes it would not work. I did not think I had done anything wrong but I was not sure. Since I push the lower limits of the hardware requirements on my server, I did not push the issue with TrendMicro. When I checked my “Web Sites” settings as indicated in this article, they were set to compress application files. So I unchecked the block and clicked OK. Now the Security Settings tab in Dashboard works consistently for me.

The SysInternals tools are now on microsoft.com

The SysInternals tools — including Process Explorer, Regmon, Filemon, and many more — are now available here on microsoft.com. A couple of major highlights include Process Monitor, a new tool that supersedes Regmon and Filemon, and the SysInternals Suite, which combines the whole set of SysInternals tools into a single download package.

In addition, check out Mark’s new TechNet blog, and the SysInternals blog.

URLs:
http://www.microsoft.com/technet/sysinternals/default.mspx
http://blogs.technet.com/MarkRussinovich/
http://blogs.technet.com/sysinternals/

Link to The SysInternals tools are now on microsoft.com

Comment on Office Live Collaboration Site

I am not sure it has much value for SBS customers. I set up a collaboration site and tried to envision our Habitat for Humanity affiliate using it. Although Office Live Collaboration looks like it has the potential to do the job, it would require a lot of customization to get board members to look at it on a regular basis. My first guess is that it would require too much customization work for the perceived benefit. I expected a bit more CRM, project tracking, and accounting features. I guess I was expecting something that looked like an integrated Salesforce.com and QuickBook Online application. Right now it looks too much like a standard Sharepoint site.

As the Treasurer for the last couple of years I have been keenly interested in making our affiliate make better operational and strategic decisions. Charities are competing for the same funds and volunteers. Donors and volunteers are expecting a better experience for their time and money. They can make a different choice. I do not think I am stretching things too much when I compare a charity’s donors and volunteers to a small business’s customers. A charity has key performance indicators and line of business (LOB) activities that are very much like a small business. Making timely operational and strategic decisions is key to survival. With a geographically dispersed workforce this decision making process becomes more difficult. The areas of improvement I feel there is the most potential for are:

  • Improve collaboration amongst the board of directors members.
    1. Collect committee reports in one location.
    2. Access a common schedule for meetings and other key events.
    3. Keep track of committee’s monthly objectives.
  • Identify and report on key indicators.
    1. Construction status by house/project
    2. Donation status by house/campaign
    3. Mortgage/Delinquency status
    4. Partner family application status
  • Improve operation
    1. Track employee hours.
    2. Track expense account forms.
    3. LOB activities reporting and approvals.

Server Guide part 2: Affordable and Manageable Storage

Our server guides’ goal is to give you a comprehensive overview of server technology. In this second part we introduce you to server storage technology and what you must consider to find decently priced, high performance, and manageable server technology.

Link to Server Guide part 2: Affordable and Manageable Storage

This is a really nicely written article explaining some of the technical differences between regular IDE drives (PATA), SCSI, SATA and SAS drives. For performance and reliability reasons SCSI drives have been the preferred drive type for servers in the past. Recently I have seen where server manufacturers have been encouraging the use of SAS drives. SAS and “enterprise” SATA drives are gradually replacing SCSI drives in many areas. They have achieved the performance and reliability of the SCSI drives at a lower cost.

Changing over to a 3 leg network layout

3 Leg Perimeter Network Layout (image)

I had been curious about implementing a DMZ for some time but I really did not have a use for one. My previous network layout was a standard edge network with two firewalls, a router/firewall and an ISA firewall. Recently I have been playing with a variety of Linux packages which will eventually need constant exposure to the internet, so a DMZ became a logical upgrade. Since I had recently installed a third NIC on my SBS server, I could use ISA to manage the perimeter network.

To set up this network I went to Tom Shinder’s ISAServer.org site and browsed his documentation on setting up a DMZ using an ISA server. Although there are several documents on setting up DMZ segments, the document I used was Publishing Servers on a ISA Server 2004 Firewall Public Address DMZ Segment. I followed the directions and only changed the outbound protocols. For my network I want to pass ftp, http, https, ntp, ping, and smtp from the DMZ to the Internet. At this point in time I do not need to allow inbound internet access to the DMZ but I will allow full inbound access from the internal network. I will leave that as a future project. I did change my access rule for the Protected Networks as recommended by Amy in DMZ – SBS special considerations.

The DMZ network is now up and running. I have one linux server running on the DMZ. It is running Groundworks and is connected via the ultimate low cost hub, a cross-over cable. So far there are no gotchas!

Smigrate Cheat sheet

Using Smigrate to dump SharePoint to a .CAB file

Dean’s presentation to the Puget Sound Users Group had yet another nugget of information on SharePoint. Did you know that sharepoint comes with another admin tool other than sbsadm.exe. It comes with…

smigrate.exe !!

So what can it do?

  • Works with sites based on WMSDE
  • Size is unlimited
  • Requires Admin Access
  • Pick and choose site content
  • Pick and choose sites
  • Allows you to migrate between WSS versions

So what can’t it do?

  • Does not preserve customization or security
  • Will not overwrite existing sites

So what does it do? Well, run it! It’s located in %Program Files%\Common Files\Microsoft Shared\web server extensions\60\BIN\

Here is the help for smigrate (acquired by typing “smigrate /?”):

Backs up or restores a SharePoint Web site.
Usage (backup): smigrate -w <website URL> -f <filename> [-e] [-y]
Usage (restore): smigrate -r -w <website URL> -f <filename> [-x]

Operations and Parameters:
-f Backup filename – required. Specify a filename with the extension .fwp.
-e Exclude subsites during backup – optional. No parameters.
-r Restore – optional. No parameters.
-w Website URL – required. Valid URL to a SharePoint Web site.
-x Exclude security during restore – optional. No parameters.
-y Confirm that you want to overwrite an existing backup file.
-u Administrator username.
-pw Administrator password.
Specify * as the password to be prompted for a password.

Example backup:
smigrate -w http://server -f backup.fwp
smigrate -w http://server -f c:\backups\backup.fwp
smigrate -w http://server -f \\share\folder\backup.fwp
smigrate -w http://server -f c:\backups\backup.fwp -e -y

Example restore:
smigrate -r -w http://server -f backup.fwp
smigrate -r -w http://server -f c:\backups\backup.fwp
smigrate -r -w http://server -f \\share\folder\backup.fwp
smigrate -r -w http://server -f c:\backups\backup.fwp -x

Now here’s the fancy thing: rename .fwp to .cab, then crack the file open with windows explorer. Surprise, there’s all your files.

Have fun with this one. 🙂
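As an added example (not from Dean's presentation, from smigrate's own documentation, or from this blog), the PowerShell below wraps the backup command shown above and then, before anyone renames the file, checks that the .fwp really is a Microsoft cabinet by reading its four-byte MSCF signature, and lists its contents with expand.exe -D on a .cab copy so the original keeps the .fwp extension that smigrate -r expects. It assumes the default 60\BIN location under %CommonProgramFiles%, a placeholder site URL and backup path, and that -u accepts the current DOMAIN\user account; the function names Backup-SharePointSite, Test-CabinetFile and Get-BackupContents are mine.

```powershell
# Added example, not from the cheat sheet or part of smigrate. Wraps the backup shown above,
# proves the .fwp is a cabinet before trusting it, and lists its contents without extracting.
# Assumes the default 60\BIN location; site URL, path and -u account are placeholders.
$smigrate = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\web server extensions\60\BIN\smigrate.exe'

function Backup-SharePointSite {
    param([string]$SiteUrl, [string]$BackupFile, [switch]$ExcludeSubsites)
    $argList = @('-w', $SiteUrl, '-f', $BackupFile, '-y')   # -y: overwrite an existing backup file
    if ($ExcludeSubsites) { $argList += '-e' }
    # -pw * makes smigrate prompt, so the admin password never sits on the command line
    # where Task Manager or process auditing would show it. Using the current account for
    # -u is an assumption of this example.
    $argList += @('-u', "$env:USERDOMAIN\$env:USERNAME", '-pw', '*')
    & $smigrate @argList
    if ($LASTEXITCODE -ne 0) { throw "smigrate failed with exit code $LASTEXITCODE" }
}

function Test-CabinetFile {
    param([string]$Path)
    # A Microsoft cabinet starts with the four ASCII bytes "MSCF"; check that rather than
    # trusting the extension, whether the file is called .fwp or .cab.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $magic = New-Object byte[] 4
        $read  = $stream.Read($magic, 0, 4)
    } finally {
        $stream.Close()
    }
    return ($read -eq 4 -and [System.Text.Encoding]::ASCII.GetString($magic) -eq 'MSCF')
}

function Get-BackupContents {
    param([string]$BackupFile)
    if (-not (Test-CabinetFile -Path $BackupFile)) { throw "$BackupFile is not a cabinet file" }
    # expand.exe -D lists the files inside a cabinet without extracting them. Work on a copy
    # named .cab and keep the original .fwp, because smigrate -r expects that extension.
    $cab = [System.IO.Path]::ChangeExtension($BackupFile, '.cab')
    Copy-Item -Path $BackupFile -Destination $cab -Force
    & "$env:windir\system32\expand.exe" -D $cab
}

$backup = 'C:\backups\companyweb.fwp'   # placeholder path
Backup-SharePointSite -SiteUrl 'http://companyweb' -BackupFile $backup -ExcludeSubsites
Get-BackupContents -BackupFile $backup
```

Because the cheat sheet notes that the backup does not preserve security, the listed file names are exactly what anyone holding the .fwp can read out of it, so the backup file deserves the same access controls as the site it came from.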

RE: Linux vs. SBS: Switch!

Excellent point brought up in the comments section today by Josh:

For example, Microsoft wants to argue about stability vs. Linux. In nearly all Linux servers we manage that comparison is laughable. Now, compare RPC-over-HTTP functionality with Linux? You can’t, no such thing on Linux! Where is that among the facts?

This is something that I’ve tried to make very painfully clear in my Linux presentations for SBSers in Florida groups. Here is the thing about winning in small business, you have to know your customers. You also have to know your Microsoft and understand certain “facts”. So here is a little competitive howto on Linux vs. SBS.

Watch Where You Get Your Facts

First and most important thing to understand about Microsoft’s Get The Facts site is that those reports have been paid for by Microsoft and are to a large extent questionable at best and outright false in many respects. Second thing to remember is that those reports are not written or targeted for the SMB market at all – they are written to discourage enterprise and high-end markets from moving their commodity-line servers to Linux and discourage Unix-shops from going to Linux instead of Microsoft. If you’re an SBSer, you will not find your facts there.

Know Your SWOT

Know your strengths, know your weaknesses… but more importantly know what is not your weakness.

Price

When bidding against Linux you are really competing against this: “Joe Consultant told us that Linux is free.” They are correct, many Linux distributions are free. So in most cases, it will be $599 vs. $0. For the purchase price that is. So on the face of things, Linux wins because it’s free.

When you dig a little deeper you find out that the “free” is the acquisition cost. If you are losing a client over $599 this is likely a client that you do not want as your business to begin with. If the server costs $1,800 and your labor to set them up and train them for a week will cost them another $4,000 that up-front licensing cost of $599 is going to be less than 10% of the total solution. This is generally what Microsoft talks about when they mention their TCO, total cost of ownership.

But we know our small business owners, don’t we? The same folks that will sign up for a plan with a “free cell phone” (MSRP $99) but agree to a two year contract that costs $20 a month more. If you really want to compete against Linux give them a 10% discount on your labor which will outright displace the licensing costs. Show them that they will be paying the Microsoft penalty anyhow as it’s very hard to impossible to buy a PC without a Microsoft OS to begin with.

Upgrades and Migrations

When you bid against Linux you bid against free upgrades, forever, and easy migrations. That’s at least what gets put on the paper and what the Linux guy will say. The truth is much different. Here are a few facts that you might want to consider about some of the most popular Linux distributions out there:

Fedora – Fedora is a free version of Redhat Linux. Redhat Enterprise Linux is a full tested and supported distribution of Linux that retails between $350 and $3000 per server. So what’s the difference? Redhat uses Fedora as their bleeding edge distribution, they use it to roll out experimental packages and see what breaks. The software itself is solid, but it is not elegant by a long shot. For example, consider that there is no migration path from version 3 to 4 to 5 – if you Google for “upgrade from FC3 to FC4” you will find a number of hacks that show you how to fool the dependency checks and hack your way up. Not that it won’t work, but what happens if it fails? Remember, unsupported. There is literally nobody you can call.

Debian – Used to be most popular but recently displaced by its Ubuntu cousin. The trick with Debian is that they are so fanatical about being free that they eliminate any commercial or restricted software (or non GNU) from the base distribution. It is a severely outdated technology (in terms of even years) that nearly everyone seriously running Debian is doing so with the untested– or experimental– branches of the code. Even if you’re not a Linux person you can imagine what that’s like. Again, virtually unsupported except for the MVP-like effort.

Gentoo – The concept here is that this is the most optimized version of Linux you can get because virtually everything from kernel on up is upgraded by running an emerge command. What emerge actually does is pretty cool – it downloads the source code along with a spec and compiles it against your hardware – so on a fairly loaded box you are constantly affecting the performance by rolling out your own code. Do you trust that your security patches are deployed as full recompiles of the source code? I don’t even trust most binary patches.

Ubuntu – The darling of the Linux world at the moment. Built on the Debian core with the pretty integrated interfaces and its claim to fame is the ability to roll out LAMP (Linux, Apache, MySQL and PHP) in 15 minutes. Pretty, but unsupported.

Those are the basics of Linux and distributions you will likely come up against. Every now and then someone will propose an Enterprise Linux version, a free community recompile of the popular Redhat Enterprise Linux. Distributions such as CentOS and WhiteBox Enterprise Linux. They are free, but again, unsupported as well.

So here is a real world scenario for you. The upgrade for the above is free– in all cases. They will download an ISO, burn it, stick it in a Linux server and after the reboot the system will be upgraded. All free! Yay.

As far as the technical discussion is concerned, they are right. Here is the dirty secret behind this though that nobody talks about: For most scenarios Linux doesn’t migrate, Linux overwrites. Now let’s say your consultant tweaked the /etc/rc.d/rc.local file to automatically delete specific files on the server – generally a Linux distro upgrade would put in the new file in the place and make the original one a rc.local.bak. Let’s say you wanted something special done with your web server – your /etc/httpd/conf/httpd.conf file would have two options – it would get overwritten, or they would copy an httpd.conf.orig or tweak it in another way.

So yes, the upgrade is free. But the time to get this done is not. More importantly, because these migrations are generally done on per-site basis (ok, these guys have Redhat, these are on Fedora, these are on Gentoo) the migration checklist is all but nonexistent.

The truth about Linux deployments is that they are very much done on a per-case, needs basis. The beauty of the system (unlimited flexibility) is also its dagger because by endlessly tweaking the system the documentation part of the setup goes out the window. And when the migration goes bad with the freebies above you will likely have only newsgroups and mailing lists to turn to.

Finally, migrations nearly always include more than the base OS. The reason you deploy a Linux system is to get a flexible, fast and cost effective server. Well, Linux developers don’t think the same way business owners do. Linux developers try to adapt new technology, provide the newest features, create a system that is easiest and fastest to develop for. So when that new distribution comes with MySQL 5.0 and PHP 5.0 – will your PHP 4 script designed on MySQL 3.1 work? Maybe, maybe not. Who do you contact to find out – the webmaster that took the script from some random site? Nope. The commercial software developer? Unlikely, they only support official distributions like Redhat Enterprise Linux and SuSE. Who do you turn to? Good question to ask while providing a competitive bid.

How do you do application migration compatibility tests on Linux? You install the new version and try to hack it into working. If you’re lucky, it will just work. If you’re not lucky, what’s the alternative? Another question for the stack. This is not the U (uncertainty) part of FUD; this is something for which there is no good, reliable, documented process in Linux. For years Linux distributions have tried to fight amongst themselves to develop a unified way that Linux is deployed – with the same file system layout, dependency checks and package management. Today you’re more likely to find multiple package management systems (yum, up2date, apt).

Features

For the most part this is your biggest strength. Small business owners and business people in general have habits that are hard to change. Going from a Windows world to a Linux world is a big transition in anything more complex than a P2P environment. It’s easy to replace a pop3 server with an onsite dovecot deployment. But when you’re selling a new server you are selling new functionality. Here are things that you will not find in Linux.

Exchange – Biggest advantage. There are no decent webmail programs for Linux – the best one to date is Scalix and it costs about as much as Exchange does. It does not provide RPC-over-HTTP, it does not provide cached mode, it does not provide advanced connectivity to mobile devices.

ISA – For the most part almost all Linux firewalls are connection based firewalls, nothing provides application-level security. So yes, if you want to block people from going to certain sites, Linux will cut it. Try to set those restrictions in place per employee per hour (i.e., no ESPN updates for Joe between 9 AM and noon) and you’ll be SOL.

WSUS – Exists on commercial Linux distributions as a Satellite server but almost all are desktop triggered up2date updates via cron – no ability to see which software is running on which system and no ability to restrict what goes on which workstation without manually adjusting workstations on a per-case basis. No grouping. No reporting on which patches failed and no reporting on what may be out of compliance. These could be hacked together but do you really want to hack your security solutions together? Do you think your customers would?

IIS – The biggest reason to deploy LAMP is to get PHP and a free SQL server. Both of those run quite reliably on Windows as well and you can install WAMP on Windows. My personal dev environment for Linux is based on Vertrigo server which rolls out as a single install. So if that’s all you need to deploy a new forum, blog, or a survey package your customer saw somewhere – this is the way to do it. And it’s free too. But the feature set is an advantage here – you have a choice. ASP or PHP? On Linux you have no ASP advantage (they use Chilisoft, Sun’s poor hack of ASP) nor do they have any .NET compatibilities without hacking in mono – but skip back to migrations and upgrades – what’s the guarantee that your app will run on a hacked server? Now compare that with IIS. If you’re really familiar with IIS this is almost impossible to do. The cost of a second IIS server is not that great to begin with, Windows 2003 Server Web Edition retails for less than $300 which is likely less than two hours of any consultant’s time. You’d end up charging them more to download an ISO and read the intro parts of the Apache documentation.

Bus Features

When I worked at Dial ISDN I used to write “If Vlad Gets Hit By A Bus” documentation for everything I did. Why? Because all of our Linux servers were so heavily tweaked that in case something happened there was no way on earth someone would be able to figure out how I had implemented my patch management, version control, monitoring, account creation and race conditions.

How much documentation will the Linux deployment come with? How long will it take someone else to replicate the setup on a new system? What commercial contacts do you have that will validate what you say about Linux? How many “user-geared” books are there on Linux that can get me going with this server immediately? SMB owners are DIY-centric, how much of this can I do through a GUI?

Final question: Give me a place to find other professional Linux consultants.

Where you have hundreds of Windows guys in every area there are only a few Linux solution shops. Most of the “Linux guys” will be people with careers and full time jobs that do consulting on the side and are saving you money out of the goodness of their hearts. These are also the types you turn to for support. Do you want to run your business on the goodness of strangers or do you want a contract? If you want a contract the savings will go out the window.

Conclusion

Linux provides a cost effective, flexible and powerful server operating system and Microsoft’s FUD about it is largely a collection of paid distortions, some quite well documented as outright lies. Microsoft will not offer competitive sales support to SMB solutions that are under $10,000 in licensing so you’re on your own. They will also not discuss any of the above because of the irrational fear that if you experience a competitive solution you might find enough in it that you like to leave Microsoft.

On the other end of the fence you have, by comparison, a relatively innovative but young solution that lacks the standardization, unity and certainty with many of its supposed solutions. While the core of it is solid the biggest lacking factors for small businesses are in the areas of available expertise and support systems to fall back on when there are problems. In the areas of affordable business intelligence Linux is behind enough to make it unattractive beyond file servers, basic pop3/imap mail servers and popular web applications.

In the end, both sides will lie, cheat and FUD to get their points across. Your advantage is in knowing your customer, knowing their needs, and showing them the solution that will not only solve their problems but be ready for the problems they will encounter as they grow. For what it’s worth, I’ve been a Linux system administrator for three years longer than I’ve been a Windows guy and work on both platforms daily.

[Via Vlad Mazek – Vladville Blog]
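As an added example that is not part of Vlad's post, here is a POSIX shell check for the "Linux overwrites" problem his migration section describes: after an upgrade it lists every configuration file under a directory for which the package tools left a backup copy (the rc.local.bak and httpd.conf.orig cases above) and flags the ones whose live copy no longer matches, so lost local tweaks can be diffed and merged back. The .rpmnew/.rpmsave and .dpkg-old/.dpkg-dist suffixes are my assumption on top of the .bak and .orig conventions named in the post, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. After a distro upgrade, list the
# configuration files under a directory (default /etc) that the package tools
# replaced while leaving a backup copy, and say whether the live file still
# matches it. Suffixes: .bak and .orig as named in the post, plus the assumed
# RPM (.rpmnew/.rpmsave) and dpkg (.dpkg-old/.dpkg-dist) conventions. Output
# per backup: "CHANGED live backup", "SAME live backup" or "MISSING live backup".
find_replaced_configs() {
    dir="${1:-/etc}"
    find "$dir" -type f \( -name '*.bak' -o -name '*.orig' \
        -o -name '*.rpmsave' -o -name '*.rpmnew' \
        -o -name '*.dpkg-old' -o -name '*.dpkg-dist' \) 2>/dev/null |
    sort |
    while IFS= read -r backup; do
        live="${backup%.*}"   # drop the trailing suffix to get the live path
        if [ ! -f "$live" ]; then
            printf 'MISSING %s %s\n' "$live" "$backup"
        elif cmp -s "$live" "$backup"; then
            printf 'SAME %s %s\n' "$live" "$backup"
        else
            printf 'CHANGED %s %s\n' "$live" "$backup"
        fi
    done
}

# Unified diff, backup against live, for every CHANGED pair so the lost lines
# can be reviewed and merged back (paths with spaces are not handled).
show_lost_changes() {
    find_replaced_configs "$1" | while read -r state live backup; do
        [ "$state" = CHANGED ] || continue
        diff -u "$backup" "$live" || true
    done
}

# Constructed sample tree for the two cases the post describes: a customised
# rc.local replaced by a stock copy, and an httpd.conf whose .orig is identical.
make_demo_tree() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/rc.d" "$tmp/httpd/conf"
    printf '#!/bin/sh\nrm -f /var/spool/app/*.tmp\n' > "$tmp/rc.d/rc.local.bak"
    printf '#!/bin/sh\n' > "$tmp/rc.d/rc.local"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$tmp/httpd/conf/httpd.conf.orig"
    cp "$tmp/httpd/conf/httpd.conf.orig" "$tmp/httpd/conf/httpd.conf"
    printf '%s\n' "$tmp"
}

demo="$(make_demo_tree)"
find_replaced_configs "$demo"
show_lost_changes "$demo"
rm -rf "$demo"
```

Run it against the real /etc (`find_replaced_configs /etc`) right after an upgrade and before anything else is touched, so the CHANGED list becomes the migration checklist the post says is missing.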

WSUS and MBSA

I think it was last week when I made the changes to the WSUS configuration so that the clients would use SSL. Everything kind of worked but I was not happy. Today I finally got everything to work as expected. The first annoyance was to enable “Display mixed content” for Intranet sites so that I would stop seeing the popup every time I went into WSUSAdmin using https. The next configuration change was more subtle. I could not go into WSUSAdmin with a fully qualified domain name when I cranked up the browser on my server. I would get a 502 error complaining that https traffic should be on 443. I think this same problem kept MBSA from downloading the latest updates file since it was probably using port 8531, too. The problem was probably related to my IE proxy setup. I had set this manually when I installed the server. Since then I had successfully verified that my automatic configuration with wpad.dat was working. So I set the IE LAN Setting to automatically detect the settings. I can now go into WSUSAdmin. MBSA works correctly, too! At least for me, I found that if I can go into WSUSAdmin via https on port 8531 I have the WSUS client set up correctly. I still need to work on distributing the certificate to new clients.

I had been monitoring WSUS ever since Office 2K3 SP2 was released. I was looking for it to appear as a package needing approval. I did find it today but it had been disapproved. I wonder how that happened? Hmm!

This whole episode started off this morning when I noticed that my PC had rebooted. I forgot that I had set it up to automatically install critical updates at 3 AM. I did confirm that I configured WSUS to automatically approve critical updates.