Wednesday, April 27, 2016

My Top Recommended Books for IT Networking Professionals

"Repetition of the fundamentals of any discipline brings Mastery" ~ Tao of ServerGoBoom

I have posted before (years ago) about some books which I have found to be game changers for me as an IT Professional. Some of them are still on my Top Recommended list as they are fundamental to helping those new to IT or those moving into more responsibility within IT organizations get their "House of IT" foundation built right.

I have mentioned "Sams Teach Yourself Network Troubleshooting in 24 Hours" by Jonathan Feldman previously, and I stand by what I said in that original post: excellent network troubleshooting fundamentals. This is probably the first book you should read and practice with if you are just starting out in the "Way of Network/System Troubleshooting".

Next I would recommend "Time Management for System Administrators" by Tom Limoncelli. It has a lot of very useful, IT-specific time management techniques and explanations for helping you be successful and happy as an IT Professional.

As you move along in your career and are getting ready to really improve as, or move up from, an individual contributor to managing IT teams and infrastructure deployment, I recommend "The Practice of System and Network Administration" by Tom Limoncelli, Christina Hogan and Strata Chalup. This one will help you build an IT department and its infrastructure from the ground up, based on best practices that have been proven in production. Just an excellent resource. Check it out and see.

I have some more books which I will add later to the list but I feel these books will be of the most immediate use to you and can be looked at as the materials which will help you build your solid foundation and frame upon which you will build the rest of your career as an IT Professional.

As always, I hope these help you as much as they have helped me.


Whoops, I just googled all over myself and found an old useful answer I had provided over at Server Fault, quoted below mostly for my own edification and maybe a little for yours:

Question:

I'm looking for a good, free, visual traceroute utility. Anyone know of any?


ServerGoBoom Says:

"There is a new java-based project called Open Visual Trace Route. It's free at http://sourceforge.net/projects/openvisualtrace/ - It does include geolocation as part of its free feature set. None of the other locally installed applications listed provide the geolocation to map view for free.

You can get it for free if you use an online tool like Visual Trace Route Tool at http://www.yougetsignal.com/tools/visual-tracert/

Hope this helps, Enjoy!"

Friday, October 05, 2012

You did WHAT after opening an email attachment?!

It's crazy how often I hear something similar to the following:

"Hi, Tech Support? I opened an email attachment in Outlook and edited it and made changes, but now that I closed it I can't find that updated file and the one in the original email doesn't show my changes ..."

It should go without saying .. but seems to still need to be said:

"Don't open attached files directly from your email and edit them. Ever. Never-Ever."

If people pay attention to that advice we may have just solved about 70% of the future Tech Support calls related to this PEBCAK issue for end-users using Outlook 2003 and 2007.

If only ...

UPDATE: Thankfully Microsoft has taken action to resolve this being an issue going forward and has made it so that if the user is using Outlook 2010 for Windows or Outlook 2011 for Mac - Documents open in read-only mode, cannot readily be saved in the temporary folder structure and are saved in the "My Documents" folder by default.

For users with this issue in Outlook 2003 - 2007, try the following methods to find the temp file for the user:

Method 1:

  1. If you have not already done so, set Windows Explorer to display hidden files and folders: Tools > Folder Options > View > Advanced Settings > Files and Folders > Hidden files and folders > tick the "Show hidden files and folders" radio button.
  2. Then from the Windows > Start > Run dialog - type "%Temp%" and press Enter
  3. This will open an Explorer Window into your user temporary file area of Windows:
  4. In the left pane click "LOCALS~1" which will open another Explorer Window
  5. Then open the "Temporary Internet Files" folder
  6. Then open the "OLK**" folder (This is the Outlook temporary file area)
  7. Select the file you were looking for and move it to the Documents folder
Method 2:

If the locations discussed above do not apply on your PC, then the safest procedure to adopt would be to:

  1. Attach a test document (it doesn't matter what the actual content of the file is) to a message and e-mail it to yourself.
  2. View the message.
  3. Right click the attachment and use 'Open' to open the attachment in Word.
  4. Opening the document will create temporary working files in the temporary folder Outlook uses for this purpose. The file will be opened from the temporary location which your PC uses to store attachments.
  5. Save the document in the temporary folder.
  6. With that document still open, select 'Open' from Word, which will now have set its focus to the temporary location.
  7. Open the required document which should have your changes and save it to your usual document folder e.g. My Documents, as shown in the following sequence of illustrations.
  8. You can then open the document from Word.
  9. If the document does not appear in the folder in the above illustration, or if you have opened it again from the attachment and saved it with the same name (which should no longer be possible) any changes you originally made to it are lost.
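As an added example (not part of the original post), here is the Method 1 search done from PowerShell. Outlook 2003 and 2007 record the attachment folder in the registry value OutlookSecureTempFolder under the per-version Outlook\Security key (11.0 = Outlook 2003, 12.0 = Outlook 2007), which is more reliable than walking to OLK* by hand; the OLK* search under Temporary Internet Files is kept as a fallback. It reads HKCU, so run it in the affected user's session, not from an admin's profile. The seven-day window in Get-EditedAttachmentCopies is an assumption.

```powershell
# Added example, not from the original post. Finds Outlook's secure temp folder
# (where attachments opened straight from a message are written) and lists the
# recently edited copies that the user "lost".

function Get-OutlookSecureTempFolder {
    $versions = @{ '11.0' = 'Outlook 2003'; '12.0' = 'Outlook 2007'; '14.0' = 'Outlook 2010' }
    foreach ($v in $versions.Keys) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"
        if (-not (Test-Path $key)) { continue }
        # The value is absent until Outlook has opened at least one attachment.
        $folder = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).OutlookSecureTempFolder
        if ($folder -and (Test-Path $folder)) {
            New-Object PSObject -Property @{ Version = $versions[$v]; Folder = $folder; Source = 'registry' }
        }
    }

    # Fallback: the hidden OLK* folders the post describes (XP layout first, then Vista/7).
    $tif = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'
    if (-not (Test-Path $tif)) { $tif = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files' }
    if (Test-Path $tif) {
        Get-ChildItem -Path $tif -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -like 'OLK*' } |
            ForEach-Object { New-Object PSObject -Property @{ Version = 'unknown'; Folder = $_.FullName; Source = 'OLK* search' } }
    }
}

function Get-EditedAttachmentCopies {
    param([int]$Days = 7)   # assumption: how far back "recently edited" reaches
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-OutlookSecureTempFolder | ForEach-Object {
        Get-ChildItem -Path $_.Folder -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, Length, LastWriteTime
    } | Sort-Object LastWriteTime -Descending
}

Get-EditedAttachmentCopies | Format-Table -AutoSize
```

Copy the file you want out of that folder with Copy-Item (or move it to Documents as the post says) before the user opens the same attachment again: Outlook writes a new copy with a numbered suffix and the older one can be overwritten or cleaned up.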

Thursday, October 04, 2012

iPhone and Exchange 2010, you better play nice!! Or I'll ....

I ran into an interesting Mobile Smartphone issue recently with an iPhone and Exchange 2010 ... and by "interesting" I really mean annoyingly frustrating . >.<

The end-user reported that he had copied the settings from another iPhone user and he was able to get the Exchange account setup, but it would error out when he tried to send an email.

We had him delete the account and we went through the setup a second time; same results - no sendy no receivey

I attempted to reproduce the issue on an iPad I had available. I was able to create the account and confirmed that the security certificate was accepted correctly but still was unable to send or receive email.

I remotely accessed the client's Exchange 2010 email server and confirmed that the user's mailbox and Active Directory account looked correct when compared to a user who was using an iPhone successfully with the company's Exchange email. That user's 'Manage Mobile Phone' showed an iPhone that had successfully made a partnership with Exchange via ActiveSync, but the account for the user I was working with did not show that any devices had synced/partnered successfully. ARGH!

Things smarter people would do = With ActiveSync enabled correctly in Exchange/AD etc; this is where, if I was smarter, I would have gone directly to using the Microsoft Remote Connectivity Analyzer

But ... Alas .. I didn't

The next thing I did was review the Event logs and found ActiveSync errors in the Application log.

I researched resolutions for the following error:

Source: MSExchange ActiveSync
Event ID: 1053
Task Category: Configuration
Description:

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=MailboxName,OU=OrganizationalUnitName,DC=domain,DC=suffix" container under Active Directory user "Active Directory operation failed on DOMAINCONTROLLER.domain.suffix. This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0".

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.


I applied a few fixes but was still having issues ... it was at this point inspiration hit and I started using the Microsoft Remote Connectivity Analyzer and was eventually able to get ActiveSync working on the iPad and then on the user's iPhone.

The Microsoft Remote Connectivity Analyzer linked me to this TechNet entry which fixed the issue:

“In Exchange Server 2010, you may also experience this issue if the Exchange Servers group does not have the appropriate permission to the mailbox object in Active Directory. The most common cause for this is broken Access Control List (ACL) inheritance in Active Directory.

To check whether inheritance is disabled on the user:

  1. Open Active Directory Users and Computers.
  2. On the menu at the top of the console, click View then Advanced Features.
  3. Locate and right-click the mailbox account in the console, and then click Properties.
  4. Click the Security tab.
  5. Click Advanced.
  6. Make sure that the check box for "Include inheritable permissions from this object's parent" is selected.
If the user is a member of certain protected groups such as Domain Administrators, it is normal for this box to be unchecked. If you are experiencing a problem with members of these protected groups you should check the permissions on the AdminSDHolder object.”

So this brings me to my real point here: Be smarter than me ...

** Always use the Microsoft Remote Connectivity Analyzer FIRST to test for ActiveSync issues, using the user's email account and credentials **

Note: Accounts that belong to protected groups (Domain Admins and the like) will not work with the Microsoft Remote Connectivity Analyzer or with ActiveSync at all, because AdminSDHolder strips the inherited permissions Exchange needs on the user object. Check to make sure the user having the issue is not a member of an administrators group in AD.
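As an added example (not from the original post or the TechNet article), the ADUC checklist above and the admin-group note done from PowerShell for one user. It needs the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and the AD: drive that module creates; the only assumption is that the Exchange Servers group shows up under its default name.

```powershell
# Added example, not from the original post. Checks the three conditions behind
# MSExchange ActiveSync event 1053 on a user object: inheritance switched off,
# the account protected by AdminSDHolder (adminCount=1), and whether the
# Exchange Servers group holds a CreateChild allow ACE.
Import-Module ActiveDirectory

function Test-ActiveSyncAdPermissions {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor            # System.DirectoryServices.ActiveDirectorySecurity

    # The event asks for List, Create child and Delete child for DOMAIN\Exchange Servers.
    $exchAllow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*\Exchange Servers' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -ne 0)
    })

    New-Object PSObject -Property @{
        User                          = $user.DistinguishedName
        InheritanceDisabled           = $acl.AreAccessRulesProtected   # the unchecked box in ADUC > Advanced
        ProtectedByAdminSDHolder      = ($user.adminCount -eq 1)       # member (now or in the past) of a protected group
        ExchangeServersCanCreateChild = ($exchAllow.Count -gt 0)
    }
}

function Enable-AdInheritance {
    # Re-ticks "Include inheritable permissions from this object's parent".
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # $false = stop blocking inheritance; $true = keep the explicit ACEs already on the object
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$r = Test-ActiveSyncAdPermissions -SamAccountName 'jdoe'   # 'jdoe' is a placeholder
$r | Format-List
if ($r.InheritanceDisabled -and -not $r.ProtectedByAdminSDHolder) { Enable-AdInheritance -DistinguishedName $r.User }
```

The guard on the last line matters: when ProtectedByAdminSDHolder is true, the SDProp thread re-applies the AdminSDHolder ACL (inheritance off) every 60 minutes by default, so re-enabling inheritance only buys you an hour. For those accounts either take the user out of the protected group and clear adminCount, or give the admin a separate, non-privileged mailbox account for the phone.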

I hope this information helps you resolve this issue faster than I did! :)

Friday, January 20, 2012

How to open Xcode iPhone Simulator

I have been providing a lot of iPhone support recently and I don't own an iPhone, so I have been using Xcode's iPhone Simulator, which you can launch through Finder here:

/Developer/Platforms/iPhoneSimulator.platform/Developer/Applications/iOS Simulator.app.

Also, you can make it available from Applications/QuickSilver by right-clicking it, selecting 'Make Alias' and putting the alias/shortcut wherever you want (like in your Applications folder).


Here's iOS Simulator information quoted from the iOS Developer Library which can be found here:

http://developer.apple.com/library/ios/#documentation/Xcode/Conceptual/ios_development_workflow/25-Using_iOS_Simulator/ios_simulator_application.html#//apple_ref/doc/uid/TP40007959-CH9-SW1

Using iOS Simulator

You use the iOS Simulator app to run your iOS app on a Mac. By simulating the operation of your app you:
  • Learn about the Xcode development experience and the iOS development environment before becoming a member of a development team.
  • Find major problems in your app during design and early testing.
  • Test your app’s user interface.
  • Measure your app’s memory usage before carrying out detailed performance analysis on iOS-based devices.
The iOS Simulator app (located in <Xcode>/Platforms/iPhoneSimulator.platform/Developer/Applications, where <Xcode> is the directory where the Xcode toolset is installed) presents the iPhone or iPad user interface in a window on your computer. This app provides several ways to interact with it by using the keyboard and mouse to simulate taps, device rotation, and other user actions.
This chapter describes the ways in which you use your computer’s input devices to simulate the interaction between users and their devices. The chapter also describes how to uninstall apps from a simulator and how to reset the contents of a simulation environment.

Setting the Device and iOS Version

iOS Simulator can simulate three devices (iPhone, iPhone with Retina display, and iPad) and several iOS versions.
To specify the device you want to simulate, choose Hardware > Device, and choose the device.
To specify the iOS version to simulate, choose Hardware > Version, and choose the iOS version.

Manipulating the Hardware

With iOS Simulator you can simulate most of the actions a user performs on a device. When your app is running in a simulator, you can carry out these hardware interactions through the Hardware menu:
  • Rotate Left. Rotates the simulator to the left.
  • Rotate Right. Rotates the simulator to the right.
  • Shake Gesture. Shakes the simulator.
  • Home. Takes the simulator to the Home screen.
  • Lock. Locks the simulator.
  • Simulate Memory Warning. Sends the frontmost app low-memory warnings. For information on how to handle low-memory situations, see “Observing Low-Memory Warnings” in iOS App Programming Guide.
  • Toggle In-Call Status Bar. Toggles the status bar between its normal state and its state when a phone call or FaceTime call is in progress. The status bar is taller in its in-call state than in its normal state. This command shows how your app’s user interface looks when the user launches your app during a call.
  • Simulate Hardware Keyboard. Toggles the software keyboard on an iPad simulator. Turn off the software keyboard to simulate using a keyboard dock or wireless keyboard with an iPad device.
  • TV Out. Opens a window simulating the TV out signal of a device.

    Performing Gestures

    Table 4-1 lists gestures you can perform on a simulator (see iOS Human Interface Guidelines for more about gestures).

    Table 4-1 Performing gestures in iOS Simulator

    Gesture         Desktop action
    Tap             Click.
    Touch and hold  Hold down the mouse button.
    Double-tap      Double-click.
    Swipe           1. Place the pointer at the place where you want the swipe to start.
                    2. Hold down the mouse button.
                    3. Move the pointer in the direction you want to swipe and release the mouse button.
    Flick           1. Place the pointer at the start position.
                    2. Hold down the mouse button.
                    3. Move the pointer quickly in the direction you want to flick and release the mouse button.
    Drag            1. Place the pointer at the start position.
                    2. Hold down the mouse button.
                    3. Move the pointer in the direction you want to drag.
    Pinch           1. Place the pointer where you want the pinch to occur.
                    2. Hold down the Option key.
                    3. Move the circles that represent finger touches to the start position.
                    4. Move the center of the pinch target by holding down the Shift key, moving the circles to the desired center position, and releasing the Shift key.
                    5. Hold down the mouse button, move the circles to the end position, and release the Option key.

    Installing Apps

    Xcode installs apps in simulation environments automatically when you build your app for a simulator. See “Building and Running Apps” for details.

    Uninstalling Apps

    To uninstall apps that you have installed in a simulation environment, use the same method used to uninstall apps from devices:
    1. Place the pointer over the icon of the app you want to uninstall and hold down the mouse button until the icon starts to jiggle and a close button appears.
    2. Click the close button.
    3. Click the Home button to stop the icon from jiggling.

    Resetting Content and Settings

    To set the user content and settings of a simulation environment to their factory state and remove the apps you have installed, choose iOS Simulator > Reset Content and Settings.

    Viewing iOS Simulator Console and Crash Logs

    To learn how to view your app’s console logs when it runs in a simulator, see “Viewing Console Output and Device Logs.”
    If your app crashes while running in a simulator, the CrashReporter facility displays details about the crash. You configure how CrashReporter deals with such crashes using the CrashReporterPref app, located in <Xcode>/Applications/Utilities (where <Xcode> is the directory where the Xcode toolset is installed).

    Simulation Environment File System Location

    The file systems for the iOS releases the iOS Simulator can simulate are stored in your home directory, ~/Library/Application Support/iPhone Simulator. That directory contains one subdirectory per iOS release supported by iOS Simulator.
    Within each iOS-release directory, iOS Simulator stores system app preferences files in Library/Preferences and third-party–app preferences files in Applications/Library/Preferences.

    Hardware Simulation Support

    iOS Simulator doesn’t simulate accelerometer or camera hardware.

    Friday, January 28, 2011

    What is the default location of the Outlook "OST" and "PST files?

    In case you need to find the default location of the Outlook "OST" and "PST files for Outlook 2000-2010 - it is found under the user profile at the following locations by default depending on the Windows OS you are running:

    Windows 9x/2K/XP -
    C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

    Windows Vista/7 -
    C:\Users\<username>\AppData\Local\Microsoft\Outlook

    As a side note for those who are interested in such things:

    Microsoft Office Outlook 2003 and Outlook 2007 both use a different format, with a larger overall size limit for the personal folders (.pst) file, than the .pst files in earlier versions of Microsoft Outlook.

    By default, .pst files are in the Unicode format in Outlook 2007 and in Outlook 2003. Additionally, the overall size of the .pst files has a limit that is more than the 2-GB limit that is imposed by the ANSI .pst files. By default, the limit for a Unicode .pst file in Outlook 2007 and in Outlook 2003 is configured to be 20 GB.

    As in earlier versions of Outlook, Outlook 2003 Internet Message Access Protocol Version 4rev1 (IMAP4) accounts and HTTP accounts use .pst files that do not use the Unicode format. Therefore, the .pst files for IMAP or HTTP accounts in Outlook 2003 are limited to 2 GB.

    In Outlook 2007, the Internet Message Access Protocol Version 4rev1 (IMAP4) accounts and HTTP accounts do use Unicode format .pst files and are not limited to 2 GB.
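As an added example (not part of the original post), a script that walks the two default locations above, tells ANSI and Unicode data files apart by reading the file header, and flags ANSI files that are closing in on the 2-GB ceiling. The header layout is from Microsoft's MS-PST specification: bytes 0-3 are the magic "!BDN" and the 16-bit version at offset 10 is 14 or 15 for ANSI and 23 for Unicode. Treating .ost files as sharing that header, and the 1.8-GB warning threshold, are assumptions.

```powershell
# Added example, not from the original post. Lists Outlook data files in the
# default profile locations with their format and size.

function Get-PstFormat {
    param([string]$Path)
    # FileShare.ReadWrite so this works while Outlook has the file open.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $hdr  = New-Object byte[] 12
        $read = $fs.Read($hdr, 0, 12)
        if ($read -lt 12 -or [System.Text.Encoding]::ASCII.GetString($hdr, 0, 4) -ne '!BDN') {
            return 'not a PST/OST header'
        }
        $ver = [System.BitConverter]::ToUInt16($hdr, 10)   # wVer, little-endian
        switch ($ver) {
            14      { 'ANSI' }
            15      { 'ANSI' }
            23      { 'Unicode' }
            default { "unknown (wVer=$ver)" }
        }
    } finally { $fs.Close() }
}

function Get-OutlookDataFiles {
    param([long]$WarnBytes = 1.8GB)   # assumption: when to start warning about an ANSI file

    $candidates = @(
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),                                      # Vista/7
        (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Outlook')        # 9x/2K/XP
    ) | Where-Object { Test-Path $_ }

    foreach ($dir in $candidates) {
        Get-ChildItem -Path $dir -Include *.pst, *.ost -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $format = Get-PstFormat -Path $_.FullName   # .ost assumed to share the PST header layout
            $warn = ''
            if ($format -eq 'ANSI' -and $_.Length -ge $WarnBytes) { $warn = 'ANSI file approaching the 2-GB limit' }
            New-Object PSObject -Property @{
                File    = $_.FullName
                SizeGB  = [math]::Round($_.Length / 1GB, 2)
                Format  = $format
                Warning = $warn
            }
        }
    }
}

Get-OutlookDataFiles | Format-Table File, SizeGB, Format, Warning -AutoSize
```

An ANSI .pst that reaches 2 GB stops accepting mail and often needs the Inbox Repair Tool (scanpst.exe) afterwards, so the Warning column is the one to act on: archive or move the data into a Unicode file before it gets there.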

    Wednesday, January 19, 2011

    IT Troubleshooting Method Frameworks

    There are many ways to troubleshoot IT/network issues. Here are some of the tried and true methods that will help you apply a structured approach to getting to the root cause of an issue:

     
    • Cisco Internetwork Troubleshooting Method - utilizes the OSI Model to help isolate the source of the issue
    • Medical Practitioners' SOAP note - an acronym for the subjective, objective, assessment, and plan diagnostic technique
    Jonathan Feldman, author of "Sams Teach Yourself Network Troubleshooting in 24 hours", also adds some additional methods under what he calls "Black Box Troubleshooting":
    • The Delta Method: Identifying Network Change
    • The Napoleon Method: Divide and Conquer
    • The Sesame Street Method: Using What Works
    • The Simple Simon Method: Consultations and Support.
    I can't recommend this book enough for new IT professionals and even us veterans. While there is some good reference material on the internet about this subject, Jonathan's book is the best spend of your money and time. Some of the sections are dated due to the publication date of the book, but about 80% of the information is still totally applicable, as it is based on principles and not products.

    I'll discuss the Troubleshooting Frameworks in future blog posts, but while you are waiting... go buy Jonathan's book and start reading. :)

    Note for troubleshooting network/internet connectivity on a Windows workstation:

    If you are unable to browse the internet:

    1. Check the workstation IP: is it static or DHCP?
    2. If using DHCP, release and renew the workstation IP.
    3. Reset Winsock through netsh (netsh winsock reset, followed by a reboot).
    4. Check for a proxy; there should be none configured.
    5. Reboot.
    6. Set static DNS entries to 192.168.1.1 (i.e. the local router/gateway address) and 4.2.2.1 (the Level 3 public resolver) to see whether name resolution is the problem.
    7. Reboot the router and the DSL/cable/FiOS modem.
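As an added example (not part of the original post), the workstation checks from that note as one PowerShell function that reports in the layered order the OSI-based method suggests (address, gateway, DNS, proxy, web) before it changes anything; the release/renew and Winsock reset only run with -Repair from an elevated prompt. The WMI calls work on PowerShell 2.0 (XP/7). The test name www.example.com is an assumption, and so is treating 4.2.2.1 as the public resolver to compare against.

```powershell
# Added example, not from the original post. Run it as-is to collect evidence;
# add -Repair to perform the release/renew and Winsock reset steps.

function Test-WorkstationConnectivity {
    param(
        [string]$TestHost  = 'www.example.com',   # assumption: any name that should resolve publicly
        [string]$PublicDns = '4.2.2.1',           # Level 3 public resolver, as in the note above
        [switch]$Repair
    )

    # 1. Address and gateway, per adapter
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $gw = @($nic.DefaultIPGateway)[0]
        $gwOk = $false
        if ($gw) { $gwOk = Test-Connection -ComputerName $gw -Count 1 -Quiet -ErrorAction SilentlyContinue }
        $mode = 'static'; if ($nic.DHCPEnabled) { $mode = 'DHCP' }
        New-Object PSObject -Property @{
            Check  = "adapter: $($nic.Description)"
            Result = "$($nic.IPAddress -join ',') ($mode); gateway $gw reachable=$gwOk; DNS $($nic.DNSServerSearchOrder -join ',')"
            # 169.254.x.x means DHCP never answered; an unreachable gateway means nothing past step 1 will work
            Flag   = ([bool](@($nic.IPAddress) -like '169.254.*')) -or (-not $gwOk)
        }
    }

    # 2. DNS through the configured resolver versus a known public one; a split points at the local DNS path
    $localDns = $false
    try { $localDns = [bool][System.Net.Dns]::GetHostAddresses($TestHost) } catch { }
    $publicDns = @(& nslookup $TestHost $PublicDns 2>&1 | Where-Object { $_ -match '^Name:' }).Count -gt 0
    New-Object PSObject -Property @{ Check = 'DNS'; Result = "configured=$localDns public($PublicDns)=$publicDns"; Flag = (-not $localDns) }

    # 3. Proxy: the note says there should be none, so anything set here deserves a look (malware likes this key)
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{ Check = 'proxy'; Result = "ProxyEnable=$($ie.ProxyEnable) ProxyServer=$($ie.ProxyServer)"; Flag = ($ie.ProxyEnable -eq 1) }

    # 4. The symptom itself: an actual HTTP fetch
    $http = $false
    try { $http = [bool](New-Object System.Net.WebClient).DownloadString("http://$TestHost/") } catch { }
    New-Object PSObject -Property @{ Check = 'http'; Result = "GET http://$TestHost/ ok=$http"; Flag = (-not $http) }

    # 5. Optional repair (steps 2 and 3 of the note); the Winsock reset takes effect after a reboot
    if ($Repair) {
        ipconfig /release   | Out-Null
        ipconfig /renew     | Out-Null
        netsh winsock reset | Out-Null
        New-Object PSObject -Property @{ Check = 'repair'; Result = 'lease released/renewed, Winsock reset queued (reboot required)'; Flag = $true }
    }
}

Test-WorkstationConnectivity | Format-Table Check, Flag, Result -AutoSize -Wrap
```

Read the Flag column top to bottom and stop at the first true one: a flagged adapter row makes the DNS and HTTP failures below it expected, whereas a clean adapter row with configured DNS failing and the public resolver succeeding is exactly the case step 6 of the note is meant to catch.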

    *&(@%#$! Malware!

    Some people have way too much damn free time and access to internet-connected computers. Seriously. Mix in an ample helping of "Douchebag" and you have Malware programmers.

    The number of computers on which I have to perform malware/virus removals on a regular basis seems to increase daily. Based on this I am going to hazard a guess that you have had or are having trouble with malware on your computer.
    Well I have some good news for you, there is hope. Some people out there are using their free time to do good in coding up counter measures to all this *&(@%#$! Malware.

    There are 3 anti-malware tools that I use most to deal with malware infections: Malwarebytes' Anti-Malware, SUPERAntiSpyware and ComboFix. I'll summarize each below.

    There is a fourth indispensable tool which I use: www.bleepingcomputer.com/malware-removal/ which has the best virus and malware removal guides around. They are a one-stop shop for taking care of annoying computer issues. You should be able to find out how to remove whatever is bothering your computer there.


    Malwarebytes' Anti-Malware
    Malwarebytes (MBAM) - the freeware edition can be used to detect and remove malware by launching the software and starting a manual scan. MBAM's malware definitions are updated constantly throughout the day and it has excellent protection against all the new malware that comes out. There are more advanced features you can purchase in the commercial full version, which include real-time protection that will protect you from being infected in the first place.
    SUPERAntiSpyware

    SUPERAntiSpyware scans your computer for known Spyware, Adware, Malware, Trojans, Dialers, Worms, KeyLoggers, HiJackers and many other types of threats, and allows you to remove or quarantine them. It offers daily (manual) definition updates, as well as home page hijack protection and customizable scan options. The program includes a Repair feature that allows you to restore various settings which are often changed by malware programs, but usually not corrected by simply removing the malware. The free version lacks real-time blocking and protection as well as several other advanced options.

    ComboFix

    ComboFix is an excellent freeware malware discovery and removal tool created by sUBs of bleepingcomputer.com. It scans your computer for known malware and, when found, attempts to clean these infections automatically. I have used it frequently to remove some of the most stubborn malware infections when nothing else would work.
    In addition to being able to remove many of the most common and current malware infections, ComboFix also displays a report that can be used by experienced users to remove malware that is not automatically removed by the program.

    It is hosted exclusively at http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    ** sUBs welcomes contributions to help finance the development of ComboFix via PayPal, via a link at the webpage listed above. sUBs is doing a great job and if you have the means please do donate.

    Thursday, September 16, 2010

    Ncat for Fun and Profit - The network Swiss army knife ... not so much.

    Ncat was born out of the Google Summer of Code project and was written in the spirit of Hobbit's Netcat, but without using any of Hobbit's source code.

    There are some differences between Ncat and Netcat such as the omission of port scanning functionality - Ncat cannot take a list of ports to connect to on a host system, only a single port at a time, and has no port randomization or zero-I/O mode functionality. 

    From the developers' standpoint this makes sense, as it is bundled with the best port scanner in the world, Nmap.

    However, Ncat can't really take on the mantle of "The network Swiss army knife" by reducing functionality.

    You can download the current stable and beta versions of Ncat from Fyodor's Nmap site.

    The Windows binary is included in the Nmap Win32 zip distribution, or is installed as part of Nmap when you use the Windows installer.

    Here are some usage examples to try out for fun on your "lab network" (grin, grin, wink, wink)


    Connect to nsa.gov on TCP port 8080.
    • ncat nsa.gov 8080
    Listen for connections on TCP port 8080.
    • ncat -l 8080
    Redirect TCP port 8080 on the local machine to host on port 80.
    • ncat --sh-exec "ncat nsa.gov 80" -l 8080 --keep-open
    Bind to TCP port 8081 and attach /bin/bash for the world to access freely (lab only; the next example shows how to restrict who can reach it).
    • ncat --exec "/bin/bash" -l 8081 --keep-open
    Bind a shell to TCP port 8081, limit access to hosts on a local network, and limit the maximum number of simultaneous connections to 3.
    • ncat --exec "/bin/bash" --max-conns 3 --allow 192.168.0.0/24 -l 8081 --keep-open
    Connect to smtphost:25 through a SOCKS4 server on port 1080.
    • ncat --proxy socks4host --proxy-type socks4 --proxy-auth user smtphost 25
    Create an HTTP proxy server on localhost port 8888.
    • ncat -l --proxy-type http localhost 8888
    Send a file over TCP port 9899 from host2 (client) to host1 (server).
    • HOST1$ ncat -l 9899 > outputfile 
    • HOST2$ ncat HOST1 9899 < inputfile
    Transfer in the other direction, turning Ncat into a one file server. 
    • HOST1$ ncat -l 9899 < inputfile 
    • HOST2$ ncat HOST1 9899 > outputfile  
    Hackers of the World - Unite!

    Tuesday, September 14, 2010

    Launch CMD line apps from windows shortcuts that stay open after execution

    Sometimes you just feel lazy. Admit it. You'd like to be able to just double-click a shortcut and launch your favorite command line applications in one shot ... oh and not have them disappear once they complete their run before you can absorb the output. :)

    Here's a quick little trick that some may or may not know.

    CMD.EXE has some switches of its own that don't get used too often unless you spend a lot of time scripting batch files etc.

    The one we care about for this blog post is the "/K" switch.

    Definition - /K : Carries out the command specified by string but remains (unlike /C, which carries out the command and then terminates).

    So let's say you have Ncat installed and you want to have a quick desktop shortcut to launch it, you would set it up as follows:

    1. Right-click the desktop and choose NEW > Shortcut and the following window will appear

    2. Enter "cmd.exe" into the location and click NEXT
    3. Type in the desired shortcut name, in this case: Ncat 5.21
    4. Once you have clicked Finish, you should see something like the following on the desktop. Right-click the icon and choose Properties
    5. In the Properties pop-up window, you should see the following
    6. In the "Target:" field append " /k ncat -h" without the quotes, as shown below. **NOTE: I like to add the "-h", "-?" or "/?" switch to print help at the end of the command, as some command line tools enter interactive mode immediately if launched without a help switch, and I always like a quick reminder of the switches I can use with the command before using it.

    7. Also, you'll usually want to run built-in command line tools from the system directory, in this case SYSTEM32, so append it to the path in "Start in:" as shown below.
    8. I like to modify the Options for the command prompt window to allow QuickEdit. Just check the box for it on the Options tab as shown below.
    9. I usually increase the size of the command prompt window as well. From the Layout tab I change the window size height to 50, as shown below, so I can see all the help that "-h" printed.
    10. After clicking OK, I double-click the shortcut icon and voilà:
    This can be used for any command line application. You can get more creative to include more complex switch and command arguments to the shortcut if there is a particular process you want to launch easily. If you go too far with it, you might as well start batch scripting though. ;)
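As an added example (not part of the original post), the same "Ncat 5.21" shortcut created from PowerShell through the WScript.Shell COM object, which is what the New > Shortcut wizard writes for you. The Nmap install path is an assumption.

```powershell
# Added example, not from the original post. Creates a desktop shortcut that
# runs a command under cmd.exe /k so the window stays open afterwards.

function New-ConsoleShortcut {
    param(
        [Parameter(Mandatory=$true)][string]$Name,      # shortcut name, e.g. 'Ncat 5.21'
        [Parameter(Mandatory=$true)][string]$Command,   # full command line to run after /k
        [string]$Folder = [Environment]::GetFolderPath('Desktop')
    )
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Join-Path $Folder "$Name.lnk"))
    $lnk.TargetPath       = Join-Path $env:SystemRoot 'System32\cmd.exe'
    $lnk.Arguments        = "/k $Command"                      # /k: run it, then keep the prompt open
    $lnk.WorkingDirectory = Join-Path $env:SystemRoot 'System32' # the "Start in:" field
    $lnk.Save()
    $lnk.FullName
}

# Give the tool's full path rather than a bare "ncat": cmd.exe resolves a bare name
# against the working directory first and then PATH, so a planted ncat.exe would win.
# (Install path is an assumption; adjust to where Nmap lives on your box.)
New-ConsoleShortcut -Name 'Ncat 5.21' -Command '"C:\Program Files (x86)\Nmap\ncat.exe" -h'
```

The QuickEdit and window-height settings from steps 8 and 9 live in the console block of the .lnk, which WScript.Shell does not expose, so set those once through the shortcut's Properties dialog as the post describes.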

    Go Team CMD-LINE!

    Saturday, June 19, 2010

    Break-out the low-level processes running under SVCHOST

    This is an afterthought to the preceding post (the one below on stopping a stuck service).

    Windows uses the Service Host (svchost.exe) process to collect a number of lower-level critical system services into a single process instance for task management. It does this to reduce boot time, system overhead and reduce the number of separate lower-level service processes running.

    Windows creates different svchost.exe instances based on the different lower-level processes' system access and security requirements.

    To determine which processes are running under a single svchost.exe instance use the following command sequence from the command-line:

    tasklist /svc /fi "imagename eq svchost.exe"

    Make sure to type it from scratch with plain straight quotes: copying and pasting from a web page often brings along curly "smart" quotes, which the command parser does not treat as quote characters, so the section in quotation marks on this particular command gets misinterpreted.

    It should output something that looks like the following:


    Check out this link for a deeper look at TechNet details on the tasklist command:

    Bad service!! BAD! STOP!!

    Have you ever tried to stop or restart a Windows Server service when you couldn't afford to reboot because the CFO was in the middle of something "Financial" on the server and you like having a job? Well I have and on many occasions. Now what happens when that service doesn't want to stop?

    SMTP service "stopping".... (get lunch and come back) SMTP service "stopping"....

    Ugh.

    Well, if that service runs as an executable file, you can force it to stop with either of the following commands:

    taskkill /s hostname /IM ImageName /F

    taskkill /PID ProcessID /F

    But you say, "That's great, ServerGoBoom, but how do I figure out the ImageName or ProcessID for the &#^$%! service I want to kill .. er ... stop?"

    Good question. You could do it one of a couple ways both involving the Windows Task Management systems, graphical and textual. :)

    You can use Task Manager which provides a GUI view of the Process currently running on your system. If you don't already know, you can access this utility easily by right-clicking the Task bar (or Start Bar) and choosing Task Manager from the dropdown menu that appears.

    Once you have it open, you'll notice that the Task Manager window has several tabs, one of which is Processes. Click this to put it in focus. If you don't see a column named PID then click the View option at the top of the window, click Select Columns ... then put a check in the box next to PID (Process Identifier) and click OK.



    Now you can see which services (Image Name column) match which PIDs (PID column). Plug the info for the service that won't stop into either of the commands quoted above and bingo. Bob's your uncle, Fanny's your aunt. Service stopped.

    If you prefer the simplicity and stark beauty of the command-line as I do, then you can open the command prompt and use the tasklist command to generate a text-based table of the same info that looks like this:

    Check out this link for the TechNet break-down on the Taskkill command:


    http://technet.microsoft.com/en-us/library/cc725602(WS.10).aspx
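As an added example (not from either of the two posts above), the tasklist /svc and taskkill steps as one PowerShell workflow that serves both: Get-ServiceHostMap is the svchost break-out, with a flag for host processes that do not look right, and Stop-StuckService is the forced kill with a guard for the case the SMTP example hints at. Win32_Service carries the PID each service runs under (the join tasklist /svc does for you) and Get-Process supplies the image path; both work on PowerShell 2.0. Service names used in the calls at the bottom are the real IIS SMTP service name, everything else is assumption-free.

```powershell
# Added example, not from the original posts. Maps services to the process
# hosting them, flags suspicious svchost instances, and force-stops a stuck
# service without silently taking its neighbours down.

function Get-ServiceHostMap {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $byPid = Get-WmiObject Win32_Service -Filter 'ProcessId <> 0' | Group-Object ProcessId

    foreach ($grp in $byPid) {
        $proc = Get-Process -Id ([int]$grp.Name) -ErrorAction SilentlyContinue
        $path = $null
        if ($proc) { try { $path = $proc.Path } catch { } }   # needs rights on the target; may stay $null
        $isSvchost = (@($grp.Group)[0].PathName -match 'svchost\.exe')
        New-Object PSObject -Property @{
            PID        = [int]$grp.Name
            Image      = $path
            Services   = (($grp.Group | ForEach-Object { $_.Name }) -join ', ')
            # an svchost-style service whose live image is not the System32 binary deserves a look
            Suspicious = ($isSvchost -and $path -and ($path -ne $expected))
        }
    }

    # svchost.exe instances that host no service at all are a classic masquerade
    $hostedPids = @($byPid | ForEach-Object { [int]$_.Name })
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $hostedPids -notcontains $_.Id } |
        ForEach-Object { New-Object PSObject -Property @{ PID = $_.Id; Image = $_.Path; Services = '(none)'; Suspicious = $true } }
}

function Stop-StuckService {
    # Equivalent of taskkill /PID <pid> /F, but refuses when other services share the process unless -Force.
    param([Parameter(Mandatory=$true)][string]$Name, [switch]$Force)
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    if ($svc.ProcessId -eq 0) { Write-Warning "'$Name' has no process (state $($svc.State)); nothing to kill"; return }

    $row    = Get-ServiceHostMap | Where-Object { $_.PID -eq $svc.ProcessId }
    $others = @()
    if ($row) { $others = @($row.Services -split ', ' | Where-Object { $_ -ne $Name }) }
    if ($others.Count -gt 0 -and -not $Force) {
        throw "PID $($svc.ProcessId) also hosts: $($others -join ', '). Killing it stops them too; rerun with -Force if that is acceptable."
    }
    Stop-Process -Id $svc.ProcessId -Force
    "killed PID $($svc.ProcessId) for service $Name (image: $($row.Image))"
}

Get-ServiceHostMap | Sort-Object PID | Format-Table PID, Suspicious, Image, Services -AutoSize -Wrap
Stop-StuckService -Name SMTPSVC          # the IIS SMTP service; shares inetinfo.exe with other IIS services
```

The guard is the point: the SMTP service in the example lives in a shared IIS host process, so taskkill on its PID also stops every other service in that process, and on a box where the CFO is mid-"Financial" you want to know that before pressing Enter, not after.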

    Thursday, April 29, 2010

    Get a list of Windows 2008 Updates in simple text format.

    When recording the updates manually that have been installed on a system for my clients, it used to be easy in Windows 2003 since the update history was just a web page.

    However, in Windows 2008/Vista/Windows 7 it is no longer easy to copy all the updates which have been installed on a certain date, with their descriptions and KB numbers, and paste them into my report.

    I have found a way around this, as Windows 2008/Vista/Windows 7 keeps a log of all downloaded updates and whether they were installed successfully at the following location:

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log

    It is a simple process of scrolling to the end of the log to copy the section that looks like the following:

    {FD92377F-D788-4D8F-923F-6D07CE81DB3D} 2010-04-28 22:33:42:727-0700 1 184 101 {98140701-9959-0001-0000-812532895600} 102 0 AutomaticUpdates Success Content Install Installation successful and restart required for the following update: Update Rollup 10 for Exchange Server 2007 Service Pack 1 (KB981407)
    {F45D593D-CA26-484A-AC33-C6724C83C954} 2010-04-28 22:35:49:984-0700 1 183 101 {E4AB408F-0208-4BB8-9782-C1D895DC4F78} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - April 2010 (KB890830)

    Then you can paste it into a text file and clean it up, or use Paste Special as Unicode Text into an MS Excel spreadsheet to get the data into neat columns, from which you can copy the specific columns you want and paste them into your report.
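Added example (not from the post): a small Python parser for the ReportingEvents.log layout shown above that pulls out the date, result, KB number and update title, filters to the successful installs of one day and emits tab-separated rows, so the cleanup step is scripted instead of done by hand. The field layout is assumed from the excerpt, and the sample lines are constructed (the two quoted entries plus one made-up failure line).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two entries quoted in the post plus a made-up failure line (KB000000 is a placeholder); the real file is tab-separated, \s+ handles both.
SAMPLE_LOG = """\
{FD92377F-D788-4D8F-923F-6D07CE81DB3D} 2010-04-28 22:33:42:727-0700 1 184 101 {98140701-9959-0001-0000-812532895600} 102 0 AutomaticUpdates Success Content Install Installation successful and restart required for the following update: Update Rollup 10 for Exchange Server 2007 Service Pack 1 (KB981407)
{F45D593D-CA26-484A-AC33-C6724C83C954} 2010-04-28 22:35:49:984-0700 1 183 101 {E4AB408F-0208-4BB8-9782-C1D895DC4F78} 101 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 - April 2010 (KB890830)
{00000000-0000-0000-0000-000000000001} 2010-04-29 03:10:00:000-0700 1 182 101 {00000000-0000-0000-0000-000000000002} 101 0 AutomaticUpdates Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Example Update (KB000000)
"""

# Layout assumed from the excerpt: GUID, date, time, 3 numbers, GUID, 2 numbers, agent, result, a two-word category (e.g. "Content Install"), then the free-text message.
LINE_RE = re.compile(
    r"^\{[0-9A-Fa-f-]{36}\}\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4}\s+"
    r"\d+\s+\d+\s+\d+\s+\{[0-9A-Fa-f-]{36}\}\s+\d+\s+\d+\s+\S+\s+"
    r"(?P<result>\S+)\s+(?P<category>\S+\s+\S+)\s+(?P<message>.+)$")
KB_RE = re.compile(r"\s*\((KB\d+)\)\s*$")  # trailing "(KBnnnnnn)" on the message


@dataclass
class UpdateEvent:
    day: str                 # YYYY-MM-DD as written in the log
    result: str              # "Success" or "Failure"
    category: str            # e.g. "Content Install"
    kb: Optional[str]        # KB number, if the message ends with one
    title: str               # update name without the trailing (KBnnnnnn)
    restart_required: bool


def parse_reporting_events(text: str) -> List[UpdateEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other line layouts: skip rather than guess
        msg = m["message"]
        kb = KB_RE.search(msg)
        events.append(UpdateEvent(
            day=m["date"], result=m["result"], category=m["category"],
            kb=kb.group(1) if kb else None,
            title=KB_RE.sub("", msg.rsplit(": ", 1)[-1]).strip(),  # text after the last ": "
            restart_required="restart required" in msg.lower()))
    return events


def installed_on(events: List[UpdateEvent], day: str) -> List[UpdateEvent]:
    # Successful installs on one day: exactly the rows that go into the client report.
    return [e for e in events if e.day == day and e.result == "Success" and e.category == "Content Install"]


def report_lines(events: List[UpdateEvent]) -> List[str]:
    # Tab-separated rows that paste straight into a spreadsheet or report.
    return [f"{e.day}\t{e.kb or 'n/a'}\t{e.title}\t{'restart required' if e.restart_required else ''}" for e in events]
```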

    Enjoy!

    Thursday, March 04, 2010

    Status information for Windows services

    When a Windows service is running, it sends status notifications to the Service Control Manager (SCM) process. SCM maintains this status information in the service record for each service. SCM tracks this information so that it does not mistakenly send control requests that do not conform to the recipient service's current state.

    The service status information includes:

    • Service Type - A service can be a file system driver, device driver, or a Windows service, and can run its own process or share a process with other services. System Attendant is an example of a service that runs its own process. The SMTP service, however, is a service that shares a process with other services that are integrated with Internet Information Services (IIS).
    • Current state - The service state can be starting, running, paused, stopping, or not running.
    • Acceptable control codes - These are the control codes that the service is able to accept and process in its handler function, according to the current state.
    • Windows exit code - The service uses this code to report an error that occurs when it is starting or stopping. To return an error code specific to the service, the service must set this value to ERROR_SERVICE_SPECIFIC_ERROR to indicate that additional information can be found in the service exit code. The service sets this value to NO_ERROR when it is running or stopping properly.
    • Service exit code - The service uses this code to report an error when it is starting or stopping. The value is ignored unless the Windows exit code is set to ERROR_SERVICE_SPECIFIC_ERROR.
    • Wait hint - The service uses this code to report the estimated time, in milliseconds, required for a pending start, stop, pause, or continue operation.
    • Checkpoint - The service uses this value to periodically report its progress during a lengthy start, stop, pause, or continue operation. For example, the Services tool uses this value to track the progress of the service during start and stop operations.

    Displaying Service Exit Codes -

    To display the current status of all Windows services, you can use the command sc query.

    To check a single service, run the command sc query service_name and look for the WIN32_EXIT_CODE field in the output of the command.

    If this field is zero then the service started properly, and if the service didn't start properly then WIN32_EXIT_CODE will display a non-zero exit code specific to the service.

    For example, when I run the command sc query vss to query the status of the Volume Shadow Copy service on a Windows XP machine, the WIN32_EXIT_CODE value returned is 1077 (0x435).

    To find out what this exit code means, you can type net helpmsg 1077, and the result of doing this is "No attempts to start the service have been made since the last boot."

    This likely indicates that the Startup Type for this service is Manual, i.e. the service isn't set to start automatically upon reboot.
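Added example (not from the post): a Python helper that parses pasted `sc query` output and applies the rule from the status list above, namely that SERVICE_EXIT_CODE only matters when WIN32_EXIT_CODE is ERROR_SERVICE_SPECIFIC_ERROR (1066), then gives a one-line verdict. The samples are constructed; the vss one mirrors the 1077 case described here, and "examplesvc" is a placeholder name.

```python
import re
from typing import Dict, Tuple

ERROR_SERVICE_SPECIFIC_ERROR = 1066  # Win32 code meaning "look at SERVICE_EXIT_CODE instead"

# Constructed samples in the layout `sc query <name>` prints. The first mirrors the post's
# vss example (1077 / 0x435); the second is a trimmed, made-up service-specific failure.
SAMPLE_VSS = """\
SERVICE_NAME: vss
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
SAMPLE_SPECIFIC = """\
SERVICE_NAME: examplesvc
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1066  (0x42a)
        SERVICE_EXIT_CODE  : 5  (0x5)
"""
# The one message the post quotes from `net helpmsg`; other codes are looked up at run time.
KNOWN = {1077: "No attempts to start the service have been made since the last boot (Startup Type is probably Manual)."}

FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.+?)\s*$")


def parse_sc_query(text: str) -> Dict[str, str]:
    """Map each FIELD line of `sc query` output to its raw value, e.g. '1077  (0x435)'."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, text.splitlines()) if m}


def effective_exit_code(fields: Dict[str, str]) -> Tuple[int, bool]:
    """Rule from the list above: SERVICE_EXIT_CODE only counts when WIN32_EXIT_CODE is
    ERROR_SERVICE_SPECIFIC_ERROR. Returns (code_to_look_up, is_service_specific)."""
    win32 = int(fields["WIN32_EXIT_CODE"].split()[0])
    service = int(fields["SERVICE_EXIT_CODE"].split()[0])
    if win32 == ERROR_SERVICE_SPECIFIC_ERROR:
        return service, True
    return win32, False


def explain(text: str) -> str:
    """One-line verdict for a service from pasted `sc query` output."""
    fields = parse_sc_query(text)
    name, state = fields["SERVICE_NAME"], fields["STATE"].split()[-1]
    code, specific = effective_exit_code(fields)
    if code == 0:  # NO_ERROR: the service started (or stopped) cleanly
        return f"{name}: {state}, no error reported"
    if specific:
        return f"{name}: {state}, service-specific exit code {code} (see the service's own event log entries)"
    return f"{name}: {state}, Win32 exit code {code}: " + KNOWN.get(code, f"run `net helpmsg {code}`")
```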

    I hope this tip proves useful for you.

    **Information in this post consolidated from several sources including MS TechNet, WindowsNetworking.com, etc.**

    Monday, February 22, 2010

    Remote control sessions keep losing connection

    RDP, LogMeIn, VNC etc -

    The most common issue is an unstable IP protocol stack. Try running "netsh int ip reset c:\ipreset.log"

    The other common issue is trojan redirectors attempting to override the DNS settings, which causes connections to drop.

    If the problem goes away when the user connects in Safe Mode with Networking, then you have an issue with a trojan, a firewall application, or an A/V application blocking the connection.

    Saturday, February 06, 2010

    Email Administrator Tips - Volume 1

    When you are performing the email administration role, there are some important things to keep in mind and to test on a regular basis.

    Here are some basic email services checklist items:


    Test Remote Email Web Access -

    Make sure you can successfully connect and log in to Outlook Web Access (OWA) etc.

    Check that all Email services are running -

    You either need to confirm these yourself on a daily basis or set up availability monitoring via RMon etc. Some of these services can be continuously monitored from your desktop using Exchange Monitor.

    Check Mail queues -

    Check in Exchange System Manager (or equivalent) that there are no pending emails in the mail (SMTP) queues.


    Check Size of Mailbox stores -
    Managing the size of your email databases is critical especially in Small Business environments where disk space is at a premium.

    Exchange uses single-instance storage, so if a message is sent to 20 employees, only one copy is kept in the mailstore DB.

    This keeps the size of the store down, but the mailbox list counts this message in the total size for each of those 20 users. So, the total of the mailbox sizes from System Manager will almost always be larger than the actual database sizes.

    The quickest way to check total storage size for Exchange 2000 - 2007 is here: http://www.petri.co.il/reporting_storage_size_in_exchange.htm

    Check sizes of individual mailboxes -

    As with the above advice, you also need to make sure you keep track of your biggest offenders in the mailbox disk space usage wars. In Exchange 2003 this can be checked easily from System Manager's Mailboxes screen. Mailbox sizes should be kept below 2GB and 10K items to maintain performance according to best practices.

    Offline Mail Store Defrag -

    Consider performing an offline mail store defrag depending on the activity of email, but especially if you haven't performed one in 6 months or if you have recently deleted a lot of old mailboxes.

    The mail store size doesn't really shrink after these deletions until an offline defrag is performed. This can take several hours for a small to moderately sized mail store set, so you'll need to bring mail services down during that time, best done in the middle of the night when you have scheduled downtime with the users.


    Clean up BADMAIL directory -

    "What is this BadMail? Let us start with NDRs (Non-deliverable requests). These NDR emails cannot be returned to the sender. So what happens is that after the allotted retries, Exchange 2003 routes the email to a bin called the BadMail folder.

    To find the BadMail folder: Navigate to \Exchsrvr\Mailroot, now you should see a \vsi 1\BadMail folder. There will be one vsi folder for each virtual server. " (See link below)

    This was important with Exchange 2000 and earlier. If you are using Exchange 2003 SP1 and later then you can skip this.

    Here is a good summary of BadMail: http://www.computerperformance.co.uk/exchange2003/exchange2003_badmail.htm

    Confirm that there are no open relays -

    Test for open mail relays using (one or more of the following sites): http://www.mxtoolbox.com/diagnostic.aspx

    http://www.checkor.com/

    http://www.spamhelp.org/shopenrelay/shopenrelaytest.php

    http://www.abuse.net/relay.html


    Useful tools to have in your toolkit:


    Sam Spade (WIN32) - a multi-function analysis tool and web site that can decode a message's headers and make a fairly good guess about where it came from. Be patient with yourself while learning it; it's a very useful tool for dealing with spam and backtracing its origin.


    Exchange Monitor (WIN32) - from SolarWinds is a desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health.

    Microsoft Exchange Server User Monitor (WIN32) aka ExMon - Use the Microsoft Exchange Server User Monitor to gather real-time data to better understand current client usage patterns, and to plan for future work. Administrators can view several items, including IP addresses used by clients, versions and modes of Microsoft Office Outlook, and resources such as CPU usage, server-side processor latency, and total latency for network and processing. Works with Microsoft Exchange Server 2000, 2003, 2007 and 2010. How to use it: http://www.petri.co.il/using_ms_exmon.htm

    Friday, February 05, 2010

    Configure Services MMC to Open Maximized by Default

    One of my pet peeves when working on client servers remotely doing maintenance is that I need to check to make sure all automatically started services are ... started, using Services MMC.

    You'd think this would not be an issue, but believe me, automatically started services do not always start automatically. True Story.

    Now when you open up Services (services.msc) it starts in extended windowed mode. I like to maximize it to see the most services at a glance as possible.

    You can edit the shortcut for the MMC all day long and it will never start Maximized ... Damn you Microsoft!

    Well here's how you fix this in the non-obvious way:

    You will open the Services MMC in author mode to create a new Services console or modify the existing Services console. (This works for all MMCs, btw.)

    1. Click Start, Run and type %systemroot%\system32
    2. Right click the file Services.msc and copy/paste it back into the same directory, which will create a backup copy called "Copy of Services.msc"
    3. Right-click the original Services.msc, and choose Author

    The Services MMC Snap-In opens in Author mode, in which you can customize the window size, pane width, view mode (Standard or Extended) etc.

    4. Customize the MMC to your heart's content.
    5. From the File menu, click Save As to save your settings, save over Services.msc.
    6. Exit the Services MMC.

    Now open Services MMC (services.msc) normally, it should have retained your customizations.

    Rock it like a hurricane, baby!

    Tuesday, February 02, 2010

    Get System Uptime quickly via the Command-line

    Here is a real quick way to find a system's Up Time value (time since it was last booted) using the Command Prompt.

    This becomes important during due-diligence on a server crash etc. where you need to determine when the system came back online etc.

    The following command line uses a pipe and the Find filter tool to easily isolate the System Up Time value:

    Open a Command Prompt window.

    Type the following command, exactly as you see it here, caps and quotes included:

    Systeminfo | Find "Up Time"

    This will print the info to the Command Prompt window; if you would like to send it to a text file instead, type it in as follows:

    Systeminfo | Find "Up Time" > c:\uptime.txt

    For Windows 2008 and Vista/Windows 7 use the following command:

    Systeminfo | Find "System Boot Time"

    ** Note: between Systeminfo and Find there is a pipe (shift+\), which blogger.com sometimes strips, so make sure it is there.

    If you'd like to just type in uptime to get the System Up Time value then you can also download the following command-line app from Microsoft and install on your PC/server:

    http://download.microsoft.com/download/appcenter2000/uptime/1.0/NT5/EN-US/AC-UpTimeTool.exe

    Thursday, December 24, 2009

    WTH? Terminal Services is started but won't allow RDP access, can I fix that without rebooting the server again? Yes ...

    Prerequisites:
    You will need to have console or iLO/DRAC access to the server with the stalled terminal services instance.

    This can be accomplished either by having physical access to the server console (KVM), by using a Lights-Out remote access card to remotely access the physical console, or by using a non-TS based remote console access service such as LogMeIn, VNC, etc.

    Microsoft (damn you, Ballmer!) decided to disable the ability to restart terminal services by default in Windows Server. Because, you know, ... the service never fails ... LAME!

    Lucky you, you are about to find out a way around that little bit of design madness.

    Abrakadabra! and poof ... SysInternals - Process Explorer.

    ** FYI - On Windows Server 2008 you will need to start procexp.exe with Administrator rights in order to kill processes**

    • Access the server console via one of the means mentioned above under pre-reqs
    • Open IE and go to http://live.sysinternals.com (allows you to run sysinternals apps from the net!)
    • Locate the link to procexp.exe click it and open (not save) it.
    • Once Process Explorer has launched, click View in the command bar and, from its drop-down menu, click Select Columns, check Command Line and click OK.
    • Next sort by Process so that you get an alphabetical listing by process name and look for: svchost.exe.
    • Now expand the Command Line column, look for a svchost line that looks something like this: C:\WINDOWS\SYSTEM32\svchost.exe -k termsvcs
    • Stop that svchost.exe process by right clicking it and clicking Kill Process.
    • Press Windows Key+R to launch the run command, type services.msc in the Run field and press Enter
    • Once the Services management console launches, locate Terminal Services and right click it, then choose Start.

    Yay! Terminal Services is working now.

    Huzzah! And there was much rejoicing amongst all the remote workers and administrators, and no local users' open files were harmed in the process by a nasty server reboot.

    Who's their Daddy? Why, you are, of course. ;-)