Blog

Symantec Endpoint Protection (SEP) allows additional locations to be defined per client-group.  The main purpose of these is usually to define LiveUpdate settings when the client is not on the network.  Although there are many rule variations to define when the client auto-switches to a secondary location, one common rule-setting is to switchover when the client simply cannot communicate with the management server.  Occasionally, you may have reason to define a second location for your server group(s).  If so, be careful not to have an additional location using the rule mentioned above for your terminal-server group (either explicitly or through inheritance).  Doing so can make your terminal-server SEP clients go 'partially offline' - meaning they show offline locally and do not seem to enforce some policy settings, but continue to apply definition updates and show online in the management console.  A symptom of this behavior that is easy to spot is the SEP icon not displaying in the system tray (assuming you don't have policies defined to intentionally hide it).  Rebooting the terminal server or restarting SMC will resolve the issue temporarily, but it will come back randomly.  This issue has been seen in a production environment using SEP 11.0.4-builds on Windows 2003 SP2 Terminal Services.

A client of ours uses the Cybernet iONE all in one PCs for customer internet stations at several of their locations. One oddity of these machines is that they ship with dual Gigabit onboard NICs. On these internet stations we typically use just one and disable the other NIC. While building out a particular machine, I needed to install several pieces of software that we deploy via Group Policy Software Installation. The problem is that any time I would attempt to deploy the software via Group Policy, it would fail and I would see event ID 1054 in the event logs… “Windows cannot obtain the domain controller name for the computer network. (The specified domain either does not exist or exist or could not be contacted). Group Policy processing aborted. Data: (unavailable)”.  Everything else was working fine. The machine was a member of the domain, I could ping the domain controller that DHCP had assigned to the machine, I could resolve internal and external addresses, gpresult showed that the PC was successfully linked to the software installation OU, etc. [more]

After conducting some research on this error and on these machines, it turns out the problem was that the onboard Broadcom gigabit NIC was taking too long to auto-negotiate its link speed, creating a “race condition” between the TCP/IP protocol and the NIC driver when they try and register with the MS Nework Driver Interface Specification. The local Userenv process (what actually performs GP’s instructions) would attempt to install the software before the NIC was fully available, thereby causing it to fail when it would attempt to run the assigned MSI over the network. Here’s how to rig the race so that the NIS driver always wins the “race”. There is a MS hotfix available for this along with a more detailed problem description at http://support.microsoft.com/kb/840669. After installing this hotfix you must add the DWORD registry entry GpNetworkStartTimeoutPolicyValue in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the value of that DWORD entry to the number of seconds you would like the OS to delay processing Group Policy Startup scripts.

I had problems with my laptop after installing the PGP desktop (in order to use the PGP Whole Disk Encryption).  Most times, when I would reboot, the PGP boot application would not take my domain password.  I would have to use a one-time recovery token to get booted.  A co-worker found, in the PGP forums, a reference to this being a conflict with the ThinkVantage fingerprint software for some ThinkPads (T400, T500, X301, X200, W700, etc.).  I uninstalled the fingerprint software and the problem stopped immediately.  I ran this way for more than a week without any issues.  I installed the fingerprint software again and, so far, it seems to work.  Time will tell if the problem comes back and the fingerprint software has to be uninstalled again.

One of my few frustrations with my new iPhone was battery life – it seemed I had to charge my phone every day.  So, I googled to see if I could find some tips on how to increase my iPhone batter life.  While searching, I found a link from Apple (http://www.apple.com/batteries/iphone.html) with the following tips that helped with preserving the battery life of my iPhone:

1. I implemented the following recommendations, and it has made a difference in my battery life – I even went a little over two days without charging on one occasion…
   Disable WiFi & Bluetooth when not needed
2. Disable unnecessary sounds (i.e. audio keyboard clicks)
3. Enable Auto-Brightness (note: uses the camera to automatically adjust the screen’s brightness)
4. Store the iPhone at room temperature & do not expose it to direct sunlight (exposure to heat causes damage to lithium-ion batteries due to intense ionization)
5. Turn off location services when not needed
6. Turn off EQ (equalizer setting for song playback)

I was assisting a vendor with a software update at a client site that required .NET 3.5 SP1. An error keep popping up (“remote user install not available”) when I attempted to install .NET 3.5 SP1.  RGBRast was listed as the problem child. I looked at group policy as many web post suggested.

(Computer Configuration: Administrative Templates: Windows Components:Windows Installer) (Disable Windows Installer) Set to "Disable"

The group policy was not set so I went ahead and disabled the setting to see if it would help, but it did not.

After researching more I found that with .NET 3.0 and up, the RGB Rast msi appears to be configured to do a per-user install, rather than per-machine. The server had the "Prevent per-user installs" Group Policy enabled which would cause the install to fail, preventing .Net 3.5  from installing. [more]

I modified the registry value

Key: HKLM\Software\Policies\Microsoft\Windows\Installer
Value: DisableUserInstalls
Data: 1
Type: REG_DWORD

And was then able to complete the .NET 3.5 SP1 installation as well as the database / program upgrade.

This seems to be something that my Windows Vista book did not mention about disk management in comparison with the past versions.  Windows Vista/7/2008 Server have an improved Disk Management feature in that it allows you to shrink basic partitions.  Whereas in the past we have had to use 3rd party utilities (such as gparted or partition magic) to resize drives, Windows has the option to shrink the partition size.  Simply open up disk management and right click on the partition you wish to shrink and select “Shrink”. 

Windows will calculate exactly how much it can shrink so that you can use the new unallocated space to make additional partitions.  Limitations to this of course depend on where the data is currently stored on the disk.  If it is scattered, you may be able to claim more by defragmenting and moving your data towards the first sectors of the disk.

The National Credit Union Administration (NCUA) issued an advisory warning that CDs with malware are being mailed to Credit Unions claiming to be training materials.

See http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm for the alert.

CoNetrix is pleased to announce the CoNetrix Information Security Risk Assessment software and Business Continuity Planning (BCP) software are candidates for the BankNews 2009 Innovative Solutions Award.

The Innovative Solutions Award, sponsored by BankNews, recognizes companies that have introduced or enhanced a product or service designed to help banks better serve their customers.  Entries are divided into four categories:

1. Architectural/Equipment Solutions
2. Consulting/Outsourcing/Training Solutions
3. Management Software Solutions
4. Online/Remote/Mobile Solutions

The CoNetrix Risk Assessment tool is listed under the category 2 "Consulting/Outsourcing/Training Solution", and the BCP tool is listed under the category 3 "Management Solutions".

To vote now, go to http://www.banknews.com/2009-Entries.704.0.html

To learn more about the Innovative Solutions Award, visit http://www.banknews.com/

I have been working on VMware vSphere v4 for the last few days and have found that enabling jumbo frames support is not as intuitive as the admin guide makes it sound. The process goes something like this.

1. Enable jumbo frame support on iSCSI SAN (MSA 2012i)
2. Enable jumbo frame support on switch (a Linksys business class in this case)

Both of these are very straight forward and simple to do, but here is where it gets a little tricky. vSphere v4 jumbo frame support for the iSCSI network must be enabled with the CLI. Two things must be done. You must enable jumbo frames on the vSwitch and then able it on the VMkernel port/ports. The command to enable JF enable on the vSwitch looks like this: [more]

esxcfg-vswitch -m <MTU> <vSwitch>

In my case, I wanted a 9000 MTU (9KB) for vSwitch1, so it was ‘esxcfg-vswitch -m 9000 vSwitch1’ . All good so far. Now, I needed to JF enable the VMkernel port. Admin guide says this is the command

esxcfg-vmknic -a -I <ip address> -n <netmask> -m <MTU> <port group name>

So my command looked something like this esxcfg-vmknic -a -I 192.168.155.21 -n 255.255.255.0 -m 9000 “iSCSI VMkernel”

When I ran this command, it said that this port group didn’t exist. Exactly…that is why I am running this command…to create the VMkernel port and associated port group. After MUCH troubleshooting, I finally found that the following sequence WILL work. It must have something to do with the way the port groups and their associated identifiers are created.

1. Create the VMkernel port in the vi client (GUI)
2. Remove the VMkernel port from the CLI with this command esxcfg-vmknic –d “iSCSI VMkernl”
3. Recreate the same VMkernel you just deleted with JF enabled esxcfg-vmknic -a -I 192.168.155.21 -n 255.255.255.0 -m 9000 “iSCSI VMkernel”