It’s been quite a while since I blogged about house prices, or anything to do with the economy at all really. Mostly because not much seems to be happening. Government prints some money, nothing much moves anywhere, least of all house prices which have remained pretty much stable the last few months. An odd rise here, an odd drop there but not a lot. Until that is, the Halifax’s latest report indicated a 3.6% drop in asking prices for September. Now, I know these are asking prices and I know it’s a monthly change but this is a pretty awful statistic. The quarterly change incidentally is 0.9%, which is not as awful. I suppose the next few months will be telling. The annual change is now +2.6%, which isn’t great considering inflation is something higher than that!
IAS, 802.1X and Cisco
This took me hours to fix. I’m so utterly annoyed at myself for not finding the problem out earlier, that I’m going to let you in on what I did.
We have a setup at work of about 100 Cisco routers, Aironets and other 802.1X devices connecting to a Windows 2008 IAS box for AD RADIUS authentication. Now, this one user was having a problem with them. IAS logs are, as I’m sure you’re aware, impossible to read. I could see something happening in the logs, but the Aironet said “Station [mac] Authentication failed”. Hmm. AD security logs showed he authenticated ok. It took a long time for Windows to give up authenticating, so it seemed like a network related issue. This guy was ok at home with his wireless so the laptop was ok. Weird.
Anyway, after a long and hard struggle of no errors being logged, I looked at his “dial-in” tab in AD and lo and behold, it was set to “deny”. Thanks to whomever set his account up, that was a great help. To make it better, that tab doesn’t show in my Win7 RSAT so I had to RDP to a 2k3 box.
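Added example, not part of the original post: a small parser that makes IAS log rejects readable and names the dial-in "Deny" case (reason code 65). It assumes the server writes the IAS text log format (six header fields, then attribute-ID/value pairs); the sample lines, names and addresses are constructed.

```python
import csv

# Fixed header fields of an IAS-format log record.
HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")
CALLING_STATION = "31"    # RADIUS Calling-Station-Id (client MAC)
PACKET_TYPE = "4136"      # 1 = Access-Request, 2 = Accept, 3 = Reject
REASON_CODE = "4142"
REASONS = {               # small subset of the NPS reason codes
    "0": "success",
    "16": "authentication failed (credentials mismatch)",
    "36": "account locked out",
    "65": "dial-in permission set to Deny on the user account",
}

# Constructed sample records (not taken from a real server).
SAMPLE_LOG = "\n".join([
    r"192.0.2.10,CORP\jsmith,09/14/2010,10:02:11,IAS,RADIUS01,4128,AP-FLOOR2,31,0011.2233.4455,4136,1,4142,0",
    r"192.0.2.10,CORP\jsmith,09/14/2010,10:02:11,IAS,RADIUS01,4128,AP-FLOOR2,31,0011.2233.4455,4136,3,4142,65",
    r"192.0.2.11,CORP\akhan,09/14/2010,10:03:40,IAS,RADIUS01,4128,AP-FLOOR1,31,00aa.bbcc.ddee,4136,2,4142,0",
])

def parse_line(line):
    """Split one record into its header fields and an attribute dict."""
    fields = next(csv.reader([line]))   # csv handles quoted values with commas
    record = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record

def rejects(log_text):
    """Return (user, client MAC, reason code, meaning) for every Access-Reject."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        attrs = record["attrs"]
        if attrs.get(PACKET_TYPE) == "3":
            code = attrs.get(REASON_CODE, "?")
            meaning = REASONS.get(code, "look up in the NPS reason code list")
            found.append((record["user_name"], attrs.get(CALLING_STATION), code, meaning))
    return found

if __name__ == "__main__":
    for user, mac, code, meaning in rejects(SAMPLE_LOG):
        print(f"{user} from {mac}: reject, reason {code} ({meaning})")
```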
SCCM and AMT
As you may be aware I’ve been experimenting with SCCM recently. I’m finding it amazing. I’ve not been on a course for this so to say it is daunting is a huge understatement. The myriad configuration options are enough to scare anyone off, but once you grasp the basic concepts of advertisements, packages and collections, life becomes easier. I’d recommend taking it one step at a time. Get one item configured and working before progressing onto the next.
Regarding that, the PC I’m testing on has Intel’s “vPro” architecture. I really had no idea what this was until I had a cause to use it. Basically, for those of you with HP servers, it’s like a very cut down desktop version of an ILO. No remote console viewing or anything fancy. I can reboot the machine (in a hardware way), view some information on the settings and specify a boot image for recovery perhaps. I see it being quite useful but it’s a bit of a pain to configure initially. Like most things in SCCM, getting it to do things NOW is quite hard. As it’s intended to be used in a huge enterprise, everything happens in a scheduled fashion.
With this in mind, here is a basic list of what you will need. I used our own internal CA to provision it, which makes things a little more difficult. Mainly because I spent a lot of time wondering why it didn’t work. Here’s a hint. If you are using your own internal CA for AMT provisioning, you must go into the AMT screen via Ctrl+P (on my HP) and enter the hash (thumbprint) of the CA Root certificate. You can USB provision them; you will need to download Intel’s AMT SDK (http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/) and the USB key provisioning tool (http://communities.intel.com/docs/DOC-1430). You make the .bin file with the program in the SDK thusly:
usbfile -create c:\setup.bin admin S3curepw! -hash c:\root-ca.cer "MY CAs Hash"
Obviously change the bits above to suit your environment. You can then format the USB key with the tool, give it the .bin file and boot from the USB key to provision the PC. After a while, assuming SCCM has been set up correctly, it will discover the AMT and it will be configured for you to use.
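Added example, not part of the original post or of Intel's tools: computing the root CA thumbprint to check against the hash entered on the machine. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate, as Windows displays it; the helper names and the sample bytes (a stand-in, not a real certificate) are constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_file_bytes):
    """Return DER bytes whether the .cer was exported as DER or as Base64."""
    match = PEM_RE.search(cert_file_bytes)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return cert_file_bytes

def thumbprint(cert_file_bytes, algo="sha1"):
    """Digest of the DER encoding, never of the Base64 text itself."""
    return hashlib.new(algo, to_der(cert_file_bytes)).hexdigest().upper()

def normalise(typed):
    """Drop spaces, dashes and colons so formatting differences do not matter."""
    return re.sub(r"[\s:\-]", "", typed).upper()

def grouped(hex_digest, size=4):
    """Break a long digest into short groups that are easier to read back."""
    return "-".join(hex_digest[i:i + size]
                    for i in range(0, len(hex_digest), size))

def hash_matches(typed, cert_file_bytes, algo="sha1"):
    """True if a hand-entered hash equals the certificate's thumbprint."""
    return normalise(typed) == thumbprint(cert_file_bytes, algo)

# Constructed stand-in bytes, in both export encodings of the same "certificate".
DER_SAMPLE = bytes.fromhex("3082000a0201010402cafe")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    digest = thumbprint(PEM_SAMPLE)
    print("Thumbprint:", grouped(digest))
    # Hashing the Base64 file as-is gives a different, wrong value.
    print("Raw-file hash differs:",
          hashlib.sha1(PEM_SAMPLE).hexdigest().upper() != digest)
    print("Typed value matches:", hash_matches(grouped(digest).lower(), DER_SAMPLE))
```

To check a real export, read the file with `open(path, "rb").read()` and pass the bytes to `thumbprint`.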
SCCM Site Detection
I’ve been having some fun at work recently with SCCM. Generally got it to work after following most of the articles on-line. It’s a bit of a mammoth program and configuring it takes time, so I’d certainly read everything first. Also, get an Enterprise CA, life is easier.
My first confusion with an SCCM client was when trying to auto-discover the site. It kept failing for no particular reason. Anyway, it turns out that you can’t do it when logged on locally when it’s AD integrated and there’s no WINS (remember that?). Tried it as a domain account and it worked fine. No idea why, one would assume it would use the computer account to connect to the SLP but it appears not to do so when run from the Control Panel.
Have Fun!
LockoutThreshold
We’ve been having some interesting issues at work recently with the account lockout that has been enforced upon us by our auditors. Like most places, we use an account for services that run on the servers. Now, on one of our servers somewhere in the galaxy, the password is wrong. This causes the account to lock out after a while, meaning most of the others fall over. I’ve managed to find out which server it is – I think – yet I can’t see anything actually logging on as the account other than the evidence in the event log. Strange.
Another problem related to the above is that our proxy (a “BLOXX”) uses the service account to authenticate users. This caused huge problems. It gives no indication that the account is locked; the proxy instead repeatedly asks the user for their password. Obviously the service desk assume the user is typing their password incorrectly, which – let’s face it – is probably quite likely… Eventually we discovered that the proxy must use the service account to query AD in some way, and if that account was locked, it would reject any authentication.
To add yet more fun to the problem with implementing the lockout is that I can’t get rid of it. Nope. It won’t go. I’ve unset everything in the policy, confirmed it in RSOP, yet if I look in adsiedit.msc I can clearly see that the information is still set there. If I set the lockout information again, I can see it change in adsiedit. Removing it again means that it stays there. I’ve no idea how to set it to “not configured”, so I’ve set it to a high value. Ultimately, the lockout isn’t there to punish users, it’s there to stop the domain admin accounts from being brute forced.
The resolution we’ve found is to use a different account for the Bloxx and to manually edit LockoutThreshold in ADSI Edit to keep things nice and happy.