Wednesday, December 21, 2005


I find it rather amusing (actually reminiscent might be more accurate) to see the flurry around AJAX. In particular, the number of companies that are springing up out of nowhere with 'AJAX desktops', 'AJAX Office' and 'AJAX messaging'. Feels like I'm back in 99. TechCrunch does a rather good job of following these developments.

The delivery of 'web services' does not mean 'something delivered via a web browser'. Hopefully people will pick up on that sooner rather than later. Java developers have been there for some time already. The notion of Web 2.0 is exciting, but people are getting too wrapped up in the browser paradigm. Javascript, SOAP and XML are cool, but I've yet to see a compelling interface delivered via a web browser that didn't use Flash or Java. Most remind me of Windows 3.11 with pastel colours.

It's easy to see that the infrastructure illiterati pushing these AJAX based services are so wrapped up in the world of web development, they never stopped to take a look at what other technologies enable delivery of rich client applications over minimal bandwidth to a platform agnostic client (which can be as simple as a java applet running in a browser or an ActiveX control). I am of course talking about the ICA protocol and its derivative on the Windows platform, RDP.

There is so much amazing technology that has gone into the development of these 2 protocols, and so many years of serious improvements, I am sure that if the developers working on AJAX actually took a minute to understand them, they'd possibly pack up their AJAX shops right now and start writing real rich server based apps with little client footprint.

Just take a look at the seamless application publishing Microsoft will be delivering with Longhorn server. This is something Citrix has offered for maybe 10 years, but they see the writing on the wall - Citrix has re-invented itself as an access and identity management company for good reason. They know what the 800 pound gorilla of the software industry is capable of.

So just in time for the end of 2005, here is my prediction of where we'll end up sometime late 2006/ early 2007:

1) All these AJAX offerings will either have disappeared, be losing vast amounts of other people's money or offering subscription based services for which people will quickly ask themselves 'why am I paying for this?'.

2) Microsoft will bury them with seamless office application delivery via Terminal Services, probably using the portal as a launchpad.

For those of you not in the infrastructure space, Microsoft already has a rich corporate messaging client that is completely browser based and offers integration across their product suite (Office, Exchange, Sharepoint, ASP.NET) that the others could only dream of.

For those who doubt my predictions about the delivery of real applications over minimal bandwidth, check out this video on -

And Merry Xmas / Happy New Year :-)

Tuesday, November 22, 2005

Microsoft coming good with the licensing...

I've always maintained that if Microsoft really want to take the fight to Linux, all they would need to do would be drop some prices and fix up their confusing and at times insulting corporate licensing scheme. And it looks like this may happen, if the trend in the non-enterprise space is anything to go by.

Take the new Visual Studio 2005 Express Editions - all 'free for one year'. I'm still not sure what that means... whether it's 'download within the first year and it's free forever' or 'download and use it for free for one year from install date'. Either way, it's a good thing.

And the new 'virtual' licensing scheme. Buy 2003 R2 Enterprise, and run up to 4 virtual instances for no extra cost whatsoever. Microsoft have even graciously stipulated that it doesn't matter what virtual platform it's sitting on as well.

Speaking of their virtual platform, the new licensing for Virtual Server 2005 R2 is another example of taking the fight to the competition - $99 for the standard edition, which will run on up to 4 CPUs, and $199 which will run on an unlimited number of CPUs. I'm sure this will result in some more competitive pricing from EMC. It's not like they don't rip us off enough with their hardware already.

I have been a huge fan of VMWare for years, and while VirtualPC 2004 sucks teh pensi, I must say I'm tempted to run some comparisons at work between ESX Server and Virtual Server 2005 R2. I'm sure my company is like most - we are looking at using virtualisation to provide development / proof of concept environments and doing some hardware consolidation for some old boxes still running NT4. We are not even considering running high I/O production servers in a virtual environment. Obviously, in functional testing or proof of concept environment, performance is a non-issue. And with regards to migrating off old hardware, I'd be surprised if there was any noticeable performance degradation when moving an NT4 application server off old P2/P3 based hardware with 1GB of RAM to sharing a dual Opteron box with 8GB of RAM with another 4-7 virtual machines. Regardless of what the virtual platform is - VMWare still recommend that you assign 800M of RAM and a dedicated NIC to the ESX service console. Windows Server 2003 running Virtual Server doesn't need any more resources than that.

I'll be looking very closely at both products in the next few weeks. If the performance differences justify the additional expense and infrastructure requirements to run ESX Server properly (ie full SAN backend, dedicated machine running Virtual Center, vmotion etc etc) then I'll happily never look at the Microsoft product again. But I have a hunch it won't turn out that way... I'll be sure to post my findings.

Monday, October 24, 2005

Boot Windows PE from TFTP Server to RAM

Oooooo yes, finally working. All because I overlooked one file... see if you can guess which one from the instructions. So as I wrote previously, I had created a PE from HDD to RAM solution for cases where I was building a remote server that didn't have a virtual CDROM available but did have a virtual floppy available (for those familiar with HP server hardware, boxes with a RILOE / RILOE II).

But why bother with all that when you can just have a TFTP server and boot the WinPE ISO directly from there into the RAM of the server you are building! Here we go...

The following files are required, ALL from Windows PE 2005 / Windows Server 2003 + SP1. Yes I know you could use a PE ISO built from XP but with ramdisk.sys from 2003+SP1, but for the sake of brevity... oh well there goes that idea!

1. A Windows PE ISO, built from 2003 Server + SP1
2. from the 2003 Server + SP1 CD
3. from the PE ISO
4. winnt.sif, with the same entries as the PE HDD to RAM post
5. setupldr.exe from the PE ISO. !!!NOTE!!! That's SETUPLDR.EXE that is 272KB - NOT NOT NOT setupldr.bin which is 292KB in size. Rename SETUPLDR.EXE to NTLDR. The file size is 272KB. Did I mention it needs to be the SETUPLDR.EXE renamed to NTLDR?

OK, so follow the instructions in the previous post to setup your free Microsoft TFTP server.

Put the 5 files mentioned above into the TFTPROOT directory.

Set option 066 on your DHCP server, with a value of the IP address of your TFTP server.

Set option 067 on your DHCP server, with a value of

*Note* If your DHCP server and TFTP server are the same box, you also need to set option 060 (Vendor class identifier) on the DHCP server to PXEClient. That tells PXE clients that the box answering DHCP on port 67 is also the PXE boot server, so they don't go looking for a separate one. DHCP listens on port 67 by default.

And voila, that's it!

"But n0000000000dles...", I hear you say, "we don't have DHCP running in our datacenters so we can't PXE boot."

Well, I think you're outta luck, but I'll look around and see if I can find some other solution.

Friday, October 21, 2005

Running a Windows TFTP Server

There are several 3rd party free TFTP servers for Windows out there, but why use a 3rd party product when you already have a free TFTP server on the install CD? Lets roll!

First, grab the Windows Server 2003 resource kit, and install it.

Now open a shell and go to your I386 directory (CD or distribution share - doesn't matter).

Run expand tftpd.ex_ %systemroot%\tftpd.exe. Note you could place the .exe elsewhere if you like.

Still in the shell, change to the Windows 2003 reskit install directory and run instsrv tftpd %systemroot%\tftpd.exe.

Create a TFTP root directory. It can be anywhere and named anything. For example, D:\TFTProot.

Run the following commands to create / modify the appropriate registry values

reg add hklm\system\currentcontrolset\services\tftpd /v DisplayName /t REG_SZ /d "TFTP Server"
reg add hklm\system\currentcontrolset\services\tftpd\Parameters
reg add hklm\system\currentcontrolset\services\tftpd\Parameters /v Directory /t REG_SZ /d d:\tftproot

And finally, do a net start tftpd

And that's it. Remember that TFTP has no authentication whatsoever: anything you drop in the TFTP root is readable by any host that can reach UDP port 69 on that box, so keep credentials out of any answer files you put there. It would also be a good idea to set NTFS permissions on the TFTP root so the service account has read-only access, and to run the service under a low privileged account rather than the LocalSystem account instsrv gives it by default.

Why am I doing this? I'm looking to take the 'PE from HDD to RAM' to the next level, which is booting PE via PXE :-)
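To show what the TFTP server above is actually handing to PXE clients, and why the permissions note matters, here is an added example (not code from the original posts, and not Microsoft's tftpd): a minimal in-process TFTP server confined to a root directory, plus a client that does the RRQ / DATA / ACK exchange from RFC 1350. The 'NTLDR' file, the TFTP root and the file outside it are constructed in a temp directory so it runs offline; the server is a stand-in, not the Windows service. The point it demonstrates is that nothing in the protocol keeps a client inside the root; only the server does, by refusing '..' escapes with an ERROR packet.

```python
"""In-process TFTP read-request exchange (RFC 1350) against a confined root.

Added example, not from the original posts. The server stands in for the
Windows tftpd used for the PXE boot; files and directories are constructed.
"""
import os
import socket
import struct
import tempfile
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # RFC 1350 fixed block size; a block shorter than this ends the transfer


def safe_path(root, name):
    """Resolve a requested filename inside root; return None if it escapes."""
    root = os.path.realpath(root)
    # PXE clients and WinPE tend to send backslashes; treat both slashes the same.
    rel = name.replace("\\", "/").lstrip("/")
    full = os.path.realpath(os.path.join(root, rel))
    return full if full.startswith(root + os.sep) else None


def serve_one(sock, root):
    """Answer one request: DATA blocks in ACK lockstep, or a single ERROR."""
    pkt, peer = sock.recvfrom(600)
    (opcode,) = struct.unpack("!H", pkt[:2])
    name = pkt[2:].split(b"\0")[0].decode("ascii", "replace")
    path = safe_path(root, name) if opcode == OP_RRQ else None
    if path is None:  # traversal attempt, or an opcode we do not serve (e.g. WRQ)
        sock.sendto(struct.pack("!HH", OP_ERROR, 2) + b"access violation\0", peer)
        return
    if not os.path.isfile(path):
        sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"file not found\0", peer)
        return
    with open(path, "rb") as f:
        data = f.read()
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not blocks or len(blocks[-1]) == BLOCK:
        blocks.append(b"")  # an exact multiple of 512 needs an empty final block
    # Block numbers are 16-bit, so this toy server tops out at ~32 MB; fine for a PE ISO test.
    for num, chunk in enumerate(blocks, start=1):
        sock.sendto(struct.pack("!HH", OP_DATA, num) + chunk, peer)
        ack, _ = sock.recvfrom(4)
        if ack != struct.pack("!HH", OP_ACK, num):
            return  # a real server retransmits; this one just gives up


def tftp_get(server, name):
    """Client side: RRQ in octet mode, ACK each block; returns (ok, payload_or_error)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(struct.pack("!H", OP_RRQ) + name.encode() + b"\0octet\0", server)
        out = bytearray()
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK)
            opcode, num = struct.unpack("!HH", pkt[:4])
            if opcode == OP_ERROR:
                return False, pkt[4:].rstrip(b"\0").decode()
            # ACKs go to the port the DATA came from: that is the server's transfer ID.
            s.sendto(struct.pack("!HH", OP_ACK, num), peer)
            out += pkt[4:]
            if len(pkt) - 4 < BLOCK:
                return True, bytes(out)


def start_server(root, requests):
    """Serve `requests` transfers on an ephemeral loopback port in a thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # a real TFTP server listens on UDP/69
    sock.settimeout(5)
    addr = sock.getsockname()

    def loop():
        try:
            for _ in range(requests):
                serve_one(sock, root)
        finally:
            sock.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return addr, t


def demo():
    """Constructed TFTP root with a stand-in NTLDR: fetch it, then try to escape
    the root the way a hostile host on the build VLAN would."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "TFTProot")
    os.mkdir(root)
    with open(os.path.join(root, "NTLDR"), "wb") as f:
        f.write(b"\x90" * 1000)  # constructed filler, not a real loader
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"lives outside the TFTP root")
    addr, t = start_server(root, 3)
    results = {
        "ntldr": tftp_get(addr, "NTLDR"),
        "traversal": tftp_get(addr, "..\\secret.txt"),
        "missing": tftp_get(addr, "winnt.sif"),
    }
    t.join()
    return results


if __name__ == "__main__":
    for what, (ok, value) in demo().items():
        print(what, "OK, %d bytes" % len(value) if ok else "REFUSED: " + value)
```

Run it as is to see the legitimate fetch succeed and the '..\secret.txt' request come back as a TFTP access violation; point tftp_get at a real server's address and 'NTLDR' to check that your own TFTP root is serving the renamed SETUPLDR.EXE before you reboot a remote box into PXE.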

Wednesday, September 28, 2005

Weighing in on the Google vs Microsoft thing...

There seems to be a *lot* of conjecture going on regarding Google extending its reach into the home by offering some kind of client... maybe an OS. There are a lot of comments along the lines of 'the internet has matured enough now' and 'the network is the computer' etc etc. And most of all 'is this the end of Microsoft?'.

Let me just say LOL! What are these people taking (and where can I get some ;-). If someone was serious enough to think that Google was going to make some kind of thin client based foray into the OS market, maybe even combined with some kind of hardware offering, they should also consider what Microsoft currently offers /has in the pipeline in this space. Namely

1) The existing Windows Embedded product
2) The upcoming Eiger thin client
3) Terminal Services, both in its current form and the upcoming Longhorn version (which will be offering things like seamless applications, which Citrix has had for at least 10 years)
4) Exchange / Outlook Web Access, Sharepoint
5) MSN

And on top of that, consider what Microsoft would have to gain by competing with Google in terms of a 'managed service' offering. Very few software companies have piracy problems on the scale that Microsoft does. If Microsoft could drop development of a full blown OS tomorrow and only offer a thin client solution that cost little or nothing and host a bunch of services on the backend that people paid for on a subscription basis, they would be more profitable than they are now. Not only would their payroll be cut in half, so would their R&D, their support costs and their security headache (and associated image problems) would verge on disappearing.

But is Microsoft heading in this direction? Of course not. If they were, what would the likes of Intel, AMD, Creative, nVidia, ATI, Seagate, Maxtor, Samsung, Hynix, Dell, HP and all the other massive hardware companies out there do about it? Probably switch to Linux :-P. Seriously though, these hardware companies benefit so much by having Microsoft add features that require more CPU, more RAM, more disk, better graphics etc etc. The last thing they would want to see would be a massive swing to thin client or appliance based computing. There's certainly no way the likes of Dell or anyone else would entertain manufacturing a low cost, low margin thin client for Google. I can see Steve Ballmer's reaction now. I suppose Google could try to make a go of hardware manufacturing alone, but it would be a brave, expensive gamble.

I'll be interested to look back on this in a few years time.

Sunday, September 04, 2005

Tech.Ed 05 thoughts...

Since this was my first Tech.Ed, I don't have anything to compare it with, but I'm a little disappointed. The highlights were pretty much limited to the sessions from Steve Riley and Jesper Johansson. But if you've been listening to them speak or reading their whitepapers / blogs and anything else over the past 2-3 years, it wasn't anything new. Especially not if you read their book before going!

But one huge highlight was the half hour 1 on 1 I had with Steve Riley. It seems he is at the same point I am with regards to Windows security, in that nowadays the problem is less technical and more people / process related. I think most Windows admins know what needs to be done to secure their boxes, and what technologies are available to keep them secure. But when it comes to getting outages from business owners, we're still in the same (bad) situation we were in 3 years ago.

Anyone who works in a large environment knows this. People who have only ever worked in small environments will have no idea of what I'm talking about. I'm no longer tolerant of people making flippant remarks about 'how come all the big enterprises get [insert attack here] - don't they know how to patch?'. Yeh right. You try getting an outage on a box that sees hundreds of millions of income go through it. It doesn't matter if it's clustered - business people are paranoid of any change, especially when it's something they do not understand and there's a LOT of money involved.

Steve mentioned he is working on a presentation about showing security ROI. I can't wait to get his thoughts on that, not that I'm waiting for him to do something... all Windows admins should be looking into this asap!

Thursday, August 18, 2005

Clustering with VMWare 5.x...

Contrary to most things you'll read, it actually is possible to share disks in VMWare 5.x. So now you don't have to have 3 VM's with one being an iSCSI host to do clustering. The trick is to create your primary OS disks as IDE drives, use vdiskmanager to create a SCSI based disk for the quorum, then add the following lines to the .vmx files of the servers you want to cluster:

scsi0:0.present = "TRUE"
scsi0:0.fileName = "..\wherever_disk_is_stored\QUORUM.vmdk"
scsi0:0.redo = ""
scsi0:0.mode = "independent-persistent"
scsi0:0.deviceType = "disk"

Then follow the normal cluster build process. Be aware that it is the cluster service, not VMWare, that arbitrates ownership of the shared quorum disk and stops both nodes writing to it at once: two guests writing to the same vmdk with nothing arbitrating will corrupt it, so power on only one node until the cluster service is up on it, just as you would with real shared storage.

Wednesday, August 17, 2005

Boot Windows PE from HDD to RAM

Here is how it is done...

Create your winpe ISO using whatever method and whatever source you like.

Grab ntldr, ntdetect and ramdisk.sys from a Windows Server 2003 + SP1 source. Replace the ramdisk.sys in your PE ISO with the one from 2K3 + SP1 (if you used a different source for your PE build).

In the root of the target HDD, put ntldr, ntdetect and the winpe ISO. Make sure the name of the ISO is in 8.3 format.... for this example, I will creatively use the name 'winpe.iso'.

In the root of the target HDD, create a winnt.sif file with the following entries

[SetupData]
BootDevice = "ramdisk(0)"
BootPath = "\i386\System32\"
OsLoadOptions = "/noguiboot /fastdetect /minint /rdexportascd /rdpath=winpe.iso"

So now you have 4 files on the target HDD, being ntldr (W2K3 + SP1), ntdetect (W2K3 + SP1), winpe.iso (any build you like) and winnt.sif.

Now when you boot the machine next, you'll see winpe fly into RAM and you can do anything you like without having to wait for CD / disk reads etc. Go ahead, format c: from within Windows PE... see if windows pe cares!

So now you can use Windows PE for remote server builds by taking a ghost image with the 4 files, booting the remote server off a floppy and dumping down the image, then rebooting. no more waiting for Window PE to crawl across a WAN from your laptop to the target server!

Saturday, August 13, 2005


As I've said before, WiX pwnz. But as an admin wanting to pack a whole bunch of files into an msi that will install to wherever I want it to without any dialogs etc, I needed a script to generate the bulk of the .wxs file. That being the Component and File entries.

So I wrote wxsgen.vbs. Download it here. And enjoy.

I'm on the 'Longhorn' Server beta!

Just finished installing Longhorn server on VMWare... will report back sometime in the next 48 hours with initial thoughts...

Somewhere along the way I must have lost my desktop mindset... the Windows Vista beta was so disappointing, and I wasn't even that excited about it before I saw it! But just after reading some of the beta documentation I'm excited about Longhorn server. Like the whole 'Core' concept for example... about time Microsoft! The 'core' build gives you the ability to install a server role, and add nothing else. It is stripped completely of a lot of extraneous stuff, like the explorer shell. 'What the!?!' I hear you say! That's right, you can now install a DHCP,DNS,File Server or Domain Controller WITH NO EXPLORER SHELL. It just has the CLI. Makes perfect sense - when was the last time you logged onto a Domain Controller to manage AD? Or a DNS server to create a new record? It just doesn't happen. So now you get the option of doing a role based install that uses bugger all disk (~500Mb) and next to no resources for anything other than what its dedicated role uses. Double thumbs up to whoever at Microsoft got this concept up and running!

Now that there is a common code base, and the presentation and communication layers are becoming more compartmentalised, I am sure we will see a slew of role based server releases from Microsoft. Storage Server and the upcoming Cluster Server are just the beginning... thanks Linux - without you I'm sure none of this would have happened. We'd still be getting monolithic 'install everything just in case something will use it someday' server OSes.

Friday, August 05, 2005

VMWare - Remove Virtual Adapters from the summary page...

One thing that has always annoyed the hell outta me with VMWare Workstation, is that for some reason when you remove a Virtual Adapter, it doesn't get removed from the Virtual Network Editor summary page.

It's happened in every version from 4 onwards... it might have happened in 3.x too, but I've never used that! Anyways, to get rid of these entries, fire up regedit and go to the following key

HKLM\SOFTWARE\VMWare, Inc.\VMnetLib\VMnetConfig

and sure enough you will see subkeys with the names of all Virtual Network Adapters, past and present. Blow the keys away that correspond to non-existent adapters, restart the Virtual Network Editor and you're good!

Wednesday, August 03, 2005

TechEd 2005 Here I come!

I'm completely stoked! The company is sending me to TechEd this year, on the Gold Coast (yes I'm Australian). It will actually be the first TechEd I've been to. Ever since I found out Steve Riley will be presenting, I've been itching to go. I saw him a few years back at the first Microsoft security summit in Sydney. If you ever get a chance to see this guy present, do so... he's bloody awesome!

Sunday, July 10, 2005

Adding PATH entries with WiX...

I know I'm going to need this later, so I'm posting it somewhere easy for me to find...

<Component Id='AppendPath' Guid='XXX-XXX-XXX-XXX-XXX'>
  <Environment Id='AppendPath' Name='PATH' Action='create' System='yes' Part='last' Value='[INSTALLDIR]' />
</Component>

And that's how you would append your installation directory to the path statement of the machine your app gets installed on!

Monday, June 20, 2005

Install via RDP...

I don't know if you have ever tried installing stuff via RDP and got the error 'You must be logged on as an Administrator blah blah' even though you actually are logged on with an Administrative account... here is how you fix that:

Windows Registry Editor Version 5.00


Go forth, and install...

Sunday, June 19, 2005

WiX Rocks!!!

I remember reading about WiX a while ago, back when I was doing more packaging. Never really gave it a good look at the time though.

Recently I was looking at creating a few custom installers (like an updated OpenSSH for Windows) and I immediately turned to NSIS. I started reading through the doco, and then remembered something about an xml based Windows Installer tool... WiX. A Google later I had found the binaries and a veeeeery nice tutorial.

And let me just say, it fucking rocks. I haven't even scratched the surface of what it can do, but I'll get there and share my learnings along the way.

Saturday, June 18, 2005

Something to watch late...

This is pretty cool... watching it by myself in the darkness of 1am made the impact greater, I am sure.

It's funny how you stumble across stuff like this... I was trying to find some more info on Windows Installer internals when I came across it. But then again, that's what makes the web, the web.

Thursday, June 16, 2005


Alas, another sleepless night... anyway, a quick note on extending vmware disks.

vmware comes with a command-line disk utility called 'vmware-vdiskmanager'. You can use this to do a number of things, but the main things are creating disks before you create a new vm, or extending existing vmdk's. I like to use it to create disks for any new vm I'm configuring, and then hitting the resulting -flat.vmdk file with contig.exe (from sysinternals) to ensure my vm is being built on a contiguous file. I'm also in the habit of creating fixed size disks so they don't become fragmented at a later date. I think it's a good practice to just create smallish primary disks for your OS (2GB-4GB, depending on your pagefile requirements), and then adding a second disk for whatever else you want to install. This is in line with how most enterprises would like to run their servers - not with such a tiny system drive, but segregating the OS disk from any application / data disks (even if that separation is only based on logical volumes). It also helps with fitting more vm's onto one physical disk. Quite often you're not using vm's for big installs anyway - more likely messing around with additional OS components like DNS/DHCP/IIS/clustering/ etc or testing GPO's or other OS level config changes.

So anyway, to create a 2GB IDE fixed-size disk, you issue the following command from the shell vmware-vdiskmanager -c -s 2Gb -a ide -t 2 "Windows XP Professional + SP2.vmdk" and then run contig -v "Windows XP Professional + SP2-flat.vmdk" after the disk is created. To see all the available parameters, just run vmware-vdiskmanager on its own.

BTW, if you want to use the LSI Logic SCSI adapter with Windows 2000, you need this driver.

Thats about it for now... I'm feeling sleepy again.

Monday, June 13, 2005


I doubt you've ever needed the CAPSLOCK key... I know I never have. But if I had a dollar for every time I've accidentally hit it mid-password, and then wondered why the hell my authentication failed, I'd be $2 richer... $3 tops. But 2 or 3 times is enough to annoy me - hey, when was the last time you met a tolerant sys admin?

So here's how you can turn it into an extra LShift.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,2a,00,3a,00,00,00,00,00
"Scancode Comment"="CAPSLOCK is now the same as LShift"

Schweeeet :). Windows being Windows, a reboot is needed to bring it into effect. If you want to just make it a null key, change the '2a' to '00'. Or if you want to make it some other key, download this and have a read. And if for some reason you ever want to go back, just:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=-
"Scancode Comment"=-

and Robert is your father's brother!
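As an added example (not from the original post), here is a small Python builder and parser for the Scancode Map value. It reproduces the CapsLock-to-LShift blob above byte for byte, generates the null-key variant and the revert .reg file, and refuses malformed blobs, which is handier than hand-editing hex when you want to remap something other than CapsLock. The scancode constants are the ones the post uses; nothing else is assumed.

```python
r"""Build, decode and emit the Windows 'Scancode Map' registry value.

Added example, not from the original post. Layout of the REG_BINARY value
under HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout, all little-endian
DWORDs: version (0), flags (0), entry count including the null terminator, then
one DWORD per remap whose low word is the scancode to produce and high word is
the physical key being remapped, then a zero DWORD.
"""
import struct

CAPSLOCK, LSHIFT, NULL_KEY = 0x3A, 0x2A, 0x00
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"


def build_scancode_map(remaps):
    """remaps: {physical_scancode: scancode_to_produce} -> raw REG_BINARY bytes."""
    blob = struct.pack("<III", 0, 0, len(remaps) + 1)
    for physical, produce in remaps.items():
        blob += struct.pack("<HH", produce, physical)  # low word (new code) comes first in memory
    return blob + struct.pack("<I", 0)  # null entry terminates the list


def parse_scancode_map(blob):
    """Inverse of build_scancode_map; raises ValueError on anything malformed."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("blob must be at least 16 bytes and DWORD-aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("version and flags must be zero")
    if 12 + 4 * count != len(blob):
        raise ValueError("entry count does not match blob length")
    if struct.unpack_from("<I", blob, len(blob) - 4)[0] != 0:
        raise ValueError("missing null terminator")
    remaps = {}
    for i in range(count - 1):
        produce, physical = struct.unpack_from("<HH", blob, 12 + 4 * i)
        remaps[physical] = produce
    return remaps


def to_reg_hex(blob):
    """The hex:aa,bb,... form a .reg file uses for REG_BINARY."""
    return "hex:" + ",".join(f"{b:02x}" for b in blob)


def reg_file(remaps, comment=None):
    """Text of a .reg file applying remaps; with no remaps it deletes the value (the revert)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY}]"]
    if remaps:
        lines.append('"Scancode Map"=' + to_reg_hex(build_scancode_map(remaps)))
        if comment:
            lines.append(f'"Scancode Comment"="{comment}"')
    else:
        lines += ['"Scancode Map"=-', '"Scancode Comment"=-']  # '=-' deletes a value in .reg syntax
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(reg_file({CAPSLOCK: LSHIFT}, "CAPSLOCK is now the same as LShift"))
    print(reg_file({CAPSLOCK: NULL_KEY}, "CAPSLOCK disabled"))
    print(reg_file({}))
```

The value is machine-wide and only read by the keyboard class driver at boot, which is why the reboot is needed; the first print should match the .reg in the post exactly.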