Posted by Shawn Anderson on Fri, Feb 26, 2010
Photo by dybarber
Msiexec is a good friend to many an admin who deploys software remotely. It has great arguments (or switches) that can make your life as a Windows administrator much easier.
One of these is REBOOT=REALLYSUPPRESS
msiexec /i < your_msi_file > /q REBOOT=REALLYSUPPRESS
It does what it implies; it stops not only a reboot but any dialog that the user might see telling them that a reboot is necessary. If you absolutely don't want the system to reboot after an installation, I suggest making this a default argument for your remote deployments.
Now for my Billy Mays impersonation...
"But wait! There's more..."
Actually, there really is more. The error code.
Too often the error codes can be merely glanced at, or worse, outright ignored. It's a good idea to verify that they are a 0 value (meaning no errors detected). However, not all non-zero error codes are created equally. (Note: Error code and Exit code are synonomous).
3010 is an important code to detect. It's official definition:
3010 - The requested operation is successful. Changes will not be effective until the system is rebooted.
If your deployment requires a reboot and you suppress you may feel that you don't need this error code, but I would ask you to reconsider. The fact that this code was generated is further evidence that your package was installed the way that you expected it to be.
Any administrator who has been deploying for awhile will certainly have seen instances where an error code of 0 (successful) is returned on a remote software installation when upon further investigation it is determined that the software wasn't installed at all, or worse yet, wasn't installed correctly.
So... Really suppress the reboot. Evaluate the exit code. Move on to more important tasks (they're starting to pile up).
Windows Administrator? Follow me on Twitter @ShawnAnderson
Want to
deploy software remotely to all of your windows systems? Do it for free with our fully functional 30-day trial.
Posted by The Admin Arsenal Team on Wed, Feb 24, 2010
Photo by batega
Author: Shane Corellian
Here's an interpretive guide to the minds of people with whom we have no choice but to deal.
Scenario: You ask your moderately paid Microsoft trainer a pertinent question that is not specifically discussed in the training manual.
What he says: I can tell you but you will learn best by figuring it out on your own.
What he thinks: Ummm, I don't remember seeing that on my PowerPoint slides.
Scenario: You explain to your Director of IT the ramifications of swapping out your backup/restore software.
What she says: Thank you! I don't know what we'd do without you.
What she thinks: Just nod and pretend you know what the hell he's talking about.
Scenario: You finally bring back the COO's laptop after fixing his "Microsoft Word" problem (when the problem was actually malware infected from a porn site ending in .ru)
What he says: What was wrong with my computer?
What he thinks: Did he see my pr0n directory?
Scenario: You make eye-contact with the Marketing director in the restroom.
What he says: There's the man! You keeping our computer's running, Humphrey?
What he thinks: Is that the same gravy stain on his shirt from last week?
Scenario: You tell a vendor at Tech-Ed that you are only listening to them to get their swag.
What he says: Hey, that's what it's here for, boss! How's the convention treatin' ya?
What he thinks: I'm so glad I didn't use booth babes.
Scenario: You keep quoting Fletch to the new 21 year-old hottie receptionist.
What she giggles: Heh heh. Good one.
What she thinks: Who do I hate that I could hook up with this 80's-movie-quoting fossil?
Scenario: Your interviewer notices that you put CNE on your resume
What he says: I'm impressed.
What he thinks: Let me guess, you're from Utah.
Follow me on Twitter (@ShaneCorellian)
Posted by The Admin Arsenal Team on Mon, Feb 22, 2010
My oh-so-cool dual keyboard set up
Author: Adam Ruth
(Note:
last week I said that this week I was going to write up a tutorial for running Perforce, but it was getting so long I decided it was best to expand into a
whitepaper, we'll all be better for it.)
What follows is a story of hope. That even when things seem their bleakest a kludge can come along and get things limping along.
For the last couple of years I've been dreaming of getting a second keyboard, something that will allow me to take the myriad keyboard shortcuts I have now and give me one-key access to most of them. While developing in Microsoft Visual Studio, there are a lot of tasks that I perform regularly that require two hands and a bit of contortion to operate correctly. There's only so much I can do with changing the keyboard mappings, since I have more common tasks than buttons. An example is the default keyboard shortcut to debug all of a project's unit tests: Ctrl+T, Ctrl+A. This is easy enough to type, but it requires two hands and 4 keystrokes. Even if I wanted to simplify it, there just aren't many free buttons left to use.
This is exacerbated by the fact that I run my development inside of a
VMWare Fusion virtual machine on an iMac. OS X takes some of my precious keys away for its own use, and I don't want to give them all up. If you've ever looked at an Apple keyboard, you see that the function keys double as system keys for such things as volume control, Dashboard, and Exposé. Now I've got one more modifier key to worry about, the Fn key.
I thought the solution would be a second keyboard with a bunch of keys that I could map to different functions at will. But I wasn't sure how to do it. I didn't want to spend money on a specialized second keyboard, they can get expensive. I was looking for a way to plug in a normal keyboard and use it's keys as all brand new. I couldn't figure out how to do this because a second normal keyboard just duplicates the existing keyboard. Until I figured that out I installed a program called
Keyboard Maestro which at least let me use all of the extra keys on an Apple keyboard with Visual Studio (F13-F19, in particular.) But I was still running out of keys.
Then a product came to my attention called
QuicKeys. It has the ability to map separate devices to different actions. I tried plugging in another Apple keyboard, just like the one I already had and it seemed to work. But unfortunately, because it was the exact same type of device, QuicKeys kept losing the new mappings and it was a chore to get it working again. I had an older Bluetooth Apple keyboard in a box, which I dusted off and tried. It worked great, now I have a whole 78 keys that I can use for single-key access instead of the carpal tunnel inducing keystrokes I was using.
Only one problem. QuicKeys, for some reason, doesn't work with VMWare Fusion. When it sends keystrokes to Fusion the modifier keys (Shift, Ctrl, and Alt) get stripped off. Damn! I had just spent a few hours getting my new keyboard up and running and figuring out the QuicKeys mapping interface. I e-mailed support only to be told that the problem was VMWare, not QuicKeys (how many times have you heard that excuse?) That didn't sound right, because Keyboard Maestro worked just fine.
Aha! Wait, if Keyboard Maestro works maybe I could use it along side QuicKeys. An idea so crazy that it just might work. I set it up so that QuicKeys maps a keystroke from my Bluetooth keyboard to a keystroke that Keyboard Maestro then listens for and translates it for VMWare. An example through the Kludge-o-train:
The normal keystroke to build a project in Visual Studio is Ctrl+Shift+B. Not the simplest thing in the world to type, especially when you do it 5,000 times a day. So I used QuicKeys to map the second keyboard's B key to Shift+Ctrl+Cmd+B, and then Keyboard Maestro maps Shift+Ctrl+Cmd+B to Shift+Ctrl+B and voilà I can build my projects with a single hand easily. I use the Command key modifier for all of my QuicKeys -> Keyboard Maestro keystrokes because the Command key is rarely used in Windows with other modifier keys (it maps to the Windows key by default.)
My kludge is limping along just fine and I've even started to use my extra keyboard for other programs like iMovie and iPhoto. I'm in geek heaven.
Need administrator tools that aren't kludges? Try a 30-day trial of
Admin Arsenal.
Follow me on twitter @AdamRuth
Posted by Shawn Anderson on Fri, Feb 19, 2010
Here's the question that I posed to my Twitter followers last week (@ShawnAnderson):
Why can Domino's do minute-by-minute tracking of a $10 pizza but Dell can only say that your server is either "In Production" or "Shipped"?
Three weeks ago I decided to enhance my in-house lab with a server that could host about 20 virtual machines. Afterall, what better way to freshen up on newer products as well as enhance my blogs with step-by-step videos? Lastly, which perhaps I should have stated firstly, I wanted to add a little extra after-hours customer support for our Software Deployment tool Admin Arsenal.
About three hours after I placed the order I could see that my status was "In Production".
Fast forward 2 weeks. Dell is displaying the same "In Production" status. Has nothing changed in two weeks? Really? It's getting very close to the estimated delivery time, but no status change. Finally an email arrives at 2AM informing me of the delay.
Fast forward another week. I check status. No change. Bummer. It's 6:02 PM Friday evening. The kids are hungry, nothing had been prepared for dinner so I jump to Dominos.com and order pizza.
Maybe it's because I have Dell on the brain, but the online order process for my pizza was quite similar to ordering my server. As I selected an online coupon and started building my pizzas, I was reminded with a bright colored dialog box that my order had a problem, I had ommited the included 2-liter bottle of root beer offered on the coupon. I recall a similar shining notice on Dell when I was selecting the hard drives and had inadvertantly selected the wrong type for my desired configuration.
Way to go Dell and Dominos. You've both perfected the ordering process. So how about the production and delivery phases? Here's how it goes with Dominos.
6:05 PM, ordered online. Order accepted and in production. The pizza started preparation at 6:07 PM by someone named Dean (you can see his name at the bottom of the image).
Sweet. I let my wife know that I had ordered pizza (she was just preparing to send me a text asking me to do that very thing). I resumed my work, but I kept the Dominos website up to stay abreast of the status.
The next time I glanced at the screen it looked something like this (actually it looked exactly like this). Dean had removed the pizzas from the oven and was boxing 'em up.
With the next status change I learned that our delivery driver would be Bryan and that he had left the store at 6:26 with our healthy dinner in tow.
Let's compare this 24 minute Dominos experience with my yet-to-be-completed three week order with Dell.
Here's what the Dell status read after my order was placed and my purchase funds verified:
7 days later here is what my status read:
17 days after my order (and three days after my delay notice) here is what my status read:
And this morning, 18 days after my order was placed, and after two customer service calls where the reps were kind and professional but still could not see the cause of the delay, here is what I see:
But wait! That's not true. If I drill down into my order, I'll eventually see this:
Awesome! Let me get my shipping and tracking info. But when I click on the "Shipped" link I see this pop-up:
Oh, OK. I guess the "Shipped" link won't take me to my shipping information but will provide me with the English definition of 'shipping'. That's OK because I was a little unclear about what it meant.
Let's click on another link to get my shipping info. Ummm, how about clicking on the order number? (Do I dare click on this?) I'm a little worried that I will be sent to wikipedia for the comprehensive history of order numbers... but no where else to click, so let's roll the dice baby.
Alas! It takes me to my shipping detail page so that I can get my up-to-the-intersection status of my delivery... or not.
OK. I want to cut Dell some slack here. It changed status on a Friday night and they probably don't do weekend shipping for non-premium, non-enterprise, completely inconsequential customers (I mean that sincerely, by the way). So I would expect tracking info on Monday... oh wait, Monday is a federal holiday... so by Monday I mean Tuesday.
When I spoke with Dell they informed me that server would arrive before my delayed deadline. With the federal holiday looming that means that Dell will be footing the bill for 2-day shipping. OK. I'm good with that.
Dell really did have great customer service, but imagine what it could've been if Dell only followed Dominos lead on a $10 pizza.
OK - I admit that I don't need to know which person is working on my system at any given moment (though it's a cool feature and really humanizes a company). But a status that is as broad as "In Production" is useless.
There are too many phases wrapped in that definition. There is part ordering from within Dell, part ordering from vendors, part shipment from within or without the manufacturing plant, assembly, testing, and finally acceptance.
Imagine how cool it would be if I saw that my order was delayed due to short supply of 750GB hard drives. Even cooler would be if I could have interacted with Dell and opted instead for their plentiful stock of 1TB drives. The difference in cost would have been perhaps $200-$300 but could've saved me a week of waiting.
I don't know if delayed parts were the issue, and neither does Dell customer service. However, someone at Dell knows why my server was delayed, but in the era of instant data transmission that information is eerily absent.
Who'd of thought that a multi-billion dollar company that sells servers and workstations could learn from a... umm... multi-billion dollar company that sells pizza. OK, that's not as profound as I'd hoped.
But still... imagine the possibilities.
Need to install software remotely on all your Windows computers? Do it for free using with a 30-day trial of Admin Arsenal Software Deployment.
Windows Administrator? Follow me on twitter @ShawnAnderson
Posted by Shawn Anderson on Wed, Feb 17, 2010
Adobe has released new patches this week. These patches haven't caused near the stir as Adobe's previous release which is both good and bad.
Don't be vulnerable. Software deployment of patches is a snap. It's standard operating procedure. Most admins have the Windows Patch Tuesday down very well, but sometimes they struggle with other vendor security patches.
Thanks to Donna SecurityFlash for providing this list of the patches and their download pages.
We'll post a video on deploying these patches. The video should surface by the end of next week.
Here is the list of patches:
v9.3.1 - http://www.adobe.com/support/downloads/detail.jsp?ftpID=4640
v8.2.1 -http://www.adobe.com/support/downloads/detail.jsp?ftpID=4596
Posted by The Admin Arsenal Team on Mon, Feb 15, 2010
Photo by quapan
Author: Adam Ruth
There comes a time in the life of every administrator where you need to get access to an old version of a file, or get access to a file that has been deleted. I'm not talking about a user's file, but your own file. We've all got little scripts and spreadsheets and text files that we use all the time. Perhaps you have a task that sounds similar to a batch file you wrote 3 or 4 centuries ago. It'd be handy to have that batch file, but you deleted during your last frenzy of hard disk clean-up.
Introducing
Source Code Management. Most techies are familiar with the concept of source code management, but for many of us it's something just for use by software developers who have to work in teams, manage different versions of products, deal with branching, and other advanced things. In a sense this is true, SCM is a critical tool for the software developer, particularly those working on teams. But that doesn't mean that many of the advantages of SCM can't be available for everyone else, even when working alone.
There are a couple of features of SCM that are helpful for any system administrator:
- Versioning. The big strength of SCM tools are their ability to track changes in files over time. Suppose you have a text file containing the names of computers, and that you've added and removed names over the months. It's handy to quickly look over the history of the file and see when and where it was changed. Perhaps even with a note as to why it was changed.
- File Recovery. Nothing in a SCM repository is ever deleted (unless you really go out of your way to remove it.) You never need to worry about deleted files disappearing, or have to worry about keeping it around cluttering up your disk in case you may need it.
- Rollback. It's becomes a lot easier to edit files if you know that at any time you can rollback to any previous version. No need to copy files around or make copies if you just want to test something.
But aren't SCM tools just for teams working on the same files? No, there's nothing wrong with installing a SCM tool locally on your own computer and using it for your own repository. There is a bit of a learning curve but in my opinion it's well worth it, especially the first time you're able to rollback a file after you realize those changes you made 3 weeks ago broke something.
I've experimented with many systems over the years, but I've really only worked with three different SCM systems in-depth. There are
many, many to choose from, but I'll just mention those three. Listed in chronological order of my use.
- Microsoft Visual SourceSafe. This is a product that Microsoft purchased years ago and has been giving away with Visual Studio licenses for years. Most Windows developers cut their teeth on it, and speaking of teeth, it's getting long in them. It hasn't been actively maintained by Microsoft for quite a few years, and has been replaced by Visual Team System which doesn't work very well for the single user. It's got some well known problems, but it's still very widely used because it's pretty simple and was essentially "free" at a time when other solutions were either too complicated and/or expensive.
- Concurrent Versions System, or CVS. This is one of the most popular open source SCM systems, though it may now have been surpassed in popularity by Subversion. The system only has a command-line interface, but there is a whole ecosystem of add-ons and GUIs including my favorite, TortoiseCVS. I replaced SourceSafe with CVS when I started working extensively in Linux and when my repository size got too large for SourceSafe to handle.
- Perforce. This is what I currently use and I love it. The installation is dead simple and it's very light-weight. It just works and once you understand how to configure a workspace, the rest just falls into place. The nice thing is that while it can get expensive for a large team, it's free for a single user (actually, free for 2 users) making it ideal for a lone wolf. It's got a flatter learning curve than CVS and the other open-source systems, but it doesn't sacrifice any power.
Next week I'll write a quick tutorial to get you up and running with Perforce in your environment. There are also plenty of resources available online to get you started with other packages out there. If you've got some spare time (who doesn't?!?) then this is one more tool to add to your arsenal.
Posted by The Admin Arsenal Team on Fri, Feb 12, 2010
Author: Shane Corellian
Tobias Weltner wrote this article on the Powershell.com site. It is definitely worth the read. For those of you planning on implementing Powershell Version 2, pay special heed.
An excerpt:
"When you search for PowerShell V2 downloads, you will find tons of articles and download links. Only some of them point to the correct final "RTM" link. A lot of people are still blogging about "CTP" versions which really were beta versions with limited functionality. Even worse, it turned out that these out-dated PowerShell versions are still up for download from the Microsoft Download center, so when you follow the "wrong" link, you could get the impression that these CTP versions really were official and up-to date releases."
I have been playing with V2 now for about 3 weeks and so far I am pretty excited. Extending Admin Arsenal with a good CLI is important and Powershell will definitely be the foundation on which it is built.
Posted by Shawn Anderson on Wed, Feb 10, 2010
In the coming weeks and months we're going to be spending some time with some of the features of the Remote Server Administration Tools for Windows 7.
These are the scripts, tools, and nice-to-haves that you hear about but sometimes don't take the time to sit down and learn. We're dedicating a portion of our lab to disecting these tools and showing some of the more practical uses.
Server administration is key to a system administrator, and getting these tools on Windows 7 is important for those admins who have made the move.
We're looking forward to bringing you videos, screenshots, and lessons learned from managing your Windows 2003 and 2008 servers. If there's a toolset that you've been wanting to test but haven't taken the time to do so, let us know and we'll add it to our queue.
Posted by The Admin Arsenal Team on Mon, Feb 08, 2010
Author: Adam Ruth
DCOM, or Distributed Component Object Model, is a technology in Windows allowing remote communication between programs. WMI, in particular, uses it to communicate. A lot of business oriented server applications use it, as well, to communicate between layers. If you've ever spent any time with DCOM you probably have come to understand just how fragile it can be. When it works, it's like magic, but when it doesn't it can be a serious hair pulling experience.
One of the more fragile bits of DCOM is its security. There are are four different areas of DCOM each with their own ACLs (Access Control Lists) and a problem in any one of the four can lead to hard to track down problems. To make matters worse, many applications that use DCOM will alter the security settings, potentially breaking DCOM access for other programs on the same computer. Sometimes it's necessary to just reset DCOM security to its default state, just as it was when Windows was installed.
Last week I found a quick way to do this, but it does require editing the registry so the standard warnings and "do not try this at home" apply. However, if you're stuck fixing a problem down in the guts of DCOM security, editing the registry is the least of your worries.
You can view the DCOM ACLs by running dcomcnfg.exe and navigating to Component Services > Computers > My Computer > Right-click > Properties > COM Security tab.
The ACLs are stored in the registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, in the following binary values:
- DefaultAccessPermission
- DefaultLaunchPermission
- MachineAccessRestriction
- MachineLaunchRestriction
To reset them, all you need to do is to delete these values. If DCOM doesn't find any ACLs here, then it will use its defaults. Any changes you make will then re-create the values. Of course, you'll want to back them up before you delete them, or you could just rename them to be safe.
Posted by Shawn Anderson on Fri, Feb 05, 2010
Photo by Rennett Stowe
Last Friday I elaborated on the first four mistakes made by windows administrators in their collection of PC inventory. Today I conclude by jumping into more detail on numbers 5-7.
To refresh, here is the list.
- Limiting inventory collection to entries in Add/Remove Programs
- Excluding important registry entries
- Giving them what they 'ask for'
- Limiting inventory scans to .exe files
- No master baseline table to compare against
- Data is static
- Poor reporting
Let's jump into number 5. If you scan for all files that are executable and do a count search on any random PC you'll discover that the average workstation will contain well over 10,000 of these types of files. Gathering this much information will make you data rich but information poor. Make your data meaningful by comparing what you collect against what you are expecting (or what constitutes a vulnerability if performing a security scan).This is done by storing an expected baseline in a database table.
Number 6 is the static problem. This usually results when your reporting (or collection) is stored on spreadsheets. This is especially true if data is manually gathered. Be careful with this method - remember that your decisions are only as good as the data that they were based on. A good automated scanning solution writing to a relational database is the most desired method.
Ahh, number 7. This last item is perhaps the most dangerous because it impacts organizations that have the best inventory scanning solutions as well as those who only collect manually. It's the inability to report what you have.
SQL skills are essential when you're dealing with data stored in a relational database. I learned this years ago when I had a organization level manager ask for a report of all installed software on his computers. When I provided him the list he quickly stated that it was wrong. It was too granular (see item 3). He didn't want to see every Microsoft hotfix listed. He also only wanted to see one entry for Microsoft Office, rather than each component (Excel, Word, Powerpoint).
In short he wanted an inventory summary rather than an installed software report, even though he specifically asked for "what was installed on his computers." Remember, what they want and what they ask for are sometimes quite different.
SQL knowledge as well as a baseline of expected software (see item 5) would've done the trick. Instead of listing all the hotfixes installed I should have compared against a table listing required patches and reported the discrepencies.
On the Microsoft Office issue certain components discovered could be compared against a table to reflect the Office installation as a whole.
The frustrating outcome is that this manager concluded that we didn't know what was installed. Even though we were scanning registries, looking for many types of executable files, and even scanning for .exe header information, without the reporting skills I wasn't able to show what we knew. In a way he was right. I resolved to make reporting a central feature of inventory collection.
Afterall, if you can't show someone what you know, you might as well not know it.
Posted by Shawn Anderson on Wed, Feb 03, 2010
Your users use the web to do their jobs. Keep an eye on the current battle because help desk and support calls will continue coming until a winner is found.
I really enjoyed reading Scobleizer's take on the Adobe Flash saga. For those who have watched other news the last couple of weeks, Adobe has been the topic of conversation ever since Apple unveiled its new iPad, which doesn't support Adobe Flash.
Many sites use Flash, so obviously Apple would want their users to be able to experience the web as it is, right? Wrong. Apple wants its users to enjoy the web as it will be, or, at least as Apple thinks it will be.
Steve Jobs likes to say "skate to where the puck will be", and clearly Apple feels that the puck will be in the HTML5 corner.
This doesn't portend ease for system administrators. Yours is the job to ensure that things work, and for awhile they may well not, or at least not perfectly.
Scoble makes an excellent analogy that in the early days of Firefox many sites, especially financial sites (banks, credit cards, stock trading) simply didn't work well with Firefox. This was because the different web developers were writing code for IE. But that changed, and it wasn't Firefox that capitulated. Site developers heard from the masses (I was one of the them) and they started optimizing for both browsers.
Apple is betting on HTML5 (and it will be interesting to see if they start to cripple true HTML5 when it enables features that they don't particularly care for).
I'm in a growing group of admins. I make my money supporting Microsoft technology, yet I use a Mac (six of them, actually). As far as I'm concerned I get the best of the two worlds that I care about; Microsoft and Apple.
The battle over the technology that brings content to users is heating up. Silverlight, Flash, HTML5, and Java. Let them fight. The winners will be us. If you want to know where the puck will be, don't follow a company, follow an ideaology.
Users want content. Content wants to be freely available. If technology favors one platform, it holds content delivery hostage, and I think that is a losing strategy.
Where is the HTML5 corner again?
Posted by The Admin Arsenal Team on Mon, Feb 01, 2010
Author: Adam Ruth
When it comes to deploying MSI installers, it's almost always best to use the /quiet option to ensure that the installer runs silently. Almost. There is actually more than one level of "quietness" when it comes to MSI, and there are some very rare occasions when you may want to use one of them.
Recently, while troubleshooting an installer that wasn't being deployed properly with Admin Arsenal, I discovered one such situation. The Apple QuickTime installer version 7.65.17.80 (the latest version at the time of writing) has an unusual quirk. When installed with the /quiet option it doesn't install all of the files even though it installs fine when run normally. (Note, the installer is packaged as an .EXE file, but it's built with MSI as can be seen when you run it with the /? option.)
While troubleshooting I decided to try installing with one of the the less quiet options, just to see what would happen. For those of you not aware, the following are all of the various options for quietness:
- /quiet or /qn (no UI) - Completely silent
- /passive or /qb (basic UI) - Shows only a progress dialog
- /qr (reduced UI) - Skips all parts of the UI that ask for information
The /passive option worked in my lab. There must be a bug in the installer where it's not properly handling the /quiet option. There are valid reasons for doing things differently during a quiet install vs. a normal install, so it seems that the QuickTime installer developers just missed some case somewhere.
Swapping /passive for /quiet was very simple within Admin Arsenal since the installer is an .EXE file. But it's not so obvious how to change the option when installing an MSI file. To achieve the same effect you need to uncheck the quiet option and then add the replacement option in the "Other Options" box.