Vol. 22, #22 - May 29, 2017 - Issue #1133


Broken motherboards, WiFi networks, and a risky update

 

Free Tool: Permissions Analyzer for Active Directory 


SolarWinds® Permissions Analyzer for Active Directory™ gives you instant visibility into user and group permissions and a complete hierarchical view of the effective permissions and access rights for a specific NTFS file folder or share drive – all from a user friendly desktop dashboard.  Browse permissions by group or individual user, and analyze user permissions based on group membership combined with specific permissions.  Unravel a tangled mess of file permissions: network share, folder, Active Directory, inherent, explicit, calculated and more.

Download the Free Permissions Analyzer Tool Today. 


Editor's Corner


In this week's issue we share some helpful feedback from our readers concerning two Ask Our Readers items from last week's newsletter, namely, how to repair a broken CMOS battery holder and how to set up a second WiFi network that has Internet access but is isolated from your main WiFi network. We also have news about an URGENT issue regarding a recent Windows update that can affect certain systems running Windows Server 2012 R2. All this and more in this week's issue of WServerNews, your favorite IT pro newsletter!

Speaking of isolation, it's often helpful when troubleshooting a problem to try and isolate different aspects and conditions that may be involved. This classic Dilbert comic strip illustrates this useful troubleshooting principle:

http://www.wservernews.com/go/wggvaii8/

Do you keep YOUR phone's battery charged?

Ask Our Readers: WServerNews has almost 100,000 subscribers worldwide. That's a lot of expertise to tap into. Do you need help with some issue or need advice on something IT-related? Got a question you'd like us to toss out to our readers to try and answer? Email us at wsn@mtit.com


Warning!! Possible problem with May 2017 monthly rollup

An alert Microsoft MVP friend told me about a potential problem some users may encounter with the latest monthly rollup of updates from Microsoft. The monthly rollup was released on May 9th and is described in KB 4018217 which can be found here:

http://www.wservernews.com/go/luiku2mz/

The words of concern here are as follows:

If a Server 2012 R2 system uses an Intel Xeon (E3 v6) family of processors, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release.

So if your servers run this OS on this processor family, you may want to defer applying this update until the issue has been reported as resolved.


Ask Our Readers - Ejecting storage devices mounted to folders (new question)

A reader named Fritz from Alberta, Canada sent me the following interesting email recently:

I have just found this little jewel, to mount the reader as a folder. Thanks so much for this bit of advice. One of the new card readers wants 12 drives. I only have 4 letters available. So this is welcome news.

I do have a question. It is in regards to flushing the write buffer. If a drive letter is assigned, the card needs to be ejected to make sure all files are closed prior to removing the card. But there is no such function available for a folder. Have you found any problems with just pulling the card when done, or do you at least close the folder (as in going elsewhere). What are your thoughts on this issue?

I was a bit puzzled so I responded by asking Fritz what "little jewel" he was referring to and he replied:

It is your posting "Drive letters and USB multi-card readers" on WindowsNetworking.com here:

http://www.wservernews.com/go/a87kkqoz/

I have set up the mounted folders as you described, and they work great in Win 10, but I had the question regarding "ejecting" as it's used for removable drives. I understand that the reason for ejecting removable drives is to flush the write buffers before a card is removed. So my question is, how does the flushing of buffers work with mounted folders? If you have an answer I would appreciate it.

That tip was written by me way back in 2009 and I don't have any further insight into what Fritz is talking about. Perhaps some of our readers can offer some comments? Email me at wsn@mtit.com

 

Ask Our Readers - Isolating "training" network from "work" network (readers' suggestions)

In the previous issue a reader named Alain sent us some details of a wireless networking scenario he is trying to achieve:

Hi Mitch, thanks for continuing the very good WServerNews newsletter -- it always provides good tips. Can I ask you some advice on network setup? I want to extend my current small business network setup which works perfectly for my purposes to have a second "training" network setup so that trainees are not able to access my work network, but still have access to an application on the internet. Here's my scenario:


First Router:

Wireless is setup to have secure WIFI (for our staff to access servers / files /printer etc) as well as Guest access (for visitors in meetings, who can't access our servers etc). Guests cannot access the network. All working perfectly.

New TRAINING Network requirements:

WIFI to be set up with a separate SSID: "Training" with different passcode (to allow access to separate printer on that network), as well as a Separate Guest network (which allows internet, but no access to network resources)

Would the settings I have suggested above work out? I need to ensure that there is absolutely no access to our main network connected to the first Router, from anything connected to the second router.

Several readers offered comments concerning Alain's question. We'll start off with the following suggestion by Bill from Illinois, USA:

Subnet Mask on training network needs to be 255.255.255.0, not 255.255.0.0.

Gateway on training network needs to be 192.168.192.1, not on the 67 network.

Public IP (NAT) address on training network router (which is the port connected to the main network) needs to be within the .67 subnet, such as 192.168.67.250.

However, this configuration will NOT work as expected, as anyone on the .192 subnet will have full access to the .67 subnet. This can be limited by setting up firewall rules on each machine to block the .67 subnet explicitly, but this is not very efficient.

A much better solution would be to replace the TPLink router with a 3-port router which supports a proper DMZ network. Then, the users on the training network can be piped into the DMZ, which can have connectivity to the Net without access to the LAN.
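The addressing Bill describes can be traced step by step. The following is an added example, not part of Bill's letter or the newsletter: it models the client's next-hop decision and the training router's forwarding. The client address 192.168.192.10, the old gateway 192.168.67.1, the main-LAN host 192.168.67.20, the Internet address 203.0.113.10 and the router-side deny rule are all assumptions chosen for illustration.

```python
import ipaddress

# From Bill's letter: the training router's WAN port sits in the .67 subnet
# and its LAN address is 192.168.192.1.
ROUTER_WAN = ipaddress.ip_interface("192.168.67.250/255.255.255.0")
ROUTER_LAN_IP = "192.168.192.1"


def host_next_hop(ip, mask, gateway, dest):
    """Decide how a client with this interface config sends a packet to dest."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    if ipaddress.ip_address(dest) in iface.network:
        # The client believes dest is on its own segment and ARPs for it
        # directly; the packet never reaches a router.
        return "on-link"
    if ipaddress.ip_address(gateway) not in iface.network:
        return "gateway-unreachable"
    return "via-gateway"


def training_router_forwards(dest, deny=()):
    """Model the NAT router: drop denied subnets, otherwise forward out the WAN port."""
    addr = ipaddress.ip_address(dest)
    if any(addr in ipaddress.ip_network(net) for net in deny):
        return "dropped"
    if addr in ROUTER_WAN.network:
        # The main LAN is directly connected to the WAN port, so the router
        # delivers the packet there like any other outbound traffic.
        return "delivered-to-main-lan"
    return "sent-upstream"


def trace(ip, mask, gateway, dest, deny=()):
    """Follow one packet from a training client to its outcome."""
    hop = host_next_hop(ip, mask, gateway, dest)
    if hop != "via-gateway":
        return hop
    if gateway != ROUTER_LAN_IP:
        # The configured gateway is not a device on the training segment.
        return "gateway-not-on-training-lan"
    return training_router_forwards(dest, deny)


if __name__ == "__main__":
    client = "192.168.192.10"   # constructed sample client
    main_host = "192.168.67.20"  # constructed sample host on the main LAN
    internet = "203.0.113.10"    # documentation-range stand-in for the Internet

    # Original settings (mask 255.255.0.0, gateway in the .67 network): broken.
    print(trace(client, "255.255.0.0", "192.168.67.1", main_host))
    print(trace(client, "255.255.0.0", "192.168.67.1", internet))

    # Bill's corrections: Internet works, but so does access to the main LAN.
    print(trace(client, "255.255.255.0", ROUTER_LAN_IP, internet))
    print(trace(client, "255.255.255.0", ROUTER_LAN_IP, main_host))

    # Hypothetical deny rule for the .67 subnet on the training router.
    print(trace(client, "255.255.255.0", ROUTER_LAN_IP, main_host,
                deny=("192.168.67.0/24",)))
```

The fourth trace is the case Bill warns about: with correct addressing, the main LAN is simply the router's "outside" network, so nothing separates it from training clients unless a rule explicitly blocks that subnet.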

David from Michigan, USA made the following suggestion:

The reader named Alain states that the training network only needs access to the internet and not to the production network. There are a number of ways to do this.

The easiest way is to set up the training network on the Guest WIFI as long as the devices in the training network are wireless ready. The problem with this solution is the Guest WIFI, if properly setup, may be operating in AP Isolation mode (client isolation) preventing one wireless guest user from seeing another wireless guest user. The wireless printer, if placed in the Guest WIFI network may not be accessible from devices if the WIFI is operating in AP Isolation mode.

The best solution is to place the Training Network's router on its own public IP address but this means that Alain's ISP connection must have more than one static IP. This way the traffic from the Training Network never needs access to the Production Network's IP space. All the features of the Training Network's router can then be utilized as needed.

The worse solution is to place the Training Network behind the Production Network. This allows the Training Network to access the Production Network devices as if the Production Network is the DMZ to the Training network. You could always put the Production Network behind the Training Network but this creates a single point of failure for the Production Network if the Training Router fails.

When I lay out Networks for my clients, I adhere to the KISS principle -- Keep it Simple Stupid. The fewer pieces of equipment the better. By daisy chaining a router behind a router, you are creating dependencies and single points of failure in addition to possible unwanted security holes.

I recommend getting a block of static IP addresses from your ISP and isolating the traffic of the Production Network, the Training Network, and the Guest Network with each network on their own Routers.

Of course, there are other ways involving vLans, layer 3 switches, and better routers…

And finally Quentin from the UK offered this observation:
 
It's been many years but I was involved in a number of these scenarios in an education environment. In every case the student network was completely physically separate from the work / teacher network. Separate LAN, separate switches, separate routers, separate internet connection, separate everything. We did not want some precocious child accessing the admin network. I hope that helps.

If any other readers would like to offer suggestions for Alain you can email me at wsn@mtit.com


Ask Our Readers - CMOS wire broken (readers' suggestions)


Also in last week's issue a reader named Duff sent us the following question which stumped us (and which I've edited for clarity):

My name is Duff and I am always tinkering with computers. I have an IBM X Series 232 loaded with 4 SCSI 18g drives. My problem is that the CMOS battery holder is snapped at the contact flat wire. Me solder?? No can do. When I boot up the server I get an error msg "NO VIDEO". This server is a true workhouse and I do really enjoy tinkering with it, all 4 drives have WXP sp2, 4 gb of memory and 2 Intel chips running at 1.2 gbps I think, so the Cmos problem prevents the system to run. Can I get someone to tell me how to repair the Cmos holder?

A whole bunch of readers offered suggestions concerning this one. Here's a short sampling of the feedback we received:

If the user doesn't want to solder get a couple of clip leads and a new CMOS battery holder and clip the new one on. Kludgy but should work. -- Kurt

For the problem that Duff had with the broken CMOS wire, there is a conductive "wire glue" you can get that will re-bond the wire without you needing to pick up a soldering gun. Hope that helps. -- Ron

Duff probably wants to stay away from things like liquid solder, while it would make a connection it's not as strong as the real thing. My advice is to get a decent soldering iron and practice on some scrap parts. It's a valuable skill, can be fun, and can open up a whole new world to explore. I'm not great at it, but after a few practice sessions I have been able to do a passable job on some small circuits that I normally would have thrown out in the past. Or ask around if any of your friends or co-workers are 'makers' or have contacts in those circles, a lot of those folks love to grab the iron and help someone out. -- Jim

If you can expose any of the needed terminal at all, grab it with a clip lead, and clip-lead in the needed voltage of batteries (Usually 3V), and see if it fixes your system. If it does, get somebody who can solder. Or run it on clip-leads. I'm an electronics tech of many years experience with soldering. I would test the above trick first, then dismantle the system as needed and replace the battery holder by un-soldering and removing the old one, and soldering in a new one. But that's me, and I realize I have advanced soldering skills. -- Paul


Not sure about this specific server board but 99.9% of main boards in servers have a plug where an external battery pack can be plugged in. It's not uncommon for the clips to break off because new or untrained admins pry up on them instead of sliding them out. Check with IBM or their online support and see if this model does indeed have an aux battery pack plug. If so it's a simple matter of plugging in the aux. battery pack and firing up the server. If there isn't a plug you will need to either have someone who can solder attach some leads for you that can be hooked up to an external battery pack or you will need to replace the board but I would really be surprised if there was not a hookup for a battery pack. You will have to set all the CMOS setting back since there hasn't been continuous power applied but that should do it. -- Frank, a Systems Administrator from South Carolina, USA

I may be of help, but a photo of the damage would be helpful to be certain what I suggest is viable. I once worked with a scanning electron microscope (SEM). This requires electrical contact from specimen to earth. Achieved by adhering specimens to sample holders with a colloidal suspension of silver which is conductive when dry. The liquid is a rapidly drying solvent. When dry the specimen and holder are coated with a layer of gold a couple of atoms thick in a sputter coater. The colloidal silver is sold as Silver DAG, here is one supplier's URL:

http://www.wservernews.com/go/fbco9sc6/


I have used DAG to repair electrical contacts and cracked PCB tracks, it's applied with a very fine artists paintbrush. Once dried and assured the repair has worked a coating of epoxy resin is used to keep the repair rigid. Any mistakes in applying DAG are easily corrected, let it dry and scratch it away with small flat blade jewelers screwdriver. --Richard

If you have any other suggestions for Duff or any other hardware-related tips that might benefit other readers of our newsletter, please feel free to send them to me at wsn@mtit.com


Send us your feedback

Got feedback about anything in this issue of WServerNews? Email us at wsn@mtit.com


Recommended for Learning

Watch Microsoft Build sessions on-demand on Channel 9

http://www.wservernews.com/go/rf2wql78/

 

Microsoft Virtual Academy

Certification Exam Overview: 70-532: Developing Microsoft Azure Solutions

IT pros who program, implement, automate, and monitor Microsoft Azure solutions, and are prepping for Microsoft Certification Exam 70-532 (part of the Azure Certification series), will find this a practical training course. Microsoft Certified Trainer Brian Swiger reviews exam concepts, explores specific topics and details, develops a study strategy, and provides exam tips and additional resources. Watch here.

http://www.wservernews.com/go/apr1f5cp/


  

Factoid of the Week

Last week's factoid and question was this:

In the intro to this week's newsletter I reported that I had experienced a "snafu" updating a Win10 machine to Creators' Update. Not immediately remembering the origin of this word "snafu" I tried searching for a Dilbert comic strip that used it but my search came up empty. So I googled the word and of course I remembered then its military origin. Do you know any more, er…interesting acronym of military origin? Nothing too raunchy please ;-)

A number of readers commented with the totally obvious suggestion (which I should have seen coming) of FUBAR which several readers explained in detail:

The acronym that first came to mind for me was FUBAR -- "fouled" up beyond all recognition (F-word changed for G-rated newsletter) --David from Florida, USA

FUBAR is the Vietnam era version of SNAFU. --Maury from the Netherlands

FUBAR -- f**ed up beyond repair. It was cleaned up in Digital Equipment's VAX WMS as Foobar -- the error registrator. -- Ted from Illinois, USA

I am sure others have suggested, "fubar". As I remember it, "fouled up beyond all recognition", or something like that. I heard it a lot during my years at the US Military Academy at West Point, since I seemed to be "he who fouled up", apparently a lot, spending many hours marching punishment tours... But that was almost fifty years ago, so my memory may have forgotten some. --Bob, a retired Major in the USAF

Who can forget FUBAR? It's attributed to the same time period as the other example, SNAFU. Let's just say it stands for, how should we put it… Fussed Up Beyond All Recognition. Both of these acronyms were a more colorful way of stating the truism that, as a Prussian general (Helmuth von Moltke) put it, "No plan of operations extends with any certainty beyond the first contact with the main hostile force." Or more simply: no plan survives first contact with the enemy. Perhaps those in the trenches felt that NPSFCWTE didn't roll off the tongue quite so well. On a side note, not related to acronyms: the people crafting these sayings were actually quite good at figuring out ways to deal with situations that were, well, FUBAR. A number of texts talk about how American GIs would use their own initiative in situations, where other soldiers might sit and wait for orders. --Thomas from San Diego, USA

Fortunately there were a few other answers besides FUBAR from our readers. For example Wayne sent us the following comment:

Fubar is my favorite (F*d up beyond all recognition). But the favorite of project managers the world over is 6P (Prior Preparation Prevents Piss Poor Performance)

Well that sure as heck beats Six Sigma ;-)

Don from Iowa sent us this one:

BOHICA: Bend Over Here It Comes Again!

Ouch!! And finally Frank from Germany points us to the following resource:

I think "fubar" (or "foobar") is the most well known acronym of military origin - at least in the IT space… but there are a lot of others as this Wikipedia site lists:


http://www.wservernews.com/go/u55495n7/

I'm sure this list can't be complete given the inventiveness (foobarishness) of the G.I. Joe's in the US Army. Maybe some of our readers with military experience can offer some more?

Anyways, let's move on to this week's factoid:


Fact: The last words of Henry Royce, co-founder of Rolls-Royce, were: "I wish I’d spent more time, in the office."

Source: The Financial Times (paywalled)

Question: What are some other notable last words of famous people that have inspired, amused, or infuriated you?

Email your answer to us at: wsn@mtit.com

Until next week, 

Mitch Tulloch

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

GOT ADMIN TOOLS or other software/hardware you'd like to recommend? Email us at wsn@mtit.com

Challenger lets you encrypt at a data and directory level:

http://www.wservernews.com/go/h2seehzi/

Hushmail is a hosted web-based service that provides enhanced email security to keep your data safe:

http://www.wservernews.com/go/kient4iv/

PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator:

http://www.wservernews.com/go/315ujsy7/

 

This Week's Tips

GOT TIPS you'd like to share with other readers? Email us at wsn@mtit.com

BitLocker - Safeguarding against DMA side channel attacks

Moti Bani has a post on how you can secure your BitLocker-enabled devices against a common attack vector, namely a Direct Memory Access/side channel attack:

http://www.wservernews.com/go/ovmp50ag/


OpsMgr - Detecting PowerShell exploits

Nathan Gau explains how you can use System Center Operations Manager (SCOM) to detect various PowerShell exploits that are commercially available for download and use:

http://www.wservernews.com/go/8fh0aqm0/


Windows Server - Removing a RemoteApp Session Host

Lee Stevens explains how to use PowerShell to successfully remove a RemoteApp server from a server pool:

http://www.wservernews.com/go/flpfn3t1/



Events Calendar


Microsoft Worldwide Partner Conference (WPC) on July 9-13, 2017 in Washington, D.C.

http://www.wservernews.com/go/rumh37uq/

Microsoft Ignite on September 25-29, 2017 in Orlando, Florida

http://www.wservernews.com/go/rw1hxlnp/

Add Your Event

PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 100,000 subscribers about? Contact info@techgenix.com

New on TechGenix.com

The enterprise’s shift toward storage virtualization -- explained

Storage virtualization makes it deceptively simple to allocate space. You gain the ability to affect more systems, and you are free to do whatever you want.

http://www.wservernews.com/go/ul876mis/

Comparing VSTO and Office Web add-ins [Video]

Microsoft Office is a great tool that can be made even better with add-ins. Here we compare the differences between VSTO and Office Web add-ins.

http://www.wservernews.com/go/i61lsr0e/


Office 365 vs. Hosted Exchange: Which should you be using?

When it comes to business email hosting, most companies must choose between Hosted Exchange and Office 365. Which one is better? Let’s find out.

http://www.wservernews.com/go/nceztzmz/


Keep attackers out: Introduction to Azure web application firewall

Azure web application firewall can help IT administrators protect their web applications from a wide range of malicious attacks.

http://www.wservernews.com/go/eluflrs3/


More the merrier? Why you should consider a multicloud strategy

The cloud is here to stay. Now the question is, should you stick with one cloud provider or take a multicloud approach? Here are some facts to consider.

http://www.wservernews.com/go/owg43xyn/

 

Tech Briefing

AWS

Weekend Reading: Amazon Aurora: Design Considerations for High Throughput Cloud-Native Relational Databases (All Things Distributed)

http://www.wservernews.com/go/2jnrf2xk/


Thoughts On The AWS Outage  (Cloud Architect Musings)

http://www.wservernews.com/go/nrk4sc8z/

Azure

WannaCrypt attacks: guidance for Azure customers (Microsoft Azure Blog)

http://www.wservernews.com/go/1jwn0xfq/

Azure Blueprint illustrates the clear path to meet the Cybersecurity Executive Order (Azure Government Cloud)

http://www.wservernews.com/go/12m2fbcu/

Enterprise IT

Managing network settings on Red Hat Enterprise Linux (IT Pro Central)

http://www.wservernews.com/go/mxu4j42q/

Mysteriously Disappearing Start Menu Tiles and Roaming User Profiles (Ask PFE)

http://www.wservernews.com/go/b17gt185/

Exchange Server

Getting the number of mailboxes per database in your Exchange Organization (IT Pro Central)

http://www.wservernews.com/go/nl9l6e3c/

Exchange 2016 RecoverServer (250 Hello)

http://www.wservernews.com/go/wb0wsqp4/

Hyper-V

Massive Performance, Scale and Manageability Gains in Hyper-V with Windows Server 2016 (Keith Mayer)

http://www.wservernews.com/go/c22hwcu7/

Using Hyper-V Resource Pools to ease migration between different configurations (Ben Armstrong)

http://www.wservernews.com/go/vneebfmf/



Other Articles of Interest

Thoughts on Citrix's potential sale: 2017 Edition. This time it feels different.

Each year there are rumors about Citrix being acquired, but this time it might actually happen. But, who would buy Citrix? And, why would they be for sale? Find out the latest news surrounding the potential sale of Citrix.

http://www.wservernews.com/go/i9g4cvpy/

Why the desktop-as-a-service model hasn't taken off

DaaS has a presence in the market, but adoption hasn't skyrocketed like some expected. Experts pondered the reasons in a roundtable discussion at IDC Directions. Find out what they discussed.

http://www.wservernews.com/go/4gesad1r/

Samsung Knox gives IT control over Android OS updates

A common problem in organizations is users being able to update the operating system on their mobile devices without IT having any control. As a result, some business apps may not work, because they don't support the new version of the OS. Knox's E-FOTA feature lets IT test Android OS updates before users install them on their Samsung devices, preventing apps from breaking.

http://www.wservernews.com/go/udt3umfu/


Windows 10 migration plans hit a wall

Microsoft's free Windows 10 upgrade offer boosted adoption last year. But now, without that incentive, businesses are holding onto Windows 7 for as long as they can. For some, the Windows 10 new features just aren’t worth the cost of new hardware. So, is the switch from Windows 7 to Windows 10 really worth the trouble?

http://www.wservernews.com/go/vvqbrz20/

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

GOT FUN VIDEOS or other fun links you'd like to recommend? Email us at wsn@mtit.com

Dave from Australia sent us the following link to a cool video of a Lego train running through someone's house all done up:

http://www.wservernews.com/go/oe2pymyd/


10 MOST AMAZING Lego Machines

http://www.wservernews.com/go/bh6iu5k5/


10 Most Incredible LEGO Creations

http://www.wservernews.com/go/rpwwlfbv/


The Most Awesome Lego Machine Robot You Will Ever See

http://www.wservernews.com/go/ff4rjeb2/


Lego Art 2017 Amazing Lego sculptures ever made 2017

http://www.wservernews.com/go/49evnwln/


Amazing LEGO Machines Compilation (HD)

http://www.wservernews.com/go/yyo9g26n/

Personally I was a fan of Meccano when I was a kid.

WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit and has been author or series editor for almost fifty books mostly published by Microsoft Press. Mitch is also a ten-time recipient of Microsoft's Most Valuable Professional (MVP) award for his  outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com.

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid also manages research and marketing for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.