The New Mitch?


The photograph on the left was taken in front of La Floridita on Calle Obisbo in Old Havana by Greg Starks in February, 2017.  The photograph on the right was taken in the same spot by Eduardo Bensusan in July, 2017.  Conclusion?  Eduardo is obviously a much better photographer than Greg, except that Greg had the good sense to tell me to stand up straight.

Okay, let me say what I have been up to, simply because I am getting far too many comments to keep it secret any longer.

Yes, I have been on a diet.  Yes, it has been an extreme one.  No, I am not doing it on my own.  No, I am not sick in any way, and no, I have not, nor do I plan to have, any sort of surgical procedure.

Yes, I have been writing about it… quite a bit actually.  My journal, which has been shared with very few people, is nearing forty-eight thousand words.  I have not been writing it in public for a few reasons, not the least of which is that I have over the past few years written publicly and enthusiastically about my weight-loss attempts… and very little about all of those failures.

I have been quite successful with this attempt… so far.  I am down several pants sizes, and as the pictures show I have been doing well.  However I am far from done.  I have a long way to go, and I do not want to fail.  The only reason I am writing this is because I have received so many messages on Facebook from friends commenting, many of which with worried tones, asking if I was ill.

No, I am not ill.  I am quite well – I am jogging again, I am in the gym a few times per week, and I am trying to keep up the diet.  It gets difficult, but I am trying.  I will continue to do so.

I have a favour to ask of you all.  Please don’t ask me about it.  I do not wish to discuss how I am doing, nor what diet I am on.  If you wish to offer words of encouragement, I will graciously accept.  However, should you try to get any further information out of me, I will likely either divert or end the conversation.

Thank you all for your support.  And now we can resume our regularly scheduled technical mumbo-jumbo that Rick only understands twenty-five percent of!

Happy 10th Birthday!

i started blogging at The President’s Blog for about twelve years ago. However it was ten years ago today that The World According to Mitch went live, completely separating myself from my former position.

of course, back then the address was not – that would come later – but it was my own blog, running on DotNetNuke if I recall.

Ten years and over one thousand posts later, here we are. I want to thank all of you for your continued supports!

Touch: You can touch this!

Occasionally I am sent a press release about a new product, or a soon to be released product, that I think is worth talking about.  That happened this week when I received a kit about an upcoming product called Touch Earbuds.

touch-campaign-openers-v02The Touch Earbuds are the next generation of a product I looked at a few months ago called the Dot, which was a single earbud (although you could buy two and listen in stereo), which attached magnetically to a charging device (which in turn made a good key chain).  I made some recommendations to the company based on my experience, and here is the result: A pair of ear buds that have probably the best specs on paper that I’ve seen.  The charger is now an enclosed case (that simultaneously holds and charges the pair of buds), the Bluetooth 5 technology gives it an astounding 200m range from your device, as well as faster pairing, and the low energy functionality is perfect for devices that are needed to run for longer lengths of time.  They also did away with the button, and the Touch runs on just that – touch technology.

Did I mention that the Touch ear bud is 21mm long, making it a little shorter than an American quarter?  It fits in your ear smoothly and discretely, and stays in place even during rigorous physical activity.  They are sweat- and water-resistant, so you don’t have to take them out when it’s raining, or when you are working up a sweat.  They also come with various sizes of ear tips, to make sure they fit you perfectly.

The Touch is the world’s smallest ear buds, and they are due out in November, just in time for Christmas.  If you want to get in early though, you can back their Indiegogo campaign by clicking here.  There are more pictures, as well as data sheets and comparisons that you can look at.

I am really looking forward to trying these out… they will be the perfect fit for my long jogs and gym workouts, as well as for whenever I feel like listening to music… or chatting on the phone, because the noise reduction microphone makes it as easy as pie to chat as well as listen.


SCOM Unmonitored: Never Again!

In my last article I showed you how to enable the System Center Operations Manager (SCOM) Agent Proxy using PowerShell.  We used the cmdlet:

PS C:\> Get-SCOMagent | where {$_.ProxyingEnabled -match “False”} | Enable-SCOMAgentProxy

While this does work, it is what I call a point-in-time solution… that is, it enables the Agent Proxy on everything that exists today… but how do we go about switching it so that we don’t have to do this over and over again? Here we go:

PS C:\> add-pssnapin “Microsoft.EnterpriseManagement.OperationsManager.Client”

PS C:\> new-managementGroupConnection –

PS C:\> set-location “OperationsManagerMonitoring::”

PS C:\> Set-DefaultSetting –Name HealthService\ProxyingEnabled –Value True

That should do it… have fun!

SCOM: Unmanaged?

Congratulations! You have installed System Center Operations Manager, and you have installed all of the management packs that you needed.  Unfortunately you are getting that big, ugly, EMPTY green circle… you know, the one that is supposed to have green check marks in them?  Yeah, it happens to me too.  Not Monitored

The solution, often enough, is as simple as enabling the Agent Proxy on all of your agents.  To do so, from the Operations Manager Shell type the following:

PS C:\> Get-SCOMagent | where {$_.ProxyingEnabled -match “False”} | Enable-SCOMAgentProxy

This should solve your problem.  Good luck!

SCM is gone… Say Hi to SCT.

For the past several years nearly every client of mine (that I have consulted on Active Directory) has been introduced to the Microsoft Security Compliance Manager (SCM), a great tool that helped create Group Policy Objects (GPOs) for any number of Organizational Units (OUs), including Default Domain Policy, Domain Controller Policy, Client Workstation Policy, and many more.

Last week Microsoft announced the retirement of the SCM, and the launch of the Microsoft Security Compliance Toolkit (MST) 1.0.  According to the download site, the MST is a set of tools that allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations. 

If you are wondering how this product is different from the SCM, you can read the write-up by Aaron Margosis here.

I like that Aaron points out that there are gaps in the new offering, and assures us that Microsoft is working to fill those gaps.

Hyper-V Server Clustering Network Issue: Validation Failed?

If I’ve told you once I’ve told you a thousand times… When you build a Failover Cluster on Windows Server make sure you run the Validation Tests… and make sure those tests succeed (or at the very least nothing FAILS… Warnings are acceptable).

So as I sit at a client trying to cluster two Hyper-V Server 2016 hosts, I am frustrated by the big red FAILED on my Cluster Report.


Should you ever encounter this error, it is important to note that the network vEthernet (Data) is not the same network as Data.  So the solution, which stymied me for about an hour, was simple:


In other words, I have to disable to TCP/IP v6 on the problematic binding, which I do with a simple PowerShell cmdlet:

PS c:\> Disable-NetAdapterBinding -Name “vEthernet (Data)” -ComponentId ms_tcpip6

(Remember that I have to put the “quotation marks” around the name because there is a space in it… otherwise I could leave them out.)

Also remember that because these hosts are Hyper-V Servers and not actual Windows Servers, I couldn’t use the GUI to do this.  (There actually is a netsh command to accomplish this as well… but PowerShell rocks!)

Once I ran this cmdlet on both hosts, I re-ran my Validation Tests, and bingo!


Everything comes up roses, and I can continue my day happily.

I hope this helps you!

Fifteen Tabs: Shut em all down!

helpThose of us who try to keep  the banging of our heads against a wall to a minimum will have long since learned that we don’t know everything, and more often than not there is someone out there who knows more than we do.

“But Mitch, how can you say that?  I read your blog religiously, and when I don’t know something about computers I can usually find the answer on your blog!”  I know, but even I have to go looking for the answers sometimes… in fact, more often than not.

The problem is, very often the answer is not so easy to find…

This week I found myself trying to solve a problem that concerned a High Availability SQL Cluster.  It was maddening… I spent three days trying to find the answer, and from very early on I knew that I was going to have to look to others for help. 

As a blogger, the first place I start looking is… other blogs of course!

FrustrationNow here’s the problem with that… when the answer is not as simple as a yes/no to track down, you may have to look through myriad blogs and articles and documents and forums before you actually find the answer… and often enough one blog or article or document or forum may not give you the solution, but it will point you in the right direction – either down a rabbit hole or sometimes into a snake pit.  Either way, I keep each page open in a new tab in my web browser, because often enough I will want to document how I got from zero to hero – or hero to bum, as the case may be.

So three days into trying to solve this problem, which took me to a dozen different articles, forums, and conversations on Facebook, Twitter, and LinkedIn (which indeed led me to three other articles), I found in four of those articles the pieces to the puzzle that eventually helped me to solve my issue.  It was done, I solved it… not alone mind you, but I solved it.

I looked at my desktop and sighed… I hadn’t rebooted in three days for fear of losing track of my path toward the solution… which of course I had to document for my client.  I could now close them all down.  Each browser tab (and yes, there were actually fifteen of them, excluding Facebook, LinkedIn, and Twitter) was now beckoning to me to shut them down.  One by one I clicked on the X in the top right-hand corner… and I was quite satisfied as they all disappeared into the ether.

As frustrating as technical problems may be – and I always tell people that knowing more will only lead to more technical and even more frustrating problems – when you solve them the feeling is truly euphoric.  That stress-relieving satisfaction that you fought AND WON.

Now how is that for a way to end a day? Happy Friday everyone, and have a great weekend!

Will you pay?

CPUsAn article showed up in my Inbox today: Intel Core i9: It’s not whether you need 12 cores, but whether you’ll pay for them.  It is an interesting read, and a very good question.

I have always liked ZDNet.  Their people do a good job of keeping a pulse on the industry.  Their question is a valid one… will people be willing to pay for 12 CPU cores (presumably on the desktop… people will definitely pay for them in servers).

I used to be very good friends with a man named Willem.  Willem is brilliant, and was (almost) always a positive influence on me.  He is an IT Professional who moved to Virginia some time ago, but until then he owned and operated a company in Montreal called Saturnus True Data Services.  They were not the first computer company I ever worked for… but they were certainly one of them.

One day in late 2005 I was talking to Willem about the new laptop I was buying, an Acer Ferrari 4000.  It was sleek, it was gorgeous.  It was the first computer I ever owned that had a 64-bit CPU.  When I told Willem about it he asked why I would ever need or even want a 64-bit CPU?  I admit I did not really have a good answer for him then.  Later on I would… starting with the 3.2GB limitation on 32-bit CPUs.  However, when he asked me in November of 2005 I couldn’t tell him why I would even need more than 3GB of RAM, because back then nobody really did.

Fast-forward nearly twelve years, and 64-bit CPUs are ubiquitous.  I haven’t tried in a while, but I doubt you could even buy a laptop today with a 32-bit CPU.

The hybrid laptop I am writing this article on – my Surface Pro 4 with an i7 CPU – cost quite a bit more than my Ferrari laptop did, and it has a 4-core CPU with 16GB of RAM.  Had Willem asked me 12 years ago why I would ever want 4 CPU cores on a hybrid laptop I would have answered honestly with a question: What’s a CPU core?  And yet, here I am and it is my go-to machine.

The way our world works is simple: Something is invented and it is expensive… at first.  As time goes on prices go down… usually as newer versions are invented.  Eventually they become obsolete, and if you are lucky they become collector’s items… usually they become junk.  The Ferrari that I paid over $1500 for in 2005 is now selling (used) on eBay for $200… and that is probably because of the Ferrari logo because equivalent laptops from other manufacturers are selling for much less than that.  One day my Surface Pro 4 will be nearly worthless too.

CPUSo Intel invented a desktop CPU (the Intel i9) with 12 cores.  Today nobody needs it.  In 20 years nobody will understand how we got by with such primitive technology.  The founder of that company, Gordon Moore, predicted in 1965 that “…the number of transistors on integrated circuits doubles about every two years.”  So 12 cores is simply what was next.  Our computers get faster and as they get faster they get more expensive.  Then something even faster comes out, and that other one becomes less expensive… until they become obsolete.

So who will pay for the 12-core CPU on a desktop?  Probably very few people… now.  But give them time; prices will come down, and we will see them out there.  Slowly at first, but eventually 12-core CPUs will probably become the standard desktop processors.

…Now who among us feels really old, and nostalgic about our 4.77MHz CPUs?

A New Perspective…

This blog is older than I ever thought it would be.  So every once in a while I like to give it a facelift.  This morning you should notice a big difference.

I picked a new template last week.  I have modified it though… the pictures in the cover are shots I took in Cuba this year.  I hope you like it!  Let me know if you don’t!


Windows Server 2016: A pet peeve

Windows Server 2016Over the next few weeks, as I do my first production infrastructure implementation based on Windows Server 2016 and System Center 2016, I am sure this list will grow longer.  In the meantime, I have uncovered my first pet peeve in the new version.

Don’t get me wrong, overall I like Server 2016… but to find out that it is no longer possible to install Windows Server with a GUI (Graphical User Interface) and then later to uninstall the GUI (see article for Windows Server 2012) is fairly annoying.

Throughout the launch of Windows Server 2012 I was with the Evangelism Team at Microsoft Canada and I traveled the country – first for the launch events, and then evangelizing and teaching that platform.  I spent a lot of time talking about Server Core because of the benefits for security, as well as for the reduced resource requirements (which, in a virtualized infrastructure, can be staggering).

Of course, Server Core looks a lot like where we started out… if you were a server administrator back in the 1980s and most of the 1990s, you were using command line tools to do your job.  However it had been too long ago, and the vast majority of admins today were not admins back then.  So I was able to discuss a compromise… Install Windows Server with the GUI, and when you were done doing whatever it was you needed the GUI for (or thought you did), you could uninstall it… or at the very least, switch to MinShell.

I showed up at my client site this week and was handed a series of brand new servers on which to work.  They all had the GUI installed.  So I went to work, and typed in that familiar PowerShell cmdlet to remove the GUI.  I was greeted by that too-familiar red text which meant I had done something wrong.  I will spare you the boring details, and after several minutes of research I discovered that Microsoft had removed the ability to remove the GUI in Windows Server 2016.

I understand that the product team has to make difficult decisions when developing the server, but this was one that I wish they had not made.  However confirmation comes directly from the product group in this article, in which they write:

Unlike some previous releases of Windows Server, you cannot convert between Server Core and Server with Desktop Experience after installation. If you install Server Core and later decide to use Server with Desktop Experience, you should do a fresh installation.

I wish it weren’t so, but it is.  Once you install the GUI you are now stuck with it… likewise, if you opted for Server Core when you first installed, you are committed as well.


Firewalls: Trust me!

I have several clients who have multiple sites, as well as multiple Active Directory (AD) forests.  As security is so important they want to lock things down the best they can, but they also need to open up the necessary ports to allow the domain trusts to work.  The ports required for this are:

Port Number Protocol Traffic Type
53 TCP/UDP Domain Naming Service (DNS)
88 TCP/UDP Kerberos
445 TCP Server Message Block (SMB)

These ports should work for every version of Active Directory dating back to Server 2000, but I have not tried anything earlier than 2012.

Windows To Go Gotcha in Windows 10

So here’s an interesting fact about Windows To Go.  When Windows 10 first came out I was still running Windows 8.1 on my corporate desktop, and when I went to create my WTG image I couldn’t because the Windows 8.1 WTG engine did not support building Windows 10 WTG keys.  Ok, that is understandable.

Windows 10: The last operating system Microsoft will release, right?  Well my corporate laptop is on Build 1607, and when I downloaded the latest build (1703) it would not recognize it.  So my two options are:

  1. Download the earlier build and make my key based on that build; or
  2. Take the time to upgrade my laptop.

With all due respect Microsoft, if you are going to tell us that Windows 10 is the last desktop OS, don’t pull these games.  As a tech guru I understood right away what the problem was… How much time do you think the regular Joe trying to use your products would have spent on this?

Scheduling Server Restarts

If you manage servers you have likely come to a point where you finished doing work and got a prompt ‘Your server needs to reboot.  Reboot now?’  Well you can’t reboot now… not during business hours.  I guess you’ll have to come back tonight… or this weekend, right?

Wrong.  Scheduling a reboot is actually pretty easy in Windows.  Try this:

  1. Open Task Scheduler (taskschd.msc).
  2. In the Actions pane click Create Basic Task…
  3. Name the task accordingly… Reboot System for example.
  4. On the Task Trigger page click the radio button One Time
  5. On the One Time page enter the date and time when you want the server to reboot.
  6. image
  7. On the Action page select Start a program.
  8. On the Start a Program page enter the name of the program shutdown.exe.  In the Add arguments box enter /f /r /t 0.  This will force the programs to close, restart the server (instead of just turning it off), and set the delay time to 0 seconds.
  9. image
  10. Once you have done this your server will reboot at the precise time you want it to, and will come back up.

**NOTE: Don’t forget to check.  it is not unheard of in this world for servers to go down and not come back up as they are supposed to!

Do it in PowerShell!

Using PowerShell to script this will allow you to not only save the script, but also run it on remote servers.  From Justin Rich’s blog article I found this script:

register-ScheduledJob -Name systemReboot -ScriptBlock {

Restart-Computer -ComputerName $server -Force -wait

Send-MailMessage -From -To -Subject "Rebooted" -SmtpServer

} -Trigger (New-JobTrigger -At "04/14/2017 8:45pm" -Once) -ScheduledJobOption (New-ScheduledJobOption -RunElevated) -Credential (Get-Credential)


Have fun!

A Big, HUGE Microsoft Security FAIL.

(NOTE: This article was written December 7, 2016. Not one word has been changed since that date.  To understand why it can only now be published, read the article on this site called 107 Days: A Microsoft Security Nightmare. -MDG)

For reasons that will become obvious, I am going to delay posting this article until the issue has been resolved.

A few days ago a colleague of mine discovered the password to my Microsoft Account.  I won’t go into the how and why… I knew that my password had been compromised and I took the immediate steps to change it.


Ok, I understand that things break… I tried a few times, and then I decided to follow the advice and try later.  I trust my colleague not to actually use my password, so even though I felt uncomfortable with it being compromised, I knew I could wait a couple of hours.

Throughout the evening I tried (unsuccessfully) to change my password.  As I was sitting with my father having dinner, as I had drinks and cigars with my friends… no joy, I still got the same message.  ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.

I want to be clear… if my network had an error that was preventing users from changing their passwords I would consider it reasonably important, and I would take immediate steps to fix it.  But having trusted Microsoft for so many years, I assumed this would be fixed eventually.

Four Days Passed.

Yes, it was literally four days before I decided that my passivity would not eventually lead to a solution.  I sat down and figured out how to request support. I was hoping to be able to speak with a human being.  Before I could, however, the Virtual Support Assistant got me to try this link and that link.  It then made me go through seventeen steps to finally confirm that the account in question was mine… and once it confirmed that I really am me, it tried to reset my password… and I ended up with the same error message that ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.

Okay, it’s been nearly an hour… and I am chatting with someone who is quite obviously not their first round draft pick.  After all, I asked for help with, not with something that people actually pay for.  I spent twenty minutes explaining to him the situation, and the added (and I assume rare) complication that I have two accounts with the same address… my Office 365 account and my Microsoft Account are both the same address that are completely different.  ‘Please don’t touch my Office 365 Account, I only want to change my Microsoft Account.’  This led to another five minute discussion on the meaning of the word change.

He had me fill out another form on-line.  I did.  At the end of that form I got a message that said that the product team would contact me within 24-48 hours to help me.  I told the Support Agent that I had filled out the form.  He told me that now I had to wait until they contacted me.

All in all, my Microsoft Account (which is the account I use for my MCT & MCP Benefits, Skype, and myriad other features) will have been compromised for the better part of a week… and there was nothing I could do about it.  Yes, I could have contacted Answer Desk a few days earlier, so it would have been compromised for only three days.  I want to know in what world is that considered an acceptable delay to be able to change a compromised password?

Some time ago I started using Multi-Factor Authentication (MFA) for many of my most important systems, which is why I am never concerned that my blog or my password vault could be compromised.  For various systems I have a hard key (Yubikey) and soft keys (Google Authenticator and Microsoft Authenticator) which keep most of what I do safe.  But most of the Microsoft systems do not support MFA and I am stuck with only a password.  I use reasonably complex passwords so I usually am not concerned, but in a case where my password is compromised and I am not able to change it, I wonder how it is that a company as advanced as Microsoft (in this case) does not allow me to use MFA.  I would love to be able to require my Yubikey in order to log in to Windows and many of the on-line systems I use, but it is simply not an option.

I am disappointed by Microsoft this week… and I hope that they take the lessons learned from this experience to improve.  However I sit here today, thinking of the myriad occasions I stood on stage in over a dozen countries on five continents and defended Microsoft’s security systems as among the best in the world; I was always sure in my knowledge that I spoke the truth.  Today I would not feel comfortable making that claim… and my faith in their systems, like shattered glass, will not be easily fixed.