I Think… therefore, I am uncertain.

I spend a lot of time speaking with clients about their environments.  From time to time, my job is to ‘interview’ them, so that I can properly document their environments.

Recently I was speaking with a couple of admins at a private sector company who were very proud of their environments.  They had hired a sub-contractor to deploy much of their infrastructure, and they were pleased to answer my questions.  They had engaged my services to audit the work performed by the other contractor, and were pretty sure that the meeting would be pro-forma, and I would sign off on everything that had been done.

MDG: How often are backups performed?
Client: Daily for most systems, hourly for highly transactional servers.

MDG: How long are your backups retained?
Client: Hourly and Daily backups are retained for 30 days, weekly backups are retained for 6 months, monthly backups are retained for a year.

MDG: How often are your servers patched?
Client: Monthly… we think.

Those last two words send chills down my spine… and I hear it more often than you would think.

Is it our job to know everything about our environments?  Maybe, maybe not… but if you think and you do not know, then you should be following up and making sure.

Why does it scare me that this was their answer?  Because one of the people in the room was responsible for the security and stability of the environment, and an unpatched server will eventually be an unsecure server.

It is not surprising that in a large environment the manager does not know every detail of the day-to-day operations of his network; he has people reporting to him who are responsible for these things.  In fact, the person responsible for testing, approving, and applying patches was not in the room for this meeting.  He was, we can assume (as this meeting was held on Patch Tuesday), somewhere testing patches.  The manager does not need to know everything… but he has to be able to get that information.

Seventeenth Century French philosopher René Descartes stated: “Cogito ergo sum” (French: Je pense, donc je suis; I think, therefore I am).  He was claiming that he knows that he exists, because he is able to think.  While I feel this philosophy can be disproven by a great many zealots who certainly are but seem unable to think, he was essentially saying that thinking is a good thing.  Socrates, the Athenian philosopher of the Fifth Century B.C.E., claimed that “The only true wisdom is in that you know nothing.”   He was not saying that stupidity is a good thing, rather that it is important to question everything.

So, is it better to think that you know how often your systems are patched, or to know that you do not know, and thus inquire?  While I have never spent a great deal of time studying philosophy (Athenian, French, or otherwise), I think when we are unsure, it is better to inquire.

In my follow-up meeting a few days later, the manager came equipped with a sheaf of printed reports that I had asked for… including the one that showed that patches were indeed applied on a monthly basis, and a list of pending patches, failed patches, and unprotected systems.  The client was doing exactly what they needed to do, and the consultant who had deployed their infrastructure had indeed implemented two separate and complementary patch-management systems, including System Center Configuration Manager (SCCM) with Windows Server Update Services (WSUS), and System Center Virtual Machine Manager (SCVMM) for their virtual servers and hosts.  My client, whose systems’ integrity was never an issue, was happy that he had gone to make sure, and in fact extracted reports that he had never actually checked before.  His systems were fine… and so was his peace of mind… now.

Going back to the philosophical questions for a minute, we have all heard the question: “If a tree falls in a forest and no one is around to hear it, does it make a sound?”  This is attributed to Eighteenth Century philosopher George Berkeley (in his work “A Treatise Concerning the Principles of Human Knowledge” published in 1710).  In systems administration, the unheard tree can lead to eventual disaster, depending on the scope.  If a system is not properly patched, it can be exposed to myriad vulnerabilities.  If systems are not reporting properly, it might mean that the systems are not available… or something more sinister.  That is why we have to check these reports, to make sure that what we believe to be our solid environment is indeed solid, and will remain so.

My client (the company’s IT Manager) had a mostly stable environment, but three systems listed on the reports he brought had not been patched in several months, thereby missing a critical patch that we knew had led to an exploited vulnerability.  The lack of noise – very few admins get active alerts that a system failed to patch – was deafening, and left unchecked could have had disastrous results.  Fortunately, that did not happen; the three unsecured systems were immediately flagged and quarantined, and after a few minutes with the Desktop Support Team were again right as rain.  All is well…
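One way to make that silence audible is to compare the patch report against the list of systems you believe you own. The following is an added example, not something from the client’s environment: the function name Get-PatchGap, the CSV column names, the thresholds and every server name and date are assumptions constructed for illustration.

```powershell
# Added example: all data below is constructed. Assumption: the patch tool can
# export one row per computer with the date it last reported in and the date
# of its last successful update installation.
$reportCsv = @'
ComputerName,LastReported,LastSuccessfulInstall
SRV-APP01,2015-06-15,2015-06-10
SRV-SQL01,2015-06-15,2015-06-10
SRV-FILE02,2015-06-14,2015-02-11
SRV-WEB03,2015-04-02,2015-03-11
SRV-TEST09,2015-06-15,
SRV-OLD77,2015-06-15,2015-06-10
'@

# The systems we believe exist (constructed). SRV-DC02 is absent from the report.
$inventory = 'SRV-APP01', 'SRV-SQL01', 'SRV-FILE02', 'SRV-WEB03', 'SRV-TEST09', 'SRV-DC02'

function Get-PatchGap {
    param(
        [Parameter(Mandatory)][string[]] $Inventory,
        [Parameter(Mandatory)][object[]] $Report,
        [datetime] $AsOf = (Get-Date),
        [int] $MaxPatchAgeDays = 35,   # monthly cycle plus a few days of slack
        [int] $MaxSilenceDays  = 7     # how long a system may go without reporting
    )
    $format  = 'yyyy-MM-dd'
    $culture = [cultureinfo]::InvariantCulture

    # Index the report by computer name (PowerShell hashtables ignore case).
    $byName = @{}
    foreach ($row in $Report) { $byName[$row.ComputerName] = $row }

    foreach ($name in $Inventory) {
        # 1. Known system that the report never mentions: the tree nobody heard.
        if (-not $byName.ContainsKey($name)) {
            [pscustomobject]@{ ComputerName = $name; Finding = 'NotInReport'; Days = $null }
            continue
        }
        $row = $byName[$name]

        # 2. System that stopped reporting; its patch data can no longer be trusted.
        $reported = [datetime]::ParseExact($row.LastReported, $format, $culture)
        $silence  = ($AsOf - $reported).Days
        if ($silence -gt $MaxSilenceDays) {
            [pscustomobject]@{ ComputerName = $name; Finding = 'Silent'; Days = $silence }
            continue
        }

        # 3. System that reports in but has never installed an update successfully.
        if ([string]::IsNullOrWhiteSpace($row.LastSuccessfulInstall)) {
            [pscustomobject]@{ ComputerName = $name; Finding = 'NeverPatched'; Days = $null }
            continue
        }

        # 4. System that reports in but has missed one or more patch cycles.
        $patched = [datetime]::ParseExact($row.LastSuccessfulInstall, $format, $culture)
        $age     = ($AsOf - $patched).Days
        if ($age -gt $MaxPatchAgeDays) {
            [pscustomobject]@{ ComputerName = $name; Finding = 'StalePatch'; Days = $age }
        }
    }

    # 5. System that reports in but is missing from the inventory.
    foreach ($name in $byName.Keys) {
        if ($Inventory -notcontains $name) {
            [pscustomobject]@{ ComputerName = $name; Finding = 'NotInInventory'; Days = $null }
        }
    }
}

# Fixed "as of" date so the constructed sample always gives the same findings.
$gaps = Get-PatchGap -Inventory $inventory -Report ($reportCsv | ConvertFrom-Csv) -AsOf ([datetime]'2015-06-16')
$gaps | Sort-Object Finding, ComputerName | Format-Table -AutoSize
```

Run on a schedule and mailed to whoever owns patching, a report like this turns a missing row into an active alert instead of a discovery made during an audit.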

While we may wax poetic, IT is not about philosophy.  Knowing is important; Certainty is crucial; Silence can be Critical.

…And yet, as IT Professionals, just as with long-dead philosophers, it is important for us to keep asking questions, to keep actively seeking the truth, and questioning the silence.  If you don’t?  Well, that tree may fall on your head, and your thinking will mean you are… out of a job.

The Perils of a Manual Environment

I am not going to lie to you and say that every environment that I manage or have managed is an optimized Secure, Well-Managed IT Environment.  It’s just not true.

In a secure, well-managed IT environment we monitor to make sure that things are working the way they are supposed to.  When we spin up a new server, for example, the proper agents are installed for anti-malware and monitoring without our lifting a finger.  Tuesday evening a new server is spun up, Wednesday morning it is already letting us know how well it is running.

But what about the other environments?  Many smaller environments do not have automated deployment infrastructures that make sure every new server is built to spec.  What do we do for those?

The answer is simple… where automation is lacking we have to be more vigilant in our processes.  When a new server (virtual or otherwise) is created, we not only install an operating system… we also make sure we add the monitoring agent and the anti-virus agent, and make sure we schedule proper backups, because if we don’t it will all be for naught if everything goes down.

So the answer is to make my environment completely automated, right?

Well, yes of course it is… in an ideal world.  In the real world there are plenty of reasons why we wouldn’t automate everything.  The cost of such systems might outweigh the benefits, for example… or maybe we do not have an IT Pro managing it, just the office computer guy.  Ideally we would get that guy trained and certified in all of the latest and greatest… but if you work in small business you know that might not always be the reality.

So what IS the answer?

Simple.  I have a friend who has made a fortune telling people around the world how to make checklists.  I am not the guru that Karl is, and you don’t have to be either.  But if you do have a manual environment, spend the time to make a checklist for how you build out systems – make one for servers, one for desktops, and probably one for any specific type of server.  You don’t have to do it from memory… the next time you build a machine write down (or type!) every step you take. 1) Create virtual machine. 2) Customize virtual machine. 3) Install operating system… and so on.  When you are satisfied that your system is built the way you want it (every time) then you should try it again… but rather than using what you know, follow the checklist.

These checklists, I should mention, should not be written in stone.  There are ten rules that were so written, and that’s enough.  Thou shalt not murder is pretty unambiguous.  Thou shalt install Windows 8.1 may change when you decide to upgrade to Windows 10.  So make sure that every time you use the checklist you do so with a critical eye, trying to see if there is a way to improve upon the process.  The Japanese word for this is Kaizen.  They are pretty good at a lot of things from what I have seen.

True story: I gave this advice to a colleague once who thought it was great.  He started creating checklists, and had his employees and contractors follow them.  One day he invited me for a drink and told me a funny story.  His client had been using System Center Operations Manager (SCOM) to monitor all of their servers.  He had a checklist that included installing the SCOM agent in all servers.  One day the client decided to switch from SCOM to SolarWinds (a great product!) and after several weeks he decommissioned his SCOM infrastructure.  Six months later the client (a pretty big small business) complained that since they switched from SCOM to SW all of their new servers kept reporting a weird error.  It seems that the IT Pro who was following the checklists had continued installing the SCOM Agent into their servers, and since it could not find a SCOM server to report to, it was returning an error.  As I said, these checklists should be living documents, and not set in stone.


There is no one right or wrong answer for every environment.  What is a perfect inexpensive solution for one company might be cost prohibitive for another.  The only thing you have to do is use your mind, keep learning, use common sense, and keep reading The World According to Mitch!

Where’s My… <Fill in the blank Admin tool>?

If you are me you like that every few years we get a new version of Windows.  Great new features, new tools, new this, new that… and new frustrations trying to figure out where the hell all of my tools are!

Yeah yeah I know… this is the last version of Windows we are getting as a major release; from now on it’s going to be incremental updates released as patches.  Frankly I don’t know how crazy I am about that idea, but okay I’ll live with it.  In the meantime I want to know where I go to adjust my time and date, set default programs, add devices, set up ODBC data sources, and so much more. 

We know where those were in Windows XP, and then Windows Vista came about but nobody really used it anyways.  Three years later we got Windows 7 and they were moved, but we got used to them.

Windows 8 came about and they were moved again… crap, now not only do we have to find them, but this time I don’t have the Start Menu to look in.  Oh wait, here comes Windows 8.1, and my Start Menu is back… but they’ve moved my tools again!  Phew, I found them… just in time for them to release Windows 10.

So there is a hidden trick in Windows… it has been there since Windows 7 (DO NOT try it in Windows Vista… as if there was a lot of chance of that!) that allows you to place a full ‘Admin’ file on your desktop.  Do this:

  1. Right-click on your desktop and click New – Folder.
  2. Name the folder Admin.{ED7BA470-8E54-465E-825C-99712043E01C}.

That’s it!  You now have a shortcut on your desktop called Admin (Although technically you can call it anything you want).  It will look like this:


When you open it up it will look like this:


Notice the scroll-bar along the side… there are dozens of categories, which are:

  • Administrative Tools
  • AutoPlay
  • Backup and Restore
  • BitLocker Drive Encryption
  • Color Management
  • Credential Manager
  • Date and Time
  • Default Programs
  • Devices and Printers
  • Display
  • Ease of Access Center
  • File Explorer Options
  • File History
  • Fonts
  • HomeGroup
  • Indexing Options
  • Internet Options
  • Keyboard
  • Language
  • Mouse
  • Network and Sharing Center
  • Pen and Touch
  • Personalization
  • Phone and Modem
  • Power Options
  • Programs and Features
  • Region
  • RemoteApp and Desktop Connections
  • Security and Maintenance
  • Sound
  • Speech Recognition
  • Storage Spaces
  • Sync Center
  • System
  • Tablet PC Settings
  • Taskbar and Navigation
  • Troubleshooting
  • User Accounts
  • Windows Defender
  • Windows Firewall
  • Windows Mobility Center
  • Work Folders

Wow… 42 categories, and 250 items.  That’s a lot of admin tools all in one place!

So go ahead and try it… It won’t hurt, it will just be one more icon on your desktop.  Frankly if you are like me, it will allow you to remove several desktop shortcuts that you placed previously.

Distinguished Names: How do I…

Yeah yeah, I know… A little while ago I talked about how to determine the Distinguished Name (DN) of an Active Directory Object, and I got a flurry of requests for doing it with PowerShell.

Now, normally I do like to show you how to do things via the GUI, and then what the PowerShell cmdlet would be for the same task.  However since I didn’t actually show a GUI way of doing it, I didn’t think to show you the PowerShell way of doing it.  My bad… Here you go!

1) Let’s say you want to get the DN of all objects with the name Mitch in it.  We can use the Get-ADObject cmdlet.  Like so:

Get-ADObject -Filter { CN -like "Mitch*" }


Okay, that’s not bad… but what am I going to do with a DN that is cut off with an ellipsis? Of course that is useless, so instead let’s use a full list… or |fl:

Get-ADObject -Filter { CN -like "Mitch*" } |fl


So here we see the full DN (with the domain name hidden to protect the customer’s identity). 

Of course, if you don’t want a whole list, and you know the exact name of the Active Directory Object, you can change the parameters, so:

Get-ADObject -Filter { CN -eq "Mitchell Garvis" } |fl


We have eliminated the need for wildcards by changing the operator from -like to -eq, but we now need the exact name (no typos now!) for it to work.

2) The problem is, that doesn’t seem to work with Organizational Units, which is what I was talking about in the first place.  So try this:

Get-ADObject -LDAPFilter "(objectClass=organizationalUnit)" |fl


Here we have changed the parameter from -Filter to -LDAPFilter, and are able to see the entire list of our Object Class… in this case OUs, but you can change that for sites or domains or users.
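The CN filter from step 1 misses OUs because an OU is named by its ou attribute, not cn. The following added example (not from the original post) looks up one OU by name with -LDAPFilter and escapes the name first, so that a stray *, ( or ) in the input cannot change what the filter matches. The helper names ConvertTo-LdapFilterValue, New-OuLdapFilter and Get-OuDistinguishedName and the sample OU names are hypothetical.

```powershell
# Added example. Helper names and sample OU names are hypothetical/constructed.

function ConvertTo-LdapFilterValue {
    # Escape the characters that have special meaning inside an LDAP search
    # filter (RFC 4515). The backslash must be handled first, otherwise the
    # escapes added for the other characters would be escaped a second time.
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Value)

    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace([string][char]0, '\00')
}

function New-OuLdapFilter {
    # Build a filter that matches exactly one OU name, nothing wider.
    param([Parameter(Mandatory)][string] $Name)

    '(&(objectClass=organizationalUnit)(ou={0}))' -f (ConvertTo-LdapFilterValue $Name)
}

function Get-OuDistinguishedName {
    # Return the DN of every OU with the given name, optionally below a
    # search base. Requires the ActiveDirectory module and a reachable domain.
    param(
        [Parameter(Mandatory)][string] $Name,
        [string] $SearchBase
    )

    $query = @{ LDAPFilter = New-OuLdapFilter -Name $Name }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADObject @query | Select-Object -ExpandProperty DistinguishedName
}

# Offline part: show the filter that would be sent for a few constructed names.
# 'Sales*' stays a literal asterisk instead of becoming a wildcard, and the
# parentheses in the last name no longer break the filter syntax.
foreach ($name in 'Sales', 'Sales*', 'R&D (Toronto)') {
    [pscustomobject]@{ Name = $name; Filter = New-OuLdapFilter -Name $name }
}

# Online part: only runs where the ActiveDirectory module is installed.
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    Get-OuDistinguishedName -Name 'Sales'
}
```

The same escaping applies whenever a name typed by a user or read from a file ends up inside an -LDAPFilter string.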

Windows PowerShell may look complicated to those who grew up in the GUI, but here’s the best part… you don’t have to memorize anything to become a PowerShell PowerUser!  All you have to do is know how to use Google (or Bing, if you are still drinking the KoolAid).  Type into the Search Bar PowerShell AD Distinguished and you will come up with a good starting point.

Now go forth and script!

An Experienced Eye

There’s an old adage about a guy who takes his car to a mechanic.  The car is coughing and banging and sounds like it is dying.  The mechanic listens for a minute, then takes a hammer and takes a big whack at the engine, which then starts purring perfectly.  That will be $200 please.  ‘WHAT? You want me to pay you $200 for hitting my engine with a hammer??’ No, replies the mechanic.  I want you to pay me $200 for spending the time to know where to hit it, how hard to hit it, and that the hammer was the right tool.

I was dropping something off for my son the other day when Theresa asked me to look at the computer.  ‘It seems to work fine, but it won’t connect to the Internet.’  This can mean any number of things.  I booted it up, logged in, and sure enough, I could not surf the Internet.

I ran a couple of very quick tests and then proclaimed ‘Yep, it’s malware.’

My sixteen year old son looked at me quizzically and asked how I knew.  The answer is simple… experience.  When you have been in the industry long enough, there are some things that you are going to know.

He was sceptical of course, and asked why I didn’t just re-install Windows.  Instead I went to another computer, downloaded the installation package to Windows Intune (which includes Windows Intune Endpoint Protection), and installed it.  I told him to leave the computer on and then try it in the morning.

Over the next couple of hours I got several texts – from him and Theresa – telling me the computer wasn’t doing anything.  ‘Is there anything I am supposed to be doing?  What should I be seeing? Nothing is happening!’ I kept reassuring them that it was working in the background, and to confirm I told them a couple of things about the computer that I wouldn’t have known, unless the Windows Intune agent was actually reporting back to my account from that computer.

The next morning I got a text from Theresa telling me that the computer was now fixed.

The moral of the story is not ‘Trust your IT guy!’, nor is it ‘You may have a virus.’  The moral is that experts are usually experts for a reason, and the seasoned ones don’t spew out platitudes.  If you think your IT Pro is charging you a ridiculous rate, he is not doing it because he is greedy; it is because like any other professional he has invested the time and effort into learning his trade.  If it hurts to think that he or she charges you $150 an hour to get your computer back up and it only took him 15 minutes, stop thinking about it as an hourly rate because what you are really doing is paying him to fix your computer.  If it takes him 5 minutes or 45 you are paying him the same, yes… but not for time, for expertise. 

Surface Pro 3: Two weeks later

Are there problems with it?  Yes.

Do I absolutely love it? I love my kids and my dogs… but I suppose I do like it as much as I have ever liked a laptop or tablet… and I have had quite a few of them over the years!

What are the problems? There is really only one that you should be aware of if you are thinking of going out to buy one.  It’s the patches and the battery.

How, you may ask, do patches and batteries wind their way into a single problem?  Simple… as you probably know, everything in computers is managed by software drivers… and that includes the battery to some extent.  When you buy the device (or any device) you are prompted to apply patches, and at this point a couple of them for the Surface Pro 3 are firmware updates.  You apply the first one, and then you have a problem…

…Windows tells you there is no battery detected.  Worse, if you unplug the device it shuts off immediately.  The firmware update actually tells the computer that there is no battery installed.

BUT THERE IS! Wait a minute!  I was using it unplugged just a few minutes ago!  Where did it go?  Oh… I get it!  The pesky firmware is what screwed me up.  Let’s check to see if there is ANOTHER firmware update.  Plug it in, connect to the Internet, run Windows Update… By Jove, there it is!  Install it, and presto changeo, there’s my battery!

…and what a battery it is!  My original Surface Pro probably gave me 3 hours of battery (with Hyper-V and a bunch of other things draining it).  The Surface Pro 2 was probably closer to 5.  The Pro 3? I haven’t had it run dry on me yet… for the first time in my laptop-owning life I am not afraid to leave the house in the morning without the charger.

(Imagine the voice of Hervé Villechaize if you would…)

Yes, there are a lot of improvements over the Surface Pro 2, but wow I never would have imagined that the 1.4″ difference in screen size (12″ over 10.6″) would make that much of a difference.  As I told you recently I have an external 16″ screen that I keep in the trunk of my car so that I can have the dual screen experience on the go.  I don’t know that I have pulled it out once since I got the Pro 3… the combination of the slightly bigger screen and the much improved screen resolution make the extra screen redundant… at least when I am on the go.

Don’t get me wrong… the day the Pro 3 docking station is available I am buying it – I have pre-ordered it from the Microsoft Store, and I have the voucher for it (from something else I returned).  All I need is the e-mail saying it is in… and I expect that to be around the same time the remaining Surface Pro 3 models (with the Intel i3 and i7 CPUs) are released, sometime in August.  When I am at home (or an office) I will still want the multi-screen experience.  On the go?  Not necessary anymore.

A lot of people are saying I should have waited for the Intel i7 version, but the reality is I have not found myself lacking.  The Surface Pro 3 runs everything I need it to with 8GB of RAM and the Intel Core i5 CPU, and frankly I don’t want to spend the extra money (the i7 version will come in two models – 256GB storage for $1,599, and the 512GB model for $1,999).  Too rich for my blood, but thanks!


I am asked pretty often (including 3 minutes ago, as I sit at the Microsoft Store in Square One Mall blogging) whether the Surface Pro 3 is really a laptop replacement.  The answer, as with everything, is that it depends.  I would think that for the vast majority of people the answer is yes.  If you are a true hard-core gamer? Maybe not; there are some gamers who need more than 8GB of RAM.  If you are a coder? I have a friend who is a programmer who needs to run virtual machines running more than 8GB of RAM at all times.  (Did I mention that I LOVE the fact that it runs Hyper-V?  Well I do…). Aside from them?  I don’t know too many users – even power users – who need more than 8GB of RAM ever, not even occasionally.  For them (like myself) I would say that this is the device for you.

If you are in the Greater Toronto Area come down to the Microsoft Store at Square One or Yorkdale Malls to check it out! 🙂

Sad Times for an Industry

I used to say to my audiences that while the number of jobs in IT will go down, the best will always be in demand.  I then spent several months essentially unemployed.

The IT field has changed dramatically over the course of the last few years.  I suppose it is natural for an industry as young as ours to evolve drastically and violently… but I didn’t expect it would happen to me.  When I did find a job I was relieved to say the least.

During the time when I was looking I noticed that a lot of people turned their backs on me.  I thought for a while it was personal, but I have realized that people in our field are becoming a lot less secure than they were even a year or two ago… yes, some of the people who disappointed me did it out of malice or jealousy, but I have realized that there are also a lot of people who have realized that if they are not protective of what they have, someone else might get it.

I am not naming names… but one of the people who didn’t turn his back on me – someone who commiserated, and did everything that he could to help me – pinged me this morning telling me that he had been let go.  I know that a few months ago I had counselled him on a position at Microsoft, but before I even replied (because of time zones it was the first message I saw this morning) I realized that while I remembered him telling me that he found something, I had no idea where it was.  I suppose now it doesn’t matter… he’s not there anymore, and through no fault of his own.

There are a lot of reasons for someone to leave their company… often they will leave because of a better job offer elsewhere (I e-mailed a friend at VMware Canada last week and the message bounced… he turned up at Microsoft Canada this Monday).  Sometimes we are just fed up, and we leave of our own accord.  Of course there is also the termination for cause, and we all hope to avoid that.

All of those are reasons we could have done something about… but when the company simply cannot afford to pay us anymore – they don’t need five IT guys and are downsizing to three, or the project we were hired for was cancelled – it can come as a shock… we did nothing wrong, and there was nothing we could have done to prevent it.  We’re just… gone.  This is a lousy situation.

A few years ago I went to the US border to apply for my TN visa so that I could work in that country.  Please remember that US border agents are quite loyal, and very protective of their country.  I was trying to explain to the agent what I did as an IT Pro helping companies to virtualize.  After a few minutes he said to me ‘Let me get this straight: you want me to let you come into my country to teach companies how they can become more efficient and need fewer American workers.’  I could feel his eyes boring into me like lasers.  But the truth is I always felt that the students who learned from me would always be safe, because I was helping to prepare them for the inevitable shift in the industry.  And yet there I was, looking for work… for a long time.

The friend who pinged me this morning was one of those students… I taught him virtualization and System Center, and those are two very important skills to know.  But how do you prepare yourself for the company canceling the project?  It’s not easy.

I have said for years that one of the worst advancements in IT with regard to the IT Pro field was the advent of Microsoft Windows.  In the days of DOS, Novell, and AccPac computers were a mystery to most people, and it was only the real IT Pros who could make sense of everything for the masses.  With Windows’ ‘Press Here, Dummy!’ interface myriad people figured it out, and started calling themselves IT Pros.  Some of those people would eventually learn what was really under the hood, get certified, and thrive… but a lot of them did a lot of our customers a disservice and made those people and companies distrust the entire profession.  I see that coming back to haunt us even worse: in a time when automation and virtualization are making things easier for the fewer IT Pros needed, we are living through the worst of times for the profession.

What is the solution?  I don’t know… but I do know that we can’t put the genie back into the bottle, and it is going to get worse before it gets better.  I hope we are all able to weather the storm.

Surface Pro 3 and Windows 8: Not everybody’s cup of tea

I’ve said it before and I’ll say it again… I do like my Surface Pro 3.  With that being said, I know everyone has different tastes, and some people are not going to like it.  A couple of months ago my sister, a long time Mac user (and Apple Fanboi) told me that her new job would be giving her a Pro 3, and asked what I thought of it.  I told her – it predated my realizing the extent of the network issues – that I loved it, and expected she would too.

Last week she e-mailed me to tell me that she really hated it.  It crashed a number of times in the first week, and she does not have the patience for these errors – she said her Macs (all of them) just work, and don’t have blue screens of death or other issues.

Now to be fair to the Surface team, a lot of the issues she outlined had to do with Windows 8.1, Microsoft Office, OneDrive, and the Microsoft Account.  I understand her frustration – if you take the device out of the equation, those are four different products from four different teams that are all supposed to work together seamlessly… but don’t.  I respect that Microsoft has a lot of different products, but if you are going to stop talking about products and start talking about solutions then you should make sure your teams work together a lot closer to make sure that seamless really is seamless.

I probably know Windows better than 99.5% of the population, and work very fluently across these four products… but one of the reasons for that is because I have come to understand that sometimes the seams between them are going to show, and like a Quebec driver I have learned better than most to navigate the potholes.  However if Microsoft really wants to stay at the top in an era where customers do want things to just work, they had better get off their butts, come down off their high horses, and start making sure that seamless really is just that.

I want to be clear… I am not trading in my devices for Macs (or Linux).  While I do have an iPhone (See article) I would just as soon have an Android or a Windows phone.  I love Windows 8.1, and even now at my office I cringe at having to work with Windows 7 (Ok, cringe is a strong word… I just wish it was Windows 8.1!).  However I have worked with iPads, Androids, Macs, and more, and I know that those solutions do make for a better experience with regard to some features than the Microsoft ecosystem.  I hope that under Satya things get better… but nearly a year into his tenure and I don’t see much progress.

In the meantime I am strongly considering going to open an account at one of the banks that is currently offering free iPad Minis to new account holders!

The Price of Quality

During the summer I was sitting with a student of mine having a drink after class.  For those of you who do not know me, let me reassure you that I have not in many years taught anyone who was not old enough to drink.

We were sitting in a bar in Portland, Maine and after reviewing their brief list of scotch whiskeys I ordered an eighteen year old Macallan.  He ordered a beer, and as we took our first sips he told me that he couldn’t justify paying $12 for a scotch when the $7 scotch was just as good.  For the record this was a very reasonable bar.

I told him that for my tastes they are nothing near the same.  He said ‘Okay, so let’s say the more expensive scotch is 10% better than the cheaper scotch, does that really justify the expense?’  I asked if he had ever tried the ‘good stuff’ and he admitted that he had not.  He did like scotch, and was happy to be proven wrong.

I called the bartender over and explained our disagreement.  I asked her to pour him a glass of the eighteen year old Macallan, and asked if she would mind giving him just a sip of the twelve year old Glenfiddich (no slouch, but definitely the inferior of the two) to compare it to.  He tasted the Glenfiddich, and then (after a sip of water) tasted the Macallan… and you could see in his eyes with that first sip that he knew I was right… the difference was definitely substantial!

Of course, there was a time when I did not appreciate the difference either.  When I was in the army I drank cheap scotch and smoked cheap cigars; my first car was a used Subaru Justy.  The truth is that in life you get what you pay for.

The day I took my first sip of single malt scotch was the day I stopped drinking blends.  The day I smoked my first Cuban cigar (yes, my American friends, it is legal in Canada… although I smoked it in Israel where it was also legal) was the day I stopped smoking the crappy ones.  As I have said many times I would rather have one good scotch than three mediocre ones, and I would rather have one good cigar than three crappy ones.

For the record I drove that Subaru Justy for 9 months until it started falling apart, and didn’t trade too far up.  There is a difference between relatively inexpensive consumables and transportation, and in the years after my release from the army I was in no financial shape to buy anything nicer.  However I had driven better cars and looked forward to the day when I would be able to buy one… and I did.

Quality costs money.  You can buy an inexpensive suit and it will last a few months before the signs start to show, or you can buy a better suit that will last longer (I am told… I haven’t bought a lot of good suits in my life).  You can buy a cheap suitcase and expect to replace it after a number of uses (been there, done that!) or you can buy high-end suitcases that will last.  When my wife told me what she paid for my Briggs and Riley luggage I nearly fainted; five years and hundreds of flights later I swear by those suitcases, and have since bought several of the matching bits to complete the collection.

It is no different when you buy a computer, or when you hire an IT Professional.  You (more often than not) get what you pay for.  Higher end systems last longer and work better, and higher end IT Professionals will save you money in the long run.

Unfortunately when it comes to IT Pros sometimes you do not get what you paid for.  I have heard horror stories from customers and community members about consultants who over-charge and under-deliver.  That is why, just like when you choose a tailor, price should not be the only factor.  You have to do your research… look them up on-line, ask people for recommendations, and when interviewing the IT Pro (yes, you can and should do that) you should ask for references.  While a list of certifications is important, it means nothing without a list of prior satisfied customers.  Let’s face it, people can cheat on exams… it is a lot harder to cheat on your clients.

It sounds like I am perpetuating the cycle that you can’t get experience without a job and you can’t get a job without experience.  That is absolutely not the case.  Inexperienced IT Pros should spend some time working for more seasoned IT Pros who can show them the ropes, guide them, and have them work on projects which will give them experience.

Of course this means that more often than not an IT Pro will not work for the same company for his entire career.  That was the case before anyways, even though it may not have been explained as such.  However as an IT Director it would be irresponsible of me to give a large architecting contract to an inexperienced IT Pro (IT Amateur?) who may have learned from books but has never been hands on.  In the same way, I would never let a new tailor who just bought his first sewing machine make my suits… although it would not bother me if that young tailor was assisting with or being supervised by a more seasoned tailor.

While I am not a supporter of unions, I believe the electricians have it right.  After school you take an apprenticeship, and that could have you sweeping floors on some days and doing work that some people today seem to feel is beneath them.  It is how you pay the Master Electrician for whom you are working back for taking you under his (her) wing and teaching you.  After the apprenticeship you get licensed, and soon enough (I do not know when or how) you too become a Master Electrician.

I would love to see the same sort of system in place for IT Professionals, but I know that it is just a dream.  However without that sort of system it is incumbent upon our new IT Pros to seek out the mentorship of experienced IT Pros, and if some of those were to take on that responsibility I believe that we would have a profession worthy of the respect that I hope we are generally afforded.

And now, as I close, I am going to put my laptop back into my Briggs and Riley laptop bag, and rest for the remainder of the flight which, I hope, is being flown by a very qualified and well-paid pilot.

This is getting interesting…

Last year I was asked to participate in the Canadian launch tour for Microsoft Office 365.  At first I was hesitant, but I am really glad that I did.  I got to meet and speak to a lot of interesting people across the country who do not usually come out to my sessions on Windows Server, Virtualization, and System Center 2012.

After my presentation and demos in Toronto my friend and local (well… Guelph) SMB-guru Sharon Bennett came to speak to me in the Microsoft booth, and told me that she was surprised by a lot of the features I was able to demonstrate with the new software and SAAS (Software As A Service) offerings from Microsoft.  We had a good discussion during which she confided that she had been a loyal GMail user for years, but based on my demos she was going to try out Office 365.

Like most of you, I get a lot of ‘interesting’ titles in my Inbox, although my spam filter does a great job of keeping most of them out of sight.  So when I saw one this morning with the title ‘50 Shades of Grey’ I was surprised.  When I saw that Sharon’s name was attached to it I decided to investigate… and sure enough, it was a legitimate article from my favorite SMB Blogger 🙂

E-Mail Affairs: My Version of “50 Shades of Grey” is a very interesting read about a relationship that many of us have – this almost sordid affair with our e-mail provider; how we are expected to be fiercely loyal, but how when we veer from that path it can be exciting and such.  As with real-life affairs it can even lead to an eventual break-up.

I am always happy to read Sharon’s writings, and hope one day to be able to attend one of her sessions.  If you are interested in SMB IT from a fresh and fun perspective I suggest you give her a read!

What not to Learn… Revisited for 2013!

In October, 2011 I posted an article called vPTA: What NOT to take away from my 1-day virtualization training!  It was only partly tongue-in-cheek on the environment that I have been using for several years to demonstrate server virtualization from a pair of laptops.  A few months later Damir Bersinic took that list and made some modifications, and published it on this blog as Things NOT To Take Away from the IT Virtualization Boot Camp.  Because we spend so much time in our IT Camps demonstrating similar environments, I decided it was a good time to rewrite that article.

Normally when I revisit an article I would simply republish it.  There are two reasons that I decided to rewrite this one from scratch:

  • The improvements in Windows Server 2012, and
  • My more official position at Microsoft Canada

Since writing that original article I have tried to revise my writing style so as to not offend some people… I am trying to be a resource to all IT Professionals in Canada, and to do that I want to eliminate a lot of the sarcasm that my older posts were replete with.  At the same time there are points that I want to reinforce because of the severity of the consequences.

Creating a lab environment equivalent to Microsoft Canada’s IT Camps, with simple modifications:

1. In our IT Camps we provide the attendees with hardware to use for their labs.  Depending on the camp, attendees will work in teams on either one or two laptops.  While this is fine for the Windows 8 camps, please remember that in your environment – even in a lab where possible – you should be using actual server hardware.  With virtualization it is so simple to create a segregated lab environment on the same server as your production environment, using virtual switches and VLAN tagging.  In environments where System Center 2012 has already been deployed it is easy enough to provision private clouds for your test/dev environments, but even without that it is a good idea.  The laptops that we use for the IT Camps are great for the one- or two-day camps, but for longer than that you are going to risk running into a plethora of crashes that are easy enough to anticipate.

2. You should always have multiple domain controllers in any environment, production or otherwise.  Depending on who you speak to many professionals will tell you that at least one domain controller in your domain should be on a physical box (as opposed to a virtual machine).  I am still not convinced that this does not fall into the category of ‘Legacy Thinking’ but there is certainly an argument to be made for this.  Whether you are going to do this in physical or virtual, you should never rely on a single domain controller.  Likewise your domain controllers should be dedicated as such, and should not also be file or application servers.

3. I strongly recommend shared storage for your virtualization hosts be implemented on Storage Area Networks (SANs).  SAN devices are a great method of sharing data between clustered nodes in a failover cluster.  In Windows Server 2012 we have included the iSCSI Software Target that was previously an optional download (The Microsoft iSCSI Software Target is now free).  While this is still not a good replacement of physical SANs, it is a fully supported solution for Windows Failover Cluster Services, including for Hyper-V virtual machine environments.  It is even now recognized as an option for System Center 2012 private clouds.  As well the Storage Pools feature in the new Server is a compelling feature to consider.  However there are some caveats to consider:

A. Both iSCSI software targets and Storage Pools rely on virtual storage (VHDX files) for their LUNs and Pools.  While VHDX files are very stable, putting one VHDX file into another VHDX file is a bad idea… at least for long-term testing and especially for production environments.  If you are going to use a software target or Storage Pool (which are both fully supported by Microsoft for production environments) it is strongly recommended that you put them onto physical hardware.

B. While Storage Pools are supported on any available drive architecture (including USB, SATA, etc…) the only architectures that will be supported for clustered environments are iSCSI and SAS (Serial Attached SCSI).  Do not try to build a production (or long-term test environment) cluster on inexpensive USB or SATA drives.

C. In our labs we use a lot of thin-provisioned (dynamically expanding, storage-on-demand) disks.  While these are fully supported, it is not necessarily a best practice.  Especially on drives where you may be storing multiple VHDX files you are simply asking for fragmentation issues.

4. If you are building a lab environment on a single host, you may run into troubles when trying to join your host to the domain.  I am not saying that it will not work – as long as you have properly configured your virtual network it likely will – but there are a couple of things to remember.  Make sure that your virtual domain controller is configured to ‘Always Start’ rather than ‘Always start if it was running when the service stopped’.  As well it is a good idea to configure a static IP address for the host, just in case your virtual DHCP server fails to start properly, or in a timely fashion.

5. Servers are meant to run.  Shutting down your servers on a daily basis has not been a recommended practice for many years, and the way we do things – at the end of the camp we re-image our machines, pack them into a giant case and ship them to the next site – is a really bad idea.  If you are able I strongly recommend leaving your lab servers running at all times.

6. While it is great to be able to demo server technologies, when at all possible you should leave your servers connected (and turned on) in one place.  If you are able to bring your clients to you for demos that is ideal, but it is so easy these days to access servers remotely on even the most basic of Internet connections.  If your company does not have a static IP address I would recommend using a dynamic DNS service (such as dyndns.com) with proper port-forwarding configured in your gateway router to access them remotely.

7. I am asked all the time how many network adapters you need for a proper server environment.  I always answer ‘It depends.’  There are many factors to consider when building your hosts, and in a demo environment there are concessions you can make.  However unless you have absolutely no choice it should be more than one.  For a proper cluster configuration (excluding multi-pathing and redundancy) you should have a production network, a storage network, and a heartbeat network… and that is three just for the bare minimum.  Some of these can share networks and NICs by configuring VLANs, but again, preferably only in lab environments.  Before building your systems consider what you are willing to compromise on, and what is absolutely required.  Then build your architectural plan and determine what hardware is required before making your purchase.

7a. While on the subject of networks, in our demo environment the two laptop-servers are connected to each other by a single RJ-45 cable.  BUY SWITCHES… and the ones that are good enough for you to use at home are usually not good enough for your production environment!

8. When it is at all possible your storage network should be physically segregated from your production network.  When physical segregation is not possible then at least separating the streams by using VLANs is strongly recommended.  The first offers security as well as bandwidth management, the second only security.

9. Your laptop and desktop hardware are not good-enough substitutes for server-grade hardware.  I know we mentioned this before, but I still feel it is important enough to state again.

10. In Windows Server 2008 R2 we were very adamant that snapshots, while handy in labs and testing, were a bad idea for your production environment.  With the improvements to Hyper-V in Windows Server 2012 we can be a little less adamant, but remember that you cannot take a snapshot and forget about it.  When you delete or apply a snapshot it will now merge the VHDX and AVHDX files live… but snapshots can still outgrow your volume so make sure that when you are finished with a snapshot you clean up after yourself.

11. Breaking any of these rules in a production environment is not just a bad idea, it would likely result in an RGE (Resume Generating Event).  In other words, some of these can be serious enough for you to lose your job, lose customers, and possibly even get you sued.  Follow the best practices though and you should be fine!
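Several of the points above (1 and 8 on VLAN tagging, 3C on dynamically expanding disks, 4 on the domain controller's start action, 10 on forgotten snapshots) can be checked on a Hyper-V host with a short read-only script. This is an added example, not part of the original post or of Microsoft's IT Camp material; the VM name `LAB-DC01` and the 7-day snapshot threshold are placeholder assumptions, and the function names are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example: read-only audit of one Hyper-V host (Windows Server 2012 Hyper-V module).
# Run from an elevated session on the host. Nothing here changes any setting.
# Assumptions: 'LAB-DC01' and the 7-day threshold are placeholders, not values from the post.

function New-Finding([string]$VM, [string]$Item, [string]$Detail) {
    [pscustomobject]@{ VM = $VM; Item = $Item; Detail = $Detail }
}

function Get-LabHostFinding {
    [CmdletBinding()]
    param(
        [string[]] $DomainControllerVm = @('LAB-DC01'),  # hypothetical VM name(s)
        [int]      $MaxSnapshotAgeDays = 7               # hypothetical threshold
    )

    $cutoff = (Get-Date).AddDays(-$MaxSnapshotAgeDays)

    # Cache each virtual switch's type (External / Internal / Private).
    $switchType = @{}
    foreach ($sw in Get-VMSwitch) { $switchType[$sw.Name] = $sw.SwitchType }

    foreach ($vm in Get-VM) {

        # Item 4: the virtual DC must start with the host, whatever its previous state.
        # Fix with: Set-VM -Name <vm> -AutomaticStartAction Start
        if ($DomainControllerVm -contains $vm.Name -and $vm.AutomaticStartAction -ne 'Start') {
            New-Finding $vm.Name '4' "AutomaticStartAction is '$($vm.AutomaticStartAction)'; expected 'Start'"
        }

        # Item 10: snapshots that were taken and forgotten keep growing their AVHDX files.
        foreach ($snap in Get-VMSnapshot -VMName $vm.Name) {
            if ($snap.CreationTime -lt $cutoff) {
                New-Finding $vm.Name '10' "Snapshot '$($snap.Name)' dates from $($snap.CreationTime.ToString('yyyy-MM-dd'))"
            }
        }

        # Item 3C: dynamically expanding disks are supported but fragment over time.
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            if ($disk.Path -notmatch '\.a?vhdx?$') { continue }   # skip pass-through disks
            $vhd = Get-VHD -Path $disk.Path
            # Differencing disks (a VM with snapshots) are already covered by the item 10 check.
            if ($vhd.VhdType -eq 'Dynamic') {
                New-Finding $vm.Name '3C' "Dynamically expanding disk '$($vhd.Path)', $($vhd.FragmentationPercentage)% fragmented"
            }
        }

        # Items 1 and 8: an untagged adapter on an external switch shares the physical
        # network with everything else on that NIC. Review these; an adapter on a
        # physically dedicated NIC is fine without a tag.
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
            if (-not $nic.SwitchName) { continue }                # adapter not connected
            $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
            if ($switchType[$nic.SwitchName] -eq 'External' -and $vlan.OperationMode -eq 'Untagged') {
                New-Finding $vm.Name '1/8' "Adapter '$($nic.Name)' on external switch '$($nic.SwitchName)' has no VLAN tag"
            }
        }
    }
}

Get-LabHostFinding | Sort-Object VM, Item | Format-Table -AutoSize -Wrap
```

An empty result means none of the four checks fired on that host; it says nothing about the points that need physical inspection, such as server-grade hardware, multiple domain controllers, or real switches.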

Microsoft Canada Partner Summit: CATCH IT!


Hey folks!  If you are a Microsoft Partner in Montreal, Toronto, or Vancouver then I’m happy to tell you that I am coming back to town!  Of course, I won’t be alone… I am coming with the whole Windows and Office Partner Summit!

Windows 8, the new Office and Windows Server 2012 are coming soon and if you are a Reseller Partner, we would like to invite you to the Partner Summits on Windows and Office. This is your opportunity to get the latest sales training and information on Windows 8, the new Office, and Windows Server 2012. Join us for this in-depth training event delivered by Microsoft subject matter experts and experience the simplicity, speed, beauty, and power of these exciting new products.

HP, Intel, Lenovo, Samsung, Sony, Toshiba and Microsoft Hardware will be showcasing their latest hardware for you to try out.

Register today as space is limited for an event in the city near you:

Montreal, QC – November 15, 2012

Toronto, ON – November 21, 2012

Vancouver, BC – November 28, 2012

Additionally, connect with representatives from Microsoft authorized distributors in Canada.

This training will take you through what’s new in Windows 8 and the new Office and how you can take advantage of the great opportunities these products offer you. The day will also cover a breadth of valuable information including:

  • Value for Business
  • Sales Opportunities
  • Devices
  • Partner Incentives
  • Product Demos
  • Licensing
  • …and more!

I will be speaking on two topics: Windows 8 Device Management and Windows Server 2012.  Additionally, I will be doing some of the demos to help a couple of the presenters.  I’d love to see you there, so come on out and say hi!

…and remember to download your evaluation copy of Windows Server 2012 today!

Windows 8: Why you should be excited!

This post was originally published on the Canadian IT Pros Connection

It is finally here. Microsoft’s most anticipated operating system in years is ready for prime time, and all around the world the enthusiasts are downloading bits, stores are putting out their new offerings with the new OS, and IT Pros around the world are asking the same question they have asked for years: do I need to upgrade my organization?

Of course, this is not a question that is going to be new to you as IT Pros. You evaluated Windows 7 and the answer was a resounding yes. For many organizations that transition has only recently completed or, in some cases, is still going on. For enthusiasts the question may be as simple as ‘what’s new and exciting?’ but for professional organizations you as IT Pros will have to make a business case that demonstrates a solid return on investment (ROI) and a lower total cost of ownership (TCO).  In this article I will demonstrate the value of Windows 8 that will help make the decision to begin a transition plan for your organization easier.

The Application Compatibility Story

One of the biggest roadblocks that organizations had to consider when planning their migration to Windows 7 was application compatibility. It really didn’t matter how good the new OS was, if their business applications did not work then they had a problem. Fortunately there were several mitigations for incompatible applications, and most organizations were in the end able to deploy Windows 7. Nearly all of those mitigations will port over to Windows 8 (including the Application Compatibility Toolkit shims, Microsoft Enterprise Desktop Virtualization (MED-V), and Remote Desktop Applications (RD Apps)). In short, if your applications worked in Windows 7, they will work in Windows 8… period. The goal of the development team was a one hundred percent (100%) application compatibility story between Windows 7 and Windows 8, and it looks like they achieved it. Wow.

But what about Windows 8 (modern) apps?

Windows 8 apps are not backward compatible to earlier versions of the OS; but that is not what you are trying to achieve. All of your Windows 8 apps will work on Windows 8, as well as all of your Windows 7 apps – whether they be on the desktop, in an RD session, or in the modern interface.

I’ve already built this whole deployment infrastructure for Windows 7…

Whether you used the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager (ConfigMgr) as the engine to deploy Windows 7, you have already built the deployment infrastructure needed to deploy Windows 8. You may need to upgrade MDT (updating MDT is not a difficult process, and from there upgrading your MDT Deployment Points (DPs) is a right-click away) or apply a service pack for System Center, but once you have done that all you are going to have to do is import your Windows 8 into your DPs and then create a new Task Sequence (TS). That’s it… nothing more. Once your DPs are updated you are ready to deploy Windows 8, and since your application packages from Windows 7 are all compatible with Windows 8, you are golden!

But what about Windows 8 (modern) apps?

While your modern apps are going to install differently from your legacy apps, rest assured that they will still deploy from your MDT and ConfigMgr deployment points. Of course you have probably heard about the Windows Store, and as a one-off you will still be able to buy apps from there; however for your deployment scenarios you will be able to side-load your modern apps from your DPs.

Won’t I have to retrain my users?

When you start Windows 8 it is going to look different from Windows 7 – you guessed it, the Start button is gone. In its place is a full-screen Start Menu that is going to take most users 5 minutes to understand and not much longer to get used to. Beyond that, the OS goes out of its way to be more user friendly than its predecessor. The new interface is optimized for touch, but is just as easy for users working with the mouse and keyboard to navigate.

Now it is true, as the IT Pro you may need a little more training than your end-users; not much, but some. Chances are you will be able to read a few blog articles (such as those on the Canadian IT Pro Connection) to get up to speed, but if you do need more there is training already available for you in many forms – the Microsoft Virtual Academy will have lessons that you can go through in order to get up to speed quickly. Microsoft Learning currently has a number of courses in beta which you will be able to take at a Learning Partner; additionally there are several exams that you will be able to take to prove your competency in the new platform, both to yourself and to potential customers and employers. The Microsoft Certified Solutions Advisor (MCSA) is a great way to prove that you are not only competent, but that you have taken the time to learn it right and to prove it.

Microsoft Learning has revamped their certifications in this its twentieth year of operations. The Solutions in MCSA means that certs are no longer focused on individual products, but on the infrastructure as a whole, which means that you should not be surprised to see questions about some of the Solution Accelerators that Microsoft offers (such as the Microsoft Deployment Toolkit, and the extremely handy Microsoft Assessment and Planning Toolkit). They have been listening to you and understand that we are not deploying Windows in a vacuum, and understanding the different components of the ecosystem and how they work together is more important to you than knowing what button to press.

How do I know what SKU is right for me?

Once again Microsoft has listened to you; the Windows 8 SKU line-up is now simpler, with Windows 8, Windows 8 Pro, Windows 8 Enterprise, and Windows 8 RT (for ARM based devices).

For businesses large and small there are really only two editions: Pro builds on Windows 8 with key security, mobility, and virtualization features. The most notable feature improvement in Windows 8 Pro over Windows 7 is BitLocker, the drive encryption technology that was previously only available in the Enterprise SKU.

Windows 8 Enterprise brings key mobility benefits such as Windows to Go (WTG), Direct Access, and BranchCache, as well as even more virtualization benefits with Virtual Desktop Infrastructure (VDI).

Windows RT is a new member of the Windows family, and will come installed on devices with ARM processors. For users who have been asking for tablet devices that are light, easy to use, have a long battery life, and deliver a high quality and predictable experience, tablet devices running Windows RT are the obvious answer. They are the only tablets on the market that run the same applications as you do on your desktop. That means there is no need to convert your files, and you will not lose any formatting going from one device to the other. Additionally if you buy an app from the Windows Store for your desktop it will immediately work on your tablet as well.

Windows RT offers another distinct advantage over competitive devices – security. With on-device encryption you can rest assured that the data that is important to your business remains secure.

But what about my legacy apps?

It is true, Windows RT will not have a desktop mode that other editions will have. However it will have the same Remote Desktop application that all Windows 8 devices have, and will be a great platform for RemoteApps and Remote Desktops, and is the ideal platform for Bring Your Own Device (BYOD) scenarios.  Additionally it comes complete with several VPN clients built in, including Cisco, CheckPoint, and of course the Microsoft VPN client.

Some of my users love the Windows 8 features, but occasionally need Windows 7…

It is not uncommon to hear of situations like this, which is why Virtual PC was such a popular download in Windows 7. Client-Side Hyper-V is going to be very popular for those people who want the speed and security of Windows 8, but also need to support older platforms. Hyper-V on Windows 8 offers the same Layer 1 hypervisor that you use in your datacenter servers, and allows you to run an operating system within your operating system – whether that is Windows 7, XP, Windows Server, or any supported flavor of Linux. In fact, as long as you can install it on x86 hardware, you can install it in a virtual machine.

If you are tight on RAM then dynamic memory in Hyper-V will be a godsend to you, allowing you to set Startup RAM, Minimum RAM, and Maximum RAM per virtual machine so that it only uses what it needs at any given point. For advanced users running multiple VMs in your client the Memory weight and Memory buffer make it easier to allocate contention resources where they are most crucial.

With very few exceptions, almost all of the features of Hyper-V in Windows Server 2012 are available on the client, with a few obvious exceptions that nobody is really going to miss. Knowing that, many IT Pros will seize this opportunity to get to know Hyper-V before they set out to deploy it in their datacenter servers!

I feel the need… for speed!

Windows 7 was the fastest OS that Microsoft had released in many years; once it was booted, it was faster than Windows XP (on hardware that supported both systems), not to mention Windows Vista. Windows 8 has only improved on this, with a much faster boot time, as well as improvements to memory management that prevent memory clogs where applications that are loaded but not in use cause your system to slow down. The development team was very conscious of the fact that modern users do not want to be kept waiting by their PCs, laptops, and tablets; you need devices that move at the speed of life, and Windows 8 will do just that.

Microsoft has made the hardware certification process much stricter on Windows 8 than it has been, ensuring higher quality devices and minimizing compatibility issues. However if you have recently gone through a hardware refresh never fear… Windows 8 runs amazingly well on legacy hardware as well!

Where do I start?

The best way to get to know any operating system is to start using it. Download your free trial today, and if you do not have hardware to dedicate to it, there are several ways you can try it out without having to go out and spend the money – there are a number of articles on the best ways to do that, and we recommend you try out one of them on your existing laptop today.

Of course, if you are a real enthusiast, then you may want to head down to the nearest retail outlet (such as the Microsoft Store) and purchase a new Designed for Windows 8 device on October 26th, and if you are like me, you will want to get a touch-enabled device!

Windows Server IT Camps: Server 2012!

Although our events are usually quite well attended, few have ever been as well received as the IT Camps that we’ve been holding across the country since last January. To date we’ve held Windows Server 2008 R2 SP1 Virtualization Camps, Windows Server 2012 Install Camps, Private Cloud Camps with Windows Server 2008 R2 SP1 and System Center 2012 and we’re currently making our way to a city near you with Windows Server 2012 IT Camps.

An IT Camp is a fun and collaborative event where you will get hands-on experience with the tools and products while completing a series of team challenges. Our Windows Server 2012 Camps are complimentary, full day sessions where we cover the basics of Windows Server 2012, Hyper-V 3.0, virtual machine migrations and then dive in to scalability, capacity, storage and high availability. We go through an overview of System Center 2012 and look at Virtual Machine Manager. We take our lab environment through its paces as we enable the Hyper-V role, complete Shared-Nothing Live Migrations, configure Storage Spaces, create a cluster and make one of our virtual machines highly available on a private cloud. It’s quite a jam-packed day and you certainly can’t beat the price!

Find out more about Windows Server 2012 IT Camps>>

Can’t join us in person? Don’t despair — there are plenty of online resources to help you out. Here are a few of my favourites:

– Download an evaluation copy of Windows Server 2012 for your own lab
– Download the PowerPoint deck for the Windows Server 2012 IT camps
– Get free, online, modular training with Microsoft Virtual Academy
– Download and read the free eBook, Introducing Windows Server 2012
– Try the Windows Server 2012 and System Center 2012 Online Virtual Labs
– Study for your Private Cloud Certification
– Read the IT Pro Connection blog

The Shoemaker is No Longer Barefoot!

This post was originally written for the Canadian IT Pro Connection blog, and can be seen there at http://blogs.technet.com/b/canitpro/archive/2012/09/13/the-shoemaker-is-no-longer-barefoot.aspx.

For years I have been espousing the need to and value of locking down client workstations in a corporate environment.  Part of the SWMI Story – the secure, well-managed IT infrastructure for which I named my company – is that every user in the organization should have the rights and permissions to do their job… and nothing more.

Most corporate users are issued a computer that they use in the office (and at home or on the road) that is domain-joined, and because of all of the security threats out there the SWMI Story is very clear that it should be locked down.  If they want a computer to surf websites that are not business-related, play games, watch movies or anything else then they should invest in a home computer (or laptop).  I know that it is not fun to travel with multiple laptops (better than most!) but the bottom line is that unsecure client workstations are a stepping stone on the path to compromised server infrastructures… and that is bad news for everyone but the hackers.

One of the reasons that client machines have to be locked down is because most people do not think about IT security during the course of regular computer use.  Because I am always thinking about security, coupled with the fact that if something goes wrong I am pretty good at fixing it, I have been quite lax with my own laptops over the years.  After all, I own them and the servers; I built and maintain the infrastructure, and of course I am in charge of IT security.  So for the last few years, as I have been advocating otherwise, I have been logging on as the Domain Administrator on every laptop I have carried.

Last week I joined Microsoft Canada’s DPE Team as a Virtual Technical Evangelist.  Although it wasn’t actually a requirement, there were real advantages to reimaging my primary laptop (an HP EliteBook 2740p) with the Microsoft corporate image.  I was all happy once it was done… until I went to perform a simple operation and got a UAC window asking me for administrative credentials.  I entered my corporate credentials… and had a sinking feeling in my stomach when it came back with a DENIED message.

Fortunately the internal image allows you to install Windows with a local Administrator account; I was able to add my corporate account to the Local Administrators group so I don’t have to keep going into that account to make changes.

For the first time in many years I am not an exception to the rule… and rather than trying to find a way around it, I accept that while I need to be a local administrator, there is no way that anyone is going to make me a domain admin.  However this means that I am exactly in line with the statement I made in the opening paragraph… I have the permissions to do my job, and nothing else.  In order to do my job I need to be a local administrator… and nothing more!