I learned something new today: SCOM 2007 R2 certificate based communications not only checks the validity of the certificate you use, but also the CA that issued it…let me expand:

Like many organisations there is a root CA (we’ll call it ROOTCA01), and then a subordinate CA (we’ll call that SUBCA01). OPSMGM01 has a certificate to identify itself and has certificates for ROOTCA01 and SUBCA01 in it’s Trusted Root Certificate Authorities.

Just a quick script to set the Path Selection Policy on any LUNs on a host that do not have your target policy enabled. The script sets the server to Maintenance mode first, evacuating any VMs if you are in a full DRS automated environment. While this is not strictly necessary, it was required for my production environment just to be safe.

The DFS monitoring tool in SCOM 2007 has some great features, which will replace many a custom VB script running in enterprises. As with a lot of Management Packs, to get the most out of it you need to have a dedicated RunAs account with local admin permissions on the servers you are monitoring (e.g. for the Backlogged Files reporting).

The easy (and wrong) option here is to go with the less secure option and distribute a RunAs account to ALL servers. There are lots of reasons why you wouldn’t want to distribute the credentials to every server in your SCOM installation – but just from a security standpoint, you shouldn’t do it! Selecting the “More Secure” option and distributing credentials only to servers which will require them is a much safer bet.

It seems that despite my previous experiences with TMG 2010 , I still stumble when creating a TMG array . Here are some “notes to self”, which will hopefully stop me making the same mistakes next time

OTRS is an exceptionally flexible ITIL compliant ticketing/helpdesk solution, which runs beautifully on almost any LAMP (Linux, Apache, MySQL, Perl (yes, I know it’s PHP really;-)) server, but what happens when you work in a Windows-only environment? OTRS does have a Windows installer, but it is somewhat clunky and requires almost as much work to configure as manually installing. Installing as components allows you to upgrade portions of the system and have more granular control over the setup.

It’s a fairly common requirement – setting up a guest WiFi network that is secure from the rest of your LAN. You need a secure WLAN access for the domain laptops which has full access to the Server and Client VLANs, but you also need a guest WLAN for visitors to the office which only allows internet access. Since the budget is limited, this must all be accomplished via a single Access Point – for this article, the access point is a Cisco WAP4410N.

As with all things IT the pace of technology change is relentless and we are constantly and rightly told that change is good and that being able to evolve and move with the times is an important skill and ability.

However I am often left wondering how we can maintain a balance. I have all to often seen IT professionals falling into the trap chasing the latest and greatest and rushing to try to implement or learn new emerging technologies without much thought to what they already have.

Configuring WSS or SharePoint Services for a small client is a pretty effective way of getting a document management solution for a reasonable cost point. One of the limitations that caused headaches was that it used to have a maximum storage of 4GB, which was the database limit. If you wanted to go larger, you would need either a) multiple SPS installations, b) a full version of SQL server, or c) the full version of MOSS. None of those solutions are particularly cost effective, and for a small company cost is king.

SSTP or SSL VPN connections are great for people working on client sites or behind very restrictive firewalls – they only require HTTPS (port 443) to be open to be able to connect. Unfortunately, you need to be running Windows 7 or Server 2008 (or newer) in order to make use of them. Threat Management Gateway 2010 is one option for an SSL VPN endpoint.

SSTP VPN Requirements

• Clients must be Windows 7/Server 2008 or newer
• Certificate – either commercial or an internal Certificate Authority
• Published CRL – SSTP clients check for the Certificate Revocation List of the CA
• If you already have an SSL listener (e.g. for Exchange publishing rules) then you need a dedicated IP address for the SSTP connection

TMG is configured as a “back-firewall” in this environment, with an adaptor in the LAN and one in the Perimeter (DMZ). The DMZ has a NAT relationship to the External public IPs.

I am a firm believer in trying to keep things simpler where ever possible (but not for the sake of it) In years gone by I have heard many admins lament about the complexities of deploying IIS to work alongside third party plugins such as PHP. I can remember numerous occasions where I have wrestled with the config and “best practice”.

I am however glad to say finally Microsoft have taken notice of this and produced a very simple and effective deployment toolkit.