Vendetta

Onlangs vroeg Michel bij Manuel wat ‘jullie’ hebben tegen Henk. Ik maak deel uit van de aangeschreven ‘jullie’ dus hier even mijn visie… Merk op dat mijn eerste antwoord trouwens niet het oude vertrouwde ‘napalm‘ is maar toch iets gestructureerder, althans een poging daartoe…

Allereerst heb ik niks tegen standup comedian Henk Rijckaert. De man doet iets waar ik absoluut geen zin in heb laat staan het zou kunnen en dat is op een leeg podium kruipen met een microfoon in de hand en daar dan grappig staan doen. Wat ik wel heb daarentegen is een mening - en dat mag in deze maatschappij iedereen hebben.

Die mening is dat ik Henk Rijckaert op bepaalde momenten gewoonweg niet grappig vind - misschien het soort gebrachte humor dat eerder mensen aanvalt in plaats van situaties en vergelijkingen met ‘populair’ culturen zoals gebracht door Nigel Williams, Alex Agnew, Philippe Geubels, Wim Helsen en Gunter Lamoot, misschien de ietwat overdreven ‘tshirt over het hoofd’ look met de pinguins - idonno. Gewoon niet ‘my cup of tea’. Waar de mening dan verder gaat is het storende element dat de rechtstreekse entourage van Henk Rijckaert de man echter zo ongeloofelijk staalhard en zonder weergang blijft ophemelen alsof hij op één maand tijd het Leids Cabaratfestival, de Humo’s Comedy Cup, het De Lunatic Comedy Award en de Comedy Casino Cup heeft gewonnen.

Mijn kritiek gaat dus niet richting Henk (zoals dhr Rijckaert steevast tutoyerend wordt aangesproken) maar de hype die er - en dat is mijn mening - ietwat onterecht wordt gegenereerd. ‘Henk’ is niet slecht, het is gewoon niet ‘mijn ding’ - en ik verkondig dit nu eenmaal… Wie het daar niet mee eens is heeft zijn mening maar moet zijn eigen mening daarom niet projectmatig opdringen aan anderen.

Linux / Apache veiliger dan Windows / IIS ?

De belgische pinguin-zealot-wereld kan het eindelijk zelf eens ondervinden dat dit meer afhangt van de (on)kunde van de admins dan van het platform !

Nah.

Links :
Belgische sites krijgen hackers op bezoek @ ZDNet
Tanguyveys.be hacked screenshot @ Flickr

One of the new features that came with Windows XP way back in 2001 was a new version of the Internet Explorer browser in its sixth incarnation. Sadly not much has evolved for IE6 since then giving other browsers such as Opera and the Mozilla-derivates (Netscape, Firefox, …) the chance to catch up.

With the release of Vista comes a new version of Internet Explorer as well, quite originally called Internet Explorer 7. This version is now available in public beta for everyone (that has a legal version of windows, ahem) to try. I downloaded my copy early this week and installed it on my company laptop that, after receiving its third hard disk in under a year, just received a fresh Win XP Pro install.

First looks are important. The main window has been reorganized a bit with the back/forward, reload and stop buttons having been redesigned and put in other locations. The menu’s are switched off by default as well so the overall view does seem fresh and new at first glance – yet I switched on the menu’s again after about 10 minutes but I have to admit that I haven’t really used them at all, so probably going to disable them again later on.

The big hoot is obviously that, finally, IE7 comes with “Tabbed Browsing” – a feature often claimed to be invented by the open source community in its Mozilla forks but having actually paid money for Opera on Windows 3.11 late in the previous century I clearly remember using tabbed browsing back then, we’re talking Netscape 4 and Internet Explorer 2 days here people. While working for DHL I also used the Netscape 7 version of tabbed browsing so mostly I’ll compare features with that browser, my system is Mozilla Free at the moment and I don’t intend to change that. Opera is installed on another system mostly to test my CSS and to fool sites where the webmaster intentionally makes them “Firefox Only”.

Pro’s :

• The small empty tab at the top right of the tab-bar where you can quickly open a new tab with the mouse
• The Quick Tabs (CTRL-Q on your keyboard) that will show all open tabs at a glance and you can just select the one you want
• In the Favorites a small arrow appears next to a link. Click the link and it will open in the current tab, click the arrow and it will open in a new tab.
• It takes getting used to, but I can cycle thru tabs with CTRL-TAB
• ‘Open in new tab’ is at the same location as ‘Open in new window’ in IE6 (right click, 2 times cursor down, enter - yes I’m a keyboard nut)
• CTRL-Click defaults to open in a new tab instead of new window

Con’s :

• Unable to close a tab without activating it first (possible however on the Quick View page)
• Open tabs are not saved when the browser exits (cfr Opera), you have to select ‘Restore last tab group’ when starting the browser and right clicking on the first tab
• ‘Open in new window’ anchors cannot be redirected to open in tabs instead of windows

Except for tabbed browsing IE7 includes an RSS reader as well. I’ve used FeedReader until now but since I’ve got IE7 installed I haven’t really used it anymore

Pro’s :

• Only new items are displayed
• The ‘Feeds’ icon in the toolbar automatically becomes active when a website has feeds available, no need to go hunting in the page

Con’s :

• The default refresh setting is located in a not too obvious position (Right click an entry, Properties, click the “Default Options” button)
• No option to refresh an entire folder at once, you have to click each individual refresh icon

There are plenty of others obviously but I’m just listing what I’ve enjoyed, and scratched my head about, during a single week of using this second beta. Some other random points I’d like to mention

Pro’s :

• Pages actually seem to load and render fasten when compared to IE6.
• Its now possible to (in Opera style) to already show empty blocks for the images while loading so that the site does not completely redraw multiple times when loaded.
• Clear error messages when something goes boom

Con’s :

• Pages still load faster in Opera
• CSS handling is at the moment even worse then IE6, whereas there is expected to be a large improvement in CSS handling in IE7.
• The installer added various “sounds” to my “no sounds” user profile (control panel stuff)

Now I fully realize that this is a public beta and final code is 6 months away at least when Vista will ship so probably many of the con’s listed will be taken care of, or improved at the least. Yet this is a good start of where it’s supposed to be going and I can’t wait to see the final version in full action.

Links :
Internet Explorer Beta 2 Preview

With my years of Citrix administration behind me, there is a single thing that you learn really quickly when administrating those environments: “Do NOT use client printers”. Mostly because they don’t ever work, secondly as you will end up in driver hell before you know it.

The old-fashioned solution for this was to ignore all client printers and put all printers that your users required on the network, use as less drivers as possible and hope it just works. Autocreated printers is a nice feature but this one also maxes out at about 1000 printers (Been there, done that).

Introduced in Metaframe XP (version 2) was the Universal Printer Driver but it didn’t really work that well.. This UPD became usable in Metaframe Presentation Server 3 (MPS3, version 3) and was further improved in Presentation Server 4 (MPS4, version 4 - obviously). Together with MPS4 came an entire rewrite and overhaul of the printing system, something that would do no harm. Well, unless you are used to administering MFXP and MPS3…

The issue I had with a recent setup of MPS4 is that, while you could do group-based autocreation of printers in MFXP and MPS3 this option had disappeared from the Citrix Management Console (CMC) as the entire printer management had moved to the Policies section of the CMC, again this is not a bad thing as such – just not very clear.

So how do you get group-based autocreated network printers in MPS4 ? It took me some time to figure it out but here goes :

• For each printer you have to create a policy, give it an obvious name such as “Create-*printername*”.
• Enable the “Session Printers” option, add the corresponding printer to the list, change settings as required for your environment
• Apply the policy to a “User filter”, set your corresponding access group that goes with your printer

This will ensure that the printer is created at logon for each user of the corresponding access group that is located in your domain.

Now the problem remains that these printers are created at logon and deleted at logoff. This means that, should a user select a default printer in his profile, these settings are not saved as the printer objects are deleted before the profile can be saved.

To prevent this you have to set an additional registry key that will either prevent network printers from being created at logon (you don’t want this) or being deleted at logoff (you DO want this). The key to create set is HKLM/Software/Citrix/Print with DWord value ‘DefaultPrnFlags’. A DWord value of 0×00400000 will prevent printers from being created, a DWord value of 0×00800000 will prevent them from being deleted. Obviously the second value is the one to go for.

What you have done now is that printers are created at logon and no longer deleted at logoff.. If you add a user to a specified access group that controls a printer being created this printer will be added to the users session at next logon to your citrix server. However when you remove the membership the printer will not be removed automatically from the users profile, as the existing printers are not removed at logoff.. If this really is an issue you can always set printing permissions on your printers, this way the printer will still be visible but the user will no longer have any printing rights to it.

Links:
Citrix Support : Imported Network Printers Do Not Retain the Default Printer Setting

Let’s get into a dangerous you-should-not-go-there zone… Browser wars… Well, to start there isn’t really any, now is there.. Each person has the right, and the possibility to choose their own browser, regardless of the operating system. Windows users have – obviously – Internet Explorer but don’t forget Opera or Firefox. Linux users have a plethora to choose from : Konqueror, Netscape, Firefox, Mozilla. Mac users also have a selection between – at least – Safari and – again – something Mozilla based. And to continue Amiga has aWeb and iBrowse, C64 has the Wave or Contiki, even BeOS has multiple browser.. So you see, enough choice !

Now where’s the problem ?

Some people will actually FORCE you to use the browser of their choosing. An example that pissed me off is the new design of Fallen Angels “Denktank”, designed by MrVazil. The CSS will not work in Internet Explorer whatsoever and the blaming is just done onto the Internet Explorer CSS interpreter… To go on with the politics there is a “Stop IE” button in the sidebar but to totally top it off, there is a fake, viral and utterly misleading “Internet explorer is not rendering this site correctly, please click here for more info” (the reason why I noticed something fishy is because, although my regional settings caused the banner to be displayed in Dutch, my system is configured in English. Many users are used to this banner popping up because ActiveX controls have been blocked (that is good) but this leads to a site called BrowseHappy, a site that tries to convince you to use something else.

Is there something wrong with websites trying me to convince another browser ? Hell no.. What DOES bother me is that some people will force you to use another browser in order to get their site shown correctly. It makes you no different from the top argument you use against Internet Explorer, namely that people are forced to use it.

Yes I am an Internet Explorer user, yes I use Opera as well, yes Firefox is a piece of bloatware. And the “Internet Explorer is more/less secure” argument is a no-go as well, as each browser has bugs – on any platform.

Links :
Konqueror
Opera
Mozilla and its derivates (Firefox, Thunderbird, …)
Internet Explorer
Safari
aWeb
iBrowse
Contiki
Browsehappy
Fallen Angel’s Denktank

What happened :
Going happy around in our Citrix farm all hell broke loose… One second everything is going around nicely and the next one all the licenses are vanished. Nothing more in the CMC, all users getting ‘you are using non licensed software’ popups and phones that start ringing.

Off we go to MyCitrix and re-add the licenses. Thank god they’re auto-activating so that should help a lot. Problem is that not all our licenses work… 50% of our client packs are non operative. This means we’re down to half our farm capacity… Not good !

As Licensing calls are free with Citrix (hurrah !) a call is opened but soon the guy on the phone (Euro tech support, USA tech makes you cry in agony) declared this was a database corruption and we could go and fu*k ourselves if we didnt pay.

Sweet

Now what ?
Talked a bit to our vendor who came up with a solution. They continued the call I logged with Citrix Euro support and they got a database with our faulty license entry removed. But then they also started asking for extra money.

Sweet

And ?
Off to the newsgroups, Citrix support sites and stuff like that. We decided to restore a backup from before our licensing problems so that was our procedure, at the same time we’d move from database server as we are consolidating those. Now it’s pretty hard to find much documentation on this issue except a small note in the Advanced Concepts Guide.

Now in the end it all boils down to this :

• See that you get a good copy of your Datastore on an SQL server.
• Open the mf20.dsn file on your citrix server.
• Change the database name to the one you configured.
• Change the server location to your server, preferebly you create a DNS CName for this.
• Open a command line and run the DSMaint application, use the Config argument and provide username, password and the location to the dsn file you just modified. Best practice is to drag & drop this onto your command line to prevent typo’s
• Restart your IMA service
• If you have some servers to do you can throw the DSMaint configuration and service stop and restart (net stop imaservice / net start imaservice) in a batchfile that you run on each server. The dsn file you’ll have to change on every server if it contains a client identifier.

Try this procedure first with a server you don’t really use that much - a live test machine or a management box. When those go smooth (open the CMC and connect to the local server to see if all is ok) you can do the rest.

Rebooting ?
This procedure goes smooth without rebooting a thing. To be safe I restarted the DataCollector in the end. You could also recreate the localhost cache (DSMaint RecreateLHC) to speed up things.

Imagine this :
You have a server running various applications and all of a sudden the machine just locks up, nothing happens anymore and the only way out is a long push on the power button. After a couple of times you start running perfmons on the basics : CPU, Memory, Pagefile usage, Disk IO but they all check out okay. But, to your fear, the problem remains. Then you turn to your Citrix Resource Manager - it also has a variety of monitors but one of the default is a rather strange one called “Context Switches”. And this one is going through the roof. But what the heck is this ? And what is the meaning ?

First question is ofcourse, what is a Context Switch ?
Google or any other searchengine often is your friend but not really in this case, you’ll find some info in online dictionaries, a Linux-oriented IBM document, and even a Unix / Linux consultancy firm. WikiPedia also gives a pretty accurate but not so easy to understand explanation.

This pretty much gets us nowhere so lets start from scratch.

Ok so what the hell is it ?
In general a Context Switch is something that is at the core of a multitasking operating system, as it is in fact the switching from one application running on the computer to the other. A CPU can actually do only a single task at a time, it sure can do a lot of them in a second so it looks like its doing various things at the same time but down-level you can only use the hardware registers once. Intel’s Hyperthreading tries to cheat around on this but in the end the CPU is still doing a single task at once.

Uh ?
Let’s say your CPU is currently executing an executable that is part of MS Word, now on your Citrix server this will not be the only application available so MS Excel is also running. The operating system wants to give Excel its slice of CPU cycles so it switches between the two. What happens is that the CPU registers in use by MS Word are written to memory, afterwards the CPU registers that MS Excel has been using are copied to the CPU. When these are in place the task the CPU is supposed to be doing will be executed.

So how does this cause hanging of the server ?
Well during the time that the register information belonging to MS Word is read from the CPU registers and written to memory followed by the informationg belonging to MS Excel is read from memory and written to the CPU Registers you server cant do anything else (remember, one task at a time). So for the user looking at the screen the server will be dead in the water when its switching.

Aha - now what ?
Now remember that today CPU’s count in the gigahertz’s speedwise so normally you will not notice this on a regular server. Now a regular (non Citrix) server quite often runs very few applications - for example MS SQL 2000 or IIS that dont have to switch that often. Now a Citrix server can have a multitude of applications published for a large amount of users causing for a lot of application switching. And (often badly-written) applications that tend to cause a lot of Context Switches can go into ‘Switching’ so hard that the CPU and/or OS lose track and lock up completely, causing the server to hang and requiring a long push of the power button.

So how do I prevent this ?
Well you should get applications that don’t cause that many Context Switches. Now if you are stuck with one you can do some pro-active monitoring. Out of experience NetIQ AppManager does a pretty good job at this. Keeping an eye on the Resource Manager also is a good indication to show you that something is wrong. What to look for actually is an application that is abnormally high in user-cpu cycles (not system). Your normal Taskmanager will not display this but a third-party application such as Hyena will display this.

Aha, you’re the expert !
No I’m not.. This is all from personal experience and some knowledge on how an operating system actually works (digging thru the insides of the C64 and Amiga has been usefull it seems). Actually it can be that most of the stuff on this page is wrong, but I dont think so. If you have some additional info or comments, feel free to let me know. The e-mail adress is somewhere on this website normally.

With Windows 2000 came a new piece of software called ‘Terminal Server Licensing’ that requires to be installed when you run your Windows 2000 servers’ Terminal Services in Application Mode.

The idea behind it was/is pretty straightforward. You could give a user with a non Windows 2000 based computer access to your Windows 2000 server, hence giving the user features he/she was/is not paying for. Windows 2000 based clients also need to contact it but will receive a built-in (read : free) license from the Terminal Services Licensing system.

Terminal Services on a Windows 2000 server will try to find the Licensing server in 4 ways : Domain Mode, Enterprise Mode, Workgroup Mode and Direct Mode.

• Domain Mode and Enterprise Mode require that you set up the Licensing server on a domain controller. Many (large) corporations want to keep their Domain Controllers only for a single task, controlling the domain, so it’s not always an option to install Terminal Services Licensing on them.
• Workgroup Mode equals to good old broadcast. Can’t find a Licensing server ? Yell a bit on the network and you will find it. This ofcourse limits the system to having the Licensing server in the same (V)Lan and many routers and switches could be configured to discard broadcast messages.
• Direct mode works by a registry key that points to the server holding your Terminal Services Licensing service.

Now imagine that you are in the following situation : You are migrating from an NT4 domain towards Active Directory. With it you are moving your Terminal Servers (or Citrix servers) from NT4 to AD. The Terminal Servers ofcourse require a connection with the Terminal Services Licensing service. In Domain and Enterprise Mode this would require you to set up a new Terminal Services Licensing service on one of your Domain Controllers and getting the Microsoft Clearinghouse in action to move your licenses from one domain to the other. I myself didn’t find this an option as it can take pretty long and probably will be pretty complicated. Workgroup mode relies on broadcasting so that won’t work on many networks. This leaves only the 4th option, Direct Mode.

For Direct Mode to work open the registry editor of your choice and browse to HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters. There you add the value “DefaultLicenseServer” (REG_SZ). In the value you type the WINS entry or FQDN of the server that holds the Terminal Services Licensing service.

With this intalled you can put the Terminal Services Licensing service pretty much anywhere you want without having to worry about domain boundaries, subnets and broadcast adresses. Potential drawback could be that you are relying heavily on that single server to be up and running in order to distribute the licenses. Now this is not a complete single point of failure as Terminal Services will hand out temporary licenses that will work for 3 months should the Terminal Services Licensing service be unavailable. Also you will notice event “1010″ in your System Eventlog, this is normal and can be ignored.

Links:

• Q239107 : Establishing Preferred Windows 2000 Terminal Services License Server
• TechRepublic - Understanding Terminal Services licensing server discovery
• EventID.Net - Event ID 1010

I didn’t find much problems in publishing and configuring Project 2000 as it seems to follow the Office 2000 policy templates quite good when it comes to default folders. Only tweak I added was not to display the ’splash screen’. However on some clients the application closes imediately after launching it. After some time it was only happening on clients that had Speedscreen installed.

Trick is (thanks to DABCC) to disable some part of Speedscreen for Project 2000. How to do this :

• Open the Latency Reduction Manager
• If you configure Speedscreen on a per-server base (all applications) add an entry to the MS Project file, else edit the MS Project entry.
• Click the “Advanced” button
• Activate “Treat all input fields in native mode”
• Exit the Latency Reduction Manager

I’ve tried to find out exactly what this option does but I haven’t really had the time to dig deep for this. Important is that Project 2000 is now usable for clients that have Speedscreen enabled.

Update : Citrix released document CTX102858 in their Knowledge Base describing this problem and workaround.

Getting your uses to delete their printjobs isn’t always easy from within a published application. Therefor you can publish the printer management however it’s not too straightforward. Browsing thru Windows 95 Annoyances (note that the link is for Windows 98 as the O’Reilly site mentions the Win 95 book nowhere) I’ve found a solution for this.

First go to your application partition or whereever you have your stuff installed and there create a folder called

” Printers.{2227A280-3AEA-1069-A2DE-08002B30309D} ”

If you did it correctly (and I made no typos as well) your folder should get the Printer Folder icon. Next you must create a copy of your explorer.exe. If you publish “explorer.exe” you will actually publish a desktop. If you publish it under a different filename such as “printexplorer.exe” you’ll get a filebrowser. Going with a filebrowser to the folder you just created turns it into printer management. So when you publishing this you’ll get a printer management such as the user knows on his own PC :

Command Line : <path>\printexplorer.exe <path>\Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
Working Directory : <path of printexplorer>