admin on Mar 11th 2009
Cisco Unified Communications Manager v6 (formerly called Call Manager and then Unified Call Manager) can synchronise its user list with Active Directory (it’s actually a one way synchronisation), and can authenticate users against Active Directory. It does this using LDAP. That’s no surprise and pretty standard. Unfortunately, it doesn’t allow you to specify any search filters. You specify the base DN (or multiple base DNs) and that’s it. It seems that if an account in AD has a first name and last name CUCM adds it to its directory. The account doesn’t need to have a telephone number, it can even be disabled. Note that you can only synchronise accounts – CUCM ignores Contacts.
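Since the sync itself can't be filtered, one way to see what it will pull in is to check an LDIF export of the base DN beforehand. The script below is an added example, not Cisco tooling and not from the original post; the function names and sample entries are made up, and the import rule is the one observed above rather than documented behaviour.

```shell
# Added example (not Cisco tooling): preview an unfiltered sync of a base DN,
# using the rule observed in the post (first name + last name => imported).
# Assumes unfolded LDIF with plain, non-base64 values.

sample_export() {   # constructed entries, not from a real directory
    cat <<'EOF'
dn: CN=Jane Example,OU=Staff,DC=example,DC=local
sAMAccountName: jexample
givenName: Jane
sn: Example
telephoneNumber: 5550100
userAccountControl: 512

dn: CN=Bob Former,OU=Staff,DC=example,DC=local
sAMAccountName: bformer
givenName: Bob
sn: Former
userAccountControl: 514

dn: CN=svc-backup,OU=Staff,DC=example,DC=local
sAMAccountName: svc-backup
userAccountControl: 512

dn: CN=Ann Supplier,OU=Staff,DC=example,DC=local
objectClass: contact
givenName: Ann
sn: Supplier
EOF
}

cucm_sync_preview() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        split("", a); contact = 0; flags = ""     # reset per entry
        for (i = 1; i <= NF; i++) {
            p = index($i, ": ")
            if (!p) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 2)
            if (k == "objectClass" && v == "contact") contact = 1
            a[k] = v
        }
        if (contact || a["givenName"] == "" || a["sn"] == "") next  # not imported
        # userAccountControl bit 0x2 is ACCOUNTDISABLE in Active Directory.
        if (int(a["userAccountControl"] / 2) % 2 == 1) flags = flags " DISABLED"
        if (a["telephoneNumber"] == "") flags = flags " NO-PHONE"
        print a["sAMAccountName"] ":" (flags == "" ? " ok" : flags)
    }'
}
sample_export | cucm_sync_preview
```

Anything flagged DISABLED or NO-PHONE is an account that would land in the CUCM directory even though nobody would choose to import it.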
Didn’t anyone at Cisco think that their clients might possibly want to filter their imports? Did it not occur to them that the structure in AD might not reflect the way clients want to import users into CUCM?
It’s just not good enough!
Filed in Cisco | No responses yet
admin on Mar 11th 2009
Opened up SQL 2000 Enterprise Manager the other day to look at a performance problem (which turned out to be someone purging WSUS of old updates). Anyway, I went to look at Process Info (under Management -> Current Activity) to see what was happening. Process Info displays details on various SQL process IDs (e.g. Open Transactions, CPU, Physical IO, Memory Usage). It also lets you sort by various columns – which can be quite useful. I say “can be”, because, unfortunately, Enterprise Manager seems to do an ASCII or alphanumeric sort, rather than a numeric sort:

Process Info sorted by CPU
What bright spark went to all that trouble to provide all this information in Process Info, and then didn’t do the last bit to allow us to sort it in an intelligent manner? I mean, it can’t be that hard.
It’s just not good enough!
Filed in Microsoft | No responses yet
admin on Jan 7th 2009
I had a server run low on disk space on one of the data volumes (a bit over 1 GB free on a 2 TB volume). When this happened, CPU utilisation went up to 100%. Task Manager showed System was the offending process. This is not the first time this has happened to us (although it’s the first time I’ve looked at it).
So, I ran Process Explorer on the server and took a look at the threads for the System process. Here’s what I saw:

TmXPFlt.sys threads in the System process using excessive CPU
It turns out TmXPFlt.sys is part of Trend Micro Office Scan’s virus scan engine. I tried unloading Office Scan but it made no difference. In the end I had to restart the server.
We install anti-virus to protect our servers, not to take them down.
It’s just not good enough!
Filed in Trend Micro | No responses yet
admin on Nov 20th 2008
We have some spare slots in an IBM EXP810 disk tray attached to our DS4000 series storage system and thought of filling them with 1TB SATA disks. MCG Technology have 1TB Seagate drives (ST31000340AS) for $179 including tax (or 16c per GB). Note that these drives come with a 5 year warranty. So I figured a drive from IBM would probably be around the $500 mark. That would allow for an enterprise spec’ drive, the enclosure and IBM’s usual exorbitant markup.
Boy was I wrong.
Our Australian dollar ex-tax purchase price for a 1000 GB/7.2K SATA EV-DDM drive is $2100.00 each. I couldn’t believe it. That works out to $2.10 per GB – and they’re not proper sized gigabytes either.
By contrast a 750GB SATA drive from IBM comes to $850.00 or $1.13 per GB.
Now I know that the world is in a financial crisis. But that doesn’t excuse IBM ripping its customers off. It appears that the robber barons of Wall Street have moved to 1 New Orchard Road.
It’s just not good enough!
[Edited to add]
Seagate have an enterprise SATA 2 1TB disk – the Barracuda ES.2 ST31000340NS. The cheapest price on staticICE is $299.
Filed in IBM | No responses yet
admin on Oct 10th 2008
OpenLDAP is open source LDAP software. It’s used on a lot of Unix and Linux distributions. ldapsearch is a utility that comes with OpenLDAP. It allows you to search an LDAP directory from the command line. This is potentially very useful when you need to access LDAP from a shell script. You can even use it to access Active Directory, as Phil Lembo shows here.
Unfortunately, when ldapsearch returns its results it wraps the output after 76 characters – and it doesn’t appear to give an option to turn line wrapping off. Now what bright spark thought that this would be a good idea? That makes it a pain in the arse when you’re trying to grep the output of a directory search.
Someone does seem to have come up with a patch back in 1999, but it doesn’t appear to have made it into production.
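A workaround is to undo the folding before grep sees the output. The filter below is an added example, not part of the original post or of OpenLDAP; the function names and the sample entry are made up for illustration.

```shell
# Added example: undo the line folding in ldapsearch output so grep sees whole
# values. LDIF folds a long line by inserting a newline plus one space.

ldif_unfold() {
    awk '
        # A leading space marks a continuation: drop it and append the rest.
        /^ / { buf = buf substr($0, 2); next }
        # Any other line starts a new logical line: flush the one held back.
        NR > 1 { print buf }
        { buf = $0 }
        END { if (NR > 0) print buf }
    '
}

sample_ldif() {   # constructed sample, folded the way ldapsearch would
    cat <<'EOF'
dn: CN=Jane Example,OU=Engineering Staff,OU=Users,OU=Head Office,DC=example,
 DC=local
sAMAccountName: jexample
memberOf: CN=Storage Administrators,OU=Groups,OU=Head Office,DC=example,DC=l
 ocal
EOF
}

# Folded, this grep matches nothing; unfolded, it matches the dn and memberOf.
sample_ldif | ldif_unfold | grep 'DC=example,DC=local'
```

Later OpenLDAP releases added `-o ldif-wrap=no` to ldapsearch, which makes the filter unnecessary where it is available.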
It’s just not good enough!
Filed in OpenLDAP | No responses yet
admin on Oct 1st 2008
I went to shut my computer down last night and received the following error (it turns out that “No” was the option I wanted – “Yes” didn’t seem to do anything):
It’s just not good enough!
Filed in Uncategorized | No responses yet
admin on Sep 26th 2008
Ah, criticising Microsoft is a bit like picking on the disabled kid.
Anyway, one of the issues we have with Windows is when a user accidentally moves a directory. How do you accidentally move a directory you ask. By moving your mouse across the screen. Sometimes, for one reason or another, as you drag the mouse the left button gets held down and suddenly you’ve moved a directory. If it’s a small directory the user may not even be aware that they’ve done it – and sometime later we get asked to restore the “missing” directory.
This has happened often enough that I’ve been asked to modify permissions on directories so that users can’t do it. The problem is I can’t – the permissions on the directories are fine. The users concerned are supposed to be able to do what they do.
Really this isn’t a security issue, it’s a usability issue. If Microsoft had provided an option in Windows so that the user would be asked to confirm a move then we would all be happy. Unfortunately, they haven’t.
You might be thinking “so what – it’s the user’s fault, they should have been more careful”. However, it’s easy to do. Browse to your favourite search engine and enter Windows Explorer move confirm and you’ll see that plenty of other people have the same problem.
So, Microsoft, why haven’t you fixed this issue? It shouldn’t be hard – you only need to provide a tick box under the Folder Options menu and then, if it’s ticked, ask the user to confirm a drag and drop move. One of your gun Windows programmers could probably knock it up over lunch.
It’s just not good enough!
Filed in Microsoft, Windows | No responses yet
admin on Sep 16th 2008
I’m big on virtualisation. I think it’s the way of the future, especially from a DR perspective. The combination of VMware ESX and SAN replication means that the downtime due to the loss of a data centre can be minimised. Virtualisation potentially makes DR a lot easier. As a matter of fact, I think it’s worth virtualising everything, even if you only run one virtual server per physical server. VMware ESXi is now free so it doesn’t even have to cost anything to do it. In my mind it makes a compelling argument.
The only fly in the ointment is the problem of those products that won’t work without a licence server. Some products require a USB or parallel port dongle. They obviously can’t be virtualised.
However, licence servers that don’t require dongles (e.g. FlexLM based) are prime candidates for virtualisation. We can virtualise these servers and know that if we have to fail over to our backup data centre everything will still work.
Intergraph now require a licence server if we want to use their SmartPlant Materials (formerly called Marian) product. That’s fine, it’s their product. Unfortunately, they won’t allow us to virtualise the licence server. To my mind, this means that Intergraph are saying that they don’t care about us or our business.
It’s just not good enough!
Filed in Intergraph, Virtualisation | One response so far
admin on Aug 30th 2008
We have an IBM Blade Center with two Management Modules, two Nortel Ethernet switches and two Brocade Fibre Channel switches.
The Management modules are used to provide the I/O Modules (the Ethernet and Fibre Channel switches) with basic network configuration (IP address, etc.). The rest of the configuration of the I/O Modules is done directly on the modules themselves (i.e. via telnet or a web browser and Java).
We have had an issue with the Blade Center where after an outage the external ports on the I/O Modules come up disabled. I had to connect to each of the modules and enable the external ports. Now, the first time this happened I assumed that some twit (me) had forgotten to save the configuration of the I/O Modules. So, of course I made extra sure that I saved the configuration.
The next outage we had the same thing happened. The external ports were disabled. However, it was obvious that the configuration had been saved because all the other settings (VLANs, etc.) were correct.
Later I discovered by accident that there’s a setting in the Management Module that overrides the I/O Modules. This setting is tucked away in the Admin/Power/Restart screen when all other configuration is accessed via the Configuration screen (or by connecting to the modules directly). And it seems that this setting defaults to disabled (although I can’t confirm that):

I/O Modules Advanced Setup
Now, I can perhaps think of a reason for allowing the Management Module to override the I/O Modules (maybe – if you want to disable all external I/O to a particular module, although we can do that by connecting to the modules themselves, the place where we would normally configure them). But why default to disabled? And if we enable the ports on the I/O modules themselves, shouldn’t the above setting also change to enabled?
It’s just not good enough!
Filed in IBM | No responses yet
admin on Aug 30th 2008
Ah IBM. Their Remote Supervisor Adapter II allows for the creation of up to 12 login ids. The problem is, when you create a password it doesn’t tell you if the password is too long. From trial and error, it seems that the maximum password length is 15 characters. I’ve looked at the source code of the page and I can see that the password field is restricted to that many characters (perhaps I should have saved myself a lot of trial and error testing by looking at the source first):

RSA II Password Length - HTML Code
Now 15 characters isn’t that bad (plenty of systems allow only 8 and it seems one UK bank only allows six). The problem is that it lets you think you have created a password with more than 15 characters – but it only stores the first 15 characters. So, if you set your password to a123456789012345 you can’t login using that password (however, you can login using a12345678901234). Imagine the consequences if this is the only log in account, and you don’t realise the 15 character limit.
Surely it couldn’t have been that hard for the programmer creating the page to have done a basic check and popped up an error message if the password is too long. After all a message does appear if the password doesn’t contain both alphabetic and non alphabetic characters:

RSA II Password Error
So, if they can pop up an error when the password isn’t complex then why can’t they pop up an error when the password is too long?
It’s just not good enough!
Filed in IBM | No responses yet