Microsoft has published a number of scripts used to back up TPM (Trusted Platform Module) and BitLocker information for Windows clients. Windows Server 2008 and 2008 R2 support the attributes required to centrally manage Microsoft’s BitLocker and TPM. Windows Server 2003 can run them as well (the attributes require searchFlags to be set to confidential, which is why pre-2003 Active Directory cannot support them).
Extending the schema is pretty easy. Use an administrative account for the forest (the administrator account for the first domain in the forest is a common choice), log into the server holding the schema operations FSMO role for the forest, and download Microsoft’s ldif file with these attribute definitions.
Once downloaded, use the ldifde command to import into your domain:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=ad,dc=krypted,dc=com" -k -j .
Once that is done, check out the VB scripts that Microsoft has provided for key escrowing and other tasks.
krypted September 29th, 2011
Posted In: Windows Server
Microsoft has a great feature called autotuning. Autotuning, though, can be problematic for network connections from Microsoft Outlook, Internet Explorer 7, RDC and even some file sharing protocols over the WAN. This is mostly because not all firewalls support TCP Window Scaling for non-HTTP-based protocols.
If you’re running into problems where these applications give you errors like “Outlook is trying to retrieve data from the Microsoft Exchange Server Exchange_Server_FQDN”, then you can try disabling autotuning to see if that is your problem (usually this involves WAN connections, btw). To disable autotuning, use netsh to set the TCP autotuninglevel to disabled:
netsh interface tcp set global autotuninglevel=disabled
To turn autotuning back on, just set the autotuninglevel to normal:
netsh interface tcp set global autotuninglevel=normal
krypted September 28th, 2011
Posted In: Windows XP
Server.app in Lion is a pretty good app for most tasks. But I find myself frequently doing things that I don’t think the developers intended me to do. One such item is setting up and tearing down Open Directory to test various iterations of enabling a master. I frequently use slapconfig with its destroyldapserver option.
Doing so almost immediately allows me to demote an Open Directory master to a stand-alone server and then repromote the server to a master or replica for testing purposes. If you do this, though, Open Directory cannot be set back up using Server.app. The fix is to use Server Admin to repromote the server to an Open Directory master and then use Server Admin to more graciously demote it back to stand-alone. Until you do this, Server.app will error out on Open Directory promotions, complaining that the server is already an Open Directory master.
A change I’ve made to my workflow when nukin’ and pavin’ OD is to just use Server Admin for the paving part. If you demote with Server Admin you won’t have these issues. Hope this helps someone who finds similar wonkiness.
krypted September 27th, 2011
Posted In: Mac OS X Server
I’ve done a few articles over the years on customizing the wiki server (the “team server”) in OS X Server. This is one of those places where Lion really changes things. Once upon a time you could just swap out the graphics and have a fairly custom-looking wiki.
In Lion, Apple has really simplified and stripped down the interface elements for the server. There is less Apple branding and more functionality than ever. Gone is the time Apple spent building templates, but in place of all those templates is a much more integrated and functional collaboration server. Added are features dedicated to navigation (e.g. the ribbon borrowed from MobileMe), document management and writing personal wiki articles. Added is more seamless integration with podcasts and better ways to find content that is pertinent to you. Also added is a sidebar that allows you to insert blocks, similar to widgets in WordPress, but far less usable (for now).
You can still customize the graphics. They are now stored in /usr/share/collabd/coreclient/public/stylesheets/cc/img. You can also add your own banner or edit the look and feel in the css files stored in the /usr/share/collabd/coreclient/public/stylesheets/cc. For example, editing the core.css file to change the color (not background-color) setting in the body section will change the color of the text (use my color chart to pick a new color if you’d like). Also in the core.css file is the background color for the unused space, located in the background-color setting of the main section. The blue title bar for wikis can also be customized to include a background image or just change the color. For example, use the banner.css file to add the background-color field into the banner section with #FFFFFF to set that to white.
As usual, be careful when customizing Apple’s services. Personally, I find that whenever I customize their settings, I end up making them look worse. Apple is known for design. If you’re looking at my web site, you’ve likely noticed that I am not. If you decide to walk down this path though, I have a good tip. Use a browser plugin for Firefox to help you. You can make changes on the fly, see what works and what doesn’t and gradually change settings until you find a look and feel you can live with. I like Edit CSS, but as with many of these kinds of things, it’s just preference – search for CSS in the Firefox add-ons for one that you find that you like better.
krypted September 27th, 2011
Posted In: Mac OS X Server
Lion Server moves a few things around, not only in regards to a little window dressing in the GUI apps, but also under the hood. One such example is the /ical path often used to direct users to iCal’s little section of the web portal in OS X Server, which is no longer around in Lion. One could just redirect requests for /ical to /webcal as was done previously. But what if you wanted to actually redirect the CalDAV traffic to look at a directory other than /calendars on the web server (e.g. maybe your site already uses /calendars)?
To do so, check out /etc/apache2/servermgr_web_apache2_config.plist. About halfway down are the proxies for com.apple.webapp.webcal. Each of the directories has a path. I like to change both the name of the key and the string for the path. However, don’t change the urls key or the site will stop outputting dynamic data. Save the changes and then restart the service:
serveradmin stop web; serveradmin start web
/webcal is also defined here. So if you would prefer to use /ical, it can be changed, albeit likely breaking many of the internal links for the portal. One may be tempted to add /ical by adding an “Alias /ical /usr/share/webcal.html” line to the httpd.conf file in /etc/apache2, but that simply results in an error. So doing a redirect, as I showed previously, seems to be the only way to get the response of the actual /webcal page (401 redirects do not seem to work).
Another issue that I’ve run into is getting virtual hosts to work in the first place, in order to define forwards that aren’t page-centric. This was fixed by uncommenting the following line in httpd.conf (removing the # in front of the line):
Then, you can add vhosts as usual in /etc/apache2/extra/httpd-vhosts.conf. Having said that, the only redirects I’ve gotten to work so far have been per page. I’ll likely figure out more on these subtle changes as time goes on, but more important than these specifically, hopefully this will point others to where some of these settings are stored (e.g. for webmail and other services in OS X Server). For example, let’s say you wanted to disable the web calendar and webmail altogether (for whatever reason). In that case, look for these two lines in /etc/apache2/httpd.conf (respectively):
Alias /webmail /usr/share/web/webmail.html
Alias /webcal /usr/share/web/webcal.html
Put a # in front of each to comment them out and then restart the web service. It’s not pretty, and webmail should really be disabled in the Web service itself, but web calendars aren’t exposed in the GUI at this time and I wanted to show both. Anyway, this article is rambling on a bit like a Douglas Adams book. So, so long, and thanks for the phishing attacks!
krypted September 22nd, 2011
As many of you are aware, I will be speaking at the MacTech Conference in November. Krypted.com is also a sponsor of MacTech and I personally very much find everything they’re doing over there with these events to be great stuff. And now there’s more coming out of their incubator.
MacTech has announced a great new series called MacTech In-Depth. This takes the existing format for the MacTech Conference and MacTech BootCamps that have gone on the road and brings a much more in-depth (as the name implies) approach, looking at a single topic for a full day. The first topic that is getting tackled is Mobile Device Management, in San Francisco. Register by October 31st to take advantage of the Early Registration and pay only $295 to register for MacTech In-Depth: Mobile Device Management (a $200 savings). As with the other MacTech events, it’s a great deal.
For more information, see the official site at http://www.mactech.com/indepth or here’s the official press release:
September 19, 2011 — WESTLAKE VILLAGE, CA — On the heels of the incredible success of MacTech Conference for IT Pros and Developers, and MacTech Boot Camps held all around the United States, MacTech has announced today a new (third) type of event: MacTech In-Depth — a series of one day seminars each focusing on a single topic. MacTech In-Depth is a single-track, hotel-based seminar that is specifically geared to serve the needs of IT Pros, consultants and techs looking for a deep dive on a single topic. The first MacTech In-Depth will focus on Mobile Device Management, and will be in the City of San Francisco on Wednesday, December 7th, 2011.
“MacTech Conference 2010 was an enormous success delivering amazing content and a quality conference to IT Pros and developers in the large organization, Enterprise, and ISV markets. MacTech Boot Camp events have been a terrific success in helping consultants grow their company and support small business. What’s been really clear from the feedback is that attendees want even more from MacTech. Our new MacTech In-Depth series of seminars will squarely address that request,” said Neil Ticktin, Editor-in-Chief/Publisher, MacTech Magazine. “The In-Depth format gives us the flexibility of not only having different seminars on different topics, but to make them available in regions all over the country.”
Using MacTech’s proven “running order” approach, we pack in the maximum amount of sessions possible into the time available combined with the opportunity to talk to sponsors, network with peers and meet new contacts. Event topics expected include:
MacTech In-Depth: Mobile Device Management (first one scheduled)
MacTech In-Depth: Network and WiFi Design and Troubleshooting
MacTech In-Depth: Lion Server Administration
The first event, MacTech In-Depth: Mobile Device Management (MDM) will spend the entire day focused on MDM. Topics will include:
• Security and Mobility
• Solutions Requirements
• Asset risks and security threats
• Mobility Business Drivers
• Monitoring and Control
• Protecting the Enterprise, business, and the organization
• Enabling Employees
• Protecting data and devices
• Mobility creating new business intersections
• How to develop a mobility strategy for your organization
• Securely supporting social media, commerce and sales
• Defining Technology Initiatives
Additional information on topics and sessions at http://www.mactech.com/indepth/mdm/sessions
“Now that Apple is pouring it on with the onset of OS X Lion, iOS, and mobile devices, there is no better time than right now to fully integrate, deploy and maintain mobile operations along with securing valuable mobile assets and company proprietary information. This is exactly what we do when working with organizations of all sizes, helping our clients create seamless solutions through every stage of mobile operations,” said Russell Poucher, MacTech In-Depth: Mobile Device Management Sessions Chair, and Principal of Creative Resources Technology Group. “MacTech does an amazing job of putting live events together. As sessions chair for the event, we’ve been working with MacTech to create their MDM curriculum and secure some of the best speakers in the industry.”
“We are extremely pleased to be involved in this event to share best practices on how to fully embrace Mac and iOS devices in the Enterprise,” said Jonathan Dale, Fiberlink Communications. “With the rapid pace of change in mobility, cloud-based mobile device and application management platforms, such as MaaS360, are critical to enable the full adoption of the consumerization of IT.”
MacTech In-Depth events are economically priced, include the full day of sessions, and lunch. Those who register by October 31st can take advantage of the Early Registration and save $200.00 and pay only $295 to register for MacTech In-Depth: Mobile Device Management.
More information on the MacTech In-Depth series at http://www.mactech.com/indepth
More information on MacTech In-Depth: Mobile Device Management at http://www.mactech.com/indepth/mdm
Registration is open now at http://www.mactech.com/indepth/mdm/register
About MacTech Magazine
Established in 1984, MacTech Magazine is the only monthly magazine focused on Macintosh at the technical level. Each month, MacTech and MacTech.com are read by 150,000 technical Macintosh users in over 175 countries … from network administrators to programmers, from solution providers to Enterprise, and in general anyone that’s interested in the Macintosh beyond the user level.
For more information about MacTech Conference, see http://www.mactech.com/conference/ and for more information on MacTech Boot Camp, see http://www.mactech.com/bootcamp/
If you’re interested in getting under the hood of your Mac, if you want to know how to make things happen inside the box, you should be reading MacTech Magazine. Contact the magazine. Toll free: 877-MACTECH, International: 805-494-9797, http://www.mactech.com
For more information, contact:
publisher at mactech.com
krypted September 21st, 2011
LaunchPad is the OS X Lion version of the old Launcher, or of the iOS home screen, depending on how you look at these things. A few notes on issues I’ve seen with LaunchPad. First, I’ve had to nuke LaunchPad and have it rebuild. To do so, delete the database (the path has to be escaped or quoted because of the space in “Application Support”):
rm ~/Library/Application\ Support/Dock/*.db
You might also need to kill the Dock.
In a deployment scenario, I’ve started doing both as post flight tasks. Getting to the point where you’re granularly adding and removing items is done by editing the .db file in ~/Library/Application Support/Dock. In here is a file named with a generatedID followed by .db, which is a SQLite database. This database can be managed using a number of SQLite management tools, such as Base or SQLite Inspector.
The management of databases from within these tools is pretty straightforward. You browse the apps, locate the offending row and delete it. Then run killall on the Dock (mentioned earlier) to actually have it disappear. You can also use the sqlite3 command line (where the string that begins with BF is the generated ID of the database):
sqlite3 ~/Library/Application\ Support/Dock/BF222CEA-E6B2-4804-BAA2-DED0428E6C90.db "select * from apps"
Assuming you see a row in the output that you’d just love to get rid of, you can look at the bundleID and then get rid of it using a command like this:
sqlite3 ~/Library/Application\ Support/Dock/BF222CEA-E6B2-4804-BAA2-DED0428E6C90.db "DELETE from apps WHERE bundleid LIKE 'org.videolan.vlc'"
Don’t forget to kill the Dock afterwards. That’s basically it. If you install an app and then want to toss items from Launchpad as a post flight task, look up the bundleID, run the sqlite3 delete, and then run a second query to verify that the item is gone. As you don’t know the generatedID for the database name, you can also replace it with * in scripts:
sqlite3 ~/Library/Application\ Support/Dock/*.db "DELETE from apps WHERE bundleid LIKE 'com.microsoft.uploadcenter'"
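The post flight “delete, then verify” step above as an added Python example (not the post’s own code) run against a constructed copy of the LaunchPad database: the apps table and its bundleid column come from the post, while the other columns, the sample rows and the database file name are assumptions made here so it runs offline.

```python
import glob
import os
import sqlite3

# Constructed sample rows standing in for "select * from apps". Only the table
# name and the bundleid column come from the post; item_id and title are
# placeholder columns, not the real Dock schema.
SAMPLE_APPS = [
    (1, "VLC", "org.videolan.vlc"),
    (2, "Microsoft Upload Center", "com.microsoft.uploadcenter"),
    (3, "Safari", "com.apple.Safari"),
]
DOCK_DIR = os.path.expanduser("~/Library/Application Support/Dock")


def dock_db_paths(dock_dir=DOCK_DIR):
    # Same idea as the *.db wildcard in the post: the generatedID is not known
    # up front. os.path also sidesteps the unescaped space in "Application
    # Support" that breaks a bare shell command.
    return sorted(glob.glob(os.path.join(dock_dir, "*.db")))


def build_sample_db(db_path):
    # Throwaway database with the constructed apps table, so this runs offline.
    with sqlite3.connect(db_path) as conn:
        conn.execute("CREATE TABLE apps (item_id INTEGER, title TEXT, bundleid TEXT)")
        conn.executemany("INSERT INTO apps VALUES (?, ?, ?)", SAMPLE_APPS)


def list_bundle_ids(db_path):
    # The read-only query from the post, reduced to the bundleid column.
    with sqlite3.connect(db_path) as conn:
        rows = conn.execute("SELECT bundleid FROM apps ORDER BY item_id").fetchall()
    return [r[0] for r in rows]


def remove_from_launchpad(db_path, bundle_id):
    """Delete every row for bundle_id, then re-query to prove it is gone.

    Returns (rows_deleted, rows_still_present); a post flight script should
    treat rows_still_present != 0 as a failure instead of assuming success.
    The Dock still has to be killed afterwards for LaunchPad to pick this up.
    """
    with sqlite3.connect(db_path) as conn:
        deleted = conn.execute(
            "DELETE FROM apps WHERE bundleid LIKE ?", (bundle_id,)
        ).rowcount
        remaining = conn.execute(
            "SELECT COUNT(*) FROM apps WHERE bundleid LIKE ?", (bundle_id,)
        ).fetchone()[0]
    return deleted, remaining
```

Point build_sample_db at a scratch file to try it; against the real Dock database only dock_db_paths, list_bundle_ids and remove_from_launchpad apply.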
Oh, and the easy way to clean up LaunchPad is to use something like Launchpad Cleaner…
krypted September 20th, 2011
When Lion was new, I put up a post about clearing out information on saved applications states. Saved application states are a new feature in Lion that remembers the screens that were open and where each was when you quit applications. The reason for that post was that those states were causing a few minor issues with applications.
There are a few applications that the saving of application states is really awesome for. I think it will mostly be different for each person’s workflow. Personally I like saving the state of Terminal, Safari and a few others. However, the state of some others can be a bit annoying for me. For example, Word.
Luckily, you can control which applications have saved states and which do not. To do so, first find the application in ~/Library/Saved Application State. These are usually named with the bundleid of the application followed by .savedState. Using the bundleid (or whatever is listed if not the bundleid), you’ll then write an NSQuitAlwaysKeepsWindows key to the defaults domain for that id with a boolean setting of true or false. For example, to disable the saved state for Microsoft Word:
defaults write com.microsoft.word NSQuitAlwaysKeepsWindows -bool false
To re-enable it, just send a true value into the same key:
defaults write com.microsoft.word NSQuitAlwaysKeepsWindows -bool true
krypted September 16th, 2011