• The default Ubuntu 12.04 LTS AWS image boots on a 8GB  root partition created on EBS. This allows you to run a a normal Ubuntu server. If you create a larger EBS partition, Ubuntu will automatically expand the file system on first boot, but 8GB should be plenty for a typical DNS server.
• The Micro Instances includes 600MB of RAM
• I thought I read that the Micro Instance includes 2 CPU cores, but the image I booted only shows 1 CPU.

This should be fine for a backup DNS server.

The AWS documentation is large and intimidating. In the past, AWS encouraged a lot of specialized AWS development to create paravirtualized kernels that worked under Xen combined with VM instances that booted up and automatically configured  themselves to use S3 storage. This is a great model for web sites and other Internet based services that require scaling across many nodes, it seemed like overkill for something like DNS that typically only requires a couple of high availability servers. Fast forward several years later and now AWS lets you easily create VM backed by EBS storage that can be managed like a typical server. Here are the steps I followed to create my AWS based DNS server:

1. Opened an AWS account  - credit card is required (!)
2. Configure and start a new Ubuntu 12.04 LTS micro instance. The free instance is clearly identified and the defaults end up with an EBS backed server with a 8GB root partition.
3. Add a public IP address: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html
4. Login to the new instance with the AWS generated SSH key pair: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
5. Configure your new instance normally

Now we just have to wait and see if it is really free!

Getting a Deal 

FIrst, let’s look at how to get the great deal everybody wants: Retail stores know you want a $400 laptop, so they use this item as a loss leader. If you watch the newspapers around popular days for big sales (back to school tax holidays, July 4th, Black Friday, etc), you will often find impossible deals advertised. These really are great deals if you are willing and able to jump through the required hoops. Be aware that there are more people looking for the deal then there are systems available at the sweet price. In fact, the stores are counting on this… they sell 4 systems at the loss leader price and 100 systems at the “sale” price that they can make money at. 

If you want the best deal, I highly recommend that you watch the newspaper advertisements. You’ll find prices you can’t even get online.  Also, check out this link: http://www.notebookreview.com/deals/. There are probably other lists of laptop deals – I don’t buy them very often – this is just one I happen to know of.

Since it is easy, it is always worth checking out the deals available online. Two online stores I check a lot are NewEgg and Buy.com. Amazon.com also has good deals from time to time, but I hate their search interface.

Then, there are just the random deals you have to be on the lookout for. Here is an example: I wanted to buy my two older kids notebooks for Christmas to take to school. I did the usual initial searching around. I wasn’t willing to get in line for black Friday sales. One day, I just happened to pull up microcenter.com and do a search. I found an impossible deal – budget Lenovo 15″ for $400. I printed the price and went to the store. The price on the display was like $700, but I asked. They guy said the $400 deal was for real and sold me two at that price. I am sure I could have sold them on ebay for $600! Crazy.

There are ultra budget systems available that normally cost around $400. A typical example is the Asus Eee PC. Though they are interesting and competition is always good, I personally would not want one of these notebooks… the keyboards are bad and the screens are too small. Most people I know want a Windows OS. Windows XP was a solid notebook OS. Everybody knows how to use it. I am starting to wonder if Ubuntu (a popular Linux distribution) is not a better choice than Windows Vista, though.

Choosing a Model

All the the name brands (Dell, Sony, NEC, HP, etc.) are going to have about the same reliability. Sony and Lenovo’s (formerly IBM) ThinkPad  are the premium laptops. If you are going to use the built-in keyboard a lot, consider the feel of the keyboard. I think the Lenovo’s keyboards are the best. I have a 13″, 4 pound Sony. I like the small form factor, but if I were to buy again, I’d look for a similar form factor in Lenovo because I really don’t like the Sony keyboard and I’ve now ended up using mine enough to where it has become annoying. The Lenovos also have a keyboard light… this is very useful and I wish my Sony had one.

I have a customer that bought 2 state of the art 13″ 3 pond Sonys. They are similar to mine but have carbon fiber cases and hybrid hard drives (normal hard drive plus some flash). It turns out that the hybrid hard drives aren’t any faster or better for batteries than normal hard drives… also, these 2 notebooks have already been replaced twice each (one is in the shop for a 3rd time) for failed hard drives. The problem with the hard drives is probably just a coincidence, but, overall, I would not opt for the hybrid hard drive if I had a choice.

Your notebook will come with Vista. Technically, OEMs can’t sell Vista after July 1. Too bad because Vista is a poor match for the slower components (RAM, hard drives) used in notebooks. On some recent Vista notebooks I have setup for a client, I had to uninstall Norton Anti-Virus just to make them usable. With Vista, you’ll want at least 1GB RAM. A 7200 RPM hard drive would be good, too, but these are hard to find.

Backups

The new high capacity hard drives are the major weakness of all modern notebooks. Your notebook’s hard drive will fail! Unlike failures with desktop hard drives, the chances of a total hard drive failure (where only a backup recovery service can get the data off for a cost of $500 and a week wait) are very high. Don’t lose your family pictures! You definitely need a backup solution. I recommend something you can set and forget. The home version of http://mozy.com/ is pretty good and the 2GB account is free – OK for My Documents (say for a computer to take back and forth to school), but not big enough for a large Outlook archive or a big collection of pictures. I am still searching for a really good and free or inexpensive set and forget backup solution.

Antivirus

I put AVG on my kid’s notebooks. The free version is very popular and gets OK reviews, but there are a lot of complaints about the resources required by latest version (8.0). Also, I noticed that at least on one of the notebooks, it had not been running automatic updates… Really, this kind of software must be set and forget.

Office Suite

You can save some money with the free Open Office. It really is a good program. If you configure it to save as .doc and .xls by default, most people will barely notice they aren’t using Microsoft Office. The only problem comes when somebody sends an Office 2007 docx or xlsx XML format file (the default “open” file format for Office 2007). Now that the competitors have mastered .doc and .xls, Microsoft had to change things up to keep customers coming back!

After promoting the 2008 server to a domain controller, I noticed that our file server running Debian Etch could no longer resolve Windows domain usernames and groups. This server runs winbind, so normally you can use the Windows domain usernames and groups as if they were usernames and groups from /etc/passwd and /etc/group. In the smb and winbind logs, I noticed a couple of recurring errors:

ads_krb5_mk_req: krb5_get_credentials failed for not_defined_in_RFC4178@please_ignore(Server not found in Kerberos database)
ads_connect for domain MYDOMAIN failed: Server not found in Kerberos database

One of the troubleshooting steps I read about was to install krb5-user and run kinit, klist and kdestory to see if basic Kerbose tickets worked. That is when I noticed that our server was trying to use the new 2008 PDC. From this, I suspected compatibility problems between Samba and Windows Server 2008. I saw quite a few mentions of Windows Server 2008 compatibility issues and fixes in the Samba mailing lists, so I wanted to try a more modern version of Samba.

The version of Samba I wanted was in the Debian unstable archive. Running a mixed stable/unstable system currently looks like a mess and was something I did not want to try on this customer’s file server. So, I decided to try backporting the unstable samba packages to stable. The backport turned out to be very easy: added my version number to the samba changelog, installed a new build dependency. Then, I rebuilt the .deb packages and installed the ones I needed.  Samba and Winbind are working again.

I am surprised that flat rate carrier, MetroPCS, doesn’t already offer this service (if only to offload their cell network!), but I’m not suprised to see T-Mobile offer it first. Verizon, Sprint and AT&T get a lot of highly profitable income from local phone lines.

T-Mobile could jump into commercial service as well by having your cell phone become an an office phone extension (only when you are in the office, of course!) when it detects your corporate WLAN.

I can understand why they wanted a bit of money for the work that was required for validation that first year, but overall, SSL certificates have long been overpriced for the value they provide. After that first validation, the next year’s renewal costs the CA practically nothing, but they used to give no renewal discounts at all and, even now, renewal discounts don’t exist and multi-year discounts are not as substantial as they could (should?) be.

Then there were (are) silly SSL cert upgrades that supposedly provided stronger encryption. Well, I suppose those upgrades actually could enhance encryption if you just happened to be running an old, obscure version of IE that was only available outside the US, only for a short time and has not been available since early 2000. Funny how even today, you’ll find that even the biggest CA charges extra for Server Gated Cryptography, even though no browser modern enough to be secure needs or supports it.

If you want to spend even more on your SSL cert, CAs will happily add on various types of hyper-specific insurance policies and all manner of “site seals” and  “trust logos”.

The entire verification and trust thing is just silly. The percentage of Internet users that would recognize Verisign, Thawte, Comodo or any other CA is vanishingly small. Even if we were to assume your average Internet buyer were a sophisticated, educated, rational consumer, why would they trust some company they’ve never heard of to tell them how trustworthy amazon.com is? On top of all this, given the year after year rape attempts committed by big CAs with their over pricing of renewals, fake SGC upgrades and other kinds of fake “strong cryptography” upgrades, the only thing I personally trust CAs to do is to make as much money as they possibly can with any means at their disposal.

With the useless state of verification and trust, it’s no wonder that some smaller CAs eventually started verifying less and charging a lot less. Now days, you can buy an SSL certificate that certifies nothing other that you are using SSL. Fair enough – even that tidbit is more than most consumers are interested in knowing. Practically speaking, SSL is only a technology for the vendor. Vendors should use SSL properly because they care about the consumer enough to not transmit their personal information in the clear over the Internet.  Frankly, if my wife, my Mom or one of my kids finds something they want to buy, as long as the browser don’t completely refuse to accept the connection, they will be happy to click through all manner of browser warnings to put in a credit card number. Haven’t we all been trained to ignore these peskey warning messages by now? A few shoppers might be consoled by a a happy, friendly padlock icon, but how many users are fully aware that the pad-lock icon is supposed to be in the browser’s status bar. “What’s a status bar”, you ask?

Given all this, I’ve been using the least expensive SSL certs I can find. Here are a couple of different examples – can you tell what kind of validation was used?

• https://www.searchenginecommando.com/order/  (cheap)
• https://www.t3city.com/ (cheaper)
• https://www.embracegroup.com/index2.html  (cheapest)

I suppose the SSL CAs all got together and decided something just had to be done before everybody started using self-signed SSL certificates. Enter now the “Green Address Bar” SSL Certificate. The real name is the “Extended Validation”  SSL Certificate, but my name would be better. At least with my name, there is a slight chance that consumers (of SSL certs) will notice.  If you have one of these super-duper certificates, IE’s address bar is supposed to turn green (as in the color of money, eh?). I think this is a Vista only feature, though.

The SSL vendors want $500 and more for these “EV” SSL certs. Personally, I think they are pricing themselves out of the market. Yes, a handful of sites like amazon.com will pay the extra $489 for the SSL cert that makes the browser’s address bar turn green (as in the color of envy?). I have to guess, though, that the vast majority of SSL certs are purchased for small e-commerce sites like searchenginecommando.com, t3city.com and embracegroup.com. These small operators will rightly assume that public will pay no attention to the fact that the address bar is not green. Personally, I doubt if many people really even look for the SSL lock icon anymore. If EV were just a $50 up-charge, then a lot of small shops might would go ahead and get it (at least for the first year until they find out it didn’t effect sales). Right now, since the new certs are so expensive, practically nobody will buy them and buyers will just forget all about the green address bar. If they do notice, they’ll probably just have a vague notion that something wrong with their computer (again). “Wasn’t Vista supposed to fix these kinds of problems?” they’ll wonder.

It turns out that the ability to listen to .wav files was added to Blackberry Enterprise Server 4.1 Service Pack 2. We were only running Blackberry Enterprise Server 4.1, so an upgrade was in order. After downloading the 225MB “upgrade” file, the upgrade program managed to run just long enough to wipe out our Blackberry Server. The error message I was getting said something about being logged into a different account than the one that started the setup program. I might have even believed that message if I weren’t so very careful about logins. After a sort time of trying to get things fixed on my own, I decided to wait until morning to call BES support.

With the first guy Keven, from BES support on the phone I uninstalled the original BES installation and downloaded another 225MB file (this time, the full setup with the service pack included). We also checked a bunch of permissions related to the Windows user account named bes that I had setup for the BES service to run under. After waiting for the monster download to complete, I finally got the software installed. Things seemed to be working, but I eventually got reports from my users that they couldn’t send emails from their Blackberries. Time for another call to BES support.

This time, I got Brandon. Together we sent some test messages that all failed and checked about a zillion permissions for the bes account. Eventually Brandon tells me it’s all Microsoft’s fault and we need to get a hotfix mentioned in a MS Knowledgebase (KB) article. With the information from the MS KB article, I finally got BES working again (I hope). FWIW, here is the email I sent to Brandon after I got things working:

MS stores email related permissions in both Exchange Server objects and augmented Active Directory objects (such as Users). Previously, there was a global “Send As” permission that applied to user’s mailboxes that could be granted at the Exchange Server level on Exchange Server objects such as the mailbox store. The latest patches from MS removed the global Exchange Server level “Send As” permission. Now the only way to grant Send As permission is to grant them on the individual mailboxes associated with Active Directory users.

Ideally, there would be a way to globally grant the bes service account Send As permission for all the individual mailboxes at once. This is what we attempted to do when we added the bes account with Send As permission for “User objects” to the domain object in Active Directory Users and Computers. In my case, however, this grant won’t work. The reason it won’t work is that in our domain here, the individual Active Directory User objects are set to not inherit any permission from their container. You can see this in the User’s properties in Active Directory Users and Computers: Click the Security Tab, then the Advanced button – the “Allow inheritable permission from the parent to propagate…” check box is cleared. Why it is set this way? I don’t know, but it must be common. As long as the User objects (and their associated mailboxes) don’t pick up permissions set at the container level, no amount of waiting is going to get the bes account the Send As permission it needs.

Here are some different ways to fix the permissions problem:

1) Apply the hotfix mentioned in MS KB article 907434. I didn’t try this, but I assume it works.

2) Go to each Blackberry user in Active Directory Users and Computers and enable permission to propagate. There are a lot of different permissions and I have no idea what kind of problems this might cause. I wouldn’t recommend this solution.

3) Go to each Blackberry user in Active Directory Users and Computers and grant the bes account Send As permissions. This is the safe, straightforward solution.

4) Create a program or script to do (2) or (3) automatically. In the MS KB article 907434 there is a script you can use to identify the accounts that might need Send As permissions, then grant the Send As permissions to all the individual User accounts at once. Automating option (3) with this script from the MS KB is the solution I chose. I found the script to be pretty well written and fairly easy to use. However, I am familiar with this type of scripting.

In my case, now I’ll have to remember to execute step (3) each time I add a new Blackberry user to our system.

I still say the entire BES architecture is way, way too complicated and brittle. If RIM is interested, I could write a specification for a much simpler and much more robust set of programs that could accomplish the same tasks with fewer resources (both computer and people). I know it’s unlikely, but I throw it out there mostly in frustration with the continuing sad state of BES.

In the short term, it seems to me like you either need to require the hotfix (maybe secure permission to distribute it from MS) and/or figure out a way for your Setup and Blackberry Manager programs to grant the bes service account the Send As permission for individual Users. Obviously, this can be done with some Active Directory programming, but that is a little tricky in your case as you are instructing us users to create the bes account without Domain Administrator permissions and run your Setup program as the bes account. Overall, I think it would be wise for you to take complete responsibility for the bes account – creating it, granting it the correct permissions, a menu option to fix permissions and passwords later, etc.. That way, Setup can be run as Administrator. As long as you don’t take full responsibility for the bes account and the delicate set of permissions it requires, we will all pay the price on the back end with technical support calls.

Then there are problems with the “enterprise” software running on the servers. Exchange Server is a well known offender (at least in my book). It’s getting slightly better with each release (I don’t miss the M: drive, do you?), but they still have fundamental problems with their database. Why do you have to rebuild the database (and lose data) whenever the server doesn’t get shutdown cleanly? I run lots of databases (and file systems that work like databases) that don’t have this problem. Why is it such a pain to backup and restore? When the Exchange Server acknowledges receipt of a message from another email server, Exchange Server should have already stored that message in its DB and flushed the disk so that no message ever gets lost – even if the power fails. That’s the way our big UNIX email servers work. Microsoft rushed Exchange Server out, then layered features without cleaning up the engine.

Now, we add Blackberry on top of already fragile Exchange Server. If these guys were smart, they would make their software extremely tolerant of any possible problems with Exchange Server. But no, they have to use every MAPI bell and whistle to access the mailboxes (making their software picky about what other software is installed on the software – there is an entire chapter in the install guide about getting Calendar synchronization to work) and store half the data in their own MSDE database (one more database to manage) and the other half in Exchange Server mailboxes (now, we have to keep 3 data stores synchronized – Exchange Mailbox, MSDE database and Blackberry mailbox). Why doesn’t the activation email work? I guess the support guy knew that it wouldn’t… he said something like: Well, the activation password in the email should work, but I always manually set the activation password.  The number of versions, service packs and hot fixes is mind boggeling. Do you really need 4 versions of the software to figure out that users want to to synchronize contacts, calendars, messages and to-do lists quickly, reliablty and with a minimum of fuss?

If I were designing this stuff, the world would be a different place. In fact, I designed and wrote a large enterprise software packages that solved complex business problems. At a user’s conference, one of the users of a package I wrote told me that it was the most bug free piece of software he had ever used. That wasn’t by accident. I carefully minimized my dependencies (so the install wouldn’t be fragile), used an ultra reliable database engine (it didn’t have as many features as some, but we never had database corruption problems), had a super reliable install/uninstall program (I had to write my own to get the quality level I wanted) and carefully tested on every platform we supported (we had automated testing tools).

Server hardware has gotten inexpensive and gigabit Ethernet networks are really fast. The opportunity is there for fast, ultra reliable enterprise applications that run on clusters of inexpensive servers. Failed hard drive, motherboard, CPU, RAM chip, power supply? No problem – the other servers in the cluster keep serving requests and we fix and restore the failed server at our leisure. Applications running a little slow since you added 20 new users? Just add another server to the cluster. None of the “enterprise” vendors are taking advantage of this capability, though. Instead, they continue to create software that is overly complicated (internally and for end users) and fragile.

The web UI is a little clunky, but overall, it’s better than most other switch configuration UI’s I’ve used in the past. I still prefer a script based configuration, but you don’t get that in these lower cost “web managed” switches.

The switch’s rules for VLANs are a bit weird. For example, I don’t like the “default VLAN” concept they have implemented. Also, you can’t mix tagged and untagged traffic on a single port (as you can with most hosts and many other switches). Really, VLANs are simple. A packet can be VLAN tagged or untagged. A switch port can be granted access to 1 or more VLANS. For each VLAN for which a switch port has been granted access, the port can either tag or not tag outgoing traffic. That’s it. I can see why the default configuration of a switch should be to grant very port untagged access to VLAN 1, but that doesn’t imply to me that there needs to be some kind of “default” VLAN for each port.

The switch’s management IP does not have to be on VLAN 1. This is a nice touch that I appreciate.

The statistics in the web GUI are pretty sparse. You can view basic interface counters for each port. It would be nice to get some idea of the bandwidth in use on each port. The 5 minute input and output rates on Cisco’s “show interfaces” output is a good example of what is useful.

SNMP support is also basic, but I had no problem configuring Cacti to create traffic graphs for each port. That is all I need.

Jumbo frame support is either on or off. Most switches let you set this per port. Setting it per VLAN would make the most sense to me. But, unless you could program the switch to automatically fragment packets for hosts that don’t support jumbo frames (and what switch does this?), a global switch is fine. Ultimately, you have to deal with the individual hosts on each VLAN – support for jumbo frames on the switch is just a simple yes or no (and can probably always be set to yes as long as the switch itself does not generate any jumbo packets).

The switch supports trunking. That is fairly common for switches that support VLANs. I haven’t tried out trunking. A GigE pipe is big enough for me right now.

You can have up to two ports configured to monitor (sniff) traffic on other ports. I haven’t tried this out yet, but I’m sure it will come in handy when one of our beloved unmentionable security agencies hits me with a court order for eavesdropping.