Believe it or not this is a XenApp desktop

If you want users to think they are using a Windows desktop, it's possible.

http://community.citrix.com/display/ocb/2011/05/23/Believe+it+or+Not+…+This+is+a+XenApp+Desktop

I didn't say it was easy, just possible!


Anti Virus Exclusions

If you're running a Windows operating system you will want to set up some standard anti-virus exclusions. Most people just install their A/V product and don't configure it, leading to complaints about the computer slowing down or things just plain not working. A classic is the secedit.sdb file becoming corrupted and preventing GPOs from subsequently being applied.

Microsoft (and Citrix) list their standard exclusions as below.

AV exclusions on all Windows computers

http://support.microsoft.com/kb/822158

Additional AV exclusions on servers running MS Server products

http://support.microsoft.com/kb/943556

Citrix AV exclusions

http://support.citrix.com/article/CTX127030

Windows 2008 R2 and Windows 7 Service Pack 1 released

Download today from MSDN and TechNet. Public download available next week.

Citrix Web Interface Fails to Respond and Generates an Internal Error

When installing XenApp 5.0 Web Interface on Windows Server 2003, the following error can be observed when users visit the XenApp websites.

“Internal Error. The Web site is experiencing technical difficulties. We apologize for any inconvenience. The internal error may only be temporary. Try reconnecting and, if the problem persists, contact your system administrator.”

Easy one to solve: it's just that the NT Authority\Network Service account does not have the correct permissions on the "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" folder.

Just give it the following NTFS permissions:

Read & Execute
List Folder Contents
Read
Write

and away the problem goes – see full article at http://support.citrix.com/article/CTX126933


Virtual Desktops – the future is now


How to create masses of data for testing

If you ever want to test something that requires lots of files to be created, whether it is configuring Robocopy, writing files to disk to test throughput, or generating alerts, then HP have a great free tool you can use, CreateData.exe. Download it here.

If you want a similar tool to generate “read” type access then the ReadTool can be downloaded here.


How to encrypt a SQL Server database

Encrypting SQL Server databases couldn’t be easier and is something you definitely want to consider doing from a security point of view. 

If we take a backup of a standard SQL Server database (here I am using the AdventureWorks sample database downloaded from Codeplex) then it’s a simple matter to restore it to another server. This makes it incredibly easy to obtain, for example, credit card details stored in a SQL database. 

One way to protect against this is to encrypt the database, either at the cell level (encrypting individual items of data) or by encrypting the whole database. Encrypting the data cell by cell involves writing code to perform the encryption and leads to very slow searches, as the data needs to be decrypted for each search.

Encrypting at the database level requires no code in your final application and provides transparent access to the data. You should still be aware that data flowing from the server to the end user is unencrypted and can be read in the clear, so you will still need to encrypt data transfer to the endpoint using IPSec or similar. Transparent Database Encryption (TDE) is only supported in the SQL Server 2008 Enterprise and Developer editions.

Microsoft has a jolly good article on encrypting at the database level which can be found here and from which the majority of this article is taken. The steps to enable database encryption are described in the following flowchart. 


In simple terms this means that a Service Master Key is created at the time SQL Server is installed. This key is used to create a Database Master Key, which in turn is used to create a certificate, which we use to create the Database Encryption Key for any database of our choice.

In order to recover from a failure of any database or server it is critical that this certificate and its associated private key are backed up. The whole process above is implemented by use of the following commands. 

USE master;
GO

-- Database Master Key for the master database, protected by a password
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'myStrongPassword679!!!';
GO

-- Certificate (protected by the master key) that will protect the Database Encryption Key
CREATE CERTIFICATE NameForMyServerCert WITH SUBJECT = 'DEK Certificate';
GO

USE NameOfDatabaseToBeEncrypted;
GO

-- Database Encryption Key for this database, protected by the server certificate
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE NameForMyServerCert;
GO

-- Switch encryption on; the background scan encrypts existing pages
ALTER DATABASE NameOfDatabaseToBeEncrypted
SET ENCRYPTION ON;
GO

-- To back up the certificate use the following code
BACKUP CERTIFICATE NameForMyServerCert
TO FILE = 'C:\BackupLocation\Certificate'
WITH PRIVATE KEY (FILE = 'C:\BackupLocation\PrivateKey',
ENCRYPTION BY PASSWORD = 'PasswordToEncryptBackup');
GO

I’ve coloured the bits you need to amend in the code above in red

Running the above in the scripting window in SQL Server Management Studio does all of the work for you. Below is the script amended to encrypt the AdventureWorks database and export the certificate and private key. 


In a similar fashion you should also back up your Master Key – the instructions for that are here.

Once the database has been encrypted it cannot be restored to a different server without first importing the certificate. If an attempt is made it is met with the "Cannot find server certificate with thumbprint" error.

You will also need to restore the Master Key backed up previously. 

To back up the Master Key use T-SQL similar to the below.

To restore the Master Key use the RESTORE MASTER KEY command 


Note: if you are backing up from one instance and restoring to another, you may need to change the NTFS permissions on the exported key files, as the backup process restricts them to the instance that created them.

To re-import the certificate use code similar to the below. 

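The master key backup and restore, and the certificate re-import from the files written by the BACKUP CERTIFICATE statement earlier in the post, as one added T-SQL example (this is not the original post's own script; the file paths and passwords are placeholders to be replaced with your own):

```sql
-- Added example, not from the original post. Paths and passwords are placeholders.
USE master;
GO

-- On the SOURCE instance: back up the Database Master Key of master.
-- The file is itself encrypted with the password given here; keep it with the certificate backup.
BACKUP MASTER KEY TO FILE = 'C:\BackupLocation\MasterKey'
    ENCRYPTION BY PASSWORD = 'PasswordToEncryptMasterKeyBackup';
GO

-- On the TARGET instance: restore the master key first, because the certificate's
-- private key is protected by it.
-- DECRYPTION BY PASSWORD is the password used when the backup was taken;
-- ENCRYPTION BY PASSWORD is the password the restored key will use on this instance.
RESTORE MASTER KEY FROM FILE = 'C:\BackupLocation\MasterKey'
    DECRYPTION BY PASSWORD = 'PasswordToEncryptMasterKeyBackup'
    ENCRYPTION BY PASSWORD = 'myStrongPassword679!!!';
GO

-- Re-create the certificate from the public certificate file and the exported private key.
-- DECRYPTION BY PASSWORD is the password given to BACKUP CERTIFICATE ... WITH PRIVATE KEY.
CREATE CERTIFICATE NameForMyServerCert
    FROM FILE = 'C:\BackupLocation\Certificate'
    WITH PRIVATE KEY (FILE = 'C:\BackupLocation\PrivateKey',
                      DECRYPTION BY PASSWORD = 'PasswordToEncryptBackup');
GO
```

If RESTORE MASTER KEY reports that some keys it protects cannot be decrypted, do not reach for the FORCE option until you understand which keys those are, as FORCE accepts the loss of anything it cannot re-encrypt.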

Once the master certificate and the certificate used to encrypt the database have been re-created you can then restore your database. However, because the database has been encrypted you will not be able to use the GUI to restore it; instead you will need to use T-SQL.

An example of the code to use is below. First we open the Master Key so that it can be used, and then we just perform a standard restore. The one below restores to a database with a different name and moves the data into different files, as I was restoring to an alternative instance on the same server.

USE master;
GO

-- Open the master key with its password so the certificate's private key can be used
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'Password1';
GO

-- Standard restore, renaming the database and relocating the data and log files
RESTORE DATABASE [AVWorks] FROM DISK = N'E:\Backup\AdventureWorks.bak'
WITH FILE = 2,
     MOVE N'AdventureWorks_Data' TO N'E:\DATA\AVWorks.mdf',
     MOVE N'AdventureWorks_log' TO N'F:\Data\AVWorks_log.ldf',
     NOUNLOAD, REPLACE, STATS = 10;
GO

Once restored your data will still be encrypted but will be accessible once more to authorised users.


Commenting in SQL Scripts

As you probably know, it’s a good idea to comment any script or other development work that you do. Adding comments to a SQL script is very easy, simply prepend any comments with two hyphens and whatever you type on that row will be a comment.

If you want to enter a block of comments then add /* at the start of the comment block and */ at the end. Doing this means you can type freely without the need to add -- at the start of each line.

Finally, if you want to comment against an individual line of code, just enter -- at the start of your comment on the same line, after the code.

Commenting your code is exceptionally easy and when you return to review what you have done months or even years later helps you understand the flow of the solution and why you made certain decisions.


Adding Company Knowledge in SCOM 2007 R2

One of the best things about System Center Operations Manager is the ability to add Company Knowledge to its database. What this means is that when an error occurs (when a monitor creates an alert) you can add company knowledge stating why that alert occurs in your environment and how to resolve the situation. The next time the issue occurs you have the knowledge of how to resolve it to hand. In any environment with more than one administrator in IT this can drastically reduce the Time To Fix for any issue, as individual administrators do not need to keep re-inventing the wheel every time a situation occurs.

So, how do you configure this? Well, it's rather simple really. You just need to install a compatible version of Word (2003, 2007 or 2010 Professional Edition – 32-bit only, no 64-bit Word support – at the latest service pack) and also the Microsoft Visual Studio 2005 Tools for the Microsoft Office System onto any system running the Operations Manager Console. Word needs to have .NET programmability support enabled. If not, you will get the error "Failed to launch Microsoft word. Please make sure Microsoft word is installed".

If you do need to add in programmability support then click on “Add or Remove Programs” or similar in Control Panel, select your version of Office and select Modify or Change as appropriate.


Select Add or Remove Features and click on "Continue".

Change .NET Programmability Support to Run From My Computer and click on "Continue".

It's a best practice to access the Root Management Server using the console remotely rather than on the server itself, as this reduces load on the RMS. That is, from a Management Workstation (or an administrator's laptop). In this regard, it's usual that a full / default installation of Office has already taken place and a separate additional licence for Word is not required, as would be the case if Word were installed directly on the Root Management Server.

Microsoft Visual Studio 2005 Tools for the Microsoft Office System can be downloaded from http://go.microsoft.com/fwlink/?LinkId=74969. This is the version you will need to install even if you are installing Office 2010.

To install the SCOM console you will need the .NET Management Frameworks 2.0 and 3.0 installed. If you also want to install the command shell then install PowerShell 2.0 first.

Once the prerequisites, console, Word and Visual Studio Tools have been installed, Company Knowledge can be updated. Simply right-click the appropriate object and click on Properties.

Click on the Company Knowledge tab and click on “New” to create a new management pack if appropriate.

Name the Management Pack in a fashion that will allow you to identify it later and add in some descriptive text. Click on “Next“.

Click on “Create” to create the new management pack.

You will then be returned to the original company knowledge screen. Click on the “Edit” button to edit the company knowledge for this item.

Word will launch and you can enter information in the template.

Ensure that you click on the "Save" button before closing the Word interface. The Company Information will now be held against the individual item. Ensure you also click on the "Save" button on the Company Knowledge tab.

If an alert is created for this item in future then the Company Knowledge tab is populated.


As knowledge of items and their resolution increases you can click on “Edit Monitor” to take you to the monitor that fired the alert and update the Company Information. As you can see a little effort means that knowledge of how to maintain the network and services need no longer reside in the heads of individual technicians and engineers but can be immediately available to all members of the team.


Create your own Event Viewer Entries

There's a little-known tool that sits on your computer called eventcreate.exe. It's a command line tool and it lets you create your own event log entries in the Event Viewer (but not in the Security log, for obvious reasons). You can create any event with an event ID up to 1000 (events above that value tend to be used by Microsoft).

To use the tool simply go to a command prompt and create an event with the appropriate switches – you can get a list of all of these and an example of how to use the tool by entering eventcreate /? at the command prompt.

Why would you want to do this? Well, one thing is to test any monitoring tools you have. The other is that you can call the tool to easily write to the event log from any scripts you create; for example, when deploying software from a batch file you can write an event to the log showing that the software was deployed.

My favourite use is around April Fools Day. A typical example would be:

EVENTCREATE /T ERROR /ID 69 /L APPLICATION /SO iexplore.exe /D "<username> has now spent a total of 465 hours browsing www.facebook.com this calendar year"

Just run the command using a remote command prompt on the user's machine, then ask them why you have received an alert about their browsing and point them to the event log.