Windows server 2003 licencing

"Guy Macon" http://www.guymacon.com/ wrote in message
...
How is WebX going to allow a user at home to login to a system
in the office?

The WebX thin client runs on Internet Explorer. A ClearSCADA-specific
ActiveX control is downloaded from the WebX server. Data is displayed
to the users as secure XML and HTML pages on standard web ports with
128-bit SSL encryption.

All that is required is a bog-standard installation of Windows, a
firewall that allows web access, and a local user willing to click
the button giving the remote user control of his desktop.

So my requirement is for access to a remote machine without any manual
intervention.


And why in the name of security would I ever allow a third party
computer that I do not administer to have access through our firewall
to our most sensitive infrastructure?

Unless you are blocking web access or blocking all ActiveX
(really blocking it, not just requiring the user to click on
a permission dialog box), you already are allowing a third
party computer that you do not administer to have access through
your firewall to whatever the logged in user can access.

On DMZ hosts, we certainly do block outgoing access to just about
everything.


If you are allowing ordinary users access to your "most sensitive
infrastructure", that's another problem. I will assume that is
hyperbole.

We allow the people who need access to services access to those services,
not more and not less.


Your mileage may vary, and I am the first to understand that the software
RAID approach has many shortcomings. But for low importance end user
computers, they have proven themselves over and over.

In my opinion. you should set up a system that cannot lose data
no matter what the failure mode is. Back up the configuration,
operating system and apps -- the things that don't change from
day to day -- and keep your data on redundant network storage.

You mean put end users directly onto the SAN and have them boot from it?
That's something I have always wanted to do but have misgivings about how
reliable it might be, and of course we would have to wire fibre everywhere.
I keep waiting for iSCSI to get cheap and easy, and it's getting close to
the witching hour on that one.

--
Will



--
Guy Macon
http://www.guymacon.com/

In my opinion. you should set up a system that cannot lose data
no matter what the failure mode is. Back up the configuration,
operating system and apps -- the things that don't change from
day to day -- and keep your data on redundant network storage.

You mean put end users directly onto the SAN and have them boot from it?
That's something I have always wanted to do but have misgivings about how
reliable it might be, and of course we would have to wire fibre
everywhere.
I keep waiting for iSCSI to get cheap and easy, and it's getting close to
the witching hour on that one.

--
Will


you are totally missing the point of Guys feedback.

"Nut Cracker" wrote in message
t...
In my opinion. you should set up a system that cannot lose data
no matter what the failure mode is. Back up the configuration,
operating system and apps -- the things that don't change from
day to day -- and keep your data on redundant network storage.

You mean put end users directly onto the SAN and have them boot from it?
That's something I have always wanted to do but have misgivings about
how
reliable it might be, and of course we would have to wire fibre
everywhere.
I keep waiting for iSCSI to get cheap and easy, and it's getting close
to
the witching hour on that one.

--
Will


you are totally missing the point of Guys feedback.

So make his point?

If his point is make backups, then sure of course we make backups. But
backups take time and backups don't actually always guarantee a recovery.

Hardware RAID is fine, but it has failure modes as well, and for simple end
user machines can be problematic to effect recoveries that are software
based corruption and not hardware failures.

Software RAID has for us worked well for such machines. It's not the only
recovery method we use.

And I may indeed have missed his point so I would appreciate someone
elaborating it.

--
Will

Nut Cracker wrote:

The more i think about it, the less suited WebX is for this guy. He says he
needs multiple independent sessions on his desktops. Yes, this baffles me
too. WebX gives secure sharing of a desktop session, but does not setup or
make available independent sessions on systems that dont normally support
them (like XP). So, WebX is out. I mentioned it in the beginning of this
thread because i wrongly assumed he wanted to shadow his users via RDP
sessions for support and whatnot.

Ah. I had the same impression.

It sounds to me like what he needs is a bunch of XP workstations, and a
proper terminal server solution for all these sessions. That would be the
conventional, and supported approach. Whatever it is that needs to be run by
several people at the same time should be in stalled on a server, and the
users can TS to that and have all the sessions they want. Yes, there is a
marginal cost per TS CAL, but when compared to licensing a large number of
server OS's for the desktop, the cost of the CAL's should be viewed as a
savings.

Sounds reasonable. At this point I would like to see a list of
applications and tasks before commenting further based on possibly
wrong assumptions.

--
Guy Macon
http://www.guymacon.com/

Will wrote:

Nut Cracker wrote

Will wrote:

Guy Macon http://www.guymacon.com/

In my opinion. you should set up a system that cannot lose data
no matter what the failure mode is. Back up the configuration,
operating system and apps -- the things that don't change from
day to day -- and keep your data on redundant network storage.

You mean put end users directly onto the SAN and have them boot
from it?

you are totally missing the point of Guys feedback.

So make his point?

If his point is make backups, then sure of course we make
backups. But backups take time and backups don't actually
always guarantee a recovery.

Hardware RAID is fine, but it has failure modes as well,
and for simple end user machines can be problematic to
effect recoveries that are software based corruption and
not hardware failures.

Software RAID has for us worked well for such machines.
It's not the only recovery method we use.

And I may indeed have missed his point so I would
appreciate someone elaborating it.

Will, please don't trim the "X wrote" lines when you reply.
It makes it hard to see who wrote what, and I have to go back
and manually recreate them every time I reply to you.

Let's look at your comments one at a time:

You mean put end users directly onto the SAN and have them boot
from it?

No. That's another technique with it's own advantages and
disadvantages.

I am saying keep DATA on a server. When the user composes an
email, writes a document, crates a spreadsheet, etc., save it
on a fileserver, not on his local hard disk. Design the
system so that no single failure of the fileserver system
will result in any data loss.

Back up the OPERATING SYSTEM and APPLICATIONS -- the things
that don't change. If designed properly, you can set the
user's PC on fire, buy him a replacement, do a restore, and
he will be exactly where he was before the fire without
having lost one single byte of data.

If his point is make backups, then sure of course we make
backups. But backups take time

They don't take time on my network. They happen automatically
every night.

and backups don't actually always guarantee a recovery.

The come a heck of a lot closer to guaranteeing a recovery
than software RAID does! I run a nightly backup and once
a month I do a test restore to a spare PC I keep on the
shelf and then swap it with the PC on one of the user's
desktops, making his old system a spare on the shelf. What
are the odds that this well-tested system will suddenly not
work when there is an actual failure?

Hardware RAID is fine, but it has failure modes as well,
and for simple end user machines can be problematic to
effect recoveries that are software based corruption and
not hardware failures.

And software RAID allows recovery in that situation...how?

Software RAID has for us worked well for such machines.
It's not the only recovery method we use.

It's not a recovery method at all. RAID does two things
and does them well: it lets you keep running after a hard
disk failure, and it increases I/O performance if the speed
of the drives is the bottleneck. A proper backup/recovery
method lets you recover from a hard disk crash, a fire, a
stolen computer, malware deleting all your data, a windows
update that leaves the computer unbootable, someone booting
from a DOS diskette and formatting the drives -- in short,
from any data loss. RAID -- hardware or software -- only
protects you from the hard disk crash.

Again I say, your best bet is to back up the configuration,
operating system and apps -- the things that don't change
from day to day -- and to keep your data on redundant
network storage. And don't be too much in love with
something just because it has worked for you in the past.


--
Guy Macon
http://www.guymacon.com/

"Guy Macon" http://www.guymacon.com/ wrote in message
...
I am saying keep DATA on a server. When the user composes an
email, writes a document, crates a spreadsheet, etc., save it
on a fileserver, not on his local hard disk. Design the
system so that no single failure of the fileserver system
will result in any data loss.

I agree with this. I would go a step further and say that someday I dream
of keeping both the applications and data on servers, and going to a pure
thin client architecture for access from the end user's workstations. It's
nirvana, and with very limited human and financial resources we crawl in
that direction, and I think we will get there.


Back up the OPERATING SYSTEM and APPLICATIONS -- the things
that don't change. If designed properly, you can set the
user's PC on fire, buy him a replacement, do a restore, and
he will be exactly where he was before the fire without
having lost one single byte of data.

Sure, but I've seen full machine restores from tape fail to work (inevitably
some critical open file was locked, or if you had an open file agent it
caught the file in a transition state, etc). My ideal backup product would
let me do exactly what software RAID 1 does, but the target would be a file
instead of a drive. You could create the mirror image with all files
open, break the mirror, then backup the mirror to tape. Once Symantec
releases the free version of its wonderful StorageFoundation product later
this year, I'm tempted to use that to break the mirror each night, backup
the broken disk (which would have no open files because it is no longer the
system drive in use), then recreate the mirror after the backup finishes.


If his point is make backups, then sure of course we make
backups. But backups take time

They don't take time on my network. They happen automatically
every night.

My bad. I meant restores take time, not backups. The point is a system
disk failure when you have a duplicate drive can be recovered quickly, in
the background, while the user works. All of our end user workstations
use hotswap drives. Restores from tape can take one plus hour, and
inevitably when they are done sometimes the system won't boot, or will boot
with a corrupted configuration.


and backups don't actually always guarantee a recovery.

The come a heck of a lot closer to guaranteeing a recovery
than software RAID does! I run a nightly backup and once
a month I do a test restore to a spare PC I keep on the
shelf and then swap it with the PC on one of the user's
desktops, making his old system a spare on the shelf. What
are the odds that this well-tested system will suddenly not
work when there is an actual failure?

I commend you for doing regular test restores. It's all about time and
resources.

However, I wasn't saying software RAID was a replacement for backups. I
was saying software RAID gives an additional restore capability beyond what
backups give.


Hardware RAID is fine, but it has failure modes as well,
and for simple end user machines can be problematic to
effect recoveries that are software based corruption and
not hardware failures.

And software RAID allows recovery in that situation...how?

Let's take an example like you a bad software install that altered your
registry and corrupted something in system32 and you cannot even boot:

We keep seven backups of the registry on the hard drive, made nightly by a
scheduled task. We remove the Windows boot drive from the system, and take
it to any server where you can mount the drive and import its configuration.
We manually backup the old (corrupt) c:\windows\system32\config directory,
then overwrite it with the last known good working registry files. If
needed, we backup the (corrupted) system32, then we can then restore from
tape (or on disk system state backups) the last known good image of
system32. Since the drive we operate on in this case is not the active
system drive, none of these critical files are locked.

Being able to work with the system drive in this offline state has saved so
many systems so many times I am just sold on its value. It does not
replace backups. It complements them.

--
Will

("Guy Macon wrote" added by hand. Again. Please don't delete the
attributions. Without them it is hard to figure out who wrote what.)

Will wrote:

However, I wasn't saying software RAID was a replacement for backups. I
was saying software RAID gives an additional restore capability beyond what
backups give.

I agree.

Sure, but I've seen full machine restores from tape fail to work (inevitably
some critical open file was locked, or if you had an open file agent it
caught the file in a transition state, etc).

Read about Volume Shadow Copy Service he
http://en.wikipedia.org/wiki/Volume_Shadow_Copy_Service
http://technet2.microsoft.com/Window...w+Copy+Service

Do practice restores. After seeing the resore happen without a
problem a couple of hundred ties, you will be assured that the
backup/restore process doesn't suffer from the problem described
above.

Hardware RAID is fine, but it has failure modes as well,
and for simple end user machines can be problematic to
effect recoveries that are software based corruption and
not hardware failures.

(Guy Macon http://www.guymacon.com/ wrote

And software RAID allows recovery in that situation...how?

Let's take an example like you a bad software install that altered your
registry and corrupted something in system32 and you cannot even boot:

We keep seven backups of the registry on the hard drive, made nightly by a
scheduled task. We remove the Windows boot drive from the system, and take
it to any server where you can mount the drive and import its configuration.
We manually backup the old (corrupt) c:\windows\system32\config directory,
then overwrite it with the last known good working registry files. If
needed, we backup the (corrupted) system32, then we can then restore from
tape (or on disk system state backups) the last known good image of
system32. Since the drive we operate on in this case is not the active
system drive, none of these critical files are locked.

Being able to work with the system drive in this offline state has saved so
many systems so many times I am just sold on its value. It does not
replace backups. It complements them.

You appear to be under the false impression that for some reason you
can do the above with software RAID 1 but cannot do the above with
hardware RAID 1. If so, I believe that you are mistaken. If not, I
don't understand what you mean when you write

"For simple end user machines [Hardware RAID] can be
problematic to effect recoveries that are software
based corruption and not hardware failures."

I am also having trouble understanding this bit:

"We remove the Windows boot drive from the system, and take
it to any server where you can mount the drive [...] Since
the drive we operate on in this case is not the active
system drive, none of these critical files are locked."

Again, the behavior of software RAID 1 and hardware RAID 1 are
identical in the situation you describe. Also, I don't see how
any file on the newly-mounted drive can possibly be locked.
Read more about file locking he
http://en.wikipedia.org/wiki/File_locking
http://technet2.microsoft.com/Window...ile+Locking%22

(When you reply, please don't delete the attributions.
Doing that makes it hard to figure out who wrote what.)

--
Guy Macon
http://www.guymacon.com/

"Will" wrote

Software RAID has for us worked well for such machines. It's not the
only
recovery method we use.


Software RAID is NOT a recovery method AT ALL. It is redundancy to improve
uptime.

If a sysadmin is telling you that RAID is a disaster recovery method, then
you ought to look at replacing the sysadmin.

"Guy Macon" http://www.guymacon.com/ wrote

("Guy Macon wrote" added by hand. Again. Please don't delete the
attributions. Without them it is hard to figure out who wrote what.)

I guessed from the writing styles...


Will wrote:

However, I wasn't saying software RAID was a replacement for backups. I
was saying software RAID gives an additional restore capability beyond
what
backups give.

I agree.

I don't. RAID gives you redundancy through uptime. Not "restore capability"

Sure, but I've seen full machine restores from tape fail to work
(inevitably
some critical open file was locked, or if you had an open file agent it
caught the file in a transition state, etc).

So have I. Invariably because the people assume that their backup is good
because they do it. You need to TEST your bckup and make sure that you can
use it to recover a machine if needs be. Otherwise, there's not much point
in doing it.

Reminds me of the story of a guy who wiped a machine, then rang us up to ask
how to restore from backup. He had a tape, but he didn't know what backup
software they used to create the tape with.

Do practice restores. After seeing the resore happen without a
problem a couple of hundred ties, you will be assured that the
backup/restore process doesn't suffer from the problem described
above.

Indeed. There speaks the voice of experience.


"For simple end user machines [Hardware RAID] can be
problematic to effect recoveries that are software
based corruption and not hardware failures."

RAID is not appropriate at all for simple end user machines. By the time
you've put RAID into 5 PCs, you could have better spent the money on a 6th
PC. Then you ALWAYS have a spare that you can swap out at the drop of a hat
to work on the PC that has a problem.

I am also having trouble understanding this bit:

"We remove the Windows boot drive from the system, and take
it to any server where you can mount the drive [...] Since
the drive we operate on in this case is not the active
system drive, none of these critical files are locked."

WTF??? Have you ever heard of OBDR?
Google it and see what comes up.

ODBR is good for servers in small environments (few servers). For PCs, you
backup any data to a server and reimage / reinstall the PC if necessary.

"Guy Macon" http://www.guymacon.com/ wrote in message
news
Read about Volume Shadow Copy Service he
http://en.wikipedia.org/wiki/Volume_Shadow_Copy_Service

http://technet2.microsoft.com/Window...w+Copy+Service

I read through that and it's great technology. How can you enable Volume
Shadow Copies of entire volumes on Windows XP Professional SP2? I see the
service installed under Windows XP, but I don't see any properties tab to
support it on any Windows XP volume. Perhaps it is used silently only by
the backup utility and there is no opportunity to control features like the
volume on which the shadow copy is placed?


You appear to be under the false impression that for some reason you
can do the above with software RAID 1 but cannot do the above with
hardware RAID 1. If so, I believe that you are mistaken. If not, I
don't understand what you mean when you write

"For simple end user machines [Hardware RAID] can be
problematic to effect recoveries that are software
based corruption and not hardware failures."

Let's say I have a mirrored hardware RAID volume. How can I work with it
in the case it does not boot. There are a variety of ways, all of them more
painful and sometimes destructive of data:

- I can install a parallel OS. That takes time. Sometimes there is not
enough space left on the drive as well.

- I can remove the drive and install to an identical hardware RAID
controller on another machine. However sometimes you don't have an
identical controller. It takes time to set up the environment and use it.
I have also had cases where importing a foreign drive to a RAID controller
simply erased the volume. Finally, I find that many junior
administrators simply don't "get it" when dealing with many different BIOS
level control interfaces for hardware RAID controllers. It means special
training for each kind of hardware RAID.

So while possible, it is rarely convenient, and it is not without some risk.


I am also having trouble understanding this bit:

"We remove the Windows boot drive from the system, and take
it to any server where you can mount the drive [...] Since
the drive we operate on in this case is not the active
system drive, none of these critical files are locked."

Again, the behavior of software RAID 1 and hardware RAID 1 are
identical in the situation you describe.

Not identical at all. A volume prepared by one make and model of hardware
RAID controller cannot be read by another make and model of hardware RAID
controller. With software RAID, I can take the volume to any Windows
server and mount it, and I simply don't care whose SCSI or SATA controller
is installed on that server. It's JBOD at that point. 90% of the
hardware RAID solutions I have used do not allow their disks to be read by a
JBOD SCSI controller of a different make/model.


Also, I don't see how
any file on the newly-mounted drive can possibly be locked.
Read more about file locking he
http://en.wikipedia.org/wiki/File_locking

http://technet2.microsoft.com/Window...ile+Locking%22

You forgot to read the words "none of" in front of "these critical files are
locked." I was saying that you do NOT deal with locked files when you
mount the drive on a foreign system, and you read it as the inverse.

--
Will