100 things net admin tasks


    Copyright 2005 CNET Networks, Inc. All rights reserved.

    For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html

    Version 1.0 November 7, 2005

    100 things you should know about handling net admin tasks more effectively

    This collection of tips comes from TechRepublic downloads written by David Davis, Scott Lowe, Scott Robinson, Deb Shinder, Dr. Thomas W. Shinder, and Rick Vanover. To see a current listing of "10 things" resources, click here.

    Table of contents

    10 things you should know about troubleshooting VPN connections (page 2)
    10 things you should know about securing wireless connections (page 5)
    10 things you should know about AD domain trusts (page 7)
    10 things you should know about the NETSH tool (page 9)
    10 things you should know about working with permissions (page 12)
    10 things you should know about Microsoft SQL Server 2005 (page 15)
    10 things you should know about Microsoft SharePoint Services (page 17)
    10 things you should know about Microsoft Windows Server Update Services (WSUS) (page 20)
    10 things you should know about Cisco IOS access control lists (ACLs) (page 22)
    10 things you should know about managing IT projects (page 25)


    10 things you should know about troubleshooting VPN connections

    Users can't access file servers

    If the user can access the file server using an IP address but not a name, then the most likely reason for failure to connect is a name resolution problem. Name resolution can fail for NetBIOS or DNS host names. If the client operating system is NetBIOS dependent, the VPN clients should be assigned a WINS server address by the VPN server. If the client operating system uses DNS preferentially, VPN clients should be assigned an internal DNS server that can resolve internal network host names.

    When using DNS to resolve internal network host names for VPN clients, make sure that these clients are able to correctly resolve unqualified names as well as the fully qualified domain names used on the corporate network. This problem is seen most often when non-domain computers attempt to use DNS to resolve server names on the internal network behind the VPN server.

    Users can't access anything on the corporate network

    Sometimes users will be able to connect to the remote access VPN server but are unable to connect to any resources on the corporate network. They are unable to resolve host names and unable to even ping resources on the corporate network. The most common reason for this problem is that users are connected to a network with the same network ID as the corporate network located behind the VPN server. For example, the user is connected to a hotel broadband network and is assigned a private IP address on network ID 10.0.0.0/24. If the corporate network is also on network ID 10.0.0.0/24, they won't be able to connect, because the VPN client machine sees the destination as being on the local network and will not send the connection to the remote network through the VPN interface. Another common reason for communications failures is that the VPN clients are not allowed access to resources on the corporate network due to firewall rules on the colocated VPN server/firewall device to which they are connected. The solution is to configure the firewall to allow the VPN clients access to the appropriate network resources.

    Users can't connect to VPN server from behind NAT devices

    Most firewalls and NAT routers support the PPTP VPN protocol from behind a NAT. However, some high-profile network equipment vendors don't include a NAT editor for the PPTP VPN protocol. If the user is located behind such a device, the VPN connection will fail for PPTP attempts but may work for alternate VPN protocols. All NAT devices and firewalls support IPSec passthrough for IPSec-based VPN protocols. These VPN protocols include proprietary implementations of IPSec tunnel mode and RFC-compliant L2TP/IPSec. These VPN protocols can support NAT traversal by encapsulating the IPSec communications in a UDP header.

    If your VPN client and server support NAT traversal and the client attempts to use L2TP/IPSec to connect to a NAT-T compliant VPN server from across a NAT, the most likely reason for this failure is that the client is running Windows XP Service Pack 2. Service Pack 2 broke NAT traversal for L2TP/IPSec VPN clients. You can solve this problem with a Registry entry on the VPN client computer, as described in a KB article at http://support.microsoft.com/default.aspx?scid=kb;en-us;885407.

    Users complain of slow performance

    Slow performance is one of the most difficult problems to troubleshoot. There are a number of reasons why VPN clients appear to perform poorly, and it's critical to have the users describe exactly what they are doing when they experience poor performance.

    One of the more common reasons for poor performance for VPN clients is when those clients are located behind DSL networks employing PPPoE. These network connections often encounter MTU problems that can cause both connectivity and performance issues. For more information on MTU issues for Windows clients, check out http://support.microsoft.com/default.aspx?scid=kb;en-us;283165.


    Users can connect via PPTP but not L2TP/IPSec

    PPTP is a simple protocol to set up on both the VPN server and client. All the user requires is the built-in VPN client software included with all versions of Microsoft operating systems and a valid user name and password for an account that has remote access permissions. The VPN server component, if based on Windows Routing and Remote Access Service (and just about any other VPN server supporting PPTP remote access VPN client connections), is easy to set up and usually works automatically after running a short configuration wizard.

    L2TP/IPSec is more complex. Both the user and the user's machine must be able to authenticate with the VPN server. Machine authentication can use either a pre-shared key or a machine certificate. If you use pre-shared keys (not recommended for security reasons), check that the VPN client is configured to use the same pre-shared key as the server. If you use machine certificates, confirm that the VPN client machine has a machine certificate and that it also trusts the certificate authority that issued the VPN server's machine certificate.

    Site-to-site VPNs connect but no traffic passes between the VPN gateways

    When creating site-to-site VPN connections between Windows RRAS servers, you may find that the VPN connection seems to be established, but traffic does not move between the connected networks. Name resolution fails between the networks and hosts are unable to even ping hosts on the remote site network.

    The most common reason for this failure is that both sides of the site-to-site network connection are on the same network ID. The solution is to change the IP addressing scheme on one or more networks so that all networks joined by the site-to-site VPN are on different network IDs.

    Users can't establish IPSec tunnel mode connections from behind some firewalls

    Often, the VPN server and clients are correctly configured to use IPSec tunnel mode or L2TP/IPSec NAT-T connections to connect to a remote VPN server, and the connection still fails. Sometimes, you'll see this happen after a first client makes a successful connection, but subsequent clients from behind the same NAT device fail.

    The reason for this problem is that not all IPSec NAT-T VPN servers are RFC compliant. RFC compliance requires that the destination NAT-T VPN server support IKE negotiations from source port UDP 500 and that they be able to multiplex connections from multiple clients behind the same VPN gateway.

    The solution to this problem is to contact your VPN server vendor and confirm that their implementation of VPN IPSec NAT-T is RFC compliant. If not, ask if there is a firmware update.

    Users can't reach some network IDs on the corporate network

    Users sometimes report that they can connect to some servers after establishing the VPN connection but not to other servers to which they should have access. When they test the connection, they can't ping the destination server using either a name or IP address.

    A common reason for this problem is that the VPN server does not have routing table entries for all network IDs that the VPN clients need to connect to. Users are able to connect to servers that are on-subnet with the VPN server but are unable to connect to network IDs remote from the VPN server. The solution to this problem is to populate the routing table on the VPN server so that it has a gateway address for every network ID that VPN clients must be able to reach.
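The three routing failures described above (a client LAN that overlaps a corporate network ID, the same overlap between site-to-site gateways, and a VPN server with no route to some corporate network IDs) all come down to longest-prefix matching. The following Python script is an added example, not part of the original TechRepublic download; the subnets and routing tables in it are constructed, and the route lookup is a simplified model of what the client or server would do.

```python
import ipaddress

# Constructed sample data (not from the original document): a laptop on a
# hotel LAN, the corporate network IDs behind the VPN server, and the routing
# tables of the client (VPN up) and of the VPN server.
HOTEL_LAN = "10.0.0.0/24"
CORP_NETS = ["10.0.0.0/24", "10.10.20.0/24", "192.168.50.0/24"]

# (destination network, next hop) pairs
CLIENT_ROUTES = [
    ("0.0.0.0/0", "vpn-tunnel"),            # VPN server is the default gateway
    ("10.0.0.0/24", "on-link hotel-wifi"),  # directly connected hotel LAN
]
SERVER_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),     # Internet default route
    ("10.0.0.0/24", "on-link"),       # the VPN server's own subnet
    ("10.10.20.0/24", "10.0.0.254"),  # one remote corporate network, via a router
]


def longest_prefix_match(routes, dst):
    """Return (network, next_hop) of the most specific route covering dst, or None.

    This is the rule every IP stack applies: a directly connected /24 always
    beats a /0 default route that points into the VPN tunnel.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net_str, next_hop in routes:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def overlapping_networks(local_net, corp_nets):
    """Corporate network IDs that overlap the client's local LAN.

    Traffic for these never enters the tunnel, because the client considers
    the destination local (the same-network-ID failure described above).
    """
    local = ipaddress.ip_network(local_net)
    return [n for n in corp_nets if ipaddress.ip_network(n).overlaps(local)]


def missing_server_routes(server_routes, corp_nets):
    """Corporate network IDs the VPN server can reach only through its default
    route, i.e. networks for which a routing table entry should be added."""
    missing = []
    for n in corp_nets:
        net = ipaddress.ip_network(n)
        probe = str(net.network_address + 1)  # first usable host in the network
        match = longest_prefix_match(server_routes, probe)
        if match is None or match[0].prefixlen == 0:
            missing.append(n)
    return missing


def diagnose(local_net, corp_nets, client_routes, server_routes):
    """Combine the checks into one report a help desk could walk through."""
    report = {
        "overlap": overlapping_networks(local_net, corp_nets),
        "server_missing_routes": missing_server_routes(server_routes, corp_nets),
        # where a packet to the first host of each corporate network leaves the client
        "client_next_hop": {
            n: longest_prefix_match(
                client_routes, str(ipaddress.ip_network(n).network_address + 1))[1]
            for n in corp_nets
        },
    }
    return report


if __name__ == "__main__":
    for key, value in diagnose(HOTEL_LAN, CORP_NETS, CLIENT_ROUTES, SERVER_ROUTES).items():
        print(f"{key}: {value}")
```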


    Users can't connect to the Internet when connected to the VPN server

    Sometimes, users are unable to connect to the Internet after the VPN link is established. Once the VPN link is disconnected, the users have no problem connecting to the Internet.

    This problem arises when the VPN client software is configured to use the VPN server as its default gateway. This is the default setting for the Microsoft VPN client software. Since all Internet hosts are remote from the VPN client's location, Internet connections are routed to the VPN server. If the VPN server is not configured to allow Internet connections from VPN clients, the Internet connection attempts fail.

    The solution to this problem is to configure the VPN server to allow VPN clients access to the Internet. The Windows RRAS server supports this configuration, and so do many firewalls. Resist the urge to disable the setting configuring the VPN client to use the VPN server as its default gateway, as this enables split tunneling, which is a well-known VPN client security risk.

    Multiple users connect to the VPN server using the same PPP authentication credentials

    A risk for all organizations implementing remote access VPN servers is that users will share username and password information with one another. Most VPN server implementations enable you not only to authenticate users before allowing a VPN connection, but also to authorize a VPN connection. A user might be able to successfully authenticate, but if that user is not authorized to access the network via VPN, the connection request is dropped. If users share credentials, this creates a situation where an unauthorized user can access the network with an authorized user's credentials.

    A solution to this problem is to use an extended authentication scheme. For example, you can assign users client (user) certificates for authentication, so that user credentials are never entered by the user. Other schemes include smart card authentication, biometric authentication, and other forms of two-factor authentication.


    10 things you should know about securing wireless connections

    Use encryption

    Encryption is the number one security measure, but many wireless access points (WAPs) don't have encryption enabled by default. Although most WAPs support the Wired Equivalent Privacy (WEP) protocol, it's not enabled by default. WEP has a number of security flaws, and a knowledgeable hacker can crack it, but it's better than no encryption at all. Be sure to set the WEP authentication method to shared key rather than open system. The latter does not encrypt the data; it only authenticates the client. Change the WEP key frequently and use 128-bit WEP rather than 40-bit.

    Use strong encryption

    Because of WEP's weaknesses, you should use the Wi-Fi Protected Access (WPA) protocol instead of WEP if possible. To use WPA, your WAP must support it (you may be able to add support to an older WAP with a firmware upgrade); your wireless network interface cards (NICs) must support it (again, a firmware update may be necessary); and your wireless client software must support it. Windows XP Service Pack 2 installs the WPA client. SP1 machines can be updated to support WPA by installing the Windows WPA client with the Wireless Update Rollup Package (see http://support.microsoft.com/kb/826942/). Another encryption option is to use IPsec, if your wireless router supports it.

    Change the default administrative password

    Most manufacturers use the same default administrative password for all their wireless access points (or at least, all those of a particular model). Those default passwords are common knowledge among hackers, who can use them to change your WAP settings. The first thing you should do when you set up a WAP is change the default password to a strong password (eight characters or more in length, using a combination of alpha and numeric characters, not using words that are in the dictionary).

    Turn off SSID broadcasting

    The Service Set Identifier (SSID) is the name of your wireless network. By default, most WAPs broadcast the SSID. This makes it easy for users to find the network, as it shows up in the list of available networks on their wireless client computers. If you turn off broadcasting, users will have to know the SSID to connect. Some folks will tell you that turning off SSID broadcasting is useless because a hacker can use packet sniffing software to capture the SSID even if broadcasting is turned off. That's true, but why make it easier for them? That's like saying burglars can buy lockpicks, so locking the door is useless. Turning off broadcasting won't deter a serious hacker, but it will protect from the casual piggybacker (for example, a next-door neighbor who notices the new network and decides to try connecting just for fun).

    Turn off the WAP when not in use

    This one may seem simplistic, but few companies or individuals do it. If you have wireless users connecting only at certain times, there's no reason to run the wireless network all the time and provide an opportunity for intruders. You can turn off the access point when it's not in use, such as at night when everyone goes home and there is no need for anyone to connect wirelessly.


    Change the default SSID

    Manufacturers provide a default SSID, often the equipment name (such as Linksys). The purpose of turning off SSID broadcasting was to prevent others from knowing the network name, but if you use the default name, it's not too difficult to guess. As mentioned, hackers can use tools to sniff the SSID, so don't change the name to something that gives them information about you or your company (such as the company name or your physical address).

    Use MAC filtering

    Most WAPs (although not some of the cheapest ones) will allow you to use media access control (MAC) address filtering. This means you can set up a sort of white list of computers that are allowed to connect to your wireless network, based on the MAC or physical addresses assigned to their network cards. Communications from MAC addresses that aren't on the list will be refused.

    The method isn't foolproof, since it's possible for hackers to capture packets transmitted over the wireless network, determine a valid MAC address of one of your users, and then spoof the address. But it does make things more difficult for a would-be intruder, and that's what security is really all about.

    Isolate the wireless network from the rest of the LAN

    To protect your wired internal network from threats coming over the wireless network, create a wireless DMZ or perimeter network that's isolated from the LAN. That means placing a firewall between the wireless network and the LAN. Then you can require that, in order for any wireless client to access resources on the internal network, he or she will have to authenticate with a remote access server and/or use a VPN. This provides an extra layer of protection.

    For instructions on how to allow VPN access to your network from a wireless DMZ created with Microsoft's ISA Server firewall, see http://techrepublic.com.com/5100-6350_11-5807148.html. [You'll need a TechProGuild subscription to access this content.]

    Control the wireless signal

    The typical 802.11b WAP transmits up to about 300 feet. However, this range can be extended by a more sensitive antenna. By attaching a high gain external antenna to your WAP, you can get a longer reach, but this may expose you to war drivers and others outside your building. A directional antenna will transmit the signal in a particular direction, instead of in a circle like the omnidirectional antenna that usually comes built into the WAP. Thus, through antenna selection you can control both the signal range and its direction to help protect from outsiders. In addition, some WAPs allow you to adjust signal strength and direction via their settings.

    Transmit on a different frequency

    One way to hide from hackers who use the more common 802.11b/g wireless technology is to go with 802.11a instead. Since it operates on a different frequency (the 5 GHz range, as opposed to the 2.4 GHz range in which b/g operate), NICs made for the more common wireless technologies won't pick up its signals. Sure, this is a type of security through obscurity, but it's perfectly valid when used in conjunction with other security measures. After all, security through obscurity is exactly what we advocate when we tell people not to let others know their social security numbers and other identification information.

    A drawback of 802.11a, and one of the reasons it's less popular than b/g, is that the range is shorter: about half the distance of b/g. It also has difficulty penetrating walls and obstacles. From a security standpoint, this disadvantage is actually an advantage, as it makes it more difficult for an outsider to intercept the signal even with equipment designed for the technology.


    10 things you should know about AD domain trusts

    Determine what kind of trust you should use

    Before deploying a domain trust, you should ensure that the type(s) used are correct for the tasks at hand. Consider the following dimensions of a trust:

    Type: Identifies the types of domains involved in the trust(s).
    Transitivity: Determines whether one trust can let a trusted domain pass through to a third domain.
    Direction: Identifies the direction of access and trust (trusted accounts and trusting resources).

    Type              Transitivity                  Direction
    Parent and Child  Transitive                    2-way
    Tree-root         Transitive                    2-way
    External          Nontransitive                 1-way OR 2-way
    Realm             Transitive or Nontransitive   1-way OR 2-way
    Forest            Transitive                    1-way OR 2-way
    Shortcut          Transitive                    1-way OR 2-way

    Get familiar with the Active Directory Domains And Trusts Console

    Trust relationships are managed via the Active Directory Domains And Trusts Console. It lets you perform these basic tasks:

    Raise domain functional level
    Raise forest functional level
    Add UPN suffixes
    Manage domain trust
    Manage forest trust

    For details on using this tool, see "TechRepublic Guided Tour: Active Directory Domains And Trusts Console." (Note: A TechProGuild membership is required to access the article.)

    Know the tools

    As with most other elements of the Windows Server family, command-line tools can be used to script repetitive tasks or to ensure consistency in the case of trust creation. Some of the top tools include:

    NETDOM: Used to establish or break trust types.

    NETDIAG: The output of this tool can give basic status on trust relationships.

    NLTEST: Can be used to verify a trust relationship.

    You can also use Windows Explorer to view membership to shared resources as they are assigned from trusted domains and/or forests. Active Directory Users And Computers can also provide membership details of Active Directory Objects that have members from trusted domains and/or forests.

    Set up a test environment

    Depending on your environment and usage requirements, a simple mishap in the creation of domain trusts can have enterprise-wide repercussions. But it's difficult to set up a completely similar test environment to replicate multi-domain and forest issues. Having similar domain scenarios is easier to facilitate, as a means to reinforce the principles and test basic functionality. Consider also template Active Directory objects to test on the live domain relationships to ensure that the desired functionality is obtained but not exceeded before using live groups, accounts, and other objects.

    Review privileges

    When trusts are created, it's important to ensure that the desired functionality is achieved. But be sure to review the configured trust to verify that the direction of access is correct. For example, if domain A needs to access only a limited amount of resources on domain B, a two-way trust would suffice. However, an administrator from domain B may then be able to assign access to resources on domain A. Ensuring the desired direction, type, and transitivity of trusts is critical.

    Map out the trusts

    Create a map of trusts with simple arrows and boxes illustrating which domains will be trusting and trusted and which trusts will be 1-way and 2-way. Then, with the simple picture(s) in place, map out which domains will trust which, and determine the transitivity as well. This simple chart will make more sense of the greater task at hand and allow you to determine which domains need access and in which direction. Some domains will simply act as a gateway for transitive access to other domains.
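As an added illustration of the "Review privileges" and "Map out the trusts" tips (this is example code, not from the original document or from Microsoft's tools), the following Python model computes which domains' resources an account can be granted access to from a set of trusts and prints the arrows for the map. It assumes a simplified rule: a direct trust always works in its own direction, and a chain only passes through trusts marked transitive.

```python
from collections import namedtuple

# A trust as the page describes it: the trusting domain holds the resources,
# the trusted domain holds the accounts. Access flows from trusted accounts to
# trusting resources; transitivity says whether the trust passes through.
Trust = namedtuple("Trust", "trusting trusted transitive")


def one_way(trusting, trusted, transitive=False):
    return [Trust(trusting, trusted, transitive)]


def two_way(a, b, transitive=False):
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def resource_domains_reachable(account_domain, trusts):
    """Domains whose resources an account from account_domain may be granted
    access to. Simplified model (assumption): direct trusts always count, and a
    multi-hop chain is followed only through trusts marked transitive."""
    reachable = {account_domain}
    frontier = []
    for t in trusts:
        if t.trusted == account_domain:
            reachable.add(t.trusting)
            if t.transitive:
                frontier.append(t.trusting)
    while frontier:
        hop = frontier.pop()
        for t in trusts:
            if t.trusted == hop and t.transitive and t.trusting not in reachable:
                reachable.add(t.trusting)
                frontier.append(t.trusting)
    return reachable


def access_matrix(domains, trusts):
    """{account_domain: sorted resource domains} for every domain: the review table."""
    return {d: sorted(resource_domains_reachable(d, trusts)) for d in domains}


def trust_map(trusts):
    """Arrows for the documentation: 'B -> A' means B trusts A, so accounts
    from A can be granted access to resources in B."""
    return sorted(
        f"{t.trusting} -> {t.trusted} ({'transitive' if t.transitive else 'nontransitive'})"
        for t in trusts
    )


if __name__ == "__main__":
    # Scenario from 'Review privileges': A needs a few resources in B.
    minimal = one_way("B", "A")   # B trusts A: only A's accounts cross over
    generous = two_way("A", "B")  # two-way: B's admins can also grant B accounts access in A
    print("one-way:", access_matrix(["A", "B"], minimal))
    print("two-way:", access_matrix(["A", "B"], generous))
    # Gateway domain from 'Map out the trusts': C trusts B and B trusts A, both
    # transitive, so A's accounts can be granted access in C without a direct trust.
    chain = one_way("B", "A", transitive=True) + one_way("C", "B", transitive=True)
    print("chain:  ", access_matrix(["A", "B", "C"], chain))
    print("\n".join(trust_map(chain)))
```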

    Document trust relationships

    As organizations marry (and divorce) in today's business world, it's important to have clear documentation of the trust inventory, and to make sure it's accessible without the trust or domain. For example, if you're in Domain B and your headquarters in Domain A sells your division and breaks your trust, your concise documentation saved on a server in Domain A does you little good. Document the type of trust, transitivity, direction, business need for the trust, anticipated duration of the trust, credentials, domain/forest principal information (name, DNS, IP addresses, locations, computer names, etc.), and contact person(s) for the corresponding domains.

    Avoid making trust relationships too deep

    In the interest of everyone's time, don't nest membership more than one level deep when using trusts in multiple domains and forests. Nesting membership can reduce the number of Active Directory objects to manage, but the effort of determining actual membership is greatly increased.

    Know how to manage different versions of Windows

    When running in Windows 2000 and Windows Server 2003 native mode for Active Directory, full functionality is maintained for member domains and forests. If any NT domains or member systems are present in the enterprise, their trust entry functionality is limited by the inability to recognize the Active Directory objects. A frequent strategy in this scenario is to have domain islands of those that don't connect to the more common enterprise infrastructure.

    Remove expired or overlapping trusts

    Changes in business organization may have left unused trusts in place on your domain. Clear out any trusts that are not actively being used. You should also ensure that the trusts you have are set up correctly for the required access and usage patterns. An audit of your trust inventory can be a strong supplement to your well-rounded security policy.


    10 things you should know about the NETSH tool

    What is NETSH?

    NETSH is one of the most powerful yet least known networking tools included with Windows 2000 and Windows Server 2003. It's installed by default and is located in the %systemroot%\system32 folder. NETSH is also available on Windows XP.

    NETSH enables you to display, modify, import, and export many aspects of the network parameters of a system. It can also connect remotely to other systems with a remote machine parameter (-r).

    Contexts for NETSH

    Contexts are specific dimensions of the network configuration that can be managed by NETSH. The commands and options within NETSH are context sensitive, and the same command may exist in multiple context areas but have different commands and results in each context. Here are the Windows Server 2003 NETSH context areas:

    Context        Description
    aaaa           Authentication, authorization, accounting, and auditing
    dhcp           DHCP server administration
    diag           OS and network service parameters
    interface      NIC configuration; includes subcontexts
    ipsec          Alternative to IP Security Policy Management
    netsh bridge   Network bridging configuration
    ras            Remote access server configuration
    routing        Routing administration (instead of RRAS)
    rpc            Subnet and interface settings
    wins           Windows Internet Name Service administration

    Now, to add to the confusion, a context can have a subcontext. For example, the interface context has three subcontexts, ip, ipv6, and portproxy. NETSH refers to these subcontexts as a context, such as the netsh interface ip context. Note that Windows XP has a different set of contexts. When using the import and export operations in noninteractive mode, you must specify context or subcontext configuration.


    Coordinating network change control with NETSH

    You can use NETSH to export and import network configurations. A good example of using NETSH with networking change control would be when a system is going to be placed on a different network, but the communication channels need to be maintained to various other systems. A NETSH export will allow all parties to agree on various network settings. For example, consider the following portion of a NETSH export of the interface context from a dump operation:

        set address name = "Teamed NIC" source = static addr = 10.64.32.100 mask = 255.255.252.0
        set address name = "Teamed NIC" gateway = 10.25.44.1 gwmetric = 1
        set dns name = "Teamed NIC" source = static addr = 10.64.22.50
        add dns name = "Teamed NIC" addr = 10.95.61.22
        add dns name = "Teamed NIC" addr = 10.95.45.34
        set wins name = "Teamed NIC" source = static addr = 10.95.45.70
        add wins name = "Teamed NIC" addr = 10.95.45.25

    Reviewing a NETSH export with all parties involved can ensure that the system will be routed correctly, using the correct DNS, WINS, and subnet mask. The best part is that you can then import the entire file into the Windows system after all appropriate entries have been made, without any chance of entering the information incorrectly. And this is only for the interface context. The same applies for all other context scripts.

    Using NETSH to dynamically change TCP/IP addresses

    You can use NETSH to make dynamic IP address changes from a static IP address to DHCP simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working on networks without DHCP and have a mobile computer that connects to multiple networks, some of which have DHCP. NETSH shortcuts will far exceed the capabilities of Windows Automatic Private IP Addressing. Here is an example of running a dynamic update of an IP address:

        C:\> netsh -f filename.netsh

    In this example, filename.netsh is the NETSH file that contains an interface dump configuration. You can create a .BAT file that runs that command and make Windows shortcuts to it, so you can easily switch between getting a DHCP address and a static IP address for a customer site, DMZ network, or any other static IP network.

    Best practice: Using a .NETSH extension

    NETSH import and export operations are in a native plain text format and can be read and edited from any text tool. However, NETSH files should be handled as a special file type because they're used to document network configurations, as well as for the import and export process. A best practice would be to make all export operations refer to a FILE.NETSH, where this file is what has been exported from NETSH. This is especially important because a NETSH export file doesn't contain the word NETSH in it. This way, even a novice can figure out what the file contains.

    The file extension for export (dump) and import (-f) operations is entirely user-specified. For convenience, you can associate the .NETSH extension with your Windows installation to allow native double-click editing.


    NETSH in interactive mode

    NETSH is one of the Windows tools that can be run in either an interactive or a noninteractive environment. Interactive tools (such as nslookup and dnscmd) have effectively different usage scenarios depending on the mode chosen.

    Interactive mode also has two submodes, online and offline. Online mode is a direct interaction with the networking components while in interactive mode. Offline mode lets you interactively make changes and then roll them all online instantly by going to online mode.

    NETSH in noninteractive mode

    In noninteractive mode, you can implement NETSH commands by importing a file. Using noninteractive mode is recommended for file import and export operations. With NETSH in noninteractive mode, you can export key settings from each context as a specific aspect of your system documentation. In addition, if an issue arises and you can trace it back to a specific networking topic for which you have a NETSH script exported from a known working time, you can re-import that NETSH script in noninteractive mode and restore your networking functionality to that point. Please note that NETSH does not back up data within the contexts, such as the WINS database.

    Clarifying the scripts

    When exchanging NETSH scripts, you can insert comments to solicit feedback. This will allow you to explain an entry or use it as a training tool for others. Simply insert REM in a NETSH exported file to add a comment. Don't put in too many comments, however; just what is necessary.
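    The export-and-reimport workflow above suggests a check worth automating: compare a known-good .NETSH export against a fresh dump and report what drifted before deciding to re-import. The script below is an added example, not part of the TechRepublic download; both scripts it compares are constructed samples written in the style of a netsh interface dump, with made-up addresses and interface names.

```python
"""Spot drift between a known-good NETSH export and the current configuration.

Added example, not from the TechRepublic download. The two scripts below are
constructed samples in the style of a 'netsh interface dump' export; the
addresses, interface name and file name are made up.
"""
import shlex

# Constructed baseline: what was exported and kept as fileserver.netsh when
# the box was known to be working. REM lines are hand-added comments.
BASELINE = """\
REM Known-good export of the file server, kept as fileserver.netsh
# Interface IP Configuration
pushd interface ip
set address name="Local Area Connection" source=static addr=10.0.5.20 mask=255.255.255.0
set address name="Local Area Connection" gateway=10.0.5.1 gwmetric=0
set dns name="Local Area Connection" source=static addr=10.0.5.2 register=PRIMARY
set wins name="Local Area Connection" source=static addr=10.0.5.3
popd
"""

# Constructed 'current' export: the gateway was changed and the WINS entry is gone.
CURRENT = """\
# Interface IP Configuration
pushd interface ip
set address name="Local Area Connection" source=static addr=10.0.5.20 mask=255.255.255.0
set address name="Local Area Connection" gateway=10.0.5.254 gwmetric=0
set dns name="Local Area Connection" source=static addr=10.0.5.2 register=PRIMARY
popd
"""


def parse_netsh_script(text):
    """Map each configuration command to its key=value parameters.

    Key: (context, command words, interface name, sorted parameter names).
    pushd/popd track the NETSH context; '#' and REM lines are comments.
    """
    entries = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0].upper() == "REM":
            continue
        tokens = shlex.split(line)      # keeps name="Local Area Connection" as one token
        verb = tokens[0].lower()
        if verb == "pushd":
            stack.append(" ".join(tokens[1:]).lower())
            continue
        if verb == "popd":
            if stack:
                stack.pop()
            continue
        params, words = {}, []
        for tok in tokens:
            if "=" in tok:
                pname, value = tok.split("=", 1)
                params[pname.lower()] = value
            else:
                words.append(tok.lower())
        key = (" ".join(stack), " ".join(words), params.get("name", ""), tuple(sorted(params)))
        entries[key] = params
    return entries


def netsh_drift(baseline_text, current_text):
    """Return (status, context, command, name, detail) for every difference.

    status is 'missing' (in baseline only), 'added' (in current only) or
    'changed' (same command, different values; detail maps parameter ->
    (baseline value, current value)).
    """
    base = parse_netsh_script(baseline_text)
    cur = parse_netsh_script(current_text)
    findings = []
    for key in sorted(base.keys() | cur.keys()):
        context, command, name, _ = key
        if key not in cur:
            findings.append(("missing", context, command, name, base[key]))
        elif key not in base:
            findings.append(("added", context, command, name, cur[key]))
        else:
            changed = {p: (base[key][p], cur[key][p])
                       for p in base[key] if base[key][p] != cur[key][p]}
            if changed:
                findings.append(("changed", context, command, name, changed))
    return findings


if __name__ == "__main__":
    for status, context, command, name, detail in netsh_drift(BASELINE, CURRENT):
        print(f"{status:8} [{context}] {command} {name!r}: {detail}")
```

    Run against a real export, the same parser works on any dump that uses pushd/popd contexts and key=value parameters; only the two sample strings are specific to this example.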

    NETSH precautions

    NETSH is a powerful tool and should be used with caution. Using interactive online mode (the default) for changes on the fly can be more risky than implementing a change in interactive offline mode and going online to commit the changes. However, using noninteractive mode to perform changes is popular as well because the changes can be scripted. Try your hand at NETSH on a virtual machine or test system first.

    Navigating NETSH

    The large array of features available in NETSH may seem overwhelming at first. It's helpful to get into NETSH to see the options available and practice using the interface in interactive mode (a little different for those of us used to noninteractive tools). Getting into NETSH in interactive mode is easy: Simply type NETSH at the command prompt. Then, use these guidelines to investigate the command options:

    To change to another context, type the name of the context. For example, typing interface ip will go immediately to the interface ip context from whichever context you are currently in.

    To change your mode, type offline or online. Typing offline will send the interactive session offline, so any changes won't be brought in immediately. Typing online will bring the interactive session online, so changes will immediately be brought into the networking elements of the system.

    Typing show mode will display the current mode (offline or online). The default mode is online, so be sure to immediately jump offline if you are experimenting.

    Typing ? or help will show the available commands for your current context location. If you're in the root of the tool, there is no active context and your interface to the tool will be a netsh> prompt.


    Global commands, such as online and quit, are those you can use everywhere. Context commands are available only in the current context. For example, from the netsh interface ip> context, you can view the network configuration by running show dns, but this command may not work in other contexts or subcontexts.

    In contexts, running set and show will provide the context-sensitive command options.


    10 things you should know about working with permissions

    NTFS vs. share permissions

    The biggest point of confusion about sharing with Windows systems is that the NTFS and share-level permissions both have an effect on the user's ability to access resources on a network. This is especially important to remember for Windows XP and Windows Server 2003 (and likely subsequent versions of Windows), which set the default share permission to read-only. That default limits the effective NTFS permissions to read when the resources are accessed over the network.

    The best way to distinguish share permissions from NTFS permissions is to consider share permissions as an entry point to the resources. Only after the share permissions offer Change and/or Full Control can the NTFS permissions of that type be used.

    The combination of share-level and NTFS permissions can seem like administrative overhead, but consider this: Share permissions act as a point of entry for the NTFS permissions over the network. When you enter a network resource through a share, the share permissions dictate what you can do through the share as a whole. The NTFS permissions dictate what you can do to specific files and folders. When troubleshooting, first determine whether share-level permissions can be ruled out of the issue.

    Avoid nested shares

    Troubleshooting issues that deal with both NTFS and share permissions can seem overwhelming. Avoid having nested shares in your file structures because they can create conflicting behavior for the same network resources if accessed through different shares. This can be asking for trouble, especially when the share permissions are different. A nested share is a shared folder that resides in a separate shared folder. There are, of course, the default hidden shares (C$, D$, etc.), which make all shares nested beneath them, and they're a default. However, if your users use two separate nonhidden shares that are nested, there can be conflicting share permissions.

    Use CACLS and XCACLS for granularity

    You can use CACLS and XCACLS to gather information on files that are a reflection of the NTFS permissions you have configured. These tools will deliver data about the permissions for specific file and folder resources. What's the difference between NTFS permissions and an ACL (access control list)? The NTFS permissions are set in Windows Explorer or via an automated mechanism for files and folders, whereas an ACL (via these tools) is a display or management of allowed or denied file operations for the same resource.


    You can use CACLS and XCACLS to add or remove NTFS permissions in a scripted fashion as well. So if you have a great deal of permissions to adjust, a sophisticated script using these tools may be in order.

    A good practice for important shared files and folders with unique NTFS permissions is to make a script utilizing the CACLS.EXE tool to document the ACL for individual files and folders (or manually execute the steps to do this). But be careful: Running CACLS * /T from a command prompt documents a folder, its contents, and its subdirectories, but it is very resource intensive and can require 100% CPU utilization on some systems when traversing extremely large folder paths. Depending on many factors, a large recursive ACL audit can take large amounts of time as well. This is similar to the scenario where new NTFS permissions are propagated to a large folder.


    Distinguish between basic and special NTFS permissions

    Only a right-click away, special permissions give more options to particular access requirements. It's important to note that using special permissions will increase the administrative overhead associated with NTFS permissions simply by being more complicated. Therefore, a best practice would be to use the special permissions only when needed. The standard NTFS permissions provide most of the necessary functionality to offer secure access to shared and local resources. However, there are scenarios where using the special permissions makes sense.

    Note: Be sure to rule out special permissions in troubleshooting. Every administrator has at one point not been sure of the application of various permissions (share permissions, NTFS permissions, group memberships, multiple user accounts, and so on). Taking a quick look at the special permissions can quickly provide a hint as to whether they're part of the issue you are troubleshooting.

    Keep resources warranting special permissions separate

    If the scenario permits, it can be a good practice to keep resources requiring special permissions grouped in separate shares or folders with other resources that have special permissions. Having standard permissions intermixed with special permissions in the same location can add administrative overhead.

    Understand inherited permissions

    Inheritance is a default attribute of NTFS permissions on Windows Server 2003 and 2000 systems. Inherited permissions allow the NTFS settings for a folder to be applied to its contents and to all objects and folders contained within the top folder.

    Inheritance is fairly easy to understand when all defaults are used. But when inheritance is blocked, it becomes more difficult to troubleshoot. This difficulty is manifested when a folder deep within another folder has the Inherit Permissions option cleared. In troubleshooting inherited permissions, it is best to start at the root of the problem and work your way up the folder structure.

    If clearing inheritance, be careful

    When you clear inheritance of NTFS permissions from a parent container, you are presented with two options: Copy and Remove. The Copy option recurses the child objects and writes the NTFS permissions from the parent folder. The Remove option removes all default NTFS-created permissions (those of Administrators, Users, Creator Owner, System, and so on) from the list of Group or User Names. Exercise caution when using the Remove option on inheritance blocking!

    Don't dodge the issue

    The worst thing you can do to solve a rights problem is to make someone a member of Administrators or some other powerful group to circumvent a permissions issue. Simply giving more rights to a user does not address the issue. Always identify the issue to determine the best solution.


    Never over-privilege

    A common misstep is to provide too many rights (usually through group memberships) to users for access to resources. Especially if you are using Active Directory, a clearly organized structure with the membership and access requirements defined leads to more correctly administered users and groups. Take the firewall stance of granting only that which is explicitly required.

    Too many permissions may not arise as a problem in a troubleshooting mode, but you may see one group or other membership attribute that accidentally gives too many rights.

    Group membership is one of the easiest ways to over- or under-privilege access to resources. Especially in domain configurations, the complexity is increased by multiple memberships and/or nested groups. Use the Effective Permissions tool to see what the resultant set of access is, determined by group membership when using Active Directory. Although this is not a direct display of NTFS permissions, you can then examine each group membership for an object as part of troubleshooting NTFS permissions.
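    The share-versus-NTFS, inheritance and Effective Permissions points above can be made concrete with a small model of how Windows evaluates an access control list. The code below is an added example, not from the TechRepublic download; its rights bits, group names and ACLs are constructed stand-ins, while the entry ordering it applies (explicit entries before inherited ones, Deny before Allow within each group) is the canonical order Windows uses.

```python
"""Model how share-level and NTFS permissions combine for a network user.

Added example, not from the TechRepublic download. Right bits, trustees and
ACLs are constructed; real Windows access masks differ, but the evaluation
order (explicit before inherited, Deny before Allow) is the canonical one.
"""
from dataclasses import dataclass

# Constructed rights bits (a simplified stand-in for the Windows file rights).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
RIGHT_NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute",
               DELETE: "Delete", CHANGE_PERMS: "Change Permissions"}
ALL_RIGHTS = sum(RIGHT_NAMES)

# Share-level permission names as offered on XP / Server 2003.
SHARE_LEVELS = {"Read": READ | EXECUTE,
                "Change": READ | EXECUTE | WRITE | DELETE,
                "Full Control": ALL_RIGHTS}


@dataclass(frozen=True)
class Ace:
    """One access control entry: trustee, Allow/Deny, rights, inherited or not."""
    trustee: str
    allow: bool
    mask: int
    inherited: bool = False


def canonical_order(acl):
    """Explicit entries before inherited ones, Deny before Allow in each group."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(acl, principals, requested):
    """Would a token holding 'principals' (user plus groups) get 'requested'?"""
    remaining = requested
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False    # a Deny matching an unsatisfied right ends the check
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def effective_rights(acl, principals):
    """Resultant set of access, one right at a time (as the Effective Permissions tab shows)."""
    granted = 0
    for right in RIGHT_NAMES:
        if access_check(acl, principals, right):
            granted |= right
    return granted


def effective_over_network(share_acl, ntfs_acl, principals):
    """Through a share, the share permissions are the entry point: the more restrictive set wins."""
    return effective_rights(share_acl, principals) & effective_rights(ntfs_acl, principals)


def describe(mask):
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit] or ["(no access)"]


# Constructed scenario 1: NTFS grants the team write access, but the share was
# left at the Server 2003 default (Everyone = Read).
ALICE = {"alice", "Everyone", "Users", "ProjectTeam"}
NTFS_PROJECTS = [
    Ace("Administrators", True, ALL_RIGHTS, inherited=True),
    Ace("Users", True, READ | EXECUTE, inherited=True),
    Ace("ProjectTeam", True, READ | WRITE | EXECUTE | DELETE),   # explicit, Modify-like
]
DEFAULT_SHARE = [Ace("Everyone", True, SHARE_LEVELS["Read"])]
FIXED_SHARE = DEFAULT_SHARE + [Ace("ProjectTeam", True, SHARE_LEVELS["Change"])]

# Constructed scenario 2: an explicit Allow set on a folder beats a Deny that
# is merely inherited from the parent, but not a Deny set on the folder itself.
BOB = {"bob", "Everyone", "Users", "Contractors"}
NTFS_INHERITED_DENY = [
    Ace("Users", True, READ | EXECUTE, inherited=True),
    Ace("Contractors", False, WRITE, inherited=True),   # Deny inherited from the parent
    Ace("bob", True, WRITE),                            # explicit Allow on this folder
]
NTFS_EXPLICIT_DENY = [
    Ace("Users", True, READ | EXECUTE, inherited=True),
    Ace("Contractors", False, WRITE),                   # same Deny, set directly on the folder
    Ace("bob", True, WRITE),
]

if __name__ == "__main__":
    print("alice locally:      ", describe(effective_rights(NTFS_PROJECTS, ALICE)))
    print("alice, default share", describe(effective_over_network(DEFAULT_SHARE, NTFS_PROJECTS, ALICE)))
    print("alice, Change share ", describe(effective_over_network(FIXED_SHARE, NTFS_PROJECTS, ALICE)))
    print("bob, inherited Deny ", describe(effective_rights(NTFS_INHERITED_DENY, BOB)))
    print("bob, explicit Deny  ", describe(effective_rights(NTFS_EXPLICIT_DENY, BOB)))
```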

    Know when to copy and when to move

    Standard copy and move operations deliver default results that can maintain your configured permissions, or break them. A good way to remember this is that copy operations will create the permissions of the destination container, and move operations will maintain that of the parent container.


    Memorization mechanism: CC/MM, for Copies Create / Moves Maintain (or Copies Create / Moves Make).

    Of course, there is also the need to copy resources and maintain NTFS permissions that would be difficult to re-create. The fallen SCOPY utility has given way to XCOPY with the /O and /X parameters to perform this type of function. Using XCOPY with these parameters will allow copy operations to copy the files and/or folders to a new location and create them with the NTFS permissions equal to that of the source container.


    10 things you should know about Microsoft SQL Server 2005

    There is now an XML data type

    If there's any feature of SQL Server 2005 to jump up and down about, it's the new native XML data type. Why? Apart from the giant leap forward of an already Web-friendly agenda, the new type offers us design options that are atypical of Microsoft, which generally likes to do our designing for us. The new XML data type:

    - Can be used in a table column.
    - Can be used in a stored procedure, as a parameter or as a variable.
    - Can store untyped data.
    - Can check against a schema to see if data stored in a column typed as XML matches that associated schema (if there's no schema, the data is considered untyped).

    And the mapping between XML data and relational data is bidirectional.

    Distributed Management Objects (DMO) becomes SQL Server Management Objects (SMO)

    SQL Server Management Objects (SMO) is a .NET Framework-based management framework that lets you create custom applications for server management. SMO (like DMO before it) allows you to handle columns, tables, databases, and servers as objects, programmatically, and SMO supports SQL Server 2005's new features, like Service Broker. SMOs are optimized, not instantiating objects fully (with all the properties retrieved) until the object is explicitly referenced. You can also batch SQL commands and create scripts to create objects. Your custom server management apps can be used to manage SQL Server 7 and SQL Server 2000 systems as well.

    Common Table Expressions (CTEs): recursive queries

    A common table expression (CTE) enables queries to be recursive. A CTE can be self-referential, with an upper limit on the number of recursions. You can use the CTE as part of a WITH clause in a SELECT, UPDATE, INSERT, or DELETE command.

    The Service Broker makes SQL Server traffic asynchronous

    There's a front-end queuing system, and it changes everything. You can now manage SQL Server traffic by rendering it asynchronous with the new Service Broker feature. It enhances scalability by enabling your system to handle more traffic logically than it can handle physically. The Service Broker can be accessed via SQL commands and allows transactions to include queued events. Those who know me well would never accuse me of being a Microsoft disciple, but this feature impresses me in no small measure and I'm pleased to call attention to it. Adding easily-configured asynchronicity to the data layer of an enterprise system is a boon to developers and opens up huge possibilities for Web apps. The economy with which those apps can now scale can't be overstated. Service Broker alone is a reason to consider upgrading to SQL Server 2005.

    Create .NET triggers

    SQL Server 2005 is .NET-integrated to a promising degree (it has distressed us for some time that Microsoft's commitment to .NET is as hedged as it is), and one useful consequence of this integration is the ability to create user-defined triggers (UDTs) through Visual Studio 2005. The Trigger option can be pulled from the template list in Visual Studio, generating a file for the code to be triggered. The mechanism tying this code to SQL is a SqlPipe. It's deployed in your Build | Deploy. You can work it in the other direction (i.e., from CLR) by referencing the Trigger object in a T-SQL CREATE TRIGGER command.

    SQL Server 2005 configuration is dynamic

    If you're running SQL Server 2005 on Windows Server 2003, its configuration is fully dynamic: you can change configuration values on-the-fly without restarting the server, and get immediate response (the same is true for Address Windowing Extensions).

    Define your own data types

    The user-defined type, enabled by the integration of SQL Server 2005 and the .NET CLR, is a consolidation of previous practices, allowing you to create application- or environment-specific types. You can extend more general types into variations that only accept values you define, with no need for triggers or constraints. Validation is built into the field.

    Many active result sets, one connection

    This is another feature not just to make note of, but to get excited about. MARS (Multiple Active Result Sets) enables you to execute multiple queries yielding multiple results over a single connection. An application can move between open result sets as needed. The performance and scalability benefits are obvious. This new trick is courtesy of the new ADO.NET, in tandem with SQL Server 2005's ability to accommodate multiple active commands. Since MARS is part SQL Server 2005 and part ADO.NET 2.0, it is only available if you're using both.

    WAITFOR ... RECEIVE

    In previous versions of SQL, WAITFOR was static. We fed it some wait-time value, and that was all it could do. Now WAITFOR is dynamic; tell it to wait for a RECEIVE statement's results, whenever they might be delivered. Beyond the usual this-is-cool, we can appreciate this feature because of the manner in which it accommodates the new Service Broker (see #2). Since Service Broker makes database querying asynchronous via queuing (and therefore extremely dynamic), and a particular database query may sit in a queue for an undetermined period, the new dynamic WAITFOR is ideal for responding to RECEIVE results that will emerge at the discretion of Service Broker.

    DTS is now Integration Services

    There's a new architecture underlying data transformation. The very popular and widely used DTS is now Integration Services, and consists of a Data Transformation Pipeline and a Data Transformation Runtime. The pipeline connects data source to data target by means of data adapters, with transformations between them. It's a conventional structure, but implemented in such a way as to enable considerable complexity: for instance, you can do one-to-many mappings, and create columns with output derived from a transform.


    The Data Transformation Runtime gives you components for organizing data loading and transformation processes into production-oriented operations, within which you can manage connections and manipulate variables. It's basically a run-time object framework that can be bundled into managed .NET apps. DTP and DTR components are used to create Integration Services packages, similar in principle to the familiar DTS packages but with much greater levels of configurability and control, particularly in the area of workflow.


    10 things you should know about Microsoft SharePoint Services

    SharePoint extends Exchange Server

    If you're using Exchange Server to handle your e-mail traffic, SharePoint can greatly simplify distribution. You can create a SharePoint site as a singular point for receiving Exchange traffic and, at a stroke, have de facto distribution of that traffic to a particular group or groups, with all the security and membership built in. By setting up a public folder for SharePoint in Exchange, Exchange's work is done: SharePoint pulls from the folder and does the work.

    SharePoint collaboration solutions are scalable

    It's well publicized by Microsoft that SharePoint Services is essentially a collaborative solution toolkit. Creating sites for team interaction, sharing and management of project-specific documents and files, testing, and other collaborative functions is a natural application of SharePoint.

    A less hyped aspect of SharePoint is that this collaborative utility is highly scalable. What begins as a resource library shared by a team can be telescoped out to accommodate the entire organization or an even broader customer community; SharePoint Services can be readily deployed across multiple servers in a server farm, enabling the creation of massive data stores.

    SharePoint sites are highly customizable

    SharePoint Services comes fully integrated with FrontPage 2003, so all of FrontPage's WYSIWYG Web editing tools are available for use in crafting SharePoint sites. (If your organization swims in the deep end, development-wise, all of this comes with ASP.NET as well.)

    Via FrontPage, you can leverage the utility of Web Parts, modular chunks of code you can re-use in SharePoint sites, to grab live data from a broad range of possible sources (also see #8). You can allow users to control these modules of code by inserting Web Part zones in your sites, enabling sophisticated drag-and-drop controls. You have complete control over style through XSLT, which you can manipulate either directly or through FrontPage, and you can employ conditional formatting if desired.

    SharePoint extends InfoPath

    InfoPath 2003 is Microsoft's desktop application technology for integrated forms management and data transport. InfoPath is a powerful and underrated technology in itself, and both its XML backbone and forms-friendliness mesh well with SharePoint.


    Specifically, you'll find it useful to publish InfoPath forms directly to a SharePoint library. In such a library, forms can be stored and (more importantly) shared, and accessible to working teams leveraging SharePoint as a collaborative tool. (The base form is stored in the library header; populated XML result sets make up the library itself.)

    And with SharePoint Portal, you can leverage SharePoint Portal Web services to enhance the utility of InfoPath forms for your desktop community, by accessing information in other systems within your organization (or from outside, for that matter) and populating forms with it as needed.


    Metadata can be used to create dynamically parsed storage systems

    Metadata is critical to the SharePoint Server concept, and comes in several flavors. With metadata you can effectively create customized search arguments that permit you to organize information dynamically, and to use search criteria from one document library to retrieve information from another.

    Put another way, you can forego the traditional hierarchical folders in organizing your document libraries, if it's appropriate. Instead, you can create metadata lookups that can not only be used as organizational keys for documents in one library, but can be used as search arguments to locate documents in other libraries. In this way, you can create searchable document pools with effectively dynamic organization, not only searchable but re-organizable without any physical manipulation of the documents themselves.

    SharePoint can be a data transport mechanism

    SharePoint's primary features include the ability to set up shared distribution points for data from a wide range of sources, moved by different modes of transport (see #1, #4). But its data transport role doesn't end there. Depending on what your organization's sites contain, content-wise, and the role(s) the sites are playing in your system, you can actually distribute data from server to server by means of SharePoint's site-moving utilities (see #10).

    For instance, if you have SharePoint sites deployed internally to represent data in different workflow stages, the SharePoint content databases of those sites can be rotated in a de facto batch process using these utilities (which are Command Line programs and therefore scriptable).

    Use the Task Pane to turn Word libraries into collaborative systems with built-in administration

    SharePoint Services is primarily about document management. Saving Word documents to SharePoint, placing documents in libraries, and checking them in and out are SharePoint's most obvious functions.

    But the extension of those functions into shared workspaces is where those features become really empowering, rather than simply utilitarian. You have a Task Pane that ties documents to libraries, and within it lie a number of important features that take you from the simple management of documents to real collaboration and administration. Through the Task Pane, you can:

    - Track status and versioning of documents
    - Define and track who has site/document access
    - Do task monitoring
    - Create alerts

    You can, of course, save from all Office applications (not just Word) to SharePoint.

    SharePoint can pull data from external databases and other data sources

    Web Parts and Web Part architecture (available to your SharePoint development by way of FrontPage 2003 or ASP.NET) can become a powerful component of your SharePoint sites. In particular, Data View Web Parts allow you to add views to your sites from a variety of data sources. You can create views specific to your SharePoint sites and link views together. Data sources can be databases, Web services, or any XML source (InfoPath documents, etc.).


    Leverage Excel for data management

    Exporting data to Excel is well-supported in SharePoint and makes graphing and printing convenient (via the Print with Excel and Chart with Excel options). But it's also possible (and may often be desirable) to export data to Excel just for the sake of manageability. The Excel Export function creates an Excel Web query linking to the original data. In this way, you can create spreadsheets that will accept data, and then push that data to SharePoint.

    This can be done by generating an Excel spreadsheet, then linking the spreadsheet to SharePoint (by using Export and Link to Excel from a Datasheet Task Pane). Once this is done, data can be entered into the spreadsheet and pushed from the spreadsheet to SharePoint with the Synchronize List option.

    Sites and entire site collections can be backed up in a single operation

    The ability to move a site, lock-stock-and-barrel (and even more so a site collection, which includes primary site, sub-sites and all their contents), should not be underappreciated. Anyone who's migrated sites the hard way knows it can be maddeningly frustrating. SharePoint Services includes two utilities that will greatly reduce the frustration: STSADM and SMIGRATE.

    SMIGRATE began life as an upgrade utility, shepherding data from old SharePoint to new. Now it's for backup/restore and for moving sites wholesale. It's a command line utility, so it's tailor-made for scripting, and can simplify the process of moving a site and its contents to the point that it can conceivably be a content distribution tool in some scenarios.


    Its weakness is that when a site is moved with the SMIGRATE utility, its security settings don't all move with it. Remember to check your settings after a move or restore.

    And while SMIGRATE will not preserve your security settings, STSADM will. This utility will move not only a site but a site collection, and does far more: you can use it to create sites, delete site collections, import templates, and move data (see #6).


    10 things you should know about Microsoft Windows Server Update Services (WSUS)

    Updates more than just Windows

    SUS, the predecessor for WSUS, was able to keep Windows 2000 SP2 or later, Windows XP Professional, and Windows Server 2003 current with updates. WSUS manages updates for many more Microsoft products. The initial WSUS release will update Windows 2000 and later Windows versions, Office XP and 2003, Exchange Server 2003, and SQL Server 2000, including the desktop edition and MSDE 2000. Microsoft intends for WSUS to eventually handle all Microsoft product updates.

    WSUS client and server system requirements

    WSUS server components run on Windows 2000 SP4 or Windows Server 2003 and require the .NET Framework 1.1 SP1, IIS, MSDE (included with the WSUS download) or SQL Server 2000 SP3a+, IE 6 SP1+, the Background Intelligent Transfer Service 2.0 (BITS), and WinHTTP 5.1. On the client side, Windows 2000 SP3+, Windows XP, or Windows Server 2003 is required. On the hardware side, Microsoft recommends a 1GHz or faster processor and 1GB of RAM for systems that will update 500 or fewer clients, a 3GHz or faster processor and 1GB of RAM for systems that will update 500 to 10,000 clients, and dual processors with 1GB of RAM for systems that will update more than 10,000 clients.

    Microsoft Systems Management Server (SMS) vs. WSUS?

    SMS and WSUS have much in common, and both will patch servers and desktop systems. WSUS, however, lacks SMS's ability to deploy and manage systems beyond patching. SMS offers additional capabilities, such as inventory management, advanced reporting, and remote administration.

    Bandwidth allocation is better with BITS

    WSUS and Windows Update download client updates through the Background Intelligent Transfer Service (BITS) 2.0. BITS uses available bandwidth to download updates in the background. BITS can download large updates and survive network disconnections and other problems. This is an improvement over previous update mechanisms that, during large update downloads, could degrade overall network performance for all users. While it's not a perfect solution to the bandwidth allocation problem, BITS does make an effort to keep update traffic in the background.

    WSUS has reporting capabilities

    SUS lacked a decent reporting function. Microsoft corrected this oversight by giving WSUS significant reporting capabilities. WSUS' patch status reports will help you identify machines that need patches and could pose a security risk. Other standard reports provide an overall look at WSUS configuration settings, client update compliance status for an individual update or for an individual computer, or the overall status of each computer using WSUS.

    WSUS can handle updates in multiple ways

    WSUS clients can download full updates from your WSUS server or directly from Microsoft's update servers. Downloading updates from a local WSUS server provides the best performance when clients are connected to the WSUS server via a dedicated, high-speed network. For locations with limited connectivity to your WSUS server, clients can download updates directly from Microsoft's servers.


    You control update deployment via server-side or client-side targeting

    WSUS lets you target your updates using machine groups created via two methods: server-side targeting or client-side targeting. To use server-side targeting, you create and define groups from the WSUS console's Computers tab. With client-side targeting, you assign computers to groups either through Group Policy or via registry modifications. To create a new group in the WSUS console, choose Computers | Create A Computer Group, provide a new name, and click OK.

    WSUS includes command line capabilities

    The wsusutil.exe program includes command-line options that allow you to import and export update metadata, migrate update approvals from a SUS server to WSUS, and list and remove inactive approvals. Wsusutil.exe is, by default, located at C:\Program Files\Update Services\Tools on your WSUS server. Type C:\Program Files\Update Services\Tools\wsusutil /? for assistance with WSUS command-line parameters.

    WSUS is scalable

    Even though a single WSUS server can support a great number of clients (more than 10,000), Microsoft built further scalability into the product through upstream and downstream servers. A downstream WSUS server gets its updates from the next server upstream. Eventually, one of the servers in this chain gets its updates directly from Microsoft Update. WSUS also supports the concept of replicas, where multiple servers can mirror most of the settings from a master WSUS server, providing a more distributed update topology.

    WSUS requires the latest Automatic Update client

    WSUS requires updates to the way that Automatic Updates are applied to some systems. While WSUS makes every attempt to appropriately update the client's version of Automatic Updates, it's not always successful. An unsuccessful update can prevent clients from appearing in the WSUS console. Microsoft created a guide that helps you correct common client update problems. The guide can be found here.


    10 things you should know about Cisco IOS access control lists (ACLs)

    What is an access control list (ACL)?

    In the Cisco IOS, an access control list is a record that identifies and manages traffic. After identifying that traffic, an administrator can specify various events that can happen to that traffic.

    What's the most common type of ACL?

    IP ACLs are the most popular type of access lists because IP is the most common type of traffic. There are two types of IP ACLs: standard and extended. Standard IP ACLs can only control traffic based on the SOURCE IP address. Extended IP ACLs are far more powerful; they can identify traffic based on source IP, source port, destination IP, and destination port.

    What are the most common numbers for IP ACLs?

    The most common numbers used for IP ACLs are 1 to 99 for standard lists and 100 to 199 for extended lists. However, many other ranges are also possible.

    Standard IP ACLs: 1 to 99 and 1300 to 1999
    Extended IP ACLs: 100 to 199 and 2000 to 2699

    How can you filter traffic using ACLs?

    You can use ACLs to filter traffic according to the "three P's": per protocol, per interface, and per direction. You can only have one ACL per protocol (e.g., IP or IPX), one ACL per interface (e.g., FastEthernet0/0), and one ACL per direction (i.e., IN or OUT).

    How can an ACL help protect my network from viruses?

    You can use an ACL as a packet sniffer to list packets that meet a certain requirement. For example, if there's a virus on your network that's sending out traffic over IRC port 194, you could create an extended ACL (such as number 101) to identify that traffic. You could then use the "debug ip packet 101 detail" command on your Internet-facing router to list all of the source IP addresses that are sending packets on port 194.

    What's the order of operations in an ACL?

    Routers process ACLs from top to bottom. When the router evaluates traffic against the list, it starts at the beginning of the list and moves down, either permitting or denying traffic as it goes. When it has worked its way through the list, the processing stops.

    That means whichever rule comes first takes precedence. If the first part of the ACL denies traffic, but a lower part of the ACL allows it, the router will still deny the traffic. Let's look at an example:

    Access-list 1 permit any
    Access-list 1 deny host 10.1.1.1
    Access-list 1 deny any

    What does this ACL permit? The first line permits anything. Therefore, all traffic meets this requirement, so the router will permit all traffic, and processing will then stop.


    What about traffic you don't specifically address in an ACL?

    At the end of an ACL is an implicit deny statement. Whether you see the statement or not, the router denies all traffic that doesn't meet a condition in the ACL. Here's an example:

    Access-list 1 deny host 10.1.1.1
    Access-list 1 deny 192.168.1.0 0.0.0.255

    What traffic does this ACL permit? None: The router denies all traffic because of the implicit deny statement. In other words, the ACL really looks like this:

    Access-list 1 deny host 10.1.1.1
    Access-list 1 deny 192.168.1.0 0.0.0.255
    Access-list 1 deny ANY

    Can I name an ACL?

    Numbers? Who needs numbers? You can also name your ACLs so you can more easily identify their purpose. You can name both standard and extended ACLs. Here's an example of using a named ACL:

    router(config)# ip access-list ?
      extended    Extended Access List
      log-update  Control access list log updates
      logging     Control access list logging
      resequence  Resequence Access List
      standard    Standard Access List

    router(config)# ip access-list extended test
    router(config-ext-nacl)#
    router(config-ext-nacl)# 10 deny ip any host 192.168.1.1
    router(config-ext-nacl)# exit
    router(config)# exit
    router# show ip access-list
    Extended IP access list test
        10 deny ip any host 192.168.1.1

    What's a numbering sequence?

    In the "old days," you couldn't edit an ACL; you could only copy it to a text editor (such as Notepad), remove it from the router, edit it in Notepad, and then re-create it. In fact, this is still a good way to edit some Cisco configurations.

    However, this approach can also create a security risk. During the time you've removed the ACL to modify it, the router isn't controlling traffic as needed. But it's possible to edit a numbered ACL with commands. Here's an example:

    router(config)# access-list 75 permit host 10.1.1.1
    router(config)# ^Z
    router# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)# ip access-list standard 75
    router(config-std-nacl)# 20 permit any
    router(config-std-nacl)# no 10 permit 10.1.1.1
    router(config-std-nacl)# ^Z
    router# show ip access-lists 75
    Standard IP access list 75
        20 permit any
    router#
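    The three behaviours the ACL examples above rely on (first match wins, the implicit deny at the end of every list, and in-place editing by sequence number) can be reproduced in a small simulator. This is an added example written for this page, not Cisco code or TechRepublic's; the class and function names are assumptions, and the lists it builds are the page's own access-list 1 and access-list 75 examples.

```python
"""Simulator for how Cisco IOS walks a standard IP ACL (added example, not
from the page): first match wins, every list ends in an implicit 'deny any',
and entries carry sequence numbers that can be removed one at a time."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass
class Entry:
    seq: int
    action: str    # "permit" or "deny"
    network: int   # source address as a 32-bit int
    wildcard: int  # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & MASK32  # bits that must agree with the network
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


def parse_source(tokens: List[str]) -> Tuple[int, int]:
    """Source spec of a standard ACL: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return 0, MASK32  # every bit is don't-care
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0  # every bit must match
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))


@dataclass
class StandardAcl:
    entries: List[Entry] = field(default_factory=list)

    def add(self, line: str, seq: Optional[int] = None) -> None:
        """Add 'permit host 10.1.1.1' or 'deny 192.168.1.0 0.0.0.255'. Without an
        explicit number IOS appends in steps of 10, so the first entry is 10."""
        action, *src = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        network, wildcard = parse_source(src)
        self.entries.append(Entry(seq, action, network, wildcard))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside ip access-list standard mode."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, addr: str) -> Tuple[str, Optional[int]]:
        """Walk top to bottom and stop at the first match; a sequence number of
        None means nothing matched and the implicit deny fired."""
        for entry in self.entries:
            if entry.matches(addr):
                return entry.action, entry.seq
        return "deny", None


def first_match_wins() -> Tuple[str, Optional[int]]:
    """The page's 'permit any / deny host 10.1.1.1 / deny any' list."""
    acl = StandardAcl()
    for line in ("permit any", "deny host 10.1.1.1", "deny any"):
        acl.add(line)
    return acl.evaluate("10.1.1.1")  # ('permit', 10): the later deny never runs


def implicit_deny(addr: str) -> Tuple[str, Optional[int]]:
    """The page's two-line deny list: an unlisted source hits the implicit deny."""
    acl = StandardAcl()
    acl.add("deny host 10.1.1.1")
    acl.add("deny 192.168.1.0 0.0.0.255")
    return acl.evaluate(addr)  # "172.16.5.9" -> ('deny', None)


def sequence_edit() -> Tuple[List[Tuple[int, str]], Tuple[str, Optional[int]]]:
    """Mirror the page's access-list 75 session: add 20, then remove 10 in place."""
    acl = StandardAcl()
    acl.add("permit host 10.1.1.1")  # becomes sequence 10
    acl.add("permit any", seq=20)
    acl.remove(10)
    return [(e.seq, e.action) for e in acl.entries], acl.evaluate("10.1.1.1")
```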

    How else can I use an ACL?

    ACLs aren't just for filtering traffic. You can also use them for a variety of operations. Let's look at some of their possible other uses:

    To control debug output. You can use the debug list X command to control debug output. By using this command before another debug command, the command applies only to what you've defined in the list.

    To control route access. You can use a routing distribute-list ACL to only permit or deny certain routes either into or out of your routing protocol.

    As a BGP AS-path ACL. You can use regular expressions to permit or deny BGP routes.

    For router management. You can control which workstation or network is allowed to manage your router by applying an ACL to your VTY lines with an access-class statement.

    For encryption. You can use ACLs to determine how to encrypt traffic. When encrypting traffic between two routers or a router and a firewall, you must tell the router what traffic to encrypt, what traffic to send unencrypted, and what traffic to drop.


    10 things you should know about managing IT projects

    Get professional

    IT projects historically have a negative reputation for being over budget, late, and poorly implemented. Having a professional individual in charge of the project can add great organization and credibility to your efforts. If your project is of a size where a project manager role can be used, go for it.

    Working with a Project Management Institute (PMP)-certified individual will greatly enhance the effectiveness of your software projects. The PMP is also a good benchmark across all project management disciplines and is a big credibility booster when a project integrates with non-IT individuals, external customers, or business partners, or is part of a larger project.

    Identify the leadership roles

    Having individuals responsible for specific metrics of the project is important. This should be done in a way that puts capable individuals in roles that are best suited for their talents but that doesn't overwhelm individual team members. IT projects often put too much emphasis on the technical contributions of a small number of individuals (or even just one person), and effectiveness is limited when these resources are maxed out during the project cycle.

    You should also ensure that individuals in charge of specific areas of the project do not hoard responsibility. For example, a person or small group may make great contributions to the progress of the project in regard to overall systems performance, keeping project hours down (when working on a fixed-price or fixed-hours project), and getting finished ahead of schedule. But these efficiencies may come at the price of this individual or group not updating project documentation or ensuring revision control with authoritative instances of documents or code, and possibly missing the little things in the project.

    Individuals with leadership roles within the project can ensure that the project follow-through is done according to the required standards. Examples of this include roles such as Technical Lead, Project Lead, or Documentation Lead. These leadership roles can provide checks and balances in the event that a person becomes reassigned unexpectedly or leaves the organization. The continuity chain can be made stronger by tighter integration across individuals for progress points and ensuring the administrative follow-through of the project.

    Focus on scope management

    Scope management is one of the most important aspects of IT projects, and it's the team's responsibility to make sure that any scope changes are introduced in the correct forum. The project process should include procedures for making a scope change proposal.

    It's also important to ensure that the official mechanism for project documentation maintains robust revision control, because scope can change functionality requirements and thus change the documentation that accompanies a project. In the event that a scope change is backed out, proper revision control will ensure that the original functional levels are available from a documentation standpoint.

    Real-world example

    We solicited feedback from Bill Reits, a certified PMP at Siemens Logistics and Assembly Systems, for some comments on scope management. He said that one of the most common and troublesome scope problems within IT projects is Gold Plating.

    Gold Plating is adding undefined features to a project that were not within the agreed scope of the project. It's common in the software industry because programmers, software engineers, and IT pros decide on their own to add cool features that they think would be fun to code, or tools or other extras, to the implementation project or the customer's deliverable system. Although the intentions are often well meaning, Gold Plating can have the following costly consequences:


    The individual can underestimate the effort, get caught up in developing or showcasing unnecessary features, and end up taking a great deal of time that was not budgeted at the expense of deliverable requirements.

    Because the task was not planned, it often affects other areas of the project that were not considered. This can mean negative performance impacts, training materials that no longer match how the system actually behaves, or other side effects.

    If the tasks introduce a nonconformance (a.k.a. software bug), a great deal of warranty effort can be expended correcting something that was never within the scope of the project.

    When an individual adds a feature that was not in the scope of the project, additional work from other team members can be required. For example, the feature must be added to the master documentation, the functional specification, the operator's manual, the unit test plans, the integration test plans, the acceptance test plans, the traceability matrix, etc. It should be obvious that one small, easy-to-code feature can add many hours to a project.

    It may be possible that the added feature is not desired by the customer, resulting in time and effort to remove it and in customer dissatisfaction. For instance, a slick feature may be added to a banking application that is against government regulations or bank policy.

    Create the project definition or charter

    Having the project clearly defined can pave the way for all subsequent aspects of the project to be implemented correctly. A well-defined project definition and corresponding processes gives the project a strong foundation.

    The project definition will define an agreed-upon performance baseline, costs, efforts required, expected functionality, implementation requirements, and customer requirements, and it identifies the individuals and organizations involved in the project. Project definitions that include specific technology details on how a task is to be accomplished will benefit all stakeholders of the project.

    Real-world example

    One TechRepublic member was implementing a project whose initial project definition referenced communication between two systems as the following:

    The host system automatically will send the order system the order information over the network using a standard interface.

    This language spells trouble, since it could mean so many things: an EDI transaction, an FTP exchange between the two systems, two custom socket interfaces exchanging a messaging format, an XML file, connectivity through a standard product like MQSeries, SQL database replication, or any number of other ways for two systems to exchange data.

    Identify the risks

    IT projects can incur risk in unique ways, as IT projects make frequent use of vendors, consultants, and contractors. For example, if your organization contracts Acme IT Services to assist your IT staff in its upcoming Active Directory and Windows 2000 Professional to Windows XP Professional client migration, you may face the risk that Acme IT Services could go out of business, get a "more important" client, or do an inferior job.

    Each element of risk (resources, schedule, performance, cost, etc.) should have assessments performed. These tasks are usually delegated to the project manager or the individual most closely associated with that role. Periodic risk assessments and tracking are due diligence of the project process. Risks that manifest themselves in the project cycle should have recourses as well. For example, if Acme IT Services leaves your project for another client, ensure that there are recourses available in your agreement with this agency.


    Manage relationships with external parties

    IT projects will almost always have some level of involvement with external parties. These parties can be:

    Consultants
    Business partners
    Service providers
    Vendors
    Software publishers
    Equipment manufacturers

    Having external parties involved in the project will add resources and ability to the appropriate deliverable of the project. However, ensure that each organization's role and need is clear. The project plan should identify an individual to be in charge of administering the relationship and availability of external parties. If your organization executes many projects at once, this individual may perform this function for all active projects.

    Maintain strong documentation standards

    Documentation is the key to a successful IT project, especially when changes need to be made after implementation. Ensure that your organization has clearly defined documentation expectations as well as standardized repositories for various types of documentation. Revision control mechanisms are also important if custom development is being performed.

    In addition, it makes sense to have documentation that defines the documentation requirements. That may seem like overkill, but as a project scales in complexity, this becomes more valuable to the success of the project implementation and manageability.

    Strong documentation standards offer the following benefits to IT projects:

    New team members can assimilate more easily.
    Future work related to this effort is more easily started.
    Functionality changes are easier to stage or test.

    Build effective communication channels

    Project management should coordinate clear communications. E-mail seems to be the preferred mechanism for this, but it can easily become overwhelming and inefficient. One popular good practice is to identify specific individual(s) when a response is required. By using the TO: and CC: fields appropriately, you can avoid unclear messages about who needs to do what. The figure below shows a good example of an e-mail communication that outlines specific responsibilities.

    This e-mail message clearly identifies that its target is William. If there are any issues with the topics presented, it is the primary responsibility of William to raise them. The other members are presented with an opportunity to raise concerns and to share them with the selected distribution.


    Little habits can add great effectiveness to the communication patterns, especially when involving external parties. For instance, in the example above, members from each organization are grouped to give clarity to distribution. How many e-mail messages have you received where you aren't even sure whether you're being addressed, much less whom you should reply to?

    Also make it a priority to communicate the schedule (and its changes), status reports, scope topics, and new issues that arise in the project process. Clear, concise, and targeted communications are all positive habits for IT projects.

    Keep an eye on costs

    The closer you are to the technology, the less pleasant the topic of cost becomes. Nevertheless, cost is among the most important aspects of the project process. Each project member should be aware of the costs associated with his or her aspects of the project. This also becomes important if it's determined that the scope of a project should be changed. For example, consider the following technology scenarios:

    A new version of a critical software component is released.
    A security risk for a software component is discovered.
    Newer or faster computer equipment is required or desired.

    Scope change can address these topics, but there may be dependency scope changes that go with them, which can greatly increase the costs involved. Licensing, space concerns, "lost licensing" or unused equipment and software, and rework or lost time all can add to the cost of scope change.

    Fear of the price impact should not deter scope change, but it's an element the project team must keep in mind.

    Don't forget the closeout

    Once the deliverables of the project have been met and all appropriate signoffs have been obtained, exert the same effort to correctly close the project. Depending on your project type and scope, the project's closeout and post-mortem are important to ensure that all project members have executed their required steps and that the customer (internal or external) is satisfied with the project results.

    Depending on the scope and nature of the IT project, the closeout may be a required step to take the project (or customer) to support mode. Project turnovers, closeouts, and other mechanisms to prepare the project for ongoing life are important to ensure that all the ends are in place so that when this topic arises again, there is a good reference point on the details of the project.


    Additional resources

    TechRepublic's Downloads RSS Feed
    Sign up for our Downloads Weekly Update newsletter
    Sign up for our Network Administration NetNote
    Check out all of TechRepublic's free newsletters
    "10 things you should do to improve every new Windows PC" (TechRepublic download)
    "10+ things you should know about troubleshooting a slow PC" (TechRepublic download)
    "10 things you should do to a new PC before connecting it to the Internet" (TechRepublic download)
    "Novice net admins: Avoid problems by following these seven basic rules" (TechRepublic download)
    "Essential support tools: One tech's top picks" (TechRepublic download)

    Version history

    Version: 1.0
    Published: November 7, 2005

    Tell us what you think

    TechRepublic downloads are designed to help you get your job done as painlessly and effectively as possible. Because we're continually looking for ways to improve the usefulness of these tools, we need your feedback. Please take a minute to drop us a line and tell us how well this download worked for you and offer your suggestions for improvement.

    Thanks!

    The TechRepublic Downloads Team
