Tuesday 31 August 2010

Building Windows 7 Enterprise x64 Image [2] – Test Deployment Base OS & Core Apps

OK, start deployment capture using MDT 2010 Update 1 capture platform. Apply Windows PE capture step fails. Capture task eventually reports 8 errors. Logs are written to C:\MININT subdirectories and %temp%\SMSTSLog folder and %temp%\smsts.log.

Try updating deployment share. Install 7Entx64 as OS in MDT. Update deployment share again to use new OS boot images. This time capture task is going OK. Can’t RDP into captured machine due to network disconnect during Sysprep. Continue with direct access. Capture completed successfully, 0 errors.

Test deployment to target platform (6550b laptop). Will try to deploy this image on MDT 2010 Update 1 instead of Gold. Received an error about networking driver not installed after starting the Deployment Wizard (The following networking device did not have a driver installed. PCI\VEN_8086&DEV_10EB&SUBSYS_1471103C&REV_05). Abort MDT2 deployment. Download Intel network drivers from HP, import drivers, update deployment share & burn new LiteTouch CD.

Retry deployment on 6550b. Wizard starts & connects OK. Wizard commences deployment @ 14:36. Windows 7 install sequence commenced. Automated deployment completed around 15:11.

Still have a few devices not installed with this image so the drivers need to be injected in a custom deployment task sequence which is some way off yet. Next step is to install Feature Apps into the deployment image, recapture, test this then create the platform specific task for the Probook 6550b.

Building Windows 7 Enterprise x64 Image / Home PC

We have started deploying new laptops (HP Probook 6550b) with 4 GB RAM so x64 Windows 7 is the preferred OS due to 3.5 GB limit of x32 Windows. Previous image covered in the series of articles starting here was 32 bit Pro generic and specific, now building 64 bit Ent generic / specific. I expect most desktops hereon in to have 64 bit OS eventually standardising on this except special cases.

Basic deployment steps:

  • Deploy OS to target platform
  • Deploy “core apps” (Office, SEP, SMS, Adobe, Smartboard)
  • Capture generic x64 OS + core apps image
  • Deploy “feature apps” (e.g. Firefox, Google Earth etc)
  • Capture generic x64 OS + core apps + feature apps image
  • Either one of the following:
    • Deploy to specific platform for image capture & deployment
      • Deploy this image to specific hardware platform (Probook 6550b for example)
      • Make any specific hardware customisations
      • Capture platform specific image
      • Test image deployment
    • Create platform specific task sequence for deployment
      • Create specific task sequence
      • Inject platform specific drivers (in addition to Windows driver injection)
      • Install platform specific applications
      • Test task sequence deployment

The above is a summary of my experience to date in the MDT system as well as some possible options for future exploration. Obviously MDT is a specialised system that I need to have some knowledge of, but I am not an expert in this system as I do not use it every day. For deployment to specific platforms to date (only one so far) I have preferred to use a customised task and this will probably be the means implemented for 64 bit deployment. Also I have two MDT environments, one used for capture and the other for deployment.

Building new home PC continues with purchase of motherboard. Next month will buy the CPU and RAM hoping to complete assembly in a few weeks. Delivery of memory for T5720 thin client expected shortly so can test capabilities soon.

Monday 30 August 2010

LCD Form Factor Trend Hype

New laptops being shipped today have a native resolution of 1366x768. Previously it was 1280x800. Before that it was 1024x768.

Considering I can get 1280x1024 or 1440x900 on the desktop the trend to increase only the width of the screen while keeping the height roughly the same seems backward. Application and OS design favours horizontal toolbars which increase in size over time, for example the Office 2007 Ribbon etc. This then presumes that screen height will increase over time. However the emphasis of LCD manufacturers of late in base models has been geared towards increasing the width leaving the height essentially unchanged. The screen starts to look very cluttered when considering the height of these screens is essentially unchanged since the days of 17” glass, and that’s probably going back more than 10 years. Recently I was working on a HP 8510 laptop with a native resolution of 1680x1050 approx, a huge difference in resolution and one that makes the screen sizes of mid range business laptops look positively antiquated.

Sunday 29 August 2010

HP T5720 Thin Client


This is my latest acquisition from Trademe, and a very good one at that – the T5720 is almost a current model (not quite) and this particular one was made only four years ago. Although this one, which cost me $83, has 256 MB of RAM, I have ordered some more for it in order to be able to flash it with the 2008 update of XP Embedded. This will give it RDC 6.1 capabilities and therefore I should be able to take it home and connect over my broadband to the school system via our RD Gateway.

Our evaluation of lower end TCs continues and it is likely we will have more in classrooms by the end of the year (we have just one at the moment). Presently while there is a reasonably high volume being offered on Trademe, some of the prices being asked are more than I would expect to pay. However one of the major vendors (Core Technology Brokers) has told me they would discount to schools, this company also offers warranties, and I would be therefore inclined to choose them over ad hoc dealings with one off sellers and small players which sometimes are inexperienced in this line of product, also they would have the technical knowledge to be able to answer the various questions I have had up to now. Based on my experience to date I would recommend the T5300, T5510, T5520, T5700 models as being those which have sufficient capability to connect to a 2008 RDP server inside a network. So far I only have used the T5510 and T5520 models. Both of these are running Windows CE which is very suitable for RDP use because it has just enough capability and you don’t need to muck around too much to set it up. Here is a comparison table of some of the key specs of these different models of HP clients. I am preferring just to standardise with HP thin clients for now even though there are various brands.

 

| | T5300 | T5510 | T5520 | T5700 |
|---|---|---|---|---|
| CPU | TM5600 533 MHz | Crusoe 800 MHz | Eden 800 MHz | TM5800 up to 1 GHz |
| Flash ROM | 32 MB | 32 MB | 64 MB | up to 256 MB |
| RAM | 64 MB | 64 MB / 128 MB | 128 MB | 256 MB |
| Graphics | Rage XC 8 MB | Radeon 7000 16 MB | S3 | Rage XC 8 MB |
| Display modes | 640x480 32 bit; 800x600 32 bit; 1024x768 32 bit; 1280x1024 32 bit; 1600x1200 16 bit | 640x480 32 bit; 800x600 32 bit; 1024x768 32 bit; 1152x864 32 bit; 1280x1024 32 bit; 1600x1200 32 bit | 640x480 32 bit; 800x600 32 bit; 1024x768 32 bit; 1280x1024 32 bit | 640x480 32 bit; 800x600 32 bit; 1024x768 32 bit; 1280x1024 32 bit; 1600x1200 16 bit |
| Printer port | DB25 | DB25 | DB25 | DB25 |
| Serial port | No | DB9 | DB9 | DB9 |
| Display port | HD15 VGA | HD15 VGA | HD15 VGA | HD15 VGA |
| USB ports | 1.1 x4 | 1.1 x4 | 2.0 x4 | 1.1 x4 |
| Network port | 100 Mbps RJ45 | 100 Mbps RJ45 | 100 Mbps RJ45 | 100 Mbps RJ45 |
| Audio | Internal speaker; In/out ports | Internal speaker; In/out ports | Internal speaker; In/out ports | Internal speaker; In/out ports |
| Keyboard port | USB only | PS/2 or USB * | PS/2 or USB * | USB only |
| Mouse port | USB only | PS/2 or USB * | PS/2 or USB * | USB only |
| OS | WinCE 4.22.144 | WinCE 4.22.144 | WinCE 5.04.595 | WinXPe 5.1.212 |
| RDP version | 5.1 | 5.2 | 5.5 | 5.2 |

* Note: T5510, T5520 have only one PS/2 port, for either a keyboard or mouse but not both. Unsure if port splitter can be used.

There are many other models but I have chosen four models that can be priced somewhere around $100-130. We have screens that are either 1024x768 or 1280x1024, meaning any of these models would suit. Personally my preference from all of the above would be the T5520 which tends to be at the higher end of current pricing, being the newest model. However I would be just as happy with one of the other three models for our typical classroom situation (subject to testing). As you can see the main difference between the 5300 and 5700 is the OS. For RDP support Windows CE is perfectly satisfactory (make sure you have the latest version on your platform; I had to flash the upgrade to the 5520 I had bought to fix problems with display redrawing). Note that all of these only support 4:3 native display ratios. If you are buying new screens make sure they are specced for the above list of resolutions. 15” screens (1024x768) are just about unobtainable new now but there are still plenty of 17” 1280x1024 screens available new and both sizes will be available second hand for years yet.

Wednesday 25 August 2010

Switchcraft EH Series Audio/Video/Data Connectors Now Available In New Zealand

Back about two years ago when we were fully in the swing of installing projectors in our classrooms, I had to come up with a scheme for getting wall plates in for the VGA cables that connect projectors and laptops. Up until now all that has been available or easy to find has been a PDL or HPM plastic wallplate that can have a butchered plug screwed to it (see the series of articles here: parts 1, 2, 3, 4). There are some other brands of wallplate becoming available with different combinations of VGA adaptor and other connectors, but they are still hard to find, and some of them require the cable to be connected as bare wire ends (which is very fiddly to do with a wallplate, because you need some way of securing the cable to the plate to stop from breaking the wires off).

Switchcraft is a US manufacturer well known in the professional audio industry for their high quality connectors (XLR and others) and their approach to this market has been to develop the EH Series, which is a range of different types of audio, video and data connectors. Most of the audio/video connectors are of the feedthrough type, which is designed to be connected with a plug on both sides. They are very easy to install like this because there is no need to strip and solder wires onto terminals. As we prefer to install VGA cables that already have plugs fitted, the feedthrough suits our requirements perfectly as we just need to screw the plug directly onto the feedthrough and install it into a wall plate. The EH Series are particularly notable in that they are designed to fit within the profile of a standard panel mount XLR connector, and thus the inserts will fit into a wide existing range of panels already manufactured for the professional audio industry.  Switchcraft product is now handled in New Zealand by Jansen Professional Audio, who can also supply the various panels and have recently begun to bring in small quantities of EH Series connectors; if there is not one listed on their website that you want, they may be able to order in other types. For a wall mount scenario have a look at this type of plate which is one of an extensive range they carry to handle various different situations. Jansen give substantial discounts to schools so these products are well worth looking into, particularly for control rooms and other situations where you may want to install these connectors into panels with other types.


Monday 23 August 2010

Electrical safety standards falling

[Photo: inside of the plugbox]

This photo is of the inside of a well known and supposedly high quality (Australian) brand of plugbox which I would have unhesitatingly recommended to anyone until recently. Observe the earth contacts on the two left hand sockets, which have a much wider gap than the two on the right. The left hand pair are in fact not making contact with the earth pin on any standard 3 pin plug and this came to notice because the plugbox failed when connected for testing in a Portable Appliance Tester. This plugbox is less than a year old and the two left sockets would have each done less than 100 insert/removal cycles.

Since I have many older plugboxes which have withstood considerably more cycles and are more robustly built (yet were not expensive in their day) I asked the authorities in this country why this design was allowed to be sold in New Zealand and pass our national electrical safety certification standards. Their only response is that “these products are not designed for this type of use”. To which I would ask “why not”? Effectively what we are told is that it is acceptable to sell a plugbox that is designed and built so cheaply that the integrity of the safety earth cannot be guaranteed. Here in words is the requirement of the safety standard: “In New Zealand (and Australia) the EPOD is a declared article, requiring formal approval by the electricity Regulator before legal sale. In order to gain approval, each model of EPOD is tested and inspected to a specific AS/NZS safety standard that a New Zealand and Australian committee of industry experts and Regulators have produced to ensure that EPODs are safe to use.” If the above is an indication of what is required to pass this standard then it is very poorly written or does not mandate durability. Probably this is in part because the standard does not mandate sufficiently a minimum standard of construction.

As the public at large would not have access to Portable Appliance Testers most people would be unaware that a plugbox which is by all appearances in good condition, could have sustained internal damage that renders the integrity of the safety electrical earth invalid. If that is the case then why are there any requirements for the design of plugs and sockets in relation to the earth pin and earthing as safety mechanisms for appliances? The failure of this plugbox was detected as part of an inspection and testing regime for New Zealand schools that is mandated by the Ministry of Education. It appears there would be a strong case to advise schools that these devices must be considered failure prone and potentially unsafe with a short working life.

Saturday 21 August 2010

Offline Files in Windows 7

Offline Files is a technology that was first introduced in Windows XP. And it was pretty much of a dog back then. We did experiment with getting some laptop users to have it running, because we hoped it was going to make automated backups of their stuff. The problems with the earlier versions of Offline Files were things like: if the server got changed around, Offline Files stopped working. Not long after we started testing, we changed from a Linux Samba DC to a Windows DC. That was the end for Offline Files because there was no obvious way to tell it how to change the location of where the files were, or to sync its existing cache to a new location, or something. There were other problems as well, but I’ve forgotten them; however, I think it gained a certain unenviable reputation in the industry, and my response to it was to configure a group policy for our whole domain to disable it.

In Windows Vista, Offline Files became part of the Sync Center and this has continued in Windows 7. We didn’t have enough laptops running Vista to get around to trying out OF before we started moving to 7, and then I was advised that OF has become a “mature product” in 7, worth implementing for that backup type of system again. So that is what we are doing. In order to get the best out of OF and especially with a laptop that is connecting to a server, I am setting up new Group Policy objects for folder redirection and OF settings. The user’s Documents folder will be redirected to the server and automatically cached by OF, but their Pictures, Videos, Music and Downloads folders will be redirected to the local profile so that these bulky items don’t consume sync bandwidth or server space. Folder redirection is per-user, but in order to ensure that it only applies to specific computer usage (i.e. Windows 7 laptops), it will be configured as a loopback policy. OF settings is either per-computer or per-user, and in this case it will be configured per-computer.

Wednesday 18 August 2010

Login delays when processing Group Policy Printer Preferences – Vista/7

This has been a recurring situation ever since we started with Vista and Windows 7. Basically when the user logs in, if verbose login messages are disabled (a GPO setting), they just see “Please wait”. If verbose messages are enabled, they see a number of different messages about policy processing, but the one that is most relevant here is the one about Group Policy Printer Preferences (I forget if those are the exact words used). It is not at all unusual to see this taking up to an hour or even more to get past this message. In this instance there is not a print services log on the terminal server (which is the computer being logged onto in one case, by a thin client).

At the moment it is most likely I will have a look at the settings of each printer in Group Policy Preferences because the GPP printer item settings now work better if the option to “run in the local user’s security context” is selected as I referred to not very long ago in another context.

UPDATE: I have spent a bit of time working on this today, and it’s still not resolved. The particular situation that is especially relevant is logging on to a terminal server using a thin client. Not only are these delays continuing to occur, but if the user has disconnected from the terminal server session and then tries to reconnect later, they get a message saying that the terminal server can’t log them on because it is currently processing a connect, reset, delete or <something> operation. This operation apparently lasts forever because they keep getting the message even days later. And the Terminal Services Manager doesn’t have their username listed in its list of disconnected sessions.

The next step will be to try changing the login to a RDSH server that is running a different edition of Windows to see if this is related to particular editions of TS, and looking to see whether this problem is specific to TS. However I have seen similar sessions of delay involving other computers lately; it is a Windows Vista/7 specific happening. Like the Windows 7 print problems we had recently, this is turning into a very complex multifaceted problem with no clear answers that will end up taking an inordinate amount of my time to solve. As operating systems get more sophisticated and have more features added, they are also getting more complex and we end up spending a lot more time solving problems on them.

The RD server is currently installing 2008 SP2 to see if this helps the situation.

Thursday 12 August 2010

Security & Networking Questions for Windows Users - [1]

Here is some useful information on the security of computers which are connected to a network. This is phrased in a Q&A format to try to give a good understanding of how computer security works, and how this changes when connected to networks. It applies to most versions of Windows but some information may be applicable to other operating systems.

First part is to look at a standalone computer, like a laptop or a home computer, that is not connected to any network (including the Internet or any wireless connection). Please note that security permissions are not supported by Windows 95, 98 or ME. Any user of these operating systems always has full access to the entire computer contents.

Q: How can I control who can log on to or access my computer?

A: You can create individual accounts and passwords for each user in the User Accounts control panel.

Q: If I have given a separate username and password to each user of my computer, can anyone who logs on using a different username and password, get access to my files?

A:

  • YES if you have Windows 95, 98 or ME installed.
  • YES if you have granted certain Rights (such as Administrator) to any of those other user accounts.
  • YES if you have set security Permissions on any folder that will allow those other user accounts to access the folder or any files in it.
  • YES if you have given the Administrator account password to another user.
  • YES if you have stored files in locations other than your personal folders and have not changed the default security permissions. (By default, all users of a computer can access any folders except for personal folders. An Administrator can change the access rights however) 
  • NO otherwise.

Q: If I have saved files onto a pen drive or external hard drive and I lose that, can some other person access those files?

A: YES (even if you have set security permissions on those files to prevent another user from accessing them, any Administrator of a different computer who plugs in your drive can get access to those files)

Q: If I lose my laptop, can anyone get into my laptop even if they don’t know the administrator password?

A: POSSIBLY. There are a number of techniques that can be used to crack administrator passwords on a local computer. Generally, for this reason, Microsoft recommends that you disable the administrator account.

Q: If my laptop doesn’t ask me to put a password in when Windows starts, can I set it up to require a password?

A: YES.

Q: If I log on to my computer with an Administrative account (either Administrator username, or an account that has been given Administrative rights), can software install itself on my computer or make changes to my computer without my knowledge?

A:

  • YES if you have Windows XP or older
  • YES if you have Windows Vista or later AND you have disabled the security feature called “User Account Control”
  • NO if you have Windows Vista or later and you have not disabled the “User Account Control”. In this case this feature will cause a message to pop up asking you if you want to allow changes to be made to your computer.

Part 2 of this series will cover the situation of a computer connected to a corporate network (business or educational institution etc).
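
The conditions listed in the answers above (who holds Administrator rights, whether the built-in Administrator account is enabled, whether User Account Control is on, and whether a folder outside the personal folders is open to all users) can be checked on a standalone machine with a short read-only script. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the folder path `C:\SharedData` is a hypothetical placeholder.

```powershell
# Added example (not from the original post): read-only audit of the local
# conditions the Q&A lists. Assumes Windows PowerShell 5.1+ and an elevated prompt.

# Hypothetical folder outside the personal folders; change it to suit.
$FolderToCheck = 'C:\SharedData'

# Well-known SIDs are used instead of names so the script works on any OS language.
$AdministratorsSid = 'S-1-5-32-544'
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Any account with Administrator rights can reach other users' files, so list them.
$admins = Get-LocalGroupMember -SID $AdministratorsSid

# The built-in Administrator account always has a SID ending in -500.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

# Enabled accounts that are flagged as not requiring a password.
$noPassword = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }

# EnableLUA = 1 means User Account Control is on; 0 means it has been disabled.
# If the value is missing, the report below shows UacEnabled as False.
$uacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

# Allow entries on the folder that are granted to broad groups (all users of the PC).
$broadGrants = @()
if (Test-Path -LiteralPath $FolderToCheck) {
    $acl     = Get-Acl -LiteralPath $FolderToCheck
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $broadGrants = @(
        $acl.GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadSids.ContainsKey($_.IdentityReference.Value)
            } |
            ForEach-Object {
                $origin = if ($_.IsInherited) { ' (inherited)' } else { '' }
                '{0}: {1}{2}' -f $BroadSids[$_.IdentityReference.Value], $_.FileSystemRights, $origin
            }
    )
}

# One summary object, so the result can be read on screen or exported.
[pscustomobject]@{
    Administrators       = $admins.Name -join ', '
    BuiltinAdminEnabled  = $builtinAdmin.Enabled
    BlankPasswordAllowed = $noPassword.Name -join ', '
    UacEnabled           = ($enableLua -eq 1)
    Folder               = $FolderToCheck
    BroadFolderGrants    = $broadGrants -join '; '
} | Format-List
```

The script changes nothing on the machine; an empty `BroadFolderGrants` line means the folder either does not exist or has no Allow entries for Everyone, Authenticated Users or Users.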

Wednesday 11 August 2010

MUSAC System Files 32 Bit Installer for Unattended Install

This refers to the 32 bit system file distribution for Musac Classic Jan2010 Secondary package (2.0.2008.4).

There are two different MSIs that could be extracted from the install package to be considered for unattended installation. Since Musac appears not to want to support any unattended / automated installation (it is specifically noted as such in the documentation) I’ll have to try to break down

  • Do the standard routine of starting the installer, going to your temp folder and copying the extracted MSI file to somewhere (54603 KB).
  • Use the instructions supplied to do an “administrative install” which extracts a large number of files in specified folders and another smaller MSI (28356 KB).

Neither MSI will do an automated installation when pushed to a computer using the Software Installations Group Policy settings. The installation will simply freeze and not allow the computer to pass the installation stage. Every test platform has had to be “rescued” by removing the GPO in GPMC and then resetting so that it can complete the Computer Settings (system startup) stage of Group Policy without hanging.

Double clicking either MSI produces a request for more information. The smaller MSI states it will not run on 64 bit systems (a fatal error is produced for the MDAC 2.8 install, since these components are x86 only and have been superseded by WDAC, this level of the installation is not able to deal with that). Running the full executable (EXE) install is apparently functional on a 64 bit system but requires more checking to see if it is compatible (the documentation states this is a 32 bit compatible installation only). The larger MSI produces a similar experience to the full EXE and it appears that this EXE merely launches a fully interactive installation in the MSI, rather than acting as the user interface front-end to an MSI which performs only the installation steps with default responses. This appears to be the primary cause of the failure of this MSI to install unattended.

Errors from 64 bit install:

  • CTL3D32.dll must be placed in the Windows directory or similar
  • Error 1904: Module C:\Windows\SysWOW64\CPWCTL32.OCX failed to register. HRESULT -2147220473.
  • Error 1904: Module C:\Windows\SysWOW64\Cp5ocx32.OCX failed to register. HRESULT -2147220473.

Although I have Orca available it is not practical to use it with the MSIs without knowing how to force default settings in the customisations.

My next step will be to try the 64 bit installation on Windows Server 2008 R2 which is our RD server that would be used for staff remote access, once I have a better understanding of the technical issues.

UPDATE: Report for Windows Server 2008 R2 (64 bit as R2 is now not available as x86).

Installation as above except only the error for CTL3D32.dll was received.

Monday 9 August 2010

Print Spooler Problems [3]

With the problems still happening after all this time and the number of users affected it is looking very much like the Windows 7/2008 compatible drivers won’t work with Windows Server 2003 print servers. Print queues on a 2003 print server are having serious problems but queues on a 2008 server are unaffected. Next step is to switch all the print queues to a 2008 server with any Brother queues using Winprint instead of BrPrint.

At the moment I am also trying 2008 R2’s feature of isolating the difficult Brother driver as well. I’m holding my breath to see if it works.

Unfortunately since applying some of these changes to my own accounts I am seeing an increasing trend of my computers taking a very long time to complete the application of GPP printer settings in particular, the dreaded extremely long GPO processing that is a “feature” of Windows 7 and Vista. This demands an article of its own to try to analyse what is happening (we don’t see this to the same extent, if at all, in XP). I have thought that it may be due to needing the policy settings to allow unattended printer installation but the computers concerned are in the correct group so a lot more work is needed to try to nail down what is happening. There seems to be a similar effect on other elements of system startup (e.g. System Event Notification Service) so perhaps it is just coincidental.

Friday 6 August 2010

Sugar on Windows?

In a previous post I referred to the refocusing of the OLPC project. Part of the reorganisation was to split off the Sugar shell from the core OLPC project, at which time Sugar Labs became separate and has developed the shell in its own right for a number of platforms. Since there is so much expectation of the merits of Sugar as an educational tool, it would be reasonable to expect that one day it will be ported to Windows and be able to run upon many more PCs worldwide than is currently the case.

At the moment with the lack of a proper port, there are several options which produce only a demo view of Sugar:

  • LiveCD
  • LiveUSB boot
  • Virtual machine
  • Emulator

I have played with the last two in particular. In theory the virtual machine would be an option but it is one that would have to be physically installed on each computer in turn. This is because Oracle VirtualBox, while it contains its own RDP server which can allow connections directly to VMs, is not a session host server like Windows Remote Desktop Services is. This means one instance of the VM cannot spawn multiple RD sessions to allow each user to have their own shell instance of a VM.


The second issue is that the virtual machine is set up with one single virtual hard disk file which is quite large, some 540 MB at the present time. I don’t know if the shell can save data to this file and thus save the user state between sessions. If it can, then the only way of backing up this session is to copy the entire large vhd which is rather inefficient. If it was expected that a user would have data that is worthwhile to be saved and the virtual machine is capable of saving it, then the first enhancement necessary is to have a second vhd to save the user data. With a bit of work this file could be specified in the VM settings to be on a network volume and therefore a user would be able to retrieve their session while in different locations.

However everything I have written herein is somewhat speculative as it is not clear whether the VM edition of Sugar is intended to be usable in a production setting or is just another demo edition.

Another option is if this system can be made to work on a Linux terminal server (LTSP), it could be functional for any clients that want to connect; the sticking point so far seems to be whether it requires to be netbooted from the server or can just start a session in the OS’s RDP client. PXE requires more work to set up and it precludes user switching between two different terminal servers if there is more than one on a network. From my POV the PXE boot would be more complex and tricky, and the whole point of virtualisation (whether session host or VM) is to avoid having to change boot configurations.

Print Spooler Problems [2]

Well I am doing more work on this today to see if I can get a solution for my Windows 7 users (including myself). And it turns out that print driver isolation is exclusively a feature of Windows Server 2008 R2 only. And I have only one R2 server in the whole school, which is also our Remote Desktop and RD Gateway server. So I will have to try out some print queues on that, less than ideal so I will have to get another R2 license eventually.

The interesting thing was that after I had installed the printer on the RD server and isolated its drivers, it is using WinPrint instead of BrPrint. When I installed another HL5140 onto a standard 2008 server it is still using BrPrint. So the isolation system must force the WinPrint processor to be used.

Another possible workaround, which I am also going to test, is to change the existing print queues to use WinPrint instead of BrPrint. I guess the root problem is that Brother has not updated BrPrint to be compatible with Windows 7. The drivers provided are for Windows Vista or 2008 at the latest. It may turn out there is a compatibility issue with BrPrint on Windows 7 and this is not going to be fixed by Brother because this printer is too old. At this stage I don’t have any experience of what happens when you change print processors so we will try out both options side by side to see.

Thursday 5 August 2010

OLPC refocuses on education

It is good to see OLPC is refocusing themselves on an educational project rather than the political aspects of their previous format. At the end of the day it should be schools’ individual choice of what systems they want in their schools and having OLPCs able to run a variety of OS platforms and software, along with their Sugar interface being able to run on a variety of OSs, will be a winner for the education market. It is a simple reflection of the fact that there is very little in reality between different hardware and software platforms and open hardware platforms allowing a choice of OS and software are the way to go. Keep politics out of education always.


Sugar running on the QEMU emulator on Windows 7. Next step: VirtualBox virtualisation of Sugar. And hopefully we will see WinSugar soon enough, because isn’t that supposed to be what Open Source is all about?

Live@Edu successful after 4 months use

As referenced previously we migrated our staff from onsite Exchange Server to Live@Edu in April and haven’t looked back since then. Around 30 staff are hooked on using Outlook 2007 or 2010 to access all parts of their Exchange mailbox on Outlook Live, and using the webmail where necessary. A few staff are sharing their own calendars or contacts with other staff. Outlook 2010 adds some useful enhancements including password caching and free/used space display for the hosted mailbox.

One issue that came up was with the updating frequency of calendar events, which is important when users are sharing calendars used to book appointments etc. I found there are some group policy settings covering these which are found in User Configuration\Policies\Administrative Templates\Microsoft Office Outlook 2007/Tools | Account Settings\Exchange\Cached Exchange Mode with three entries to do with sync, upload and download times. We set all three to 60 seconds and have had no further concerns about sync time. The policy settings say there are defaults of 15-60 seconds for these settings, but it was unclear whether the remote server could override them.

Essentially, because all email (except for internal mail between user accounts on the same domain) is always reliant on external servers such as those provided by ISPs, concerns about the reliability of hosting mail externally are not really significant. In any case the Live@Edu solution has been reliable, with most issues being local connectivity.

Install software via Group Policy

Automated software installation via GPO is a low end remote admin tool which does work sometimes, provided an MSI file can be used. If the installation is internally MSI based, the file can be extracted and used to perform the automated installation. This is easy to do: run the installer executable, look in %temp% for the temporary folder that contains the MSI, and copy it to a network share. Then deploy the package, which can be frustrating (choose the Advanced option, since you get the most choices about how to deploy the package).

The actual scheduling of installations via GPO is rather unpredictable and it can take several days before all the target computers have completed installation. If you have a remote events console or subscriptions to the target computers, look for events from source Application Management in the Application event log; event ID 302 indicates a successful completion of installation. Even if this is indicated, it is not always certain that a usable installation has resulted, as automating an MSI installation is not guaranteed to work out the way you want it to, depending on the settings which the installation designer specified when they built the package. Package settings can be customised using the Microsoft Orca tool.
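Because installation can lag by days, it helps to roll the event ID 302 records up per target computer. The following is an added example, not part of the original post: the function name, computer names and sample records are hypothetical, the source-name wildcard is an assumption, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: report which target computers
# have logged a successful GPO software installation (event ID 302).
function Get-GpoInstallStatus {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [object[]]$Events = @()
    )
    # Assumption: the source name starts with "Application Management".
    $ok = @($Events | Where-Object {
        $_.Id -eq 302 -and $_.ProviderName -like 'Application Management*' })

    foreach ($c in $ComputerName) {
        # MachineName is usually an FQDN, so compare the host part only.
        $latest = $ok |
            Where-Object { ($_.MachineName -split '\.')[0] -eq $c } |
            Sort-Object TimeCreated | Select-Object -Last 1
        [pscustomobject]@{
            Computer  = $c
            Installed = [bool]$latest
            LastSeen  = if ($latest) { $latest.TimeCreated } else { $null }
        }
    }
}

# Constructed sample records; names and times are made up.
$targets = 'LAPTOP01', 'LAPTOP02', 'LAPTOP03'
$sample = @(
    [pscustomobject]@{ Id = 302; ProviderName = 'Application Management'; MachineName = 'LAPTOP01.example.local'; TimeCreated = [datetime]'2010-08-03 08:15' }
    [pscustomobject]@{ Id = 302; ProviderName = 'Application Management'; MachineName = 'LAPTOP01.example.local'; TimeCreated = [datetime]'2010-08-04 08:20' }
    [pscustomobject]@{ Id = 1000; ProviderName = 'Application Error'; MachineName = 'LAPTOP02.example.local'; TimeCreated = [datetime]'2010-08-04 09:00' }
    [pscustomobject]@{ Id = 302; ProviderName = 'Application Management'; MachineName = 'LAPTOP03.example.local'; TimeCreated = [datetime]'2010-08-05 07:55' }
)
Get-GpoInstallStatus -ComputerName $targets -Events $sample | Format-Table -AutoSize

# Live collection (needs remote event log access to each target):
# $live = foreach ($c in $targets) {
#     Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue `
#         -FilterHashtable @{ LogName = 'Application'; Id = 302 } }
# Get-GpoInstallStatus -ComputerName $targets -Events $live
```

A computer reported as installed has only logged the success event; as noted above, that does not prove the resulting installation is usable.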

Wednesday 4 August 2010

Printer Spooler Problems

A user has had numerous problems with the Print Spooler, firstly in Vista and now in Windows 7. It was the same laptop in both cases, and each OS was a clean install. They were the only staff user on Vista (apart from myself) for quite a while. The Vista print spooler crashed often for them with particular print drivers. We have a number of Windows 7 users and computers, none of which are having the same problems.

All of our laptops are configured using Group Policy Preferences and receive the same set of printers. These are per-user printers which are Shared Printers under the GPP classification. There are 2 print servers; one running WS2003SP2 and one running WS2008SP2. The 2008 server was recently Hyper-V virtualised from a physical server. Some time before that the 2003 server was similarly virtualised. The 2008 server is a DC; the 2003 server is not.

Seen to date:

  • Dialog box “Test page failed to print. Would you like to start the print troubleshooter? The Print Spooler service is not running”. Even when it is running.
  • Similar message saying the print server’s print spooler service is not running. Even though it is running and no other user has had any printing problems.
  • Event log events 365 with text “Windows could not load print processor BrPrint because EnumDatatypes failed. Error code 126. Module: BRPP2KA.DLL. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.”. Even though the printer the user is trying to print to does not use this print processor, and it is not listed as a print processor for any printers in the Print Management administrative tool.
  • Event log events 602 with text “The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-1131366045-2363284717-2431634961-2688\Printers\Connections\,,DC02,C8 Photocopier 1045 PCL. This can occur if the key name or values are malformed or missing.” Logged for a number of different printers.
  • In the case of this particular laptop there are 1708 print service events logged in just 48 hours of which 1703 are Errors.
  • Investigation shows that the BrPrint print processor is in fact used by some Brother printers, particularly the model HL5140, but not used by others.

Remedies tried to date:

  • The laptop was rebuilt with Windows 7 replacing Vista. The user’s profile was copied over from Vista to 7.
  • The user’s profile was dropped and a new profile created, then the user’s documents, pictures, music etc were restored, but not their AppData or other application data or system files.

Next step:

  • Next step is to isolate the user account into its own test OU in ADUC and configure GPP to delete all the current printer connections and install only nominated printers excluding any Brother printers.
  • After that if there is still a problem we will look at dropping the user account and creating a new account.
  • We may look at changing the print processor on the server for particular printers that use BrPrint, even though it is hard to prove this is the problem.
  • The registry key errors might be related to the SID of the user account and it’s possible creating a new account with its new SID might resolve this particular part of the problem. 

More Info [1], [2] – both of these suggest that a print driver problem is the cause.

UPDATE 1: I soon found another Windows 7 user at our site having the same problems. And digging into the event log on my own computer, I found masses of the same type of error logged. So it appears that there is just a difference in how this problem presents to the end user, not in whether it is happening. The events are logged in the Microsoft-Windows-PrintService/Admin log, which is one of the new extended logs that are provided in Windows 7 and which greatly expand upon the logging options in previous versions of Windows. At our site the BrPrint processor is only being used by the Brother HL5140 printer, which is a fairly old model now; the problem is I have two of them. So the first step to try is updating the drivers on the servers to the latest available.
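To see how widespread the errors are on a given machine, the PrintService/Admin events can be summarised by ID, failing print processor and broken printer connection. This is an added example, not part of the original post: the function name is hypothetical, the sample events are constructed from the message texts quoted above with a placeholder SID, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Summarises events shaped like the
# 365 and 602 entries quoted above; accepts Get-WinEvent output or test objects.
function Get-PrintServiceSummary {         # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Events)

    # Event 365: print processor and module that failed to load.
    $processors = foreach ($e in ($Events | Where-Object { $_.Id -eq 365 })) {
        if ($e.Message -match 'print processor (\S+) because') {
            $name = $Matches[1]
            $module = if ($e.Message -match 'Module: (\S+\.dll)') { $Matches[1] } else { 'unknown' }
            "$name ($module)"
        }
    }

    # Event 602: per-user printer connection the spooler could not reopen.
    $connections = foreach ($e in ($Events | Where-Object { $_.Id -eq 602 })) {
        if ($e.Message -match 'Printers\\Connections\\,,([^,]+),(.+?)\. This can occur') {
            '\\{0}\{1}' -f $Matches[1], $Matches[2]
        }
    }

    [pscustomobject]@{
        Total             = $Events.Count
        Errors            = @($Events | Where-Object { $_.LevelDisplayName -eq 'Error' }).Count
        CountById         = $Events | Group-Object Id | Sort-Object Count -Descending | Select-Object Name, Count
        FailedProcessors  = @($processors | Sort-Object -Unique)
        BrokenConnections = @($connections | Sort-Object -Unique)
    }
}

# Constructed sample events modelled on the quoted messages (placeholder SID).
$sample = @(
    [pscustomobject]@{ Id = 365; LevelDisplayName = 'Error'; Message = 'Windows could not load print processor BrPrint because EnumDatatypes failed. Error code 126. Module: BRPP2KA.DLL. Please obtain and install a new version of the driver from the manufacturer.' }
    [pscustomobject]@{ Id = 602; LevelDisplayName = 'Error'; Message = 'The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-0-0-0-1000\Printers\Connections\,,DC02,C8 Photocopier 1045 PCL. This can occur if the key name or values are malformed or missing.' }
)
Get-PrintServiceSummary -Events $sample

# On a live machine, feed it the real log for the last 48 hours instead:
# Get-PrintServiceSummary -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PrintService/Admin'; StartTime = (Get-Date).AddHours(-48) })
```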

UPDATE 2: In the meantime I tested the most difficult user by applying a GPP to remove all their printers, then another GPP to install just the printers that aren’t from Brother. So far this has been successful so it will be applied to all the affected users. After that I will be using a test configuration to test out Brother drivers.

UPDATE 3: In theory driver isolation should help with these problems. Driver isolation is a new technology that was introduced on Windows Server 2008 and Windows 7 which enables individual print drivers to be isolated from being able to affect other print drivers. The main issue is that most of the print queues are running on a 2003 server so the next step is to move some of them, particularly the suspect ones, to a 2008 server.

Tuesday 3 August 2010

RDC 6.x on HP Thin Clients

If you want your thin client to connect through an RD Gateway then it must support RDC 6.0 or later. Even if you aren’t using RD Gateway (for example on an Intranet) it will let you use 2008 RD Services out of the box with NLA enabled. An RDC 6.1 client connecting to an RDS 7.0 server may support some of the new capabilities of RDP 7 but not all of them. Still, RDP 6 would allow a thin client to be at a remote site connecting to a server over the Internet, which is an attractive option for some situations where you might want to provide a remote logon for people who haven’t got a computer or where you/they don’t want to spend the money for a full PC.

HP thin clients will need to be running XP Embedded or Windows Embedded – some of the cheaper/older ones run Windows CE or various editions of Linux which only support earlier versions of RDP, typically 5.2 (or rdesktop 1.6 which is effectively the same). At the moment, from the best I can tell, you should look at the HP T5730 or later models such as the current T5740 – the 5730 out of the box should support RDP 6.0. XP Embedded and Windows Embedded are updated from time to time so there may be an update to the version of RDC available in a particular thin client. The latest version of XP Embedded for the T5730 is 5.1.860 but so far I haven’t got info on what is in it. This edition of XPe is also available for the older HP T5630 thin client and according to the release notes, contains “RDC version 6.0.6001, which supports RDP version 6.1”. RDP 6.1 will give you Remote Apps and some other stuff over RDP 6.0. I am looking at buying a T5630 or T5730 if I can get one at a reasonable price on Trademe, to try out at a remote site for personal interest.

FOOTNOTE: Windows CE 6.0 R2 also supports RDP 6.0. Windows CE 6.0 R2 is the operating system deployed on HP T5540 thin clients (a current model) and the older T5530. However it looks like RD Gateway is not a supported capability on the Windows CE 6.0 R2 Remote Desktop client.

Also the T5720 thin client will provide “RDC version 6.0.6001, which supports RDP version 6.1” with the 5.1.710 release of XP Embedded. The device requires a minimum 512 MB RAM to run this satisfactorily but HP recommends 1 GB. However I would guess that the amount of RAM is less significant for RDP due to its low resource demands.

Monday 2 August 2010

Fibre is coming…

A thrust borer has been here putting in a duct from the street. The fibre will come in. Then it will get connected up. Then it will get plugged in. At the moment you wouldn’t necessarily do it for the Internet because data rates look to be much the same as they are for broadband. You’d do it to get connected to the KAREN network (other schools, universities and the Ministry of Education). You could use the Ministry’s e-asTTle system without being bottlenecked over broadband. You could use an online SMS from a vendor without worrying about data charges or congestion. You could pool with other schools and get a shared server into a new datacentre that is being built in Christchurch which only charges for electricity at 61c a unit.

Hmm

http://www.stuff.co.nz/technology/digital-living/3979817/A-mobile-teacher-in-the-palm-of-your-hand

Does technological advance have all the answers? NO. Each new technology is a mixed blessing. We should not become carried away on the sea of technological development and become oblivious to its hidden impacts. For me there is nothing that technology can do that can replace the intimacy of spending personal time with family or friends. Likewise in a classroom there is a huge benefit from social interaction between the teacher and the students that isn’t possible in distance learning. Technology can’t replace the physical experience of going to church with 500 other people, either, or the special times of personal prayer with God.