Wednesday, February 17. 2010
WPAD does not resolve in DNS
At work, we're doing a POC (proof of concept) with a web proxy, specifically the IronPort Web Security Appliance. Like almost all proxies, you have to get the traffic from the client to the proxy. It supports transparent traffic redirection, but we're looking at using WPAD instead.
However, when I created the WPAD DNS entry, it didn't resolve...
C:\>ping wpad
Ping request could not find host wpad. Please check the name and try again.
C:\>nslookup wpad <DNSServer1>
Server: <DNSServer1>.domain.net
Address: <IPofDNSServer1>
*** <DNSServer1>.domain.net can't find wpad: Non-existent domain
This, of course, is a big problem. It took a little investigating, but I found the cause.
Windows Server 2008 introduced a new feature called the "Global Query Block List", which prevents some arbitrary machine from registering the DNS name WPAD. This is a good security feature, as it prevents someone from just joining your network and setting himself up as a proxy. However, my DNS server is Windows 2003, which doesn't have the "Global Query Block List". Well, when the documentation was written it didn't, but a DNS service patch Microsoft published last year DID!
As far as I can tell, the patch in http://support.microsoft.com/kb/961063 included the "Global Query Block List". It's not supposed to be enabled by default, but mine was, and I did not intentionally turn it on. But here's the best news: not all the pieces of the feature made it down to 2003. The TechNet article http://technet.microsoft.com/en-us/library/cc995158.aspx shows how to manipulate the "Global Query Block List", and sure enough, the command:
dnscmd /info /enableglobalqueryblocklist
Query result:
Dword: 1 (0000000000000001)
Command completed successfully.
shows the block list is enabled, but the command:
dnscmd /info /globalqueryblocklist
Info query failed
status = 9553 (0x00002551)
Command failed: DNS_ERROR_INVALID_PROPERTY 9553 (00002551)
which is supposed to show you what's in the block list, fails.
Great..
So there are two options here:
1. Turn off the "Global Query Block List"
2. Remove WPAD from the "Global Query Block List"
Turning off the "Global Query Block List" is easy; just run the command:
dnscmd /config /enableglobalqueryblocklist 0
That's it. It's off. No service restart required. But what if you turned it off and want to turn it back on? You can't run the documented opposite command of:
dnscmd /config /enableglobalqueryblocklist 0
Why not? Because Microsoft goofed in their documentation. It's actually the same command as to turn it off! The correct command is:
dnscmd /config /enableglobalqueryblocklist 1
Removing WPAD but leaving the block list enabled is a little more difficult.
The "Global Query Block List" is stored here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList
Mine had the entries WPAD and ISATAP. Remove the WPAD entry and restart the DNS service for it to reload the block list. Note that there is a trailing newline character after ISATAP; it's best to leave it there. Note also that there is a command line that is supposed to edit this block list, but again it's broken in the 2003 implementation; hopefully a later patch or service pack will fix these features. Make sure to make the change on all your DNS servers. This is a per-machine setting, not a zone setting, so if you're using Active Directory Integrated zones, it won't replicate this change.
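Since the dnscmd switch for editing the list is broken on 2003, the practical route is the registry key above. The PowerShell script below is an added example, not part of the original post or of Microsoft's tooling: run it locally on each DNS server (the setting is per machine, so every server needs it), and it reads the block-list state with the same dnscmd /info command shown above, removes WPAD from the REG_MULTI_SZ value while keeping ISATAP and any other entries, restarts the DNS service, and then checks that the wpad name resolves. Re-enabling WPAD resolution this way also re-enables the rogue-WPAD risk the block list exists to stop, so the script refuses to continue until a real wpad record already exists in the zone; the zone name and record check are the only assumptions beyond what the post shows.

```powershell
# Added example (not from the original post). Run elevated on each DNS server.
# Removes WPAD from the Global Query Block List via the registry, because
# "dnscmd /config /globalqueryblocklist" fails on Windows 2003.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'GlobalQueryBlockList'
$zone      = 'domain.net'   # assumption: replace with your AD DNS zone

# 1. Is the block list even enabled? Same command as in the post; "Dword: 1" means on.
$info    = dnscmd /info /enableglobalqueryblocklist 2>&1
$enabled = ($info -join ' ') -match 'Dword:\s*1'
Write-Host ("Block list enabled: {0}" -f $enabled)

# 2. Read the current REG_MULTI_SZ list (PowerShell returns it as a string array).
$props = Get-ItemProperty -Path $paramsKey
$list  = @($props.$valueName)
Write-Host ("Current entries: [{0}]" -f ($list -join ', '))

# -contains is case-insensitive, so WPAD, wpad and Wpad are all matched.
if (-not ($list -contains 'wpad')) {
    Write-Host 'WPAD is not in the block list; nothing to change.'
    return
}

# 3. Safety check: only open the name up if an administrator-created wpad
#    record exists, otherwise the first host to register "wpad" becomes the proxy.
$recordExists = dnscmd /enumrecords $zone wpad 2>&1 | Select-String -Pattern '\bA\b|\bCNAME\b' -Quiet
if (-not $recordExists) {
    Write-Warning "No wpad A/CNAME record found in $zone. Create it first, then re-run."
    return
}

# 4. Drop only the WPAD entry; ISATAP and anything else stay. Writing a string
#    array as MultiString gives the registry the terminator the post mentions.
$newList = @($list | Where-Object { $_ -ne 'wpad' })
Set-ItemProperty -Path $paramsKey -Name $valueName -Value $newList -Type MultiString
Write-Host ("New entries: [{0}]" -f ($newList -join ', '))

# 5. The DNS service only reads the list at start-up.
Restart-Service -Name DNS
Start-Sleep -Seconds 3

# 6. Verify from this server; nslookup in the post failed with "Non-existent domain".
try {
    $addrs = [System.Net.Dns]::GetHostAddresses("wpad.$zone") | ForEach-Object { $_.IPAddressToString }
    Write-Host ("wpad.{0} now resolves to: {1}" -f $zone, ($addrs -join ', '))
} catch {
    Write-Warning "wpad.$zone still does not resolve: $($_.Exception.Message)"
}
```

The record check uses dnscmd /enumrecords so it works on the same 2003 box; if your wpad entry lives in a different zone, change $zone accordingly. Keep the block list itself enabled (the post's option 2, not option 1), since ISATAP and any other names in it are still protected after this edit.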
Monday, April 27. 2009
Windows Server 2003 allows old passwords for 60 minutes
Took me forever to find this again.
http://support.microsoft.com/kb/906305
Originally a software vendor clued me in to this registry key. It's the reason why, after you change your password, your old one still works for 60 minutes.
Tuesday, January 20. 2009
Find stale computer accounts in active directory
So it's inevitable that if you run Active Directory long enough, you will have "stale" accounts. Stale accounts are accounts that no one is using anymore, be it because the user is no longer employed, it was a shared account that no one uses anymore, or people just forgot the account is there. Yes, yes, you should have good practices in place to prevent this kind of account stagnation, but it happens.
The easiest way to find accounts is to use DSQuery:
dsquery user domainroot -name * -inactive 18
which will display the distinguished names of all users in only the current domain who have been inactive for 120 days (17+ weeks rounded to 18 weeks) or more.
But what about computer accounts?
dsquery computer -inactive 8 -limit 0
This searches for computers that have been inactive (stale) for the number of weeks that you specify (in this case 8 weeks) and displays all entries (the default limit is 100).
But what if you want pretty output ?
Joeware has a nice little utility that does all of the hard part for you, and can display the results in a DHTML table that is easily sortable.
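For readers who would rather get sortable output from PowerShell than from a third-party tool, here is an added example (not from the original post and not the Joeware utility): it reproduces what dsquery computer -inactive does by comparing each enabled computer's lastLogonTimestamp against a cutoff of $Weeks weeks, then prints a table and writes a CSV. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later), and the report path is an assumed default. lastLogonTimestamp replicates only every 9 to 14 days, so treat the dates as approximate, which is why the default window here matches the post's 8 weeks rather than something shorter.

```powershell
# Added example (not from the original post): find stale computer accounts.
# Requires the ActiveDirectory module (assumption: 2008 R2 RSAT or newer).
param(
    [int]$Weeks = 8,                                        # same window as the dsquery example
    [string]$ReportPath = "$env:TEMP\stale-computers.csv"   # assumed output location
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-7 * $Weeks)

# lastLogonTimestamp is a replicated FILETIME, updated only when the old value is
# more than 9-14 days old, so it is good enough for "weeks" but not for "days".
$stale = Get-ADComputer -Filter { Enabled -eq $true } `
            -Properties lastLogonTimestamp, operatingSystem, whenCreated |
    ForEach-Object {
        $last = $null
        if ($_.lastLogonTimestamp) {
            $last = [DateTime]::FromFileTime($_.lastLogonTimestamp)
        }
        # Never-logged-on accounts are stale too, if they were created before the cutoff;
        # that is the edge case a plain "LastLogon -lt cutoff" filter silently drops.
        $isStale = ($last -and $last -lt $cutoff) -or
                   ((-not $last) -and $_.whenCreated -lt $cutoff)
        if ($isStale) {
            [pscustomobject]@{
                Name      = $_.Name
                OS        = $_.operatingSystem
                LastLogon = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
                Created   = $_.whenCreated.ToString('yyyy-MM-dd')
                DN        = $_.DistinguishedName
            }
        }
    }

Write-Host ("{0} enabled computer accounts inactive for {1}+ weeks" -f @($stale).Count, $Weeks)
$stale | Sort-Object LastLogon | Format-Table Name, OS, LastLogon, Created -AutoSize
$stale | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"

# Safer clean-up than deleting: disable first, review, delete later.
# $stale | ForEach-Object { Disable-ADAccount -Identity $_.DN }
```

Open the CSV in a spreadsheet for the sortable view the post asks for. The disable line is left commented out on purpose: disabling and moving stale objects to a holding OU for a few weeks catches machines that were merely off-site before anything is removed for good.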
Wednesday, December 31. 2008
New CCA site
The Clean Access users page I was hosting got hit by a bad hack. Google very nicely sent me a message saying I was being removed from the search index until I clean it up.
Since there wasn't a lot of content there, I decided to delete the entire folder (and corresponding database) because it looks like they had pretty much rooted the entire site. (There was link spam being injected on every page of the site.)
So this is the first entry. I'll post more of them as I manage to dig them out of the archives. Most of the content however was talking about releases, and changes from the previous releases. Since this information is time sensitive, I don't think I'll be posting any of the older releases.
Saturday, November 15. 2008
Multi User Picasa
Just set up a new family computer, and I wanted to set up a different user account for both me and Rachel.
One of the programs both of us use is Picasa, and of course we want to share the same photos (and reflect edits back to each other).
This guy has some nifty tips on how to do that:
http://www.paraesthesia.com/archive/2008/01/04/multi-user-picasa.aspx
Monday, November 3. 2008
ASDM error: Unconnected sockets not implemented.
I was installing ASDM on a new machine at work, and was greeted with the following Error:
ASDM is unable to continue loading. Click OK to exit from ASDM.
Unconnected sockets not implemented.
Thankfully, this gentleman had already had this particular grief, and had found the resolution:
http://the-network-guy.blogspot.com/2008/10/asdm-error-unconnected-sockets-not.html
Short answer: uninstall Java 6 Update 10 and roll back to Java 6 Update 7.
Sunday, August 17. 2008
Carbonite vs Mozy vs Jungle Disk
I decided that with my daughter coming into my life, that I need to now backup all my precious pictures of her.
This is slightly easier said than done, since I'm currently clocking in around 30 GB of pictures.
Click the read more (or the article title) to read which backup solution I chose.
Wednesday, July 9. 2008
iCarbon
One of the nice things about having a scanner and a printer is that you should be able to photocopy something. Unfortunately, if you have a generic scanner (Like I do) you don't get the nice software that does that automatically.
I've been "using" Photocoper v3.03 for a few years, "using" being a relative term as it didn't work for me. It did a few times, then it just stopped. I've had to compensate by just using Photoshop, or Picasa2 to fake it.
I just found this software, iCarbon today, and it works great!
http://www.idev.ch/index.php?option=content&task=view&id=76&Itemid=54
Thanks to Steve Bass for pointing it out
http://blogs.pcworld.com/tipsandtweaks/archives/001635.html
Monday, June 16. 2008
Sophia Marilyn King
Sophia was born June 16th 2008 at 9:46 pm, weighing 6 lbs 4 ounces. She's 20 1/4 inches long.
Monday, February 18. 2008
Sophia's Room
So my family came over this weekend to get Sophia's room ready.
After many hours of hard work, the room is ready for furniture.
The picture below is of how it looks. It's a light pink, with a ladybug border.
Friday, February 8. 2008
Sophia's Ultrasound!
So we had Sophia's Ultrasound today. I'll post pictures when I get them from Rachel, but for now, you can see the video. (Ain't technology great?)
You'll have to click the video to start it (It will open up in Picasa Web Albums in a new window) If there is a big play button, you'll have to click twice.
Sunday, January 6. 2008
It's a GIRL!
It's a girl and her name is Sophia!
Click on the pictures to see a bigger version.
Thursday, November 8. 2007
We're Having a BABY!
Meet the newest member of our family.
(HINT: In the black spot, the lima bean shape. It's upside down, so the head is on the bottom. What appears to be an eye is actually the heart.)