My CCNA certification experience

I achieved the CCNA certification in April. A number of people have asked me what I did to pass the exam, so I thought I’d write a quick post about it.

I had basic knowledge of how IP networks function, but knew very little about the nuts and bolts. I had distant experience doing basic T-1 support (is the interface up? Red or yellow alarm?), but hadn’t touched a Cisco router in over 4 years. I had never configured anything other than default VLANs and I had no experience with routing protocols.

When I decided to pursue the CCNA, I found I had 2 options – take the full CCNA exam, or take the ICND1 and ICND2 exams. ICND1 gives you the CCENT certification. Passing the ICND2 exam then gives you the CCNA. I typically prefer to take fewer exams, but in this case I thought splitting the exam content was a better choice. Cisco does a great job separating the focus of the exams. The ICND1 truly is basic networking. The OSI model, tons of subnetting, and basic Cisco configuration. The ICND2 is much more difficult for a server admin. There are plenty of exam areas that the average server admin hasn’t even heard of, let alone configured. OSPF, EIGRP, and frame relay were the main areas where I came in with no knowledge at all.

Just as I was about to start studying, my company made a corporate purchase of the entire CBTNuggets library. Jeremy Cioara’s ICND1 and ICND2 videos were the only study materials I used. The man knows his stuff and I clicked with his training style. I can honestly say that his videos are an amazing blueprint for the exams. If you can perform every task he goes over in the training, I would almost guarantee a pass on the exams. I watched the ICND1 series straight through without much difficulty. The ICND2 videos took much longer. I spent a long time watching and rewatching routing protocols to understand what was going on.

I had a client who was kind enough to lend me a pair of old switches that worked just fine for studying VTP and trunks. I wanted to follow along by building the same lab infrastructure as CBTNuggets, but I didn’t want to go buy a bunch of aftermarket routers and a frame relay switch, so I used GNS3 instead. I built a replica of the instructor’s equipment inside GNS3 so I could configure the exact same network that he was configuring. GNS3 cannot emulate switches, so you either need to already know switching or you need to practice on physical switches.

I found the exams to be tough but fair. The typical Microsoft exam is memorize-and-regurgitate. The CCNA is nothing like that – you have to understand the material, then apply it. Cisco throws all kinds of questions at you – multiple choice, multiple answer, matching up columns, and live router configuration exercises. One thing that I really like about Cisco multiple answer questions is that they never give you the Microsoft style “Select all that apply”. Is it two answers? Three answers? Cisco always tells you how many answers they’re looking for.

Good luck in your certification pursuits!

VCAP5-DCA beta facts

This information has been pulled out of e-mails directly from the certification team as well as the VCAP5-DCA blueprint.

  • The exam is approximately 26 live lab exercises.
  • The exam is scored out of the standard 500 points, 300 is passing.
  • Partial credit is awarded.
  • Time limit of 210 minutes.
  • The beta went live on May 8th and will last until June 8th.
  • “After each exam is given, the exam is automatically scored and then the kit is ‘re-set’ for the next exam.” This is interesting in that the VCAP4-DCA was allegedly manually scored. I don’t know if this was rumor or truth, but I heard it from multiple instructors. The beta is definitely scored by script. Multiple e-mails from the beta team indicated a significant delay in the release of the beta due to problems with the scoring script.
  • As extra incentive to encourage people to take on the beast, the beta is offered free of charge.
  • There are 2 recommended courses for preparation for the VCAP5-DCA. The VMware vSphere: Fast Track course is currently available. The vSphere: Optimize & Scale [v5] class will not be ready until Summer 2012.
  • Not surprisingly, the exam blueprint is just as comprehensive as the VCAP4. Fortunately, this time you only have ESXi to worry about.

I’m not going to have enough time to prepare, but I’m going to take a crack at it anyway.

VMware Beta Exams

Anybody who has ever taken a VMware beta exam knows the frustration of waiting an inordinate amount of time for your results. I recently had the process explained to me.

VMware sets a minimum number of people who must take the beta before they can begin the initial scoring process. For the VCAP5-DCA, this is 100 people. Since most people aren’t quick to jump in and take the beta in the first week, you’re looking at a minimum of 3+ weeks from the beta release before VMware can start pulling exam data. Once they reach their minimum, the data is sent out to the exam development vendor. A set of people called psychometricians (doctorate level psychologists and statisticians) start their analysis of the exam results. This takes at least a week. As the rest of the beta exam results come in during the beta period, they are collected by VMware and analyzed by the psychometricians. VMware then meets with the psychometricians for a several day process where they set the cut score. At this point, the beta exam is ready for general release. But the betas still need to be rescored, so another week or so goes by.

Although I still find the wait period annoying, at least I have some justification behind it.

VDI for Education

There are countless arguments against deploying Virtual Desktop Infrastructure (VDI). Traditional desktops are cheap. VDI means you buy both a thin client and a rack of expensive servers and storage for your server room. You need a solid network backbone. You need substantial bandwidth for your remote sites. This all adds up to a significant capital expenditure.

Even in the face of these objections, VDI can be an attractive option for education. You need to go into it with the mindset that you’re not going to save capital expenses over a traditional desktop deployment. What you can achieve are substantial savings in operational expenses, major improvements in reliability and (typically) an increase in user satisfaction.

A few reasons why educational institutions should consider a VDI deployment:

  • With Microsoft’s Enrollment for Education and Software Assurance, schools have a simple, low-cost way to acquire the required Microsoft licenses. You pay a fixed cost based on the total number of full time employees you have. You count them once annually and you are covered for the entire year, even if you add staff. You can license Windows 7, Office, Windows Server, Exchange, SharePoint, SCCM, Lync, and Forefront through the agreement. Your students are included at no charge. You read correctly – the district doesn’t pay one penny for student licensing. Every student is fully licensed to use the entire suite of Microsoft software that your staff is entitled to use.
  • Your computer magically follows you – at least that’s what it will feel like to your users. When you sit down at a thin client in the library, your profile loads and it feels like your own computer. Your preferences are all saved, your files are all there, your browser bookmarks are all available. When you move to the teacher lounge and log in, it’s the same. Classroom? Same. How about logging on to the desktop from the Internet? Still the same. This might be the number one feature that generates genuine excitement from your staff. Once they start getting used to having their profile follow them everywhere, they’ll never want to go back. Your users who travel from building to building are typically thrilled with this – no need to lug a laptop around.
  • Thin clients have no moving parts and no hard drive to fail. They don’t fail very often. If you do have to replace one, it’s a simple 5-10 minute process. No need to push a desktop image down, no need to reconfigure a user’s local profile or recover documents from their USB sticks. You won’t be performing hardware CPR for 2 days trying to resurrect a user’s machine. All you do is yank out the old thin client, install the new, and let the user log on. They see the same desktop that they saw before the hardware failure. If the user happens to have some critical task to complete before you can pull a spare thin client off your shelf, they can sit down at any thin client in the building and see their own desktop.
  • District IT staff doesn’t have to waste countless hours updating Macs. Macintosh computers are simply not geared for enterprise management. Think about running software updates on one Mac. Now run them on a whole lab full of Macs. Now run them on 10 labs full of Macs. Suddenly an entire work week is gone. With VDI, the process of manually updating each machine is eliminated. Instead, you update once and automatically deploy the updated image to your users. This, of course, assumes that you’re using a centralized image. VMware calls it linked clones, and Citrix calls it pooled desktops.
  • Everybody has the same version of installed software. There is no need to save your files down a version because the whole district has the same version of the Office suite. The benefits of this are difficult to quantify as it’s nearly impossible to calculate how much time people used to spend district-wide sending and resending documents due to compatibility problems. Your users will still be happy to never deal with that issue again.
  • Users aren’t going to like this at first, but if you use linked clones, it makes the IT department the gatekeeper for application installation. There is no way for users to install unauthorized applications. This can be both a blessing and a curse. On the plus side, users can’t sneak a garbage app into the environment. What will typically happen is a user gets grant money for some app, they install it themselves and then IT is stuck trying to band-aid it because it’s not a fit for the environment. With a linked clone environment, users quickly learn that they have to involve IT in the process before purchasing an application.
  • Users are typically blown away by the speed and responsiveness of the VDI desktops. It’s very common to go into an environment and see boot times of 5+ minutes, and logon times of 2-5 minutes. Replace that with a thin client boot time of 10 seconds and a logon time of 15-30 seconds and your users are overjoyed. A significant improvement in response time would be seen in any hardware refresh, virtual or not. However, pooling all of your CPUs, memory, and storage in the datacenter allows you to harness the computing power that would otherwise be sitting idle.
  • Electricity savings can be substantial. You would definitely have to take specific power readings in your environment before calculating ROI, but a desktop computer draws between 65-250 watts of power. A thin client such as the Wyse P20 draws 15 watts. If you multiply the savings by hundreds or thousands of workstations, you can get into some serious money. The savings are at least partially offset by the increase in power draw at your datacenter. In many cases, the cost savings are still significant.

Virtual desktop technology is mature enough to deploy into Production without concern. With a properly designed infrastructure, you can support your entire district and provide faster response and repair times to your users. If you’re looking for more information, my employer can help. Contact us and let us know what you’re looking for.

Google Apps – Active Directory Sync

We do a lot of education sector consulting and questions on Google Apps invariably pop up. The price tag (free for education) is obviously attractive. Running a mail server in-house can be an endless time sink, so it’s not a bad idea to outsource it to Google. They deal with the spammers and storage; all you have to do is provision the accounts. Choosing how to provision is a critical decision for a Google deployment. One of the biggest sources of confusion that I see is directory integration with Google Apps. Most schools already have an existing directory, typically AD or Novell eDirectory. The school admins are interested in how to get Google to autoprovision accounts and how to manage user passwords.

Google has a provisioning tool called Google Apps Directory Sync (GADS) used to sync your LDAP directory with Google Apps. GADS runs as a scheduled task on a Windows server inside the client network. The program collects data from an LDAP server, then syncs the results to Google Apps. I’ve done this with Novell too, but most of my experience is with AD, so I am writing this article from that perspective.

There are many ways to handle the sync of both users and passwords. None of the methods are perfect; as with most things in IT, you have to balance convenience with security.

  1. Sync your AD accounts and passwords directly into Google Apps

    You can sync your existing AD accounts and passwords into Google. However, to make that happen you have to jump through Active Directory hoops and store your user passwords in an additional attribute on the user object. There is sample code out there showing you how to intercept password changes on domain controllers, then save them in another format that GADS can read. The passwords have to be stored as either SHA-1, MD5, or plaintext. SHA-1 and MD5 are hash algorithms that are no longer considered secure.

    I’m not a big fan of any of this. I don’t want to downgrade the security of my Windows network by using a poorly secured password attribute. Even worse, this method means all of your AD credentials, some of which will be privileged and some of which have VPN access, are floating around in the Google cloud.

  2. Sync your AD accounts with a one-time password

    You can sync your existing AD accounts into Google and use another directory attribute to set a one-time password. You might key on EmployeeID or StudentID or something similar. The user uses that password for the first login, then changes it at that login. After the initial password is set, the AD password is not connected to the Google password at all. You use the Google password to access Google’s services whether you’re using a web browser or a mobile phone. AD password changes have no effect on the Google password.

  3. Use Single Sign-on

    This is arguably the most secure, but also the most complex to set up. It requires setting up an IIS server with a public IP and SSL certificate, and installation of Microsoft’s ADFS 2.0 services (there are other ADFS providers, but this is free). This server is hosted on the customer’s network. The nice thing about this is that all authentication happens on your own ADFS server – Google doesn’t have a copy of your AD passwords. Your SAML server is trusted by Google via the use of certificates. The servers pass authentication tokens without actually transmitting passwords. Google offers a detailed diagram of what happens during a SAML exchange.

    The problem here is that you still have a Google password. ADFS only comes into play when checking your GMail via web browser – you still need a Google password to connect from your mobile device using the GMail app. So you still have to manage Google passwords and your users can get confused.

In the end, I think the SSO solution is the best for education. I don’t see much of a need for students to access their school GMail account with their cellphones. Some of the more tech-oriented teachers will want that feature, but you can do it on an as-requested basis. For the most part, you’re providing Google passwords to a subset of your administrative staff. This is a perfectly manageable number of mobile devices to support for the vast majority of districts that I’ve been involved with.

Restaurant Experience – Vito and Nicks II

I typically keep my blog posts in the technical realm, but after our lunch experience at the Vito and Nicks II restaurant in Oswego, IL, I decided to make an exception.

We went to the pizza and pasta buffet at 1:30, 90 minutes before the 3:00 cutoff. We weren’t sneaking into the tail end of the buffet or anything.

There were 2 trays of mostaccioli sitting above warmers. Both were about 20% full and had clearly been sitting out for quite some time. They had smothered the noodles with a top layer of mozzarella cheese to try to mask the age of the pasta. The sauce was bland.

The salad was frozen – you could tell because the lettuce hadn’t thawed all the way. The lone cherry tomato collapsed upon touch to reveal a frozen core.

The soups were served lukewarm, and both were a sloppy mess, as the server didn’t seem to be able to carry them without spilling. The broccoli cheddar was bland and thin. The other soup was some kind of beef and French onion concoction. The flavor combination was bizarre.

There were 3 pizza trays on warmers, and they’d obviously been out for a very long time. The cheese from multiple slices had melted off the side, then congealed onto the platter. Crust was a bit like cardboard. The cheese pizza was essentially tasteless. The sausage pizza was at least edible with a decent amount of spice to the sausage.

There is an Oswego-based company called Aftermath. They specialize in cleaning up after horrible disasters – car accidents, suicides, crime scenes, etc. I mention it because the server was discussing working there with the people at the table next to us. She was sitting one foot from our table; overhearing the discussion was unavoidable. She mentioned what the company did and that she was either looking in to working there or already worked there. She then proceeded to say “Bleach doesn’t kill all the bacteria in bodily fluids. It leaks into the floor. People try to clean it up themselves, but they don’t do a good job and it seeps into the walls. Then it starts to make a horrible smell.”

Not that we wanted to eat much more of that food, but the graphic descriptions pretty much put a dagger into the rest of the meal.

Find some other place to go. Seriously. Go buy a Tombstone and cook it yourself. Take your Tombstone and eat it while sitting around tombstones – you’ll have a better experience than going to this restaurant.

View 5 Personas with Forefront Endpoint Protection

Update 2/15/2012
I now have my very own VMware KB article documenting this issue – KB2011823

Update 1/20/2012
I have been trying to find a resolution to this for several weeks; scroll down for a full description of the performance problem that FEP causes with View 5 persona management. The issue found its way to the View product manager. A GPO setting that specifically addresses this problem was accidentally left out of the ViewPM.adm file included with View 5.0 build 481677. The policy setting is called “Excluded Processes”. The description of the setting is: “Excluded processes are processes whose i/o is ignored by Persona. Certain anti-virus applications might need to be added to prevent performance problems. If an anti-virus application does not have a feature to disable offline file retrieval during its on-demand scans, this setting will prevent it from unnecessarily retrieving files. However, changes to files/settings in the users’ profiles made by excluded processes are still replicated.” Using this setting eliminates the need to create any exclusions inside of FEP, so C:\Users will still be fully protected.

The solution for FEP is to use this GPO setting to exclude the FEP process MsMpEng.exe. Here is the replacement ViewPM.adm file. There is also a viewPM_adm_patch that I created with WinMerge; you can apply the diff to the ViewPM.adm file that installs with View 5.0.

Here are 2 screenshots of the missing setting.

Special thanks to Kevin Goodman at VMware for providing this solution!

Update 1/12/2012
I opened a ticket with Microsoft support and they advise that there is no way to prevent the download and scanning of offline files. They have escalated the ticket internally to look for any way this could be supported, but the engineer is setting expectations that there will be no resolution. It appears that you can not use personas with FEP unless you disable scans of C:\Users. That’s not a risk that I’m going to recommend taking, so it looks like it’s roaming profiles for my View clients who use FEP.

Update 1/10/2012
The support engineer assigned to my case came back with this:

I was able to replicate the behavior you saw while working with persona management and FEP server. The reason I was able to identify is that on logon FEP is downloading all data to the local machine to be scanned, thereby causing the delay.

Our expectation is that virus scanners will ignore scanning offline files, but that is not the case with MS FEP. I was unable to find any such option with the FEP client to ignore scanning offline files. Hence this can only be worked around by excluding the folder to be scanned on individual VMs. This does not, however, completely compromise security, as the file share where the persona eventually will be stored is being protected with FEP anyway.

Persona management works by selecting/clearing the offline file attribute for the contents of the entire %userprofile% folder.

I opened a ticket with Microsoft support with the above information. Setting up an exclusion on C:\Users prevents realtime scanning on that folder and I don’t think I want to let a potential virus sit out there unchallenged until the profile syncs up to the file server.

1/1/2012
I am deploying a new View 5 setup and the client has Forefront Endpoint Protection. After enabling persona management for my Windows 7 image, I found that the logon process hung at “Welcome” for 3+ minutes.

I found this VMware communities thread suggesting that MS Forefront Endpoint Protection was the culprit. I enabled debug logging and tried logging on with FEP both enabled and disabled. The debug logs are identical other than the amount of time spent between log entries. With FEP disabled, files in C:\Users are touched quickly, less than 0.1 seconds between log entries. With FEP enabled, files in C:\Users have a 3-5 second delay between touches. This leads to the 3+ minute logon delay.

The VMware community post suggested excluding C:\Users from scanning – I tested that configuration and it does resolve the logon slowness problem – logon completes within 5 seconds and profiles are synced successfully. Obviously, this comes at the expense of the security of the environment – I wouldn’t go to production excluding the entirety of C:\Users from antivirus scans.

I’ll be opening up a VMware support ticket, but given the deadline I’m working under it looks like roaming profiles are in my near future. Disappointing because I was impressed with the speed of the View persona management when FEP isn’t in the way.

Google Apps in the Enterprise – Not for the Faint of Heart

I helped with a massive Google Apps deployment to over 30,000 users at my last job with Fortune 250 RR Donnelley. We were moving away from Lotus Notes, which I was happy to be rid of. However, in retrospect, Notes is a relative joy to manage compared to Google Apps. Although being “in the cloud” is trendy and provides your management with a cool golf course buzzword, supporting Google Apps in the enterprise is nightmarish and should not be taken lightly.

Pluses

  • Email and calendar syncs with multiple devices – Native apps for Android and Blackberry, and IMAP support for the iFolks. No need for Blackberry Enterprise Server. Coming from an environment where only upper level management got Blackberries, having my calendar and e-mail on my phone was a huge plus.
  • Multiple editors – Google Docs lets you have multiple users in the same document editing simultaneously. This proved highly useful for many collaborative efforts.
  • Education – Provides a low cost, easy way to provide email accounts and collaboration tools for a constantly changing set of users.

Minuses

  • User Deletion – When you delete a user, it’s 5 days before you can put that user back in. It was an accident? Too bad. That user is without their e-mail account for 5 days.
  • Document Deletion – When a user is deleted, so are all their documents. Seriously. Every document they own is *poof* – gone.
  • Management Delegation – There are no degrees of admin rights – you’re either an admin or you’re not. Although you can do some interesting things with delegation using Google Organizations, many corporations have a centralized helpdesk. If you want any helpdesk worker to be able to help any employee, the helpdesk worker has to be a full blown administrator over the entire Google Apps domain. This is not a particularly palatable choice when you’re talking about hundreds of outsourced workers.
  • Bandwidth – Your bandwidth costs are going up. WAY up. Using Lotus Notes, a file attachment sent within the company never left the WAN. With GMail, the sender has to upload the attachment to the Internet, and then each user who receives it has to download it over the Internet. Every time people check their email, it’s Internet bandwidth and not WAN bandwidth. That’s thousands of users generating Internet traffic that didn’t exist with Notes.
  • Constant Development – Google Apps is continuously changing, and changes are pushed to Production with no warning. Things break overnight and it irritates the hell out of your users, and drives up support costs for IT.
  • No Logs – Logging is nonexistent. There’s no event viewer, no activity log, nothing. You have no idea who is doing what and no way to look it up.
  • Extracting Information – You can’t even get a simple list of who your domain’s administrators are within the Google GUI. If you want to extract the information, you’ll be writing a script. They have libraries in Java, JavaScript, .NET, PHP, Python, and Objective-C. If you’re a system admin, you’re probably not a programmer, so you’d better brush up on your Python. You’re not likely to make it past the learning curve to be able to use anything else.
  • Emergency support – You can’t get support without your support PIN, and you can’t get that without administrative access to your Google domain. The PIN changes periodically, so you can’t rely on having written it down. If you’re locked out of the domain, you’re stuck with filling out a form and waiting for e-mail support to get back to you.
  • The apps – Using the apps feels a lot like using Office 1.0. They’re rough, good enough for the very basics but not really ready for primetime. Your accounting department would stage a revolt if you forced them to use Google Spreadsheets instead of Excel.
  • Enterprise Integration
    • Passwords – You can use the Google Apps Directory Sync (GADS) tool to automate user provisioning up to Google Apps by syncing your existing LDAP infrastructure with Google. However, passwords are quite a challenge. If you have a way to extract the user’s password out of your LDAP directory, you can push that up to Google – but who wants Google to have a copy of the user’s corporate password? So you’re left with maintaining a separate Google password. Even if you implement Single Sign-On and authenticate users against your own LDAP server, that only applies to access via web browser. The separate Google password is still used for mobile device access.
    • Single Sign-On – If you decide to go the SSO route, you have to have a secure way to store a user’s e-mail address within your directory structure. With SSO, no user credentials are sent to Google – instead, Google uses a certificate to ask your company’s SSO server to authenticate you. Your SSO server must send the user’s e-mail address back to Google. This directory attribute must be created and secured, otherwise anybody with access to that attribute can impersonate any user. Let me repeat that – *ANY* user in the organization with access to the “email” property in your directory system can use SSO to read *ANY* user’s e-mail. For many enterprises, this means an unacceptable number of non-privileged IT workers have the ability to read anybody’s e-mails. Google does not offer any kind of AD schema update like an Exchange installation would to create a properly secured set of properties for e-mail address, so you are forced to create the properties manually and come up with a set of ACLs to achieve the proper security. This can be extraordinarily tricky in a large enterprise.
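Because the attribute your SSO server releases decides whose mailbox a SAML assertion opens, the practical control is knowing exactly who can write it. The following is an added example, not code from the original post or from any Google or Microsoft tool: it walks the ACLs on user objects in Active Directory and reports every trustee that can write the released attribute, either directly, through its property set, through an all-properties write, or through GenericWrite/GenericAll. It assumes the released attribute is mail and the OU path OU=Staff,DC=example,DC=com; both are hypothetical and must be adjusted.

```powershell
# Added example (hypothetical attribute name and OU path), not part of the original post.
# Audits which trustees can write the AD attribute that an ADFS/SSO server releases to
# Google as the user's e-mail address; anyone listed here can redirect SSO for that user.
Import-Module ActiveDirectory

function Get-AttributeGuids {
    # Returns the schemaIDGUID of an attribute and, when it belongs to one, the GUID of
    # its property set (attributeSecurityGUID). A WriteProperty ACE scoped to either GUID
    # grants write access to the attribute.
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }

    $guids = @([guid]$attr.schemaIDGUID)
    if ($attr.attributeSecurityGUID) { $guids += [guid]$attr.attributeSecurityGUID }
    return $guids
}

function Get-AttributeWriters {
    # Emits one record per Allow ACE on each user under $SearchBase that permits writing
    # $Attribute: WriteProperty scoped to the attribute or its property set, WriteProperty
    # with an empty object type (all properties), or GenericWrite / GenericAll.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$Attribute = 'mail'    # assumed: the attribute released in the SAML response
    )

    $targetGuids = Get-AttributeGuids -LdapDisplayName $Attribute
    $allProps    = [guid]::Empty

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights

            $writeProp = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
            $scoped    = ($ace.ObjectType -eq $allProps) -or ($targetGuids -contains $ace.ObjectType)
            $generic   = (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite) -ne 0) -or
                         (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -ne 0)

            if (($writeProp -and $scoped) -or $generic) {
                [pscustomobject]@{
                    User       = $user.SamAccountName
                    Trustee    = $ace.IdentityReference.Value
                    Rights     = $rights
                    ObjectType = $ace.ObjectType
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

# Group by trustee so the unexpected writers stand out next to the accounts you
# intend to have this right (identity/Exchange administrators, the sync service).
Get-AttributeWriters -SearchBase 'OU=Staff,DC=example,DC=com' |
    Group-Object Trustee |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Inherited ACEs usually originate on the OU, so a trustee appearing on every user points to an OU-level delegation that should be tightened there rather than per object.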

While Google will try to sell you Google Apps as a simple solution, neither the implementation nor the ongoing maintenance are simple. The Google resources assigned to the implementation project were simply not up to the task of navigating the complex political and technical landmines of a Fortune 250 corporation. The resources weren’t necessarily at fault – it was Google’s fault for several reasons. The resources assigned were simply too junior with insufficient experience at the enterprise level. They also had no idea how to address many of the enterprise level problems we encountered because they had never had to deal with a corporation the size of RRD. We felt like we were flying by the seat of our pants with little to no direction from Google.

Google Apps is a great choice for a small company and possibly for education, but it’s just not ready for the enterprise.

Free vSphere 5 ICM class giveaway

Just received this from Chicago VMUG leader Chris Wahl:
——
Want to get VMware certified in vSphere 5? The Chicago VMUG can help!

Have you been looking at the VMware Certified Professional (VCP) in vSphere 5 and wondering “how the heck do I save up $3000 to attend the required course”? It’s crossed a lot of minds and has been a topic I’ve heard often from colleagues and members of this group. In this day of tightened budgets and spend freezes, it can be nearly impossible to get your employer to justify sending you to Install, Configure, Manage on vSphere 5 in order to get your VCP5.

The Chicago VMUG is looking to help!

Thanks to a really solid sponsor showing at our upcoming VMUG Conference (October 31st!) we are putting aside funds to make sure one grand prize winner gets their Install, Configure, Manage on vSphere 5 class paid for, in full, on the date and location of their choosing. We only ask that you be working towards getting your VCP5 and not be eligible for the exam already (this excludes VCP4s who can take the exam without a course requirement until February 2012 and those who have already taken a qualifying vSphere 5 course).

What do you have to do to enter? Simple, register for the Chicago VMUG conference (link is attached to this post) and then stop by the VMUG booth at the day of the conference. We’ll scan your badge and pick one lucky winner to get trained! The VMUG staff will contact you to set up the details after the conference, so that you can pick the right time and place.

Already a VCP4 or VCP5? Please spread the news to a friend, co-worker, or your twitter followers! For more breaking news I also invite you all to follow the @ChicagoVMUG twitter account.

Best of luck to those who enter!

Event Registration (myvmug.org)
——