Archive for the ‘Hardware’ Category

Short review of the Epson Perfection V33 Color Flatbed Scanner

January 9th, 2012 by Paul Sterley | No Comments | Filed in Hardware

The scanner is small and light, and doesn’t try to be more than it is: A good, small no-frills basic color flatbed scanner.

The installation routine has an option for custom install, during which you can choose not to install the extra bundled software if you don’t want/need it.
At the end of the installation, it asks if you want to check online for newer drivers. I did so, and it found a newer driver (22 MB in size). I wish it had done that BEFORE installing the stuff from the CD, but it probably doesn’t make much difference either way.

Once the software was installed, Windows 7 64-bit found the scanner without fuss.

The scanner has some buttons on it, which I don’t intend to use, so I will leave their function to other reviewers.

The scan utility is pretty standard as scanners go, which is good. It does not bog you down with stylized frames around the windows and animations. It just brings up a rectangular dialog box with some options on it. The default setting is “full auto mode” which I suppose is good for non-technical people.

In addition to “full auto mode” you can switch it to “home mode”, “office mode” or “professional mode”, which have different settings and abilities relevant to each of those profiles. Home mode is more centered around what the image is going to look like. Office mode is more centered around how fast it will scan and what options will be applied to it. Professional mode is full of all kinds of interesting dials and knobs that you can twiddle to apply effects while scanning to get it just right. People who like to fiddle will have a field day with Professional mode.

Once you’ve chosen a mode, the process is pretty straightforward. Do a preview scan to find your image on the glass, select the area you want to scan, rotate/crop it, maybe fiddle a little more, choose what resolution and file type to use, and then scan it.

I would like to complain about one small but very annoying (to me) detail:
The software remembers that when I am in “Home” mode I want to scan at 300 DPI, and when I am in “Office” mode, I want to scan at 150 DPI.
However, the software does NOT remember that I want to save as JPG in Home mode and PDF in Office mode.
Seriously? How difficult is that? Can you really have missed that? Is it a “corner case”? Nobody would ever want to do THAT…

When I called tech support, the representative who barely spoke English told me that it was by design, so that you can get exactly what you want each time. Care for some SPIN, anyone?
If he had told me that it was a known issue, and they intended to fix it in an upcoming driver release, that would have been acceptable.
But no, they played it like it’s supposed to be that way, and it’s annoying.

I suppose that if this is the biggest complaint I can come up with, it’s a pretty good scanner and software package.

How to Configure Mobile VPN with SSL on a Watchguard Firewall to use Active Directory Authentication

March 16th, 2011 by Paul Sterley | No Comments | Filed in Firewall Configuration, Hardware, In the Windows Box, Security, Windows Server
  • These instructions are based on Windows Server 2003 and Watchguard XTM 11.3.2 on an XTM 23 appliance, using Policy Manager version 11.3.2-B290753.
  • You can view the documentation that this configuration is based on here.

Overview:

Details below.

Set up the Authentication Server in the Firewall:

  1. Click Setup -> Authentication -> Authentication Servers.
  2. Click the Active Directory tab.
  3. Check the box to enable it.
  4. Type the IP address of the Active Directory Domain Controller server.
     Note: if your AD server is on the other side of a BOVPN tunnel, see the WG documentation for how to configure this.
  5. In the Port field, enter either 389 (if the DC is NOT a Global Catalog server) or 3268 (if the DC is a GC server).
  6. In the Search Base field, type your LDAP search base.
     Note: If your internal AD domain name is “company.local” and your security groups are in an OU called “CompanyGroups”, then your search base might be “CN=CompanyGroups,DC=company,DC=local”. You can shorten this to just “DC=company,DC=local” if you’re not sure of the path to your OU and you don’t mind it searching the entire AD.
     If you need help finding your search base, refer to the WG documentation.
  7. The Group String should already be set to “memberOf”. Leave it at the default.
  8. You only need to supply a Searching User DN and password under special circumstances. Refer to the WG documentation if you have any questions about this. Most configurations will not require this, so leave it blank if you’re not sure.
  9. Click OK.

Set up Mobile VPN with SSL in the Firewall:

  1. Click VPN -> Mobile VPN -> SSL.
  2. Check the box to activate Mobile VPN with SSL.
  3. Drop down the Authentication Server list and choose Active Directory.
  4. Select the external IP address for the users to connect to.
     Note: If you have any inbound port translation rules for SSL, for example Outlook Web Access or Remote Web Workplace, you will need to use a different IP address that does not have a conflicting rule, or change the port number on the Advanced tab of the Mobile VPN with SSL properties. Be aware that if you change the port, you reduce the likelihood of the VPN working in restrictive environments such as airports, hotels and wireless hotspots, which may limit which ports can reach the Internet.
  5. Drop down the Network and IP Address Pool list and choose Bridge VPN traffic.
     Note: you may choose to configure your setup differently. This step does not change the configuration of the authentication server. If you would rather connect via routed traffic instead of bridged traffic, see the WG documentation for details.
  6. If you are using bridging, drop down the “Bridge to interface” list and select “Trusted”.
  7. Specify a start and end IP address for the firewall to draw from. Document these and exclude them from your DHCP pool to avoid IP address conflicts.
  8. Click the Advanced tab.
  9. If needed, you can adjust the Authentication and Encryption methods here, as well as the keepalive settings. Most configurations will not require this.
  10. If port 443 is in use on the Primary Firebox IP Address you specified on the General tab, you will need to change the port in the “Data channel” area.
  11. Specify a DNS domain name. This should match your internal Active Directory domain name, for example “company.local”.
  12. Specify a DNS server for DNS name resolution.
  13. If appropriate to your network, specify a WINS server for NetBIOS name resolution.
  14. Click OK.

On the Domain Controller:

  1. Create a Global Security Group in or under the OU you specified in your Search Base earlier.
  2. The name of the security group MUST BE “SSLVPN-Users”. It is case sensitive.
  3. Populate the security group with VPN users.
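As an added example (not WatchGuard's code and not from the original post), the following models the checks that the Authentication Server and Domain Controller sections above set up: it derives a whole-domain search base from the domain name, picks the LDAP port (389 or 3268) from whether the DC is a Global Catalog, and decides whether a user would pass the SSLVPN-Users group check. It assumes the firewall looks up both the user and the group under the Search Base and compares the group name case-sensitively, as the post states; the directory entries are constructed, and because an organizational unit's RDN is OU= rather than CN=, the sample groups container is written as OU=CompanyGroups.

```python
# Added example, not WatchGuard code: a pre-flight model of the Active
# Directory checks configured above. Assumes user and group are both looked
# up under the Search Base and the group name is compared case-sensitively.

REQUIRED_GROUP = "SSLVPN-Users"  # case-sensitive, per the post

# Constructed directory snapshot. An organizational unit's RDN is OU=, so
# the groups container is written OU=CompanyGroups here.
SAMPLE_DIRECTORY = {
    "CN=Alice,OU=Staff,DC=company,DC=local": {
        "memberOf": ["CN=SSLVPN-Users,OU=CompanyGroups,DC=company,DC=local",
                     "CN=Domain Users,CN=Users,DC=company,DC=local"]},
    "CN=Bob,OU=Staff,DC=company,DC=local": {        # wrong case in group name
        "memberOf": ["CN=sslvpn-users,OU=CompanyGroups,DC=company,DC=local"]},
    "CN=Carol,OU=Staff,DC=partner,DC=local": {      # outside the search base
        "memberOf": ["CN=SSLVPN-Users,OU=CompanyGroups,DC=partner,DC=local"]},
}

def domain_to_search_base(domain):
    """Whole-domain search base: 'company.local' -> 'DC=company,DC=local'."""
    return ",".join("DC=" + label for label in domain.split("."))

def ldap_port(dc_is_global_catalog):
    """Port field: 389 for a plain DC, 3268 when the DC is a Global Catalog."""
    return 3268 if dc_is_global_catalog else 389

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas in values."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped or ch == "\\":
            cur, escaped = cur + ch, not escaped
        elif ch == ",":
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
    rdns.append(cur.strip())
    return rdns

def dn_under_base(dn, search_base):
    """True when dn is at or below search_base (case-insensitive RDN suffix)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(search_base)]
    return len(d) >= len(b) and d[-len(b):] == b

def group_cn(group_dn):
    """CN value of a group DN, or None when its first RDN is not a CN."""
    attr, _, value = split_dn(group_dn)[0].partition("=")
    return value if attr.strip().upper() == "CN" else None

def sslvpn_authorized(user_dn, search_base, directory=SAMPLE_DIRECTORY):
    """Model the firewall decision: user found under the Search Base, and
    memberOf lists a group named exactly SSLVPN-Users that is itself under
    the Search Base (the post says to create it there). Returns (ok, why)."""
    if not dn_under_base(user_dn, search_base):
        return False, "user is outside the Search Base"
    entry = directory.get(user_dn)
    if entry is None:
        return False, "user not found"
    for group in entry.get("memberOf", []):
        if group_cn(group) == REQUIRED_GROUP and dn_under_base(group, search_base):
            return True, "member of " + group
    return False, "no group named exactly " + REQUIRED_GROUP
```

Run it against an export of your own users' memberOf values before the first VPN test, so a lowercase group name or an account outside the Search Base shows up here rather than as an unexplained login failure.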

On the Workstation:

  1. Open a web browser and connect to https://(firewall IP address or FQDN)[:port]/sslvpn.html. You can leave off the colon and the port if the port is 443.
     Note: You can also download the client software from the WG website and distribute it manually.
  2. Accept the SSL certificate warning (if any) and proceed to the web page.
  3. Log into the Watchguard firewall using a domain user account that is in the SSLVPN-Users security group.
  4. Download one of the client packages and install it.
  • When the client software asks for the server information, use the external IP address or FQDN of the firebox. Add a colon and a port number if it is not using 443. For example: “mail.company.com:444”.
  • The username and password are the user’s domain username and password, assuming the account is a member of the SSLVPN-Users security group. You do not need to qualify the user account with “domain\”.


Dell Error Code for Failed Hard Disk

March 16th, 2011 by Paul Sterley | No Comments | Filed in Hardware, Not in the Windows Box

You have a Dell workstation. It’s under warranty. The event log has a bunch of errors with source “Disk”. CHKDSK reports bad sectors.

You KNOW the hard disk is failing, but Dell Support wants you to boot from a diagnostic CD and run some tests to generate an error code, which could take hours. You’re on the clock charging your customer for your time. Time is money.

You can tell the Dell technician that you have run the diagnostics utility, and that it generated this error code:

Error Code 4400:011B
Msg: Block 253122 (feel free to change up the block number for variety)
Medium error (3-1101)
Read retries Exhausted.

More recently, from an Optiplex 780:

Error Code 0142
Error Code 2000-0142
Hard Drive 0
Self Test Unsuccessful Status 79
Error Code 0F00:1332
Disk-Block 126377466
Interrupt Request (IRQ) did not set in time.

One of these will get you a new hard disk shipped from Dell.


Run CHKDSK /F at ROCKET SPEED without rebooting your server

July 18th, 2010 by Paul Sterley | 2 Comments | Filed in Backup and Restore, Hardware, In the Windows Box, Management Software, Windows Server

CHKDSK can’t fix a volume when someone or something is using it.

Normally, when you run CHKDSK and you want to fix something, you run the command, it tells you that it cannot gain exclusive access to the disk, and asks if you want to schedule it for the next reboot. You say yes, reboot the server, and then CHKDSK gets to work halfway through the next server boot. The problem is, all of the services of that server, like AD/DHCP/DNS, etc, and any shared folders on other volumes are also offline during this time. This is very inconvenient.

Looking a little closer at what constitutes an open handle that stops CHKDSK from fixing the volume:

  • If a service is running (QuickBooks Database Server Manager, for example) and is looking at the volume, CHKDSK is hands-off.
  • If a user has a file open, then CHKDSK is hands-off.
  • If you have Windows Explorer open on the server looking at the volume, CHKDSK is hands-off.
  • If you have a command prompt open and have changed directory to anything on the volume, CHKDSK is hands-off.
  • If you even have a folder on that volume shared on the server, CHKDSK cannot fix it without dismounting the file system.
  • If you carefully make sure that NONE of these are true, and if I haven’t missed any, you can actually run CHKDSK with the /F switch while your server is still running!

Here are some reasons you’d want to do this – and there’s one unexpected and very important one in there.

  • You could fix one volume while leaving the others accessible.
  • You could still have DNS/DHCP/PDC/Exchange services while the data volume is being repaired (if your Exchange database is on a different volume).
  • If this is a physical server, and you don’t have iLO or DRAC to remotely view the screen, running CHKDSK in this manner will allow you to watch the process run and check in on it from time to time, without having to be physically in front of the server.
  • Here’s the REALLY BIG ONE, and it is so dang big, I am simply amazed that I have not heard about this before:
  • IT IS FASTER! We’re not talking about 2x, or even 4x. It is ROCKET-FAST.

I was fixing a server in single-mode (halfway through Windows boot), and it took 2.5 DAYS to fix the security descriptors on about three million files. I was forced to interrupt it to let the users back in.

I am now experimenting on another server that I restored the entire volume to (broken security descriptors and all). I made sure nothing had locks on the volume, and ran the CHKDSK /F with Windows up and running – and it has now fixed 2.4 million files in about 31 minutes! It may even be done with the 6.8 million files on this server before I finish writing, editing, and posting this blog entry (OK, maybe not quite that fast).

This other server I am experimenting with is a physical server, where the other was virtual – but this server is running 7200 RPM SATA disks compared to the 15K SAS disks in the virtual server. It’s a generation older. I know that physical servers run a bit faster than virtual, but not THIS MUCH faster. No way.

The production virtual server still has half its file system needing to be fixed, and I intend to put this new development to the test during the next downtime window. I will post my results.

So what about those shares? Don’t want to delete and recreate them?

Try this MS KB document (Article ID: 125996) on for size. Export your shares before deleting them, run the CHKDSK, and then re-import your shares in 5 minutes plus a reboot.

Update: It is not necessary to export and delete your shares. CHKDSK prompts to force a dismount on the volume (rather than scheduling for the reboot) when you have shared folders, but no services or other file locks.


What to do when you KNOW your CHKDSK /R operation is going to take a VERY long time to run.

July 18th, 2010 by Paul Sterley | No Comments | Filed in Backup and Restore, Hardware, In the Windows Box, Management Software, Windows Server

You suspect file system problems. You run CHKDSK _without_ the /R switch, which runs in read only mode. It checks the disk and tells you that you have over six million security descriptors that need to be replaced with the default ones.

You’re not sure if your server will come up OK when done fixing all of this.
You don’t know how long it is going to take to fix.

Well, take my word on it: you don’t want to find out the hard way that it is too long. I am running this scenario on the following:

Dell PowerEdge R710 server with:

  • PERC 6/i SAS RAID card with 256 MB cache
  • Dual quad-core 2.25 GHz processors
  • 16 GB memory
  • Six 600GB 15K SAS disks in a RAID5 with the default stripe size.
  • I am running VMware ESXi 4.0 Update 1.
  • The guest OS is Windows 2003 R2 SP2. It is the only VM running, with 4 CPUs allocated.

I ran the CHKDSK in read only mode and it documented 6,864,384 files with bad security descriptors.
I started running CHKDSK with the /R switch and recorded the following:
The process fixes approximately 67,150 descriptors per hour, or 1,611,675 per day.
That means it will require 4.3 days to complete.

I know it’s a bad idea to interrupt CHKDSK while it is in progress, but there is no way in hell the customer is going to allow me 4.3 days of downtime. It’s just not going to happen.
So I thought about CHKDSK for a while, and came up with this:

Stage 1 works with the files themselves. The files have extra bits on the end that CHKDSK can look at to see if there is a likelihood that the file is messed up. It’s called a “checksum” or some such.

Stage 2 works with the indexes. This is where CHKDSK looks at where the files are “supposed” to be in the disk, as indicated by the “map” it is looking at. Then it goes and looks to see if the files are actually where they are supposed to be.

Stage 3 works with the security descriptors on the files and folders.

Stage 1 and stage 2 are the most dangerous stages. This is where, if interrupted, the files or indexes could become irrecoverably corrupted, and we’d be very unhappy campers.

Stage 3 is, in my opinion, an area of less danger. The files and the indexes are OK; it’s just checking security descriptors and fixing them if needed.

I took a calculated risk and rebooted the server when it was working on file # 422,000 or thereabouts. It seemed more or less happy. I ran CHKDSK in read only mode again, and after checking Stage 1 and Stage 2 without errors, it started reporting bad security descriptors again on Stage 3 at file # 422,000.
Maybe I dodged a bullet, or maybe interrupting CHKDSK in Stage 3 is not as bad as it could be.
Anyway, rebooting during a CHKDSK operation is bad news, and to be avoided if possible. So, this article offers you a way to find out how long your CHKDSK operation might take, or avoid that risk altogether.
I offer you an alternate solution that does NOT involve setting a CHKDSK flag, rebooting the production server, and hoping for the best.

This method is outlined very roughly like this:

  1. Take a full volume backup (including the errors) of the production server using ShadowProtect or other disk-based backup system.
  2. Restore this backup to an alternate or loaner server.
  3. Fix the file system on the loaner server (giving you a rough idea of the time it would take on the production server).
  4. Run a full backup of the fixed temporary server’s data volume.
  5. At this point, you have a choice:
       a. It didn’t take very long, so go ahead and run it on the production server, or
       b. Proceed with this alternate method.

While you have been fixing the file system on the temporary server, users have been modifying files on the primary server. So:

  1. Use Robocopy with the /MIR, /DATSO switch, etc. to synchronize the changes between the production server and the temporary server (Users must be offline not making changes during this time).
  2. Restore this backup to the production server. (Users are offline during this time).

The drawbacks:

  • It involves moving the data all over the place repeatedly, which takes a lot of time and network bandwidth.
  • It requires two separate backup locations so you don’t overwrite your only backup.
  • It relies entirely on the integrity of the file system on the temporary server.
  • Once the restore has begun, you CANNOT interrupt it the way you can (even if you shouldn’t) interrupt the CHKDSK.

The benefits:

  • Depending on data size and number of files that need to be fixed, the amount of downtime required for synchronizing changes and restoring the volume might be significantly less than letting the CHKDSK run.
  • No more interruptions of CHKDSK if the users won’t let you fix it all in one sitting.
  • No-risk CHKDSK. How many times have you run CHKDSK /R and wondered if your file system would mount when it was done?

 

There are some aspects of this I would like to discuss before they come up in the comments:

Q: What if the customer has only one server, and it’s SBS?
A: Well, now that’s tricky. It is still possible to do this, but it gets complicated. You’d have to restore that volume to similar hardware (great if it is a virtual server), because you’d be restoring the OS as well, so that the permissions wouldn’t get trashed. So then you’d have two servers with the same name, same IP address, same domain, etc. This is not an insurmountable problem. All you need is a $69 broadband router to put between them, and change the IP address on your temporary server. That will significantly slow down file operations, and in light of the other issues I am about to cover, this might not be worth it.

Q: What if there are other things on that volume (Exchange, other databases, etc) besides files?
A: Well, now you’ll have to make a choice on how you want to handle that. You could do something like this:

  1. Dismount the database and copy it off before you do the restore, then copy it back afterward.
  2. Back up the databases separately using other tools, and restore them afterward.
  3. After having fixed all of the files on the temporary server and having synched them with Robocopy, delete all of the files on the production server, run the CHKDSK to fix the remaining issues (should run VERY quickly with all of the files gone), and then do a file-by-file restore (which will be VERY slow), and then of course you’ll have to fix the NTFS permissions.

Q: What if the customer does not have an alternate (temporary server)?
A: Seriously? <rant> Come on now. It really amazes me how many IT consulting companies, large and small, do not have usable loaner servers to put at client sites in an emergency.

I run an IT consulting company. Me. I’m a one-man show at this point. I have THREE loaner servers I can bring to bear if needed. I have a half-dozen extra hard disks lying around to help configure these servers as needed. If I can afford this, so can your company. It simply requires dedication to your customers instead of squeezing every dollar you can out of your customers.

Server1: 2U compact low-noise rack-mount white-box running an Intel motherboard, quad-core 2.5 GHz proc, 8 GB RAM, and a couple of 1 TB SATA disks. No RAID. It’s loaded with VMware ESXi that boots from a USB stick. This machine cost me about $800 to build. It’s handy to have around to run labs on, when not being used for a loaner server.

Server2: Micro-ATX Tower white-box running an Intel motherboard, quad-core 2.5 GHz proc, 8 GB RAM, and three 1 TB SATA disks. No RAID. This machine cost me about $600 to build. This one doubles as a gaming PC for when my gaming friends come over.

Server3: HP Proliant DL320 G3 1U rack-mount w/onboard SATA RAID, 2 disks max. It’s an older 32-bit machine, but it has 4 GB of RAM and I swapped out the two 80 GB SATA disks it had with two 1 TB SATA disks. This machine was given to me by a customer who retired it. This one doubles as a dedicated UT2004 server for when my gaming friends come over.

These may not be super-impressive machines, but as loaner servers in a pinch, they are very flexible. I can configure them with software mirroring for fault tolerance, or I can configure them striped for capacity (I just make sure to back up the data incrementally every hour while in use). They have enough RAM to run an SBS 2008 server and enough CPU to run two or three virtual guests if needed. One of these machines ran my entire server infrastructure (SBS 2008 and Windows 2008) for two weeks last year when I had an air conditioning issue.

So if your customer does not have a spare server lying around, maybe you can come up with something with your own resources. </rant>

Really, you have to look at the particulars of your situation and decide if this is a good idea for you. Still, it’s one more option to put in your tool belt.
