Samba, AD & The Replication Tango

One of the problems with trying to do things at low or no cost is that they don’t always work out as you want them to. This is especially true of IT. I have fallen victim to this once or twice in my working lifetime, especially of late. I’m a trustee and systems admin for a small charity and we, in common with other small charities, have a very limited budget, especially when it comes to IT. To save money on operating systems I opted to install a Linux box running Samba 4.5 to provide Active Directory services but, as always, requirements change. Having set up a Samba-based Active Directory service and successfully joined a set of Windows 10 Pro clients to it, there is now a requirement to interface the directory with Azure and Office 365 (as well as the GPOs and login scripts not working). If this was a Windows-based AD, there wouldn’t be a problem but this is Samba and so, to satisfy the requirements, a Windows 2012 or 2016 server has to be joined to the AD. Unfortunately, neither of these can join a Samba domain directly so this has to take place via a 2008 server. This isn’t as easy as it seems. It isn’t that hard but it is involved and can break the AD replication and make the directory unstable, if not unusable. So, this is how you do it…

Please Note: Throughout this document, replace sambaDC, winDC, winDC_IP and domain.name with the names of your own Samba DC, Windows DC, Windows server IP address and domain name.

The Server & Active Directory

First off, due to the way Windows 2012 server interfaces with the domain (using MSRPC), it isn’t possible to join the Win2012 server directly. Samba AD operates at the 2008R2 domain level, so anything lower than this will not work either. We therefore have to first add a Win2008R2 server, integrate the DNS, transfer the FSMO roles from the Samba server and then demote the Samba server.

Note: In a Windows only environment we would normally only be concerned with the standard five FSMO roles: Schema, RID, PDC Emulator, Infrastructure & Domain Naming. With Samba, there are two further roles that have to be transferred: DomainDnsZone and ForestDnsZone.

The following are basic steps that all Systems Administrators should be familiar with. If you’ve installed Windows server before then you’ll know what to do and can skip to the section “The Replication Tango”.

Provisioning The Server:

All that is required to start is a standard Windows 2008 R2 server installation. This can be on bare metal hardware or a virtual machine running on a hypervisor (I’m doing this on a Linux box with Xen Hypervisor 4.9).

Once the server has been installed, the first thing to do is add a static IP address, gateway, subnet mask and point the primary DNS entry to the Samba server and the secondary to the server itself. For example, I have a server with a static IP of 192.168.1.7 and the Samba server is 192.168.1.2, as shown here:

Figure: Server 2008R2 network settings

Next, the Active Directory Role binaries need to be installed. This is handled by the Add Roles wizard. In the Initial Tasks list, click on Add Roles. Once the Add Roles wizard starts, click Next to go past the “Before You Begin” screen and ensure that the “Active Directory Domain Services” check box is ticked and click Next. Click Add Required Features to allow .NET to be installed and then click Install to begin installing the binaries. Once this is complete, we can then join the server to the domain.


Joining The Domain:

The next step is to join the domain. To do this, we need to use a command line application called “dcpromo.exe“. This provides an interface to set up the server and join it to the domain.

  1. Press WinKey+R to open the Run dialog box, type in “cmd” and press enter. This should open a command prompt with admin rights by default.
  2. Type “dcpromo” and press Enter. The wizard should start. (Once each page is complete, click Next.)
  3. On the first page of the wizard, check the “Use Advanced Mode Installation” box and click Next and then Next again.
  4. As we are adding a DC to the domain, select “Existing Forest” and then “Add domain controller to an existing domain“.
  5. Enter the domain name then click “Set” to add an account in the target domain that has domain admin rights.
  6. Select the domain that you want to add the DC to.
  7. Select a site. In a small domain this will default to “Default-First-Site-Name“.
  8. Ensure that “DNS Server” and “Global Catalog” check boxes are ticked. If “RODC” is ticked, then untick it as we want this DC to be writeable.
  9. You will receive a warning that a delegation for this DNS server cannot be created. Click “Yes” to clear this warning. You can ignore it.
  10. Ensure that “Replicate data over the network” is selected.
  11. Select “Use this specific domain controller” and select the Samba server from the list.
  12. Leave the Database, Log and SYSVOL folders at their defaults.
  13. Enter a DSRM password of your choice.
  14. Check that the settings are correct. If you want, you can save these settings just in case the process fails and you want to follow them again.
  15. The Active Directory installation will now begin. Click “Finish” when it completes.

You will now need to restart the server to complete the installation of the Active Directory.


The Replication Tango

SYSVOL & NETLOGON Replication:

Once the server is an AD DC, replication needs to be added. Normally, with two or more Windows servers, this is automatic. Unfortunately, as mentioned previously, Samba cannot act as an MSRPC (Microsoft Remote Procedure Call) server so, consequently, no replication takes place other than the basic directory contents which are replicated during the boot process. This means that, when the Windows DC has finished booting, there are no Netlogon or SYSVOL shares so these have to be activated manually and replication also has to be handled manually. In this case, we shall use Robocopy from Microsoft to handle SYSVOL replication.

First we need to enable the SYSVOL share. To do this, open a run dialog and run Regedit. Navigate to:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

Set Sysvolready to 0 and save. Reopen Sysvolready and set to 1 and save again. Open the Run dialog and enter \\winDC_IP and press enter. This will bring up the server shares. You should now see the “SYSVOL” share.

To enable SYSVOL and Netlogon replication we need to use a file copy application such as Robocopy. This can be performed once, or it can be scheduled by using the Windows Scheduler. For now, because we will be demoting the Samba server, we will only need to replicate once.

  1. Download the Windows 2003 Resource Kit Tools from Microsoft and install them on a workstation, not the server. Once installed, copy “C:\Program Files (x86)\Windows Resource Kits\Tools\Robocopy.exe” to a location on the server, e.g. the Documents directory.
  2. On the server, open an admin level command prompt and navigate to the location where you saved robocopy.exe.
  3. Enter the following command and press enter:

robocopy \\sambaDC\SYSVOL\domain.name\ C:\Windows\SYSVOL\domain\ /mir /sec

You should see a list of files and directories being copied followed by a summary of what was copied…

Figure: Successful Robocopy SYSVOL replication summary

Go to Run and open \\winDC_IP again and check that Netlogon and SYSVOL are there. If Netlogon is missing then reopen Regedit and set Sysvolready to 0 and save. Reopen Sysvolready and set to 1 and save again. Reopen \\winDC_IP and Netlogon should be visible. SYSVOL & Netlogon replication is now complete.


DNS & Zone Transfers:

Normally, DNS zone transfers are part of the replication process between Windows servers. Again, because Samba cannot act as an RPC server, DNS replication cannot take place in the normal way. Neither can the Windows server add itself to the Samba DNS server. This, too, has to be done manually.

To add the DC’s A Record:

To add the A record you will need to be logged into the Samba server and have a CLI open.

Check whether or not the A record exists by running the following command:

host -t A winDC.domain.name

If the A record doesn’t exist then you will see the following error:

host winDC.domain.name not found: 3(NXDOMAIN)

To add the record, execute the following:

sudo samba-tool dns add sambaDC domain.name winDC A winDC_IP -Uadministrator

Next, we need to add the objectGUID CNAME record. (This allows a client to locate any domain controller in the forest by looking up an A record). First of all, we need to find the objectGUID of the server. We can do this by running the following:

sudo ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid

This should produce a result similar to this:

record 1
dn: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

record 2
dn: CN=NTDS Settings,CN=sambaDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

returned 2 records
2 entries
0 referrals

So, we now know that df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 is the GUID of the Windows domain controller, winDC. Now we can check to see if the CNAME record exists in the _msdcs.domain.name DNS zone by executing the command:

host -t CNAME df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.domain.name.

If the CNAME record does not exist then an error will be returned:

Host df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.domain.name. not found: 3(NXDOMAIN)

The record then needs to be created. The following command will create the record:

sudo samba-tool dns add sambaDC _msdcs.domain.name df4bdd8c-abc7-4779-b01e-4dd4553ca3e9 CNAME winDC.domain.name -Uadministrator
Password for [DOMAIN\administrator]: 
Record added successfully

Once the DNS is confirmed and set up, we can then transfer the FSMO roles over to the Windows DC.
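
The GUID lookup and CNAME check above, scripted as an added example (not part of the original post): it unfolds the LDIF that ldbsearch prints, picks the objectGUID of the NTDS Settings object for exactly the named server, and builds the _msdcs record name. The function names are hypothetical and the sample input is constructed from the output shown above, with one dn line folded as LDIF permits for long lines.

```shell
#!/bin/sh
# Added example: derive the objectGUID CNAME name for a DC from ldbsearch output.

# Join LDIF continuation lines (a line starting with one space continues
# the previous line), so a wrapped dn: line is matched as a whole.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }'
}

# ntds_guid_for <dc-name>: print the objectGUID of the record whose DN starts
# with "CN=NTDS Settings,CN=<dc-name>,". The trailing comma stops a name such
# as "win" from matching "winDC".
ntds_guid_for() {
    awk -v dc="$1" '
        /^dn: / {
            hit = (index(tolower($0), tolower("CN=NTDS Settings,CN=" dc ",")) == 5)
            next
        }
        /^objectGUID: / && hit { print $2; exit }'
}

# msdcs_cname_for <dc-name> <dns-domain>: read ldbsearch output on stdin and
# print "<guid>._msdcs.<dns-domain>". Fails if no well-formed GUID was found.
msdcs_cname_for() (
    guid="$(ldif_unfold | ntds_guid_for "$1")"
    printf '%s\n' "$guid" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || exit 1
    printf '%s._msdcs.%s\n' "$guid" "$2"
)

# Constructed sample, based on the ldbsearch output shown above.
sample_ldbsearch() {
    cat <<'EOF'
# record 1
dn: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=domain,DC=name
objectGUID: df4bdd8c-abc7-4779-b01e-4dd4553ca3e9

# record 2
dn: CN=NTDS Settings,CN=sambaDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
objectGUID: 4a6bd92a-6612-4b15-aa8c-9ec371e8994f

# returned 2 records
EOF
}

# Demo on the sample. On the Samba DC, pipe the real command instead:
#   sudo ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' \
#       --cross-ncs objectguid | msdcs_cname_for winDC domain.name
if name="$(sample_ldbsearch | msdcs_cname_for winDC domain.name)"; then
    echo "check with: host -t CNAME $name."
    echo "if missing: samba-tool dns add sambaDC _msdcs.domain.name ${name%%.*} CNAME winDC.domain.name -Uadministrator"
else
    echo "no NTDS Settings record found for winDC" >&2
fi
```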


Role Playing

The Seven FSMO Roles:

In an Active Directory domain, there are five standard FSMO (Flexible Single Master Operation) roles. These roles are:

  • Schema Master
  • Domain Naming Master
  • RID Master
  • PDC Emulator Master
  • Infrastructure Master

There are two further roles that need to be transferred from the Samba server. These are:

  • DomainDnsZone
  • ForestDnsZone

Transferring the standard five roles is well documented and is no different in our scenario so, rather than repeat it all here, the relevant method can be found here.

The DomainDnsZone and ForestDnsZone roles require a slightly different transfer method. The normal way would be to use ADSIEdit on the Windows server but, because of the lack of replication, this won’t remove the roles from the Samba server and will cause the directory to become unstable.

To remove the last two roles you need to have a domain-joined Windows client with RSAT (Remote Server Administration Tools) installed. This machine needs to be connected to the Samba server, not the Windows server. In the RSAT tools, select ADSIEdit.

Right-Click on ADSI Edit in the top of the left-most pane and click Connect in the context menu. In the “Computer” section of the dialog box enter the FQDN of the Samba server into the drop-down box. Then in the “Connection Point” section, type the following:

DC=ForestDnsZones,DC=domain,DC=name

and then click OK. In the leftmost pane you will see

Figure: ADSIEdit

Click on DC=ForestDnsZones and then, in the centre pane, double-click the entry “CN=Infrastructure”. Another dialog box will appear. Towards the bottom you should see an entry “fSMORoleOwner”. Double-click this and then edit “CN=sambaDC” and change the server name to that of the winDC. Click OK and then Apply and OK.

Follow the same procedure but change the connection point to:

DC=DomainDnsZones,DC=domain,DC=name

Once completed, go to the Samba server’s CLI and type

sudo samba-tool fsmo show

You should now see all seven roles displayed with CN=winDC:

SchemaMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
InfrastructureMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
RidAllocationMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
DomainNamingMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=winDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name
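
A check to run before the demote step, added here as an example and not part of the original post: it parses the samba-tool fsmo show output and succeeds only when all seven roles name the new DC. The function names are hypothetical; the sample output is constructed in the format shown above, with the two DNS zone roles deliberately left on sambaDC.

```shell
#!/bin/sh
# Added example: refuse to demote the Samba DC unless `samba-tool fsmo show`
# reports all seven roles on the new DC.

# Print "<role> <server>" for each role line read from stdin.
# Owner DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
fsmo_owners() {
    awk '/ owner: / {
        n = split($0, rdn, ",")
        server = "?"
        for (i = 2; i <= n; i++)
            if (rdn[i] == "CN=Servers") { server = substr(rdn[i - 1], 4); break }
        print $1, server
    }'
}

# Print each role that is NOT owned by DC $1 (case-insensitive match).
fsmo_not_owned_by() {
    fsmo_owners | awk -v dc="$1" 'tolower($2) != tolower(dc) { print $1 }'
}

# Succeed only if seven roles were listed and every one is owned by DC $1.
fsmo_safe_to_demote() {
    fsmo_owners | awk -v dc="$1" '
        { seen++ }
        tolower($2) != tolower(dc) { bad++ }
        END { exit !(seen == 7 && bad == 0) }'
}

# Constructed sample in the format shown above: DC $1 holds the five standard
# roles, DC $2 holds the two DNS zone roles.
SITE_DN="CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=name"
sample_fsmo_show() {
    for role in SchemaMaster InfrastructureMaster RidAllocationMaster \
                PdcEmulationMaster DomainNamingMaster; do
        printf '%sRole owner: CN=NTDS Settings,CN=%s,%s\n' "$role" "$1" "$SITE_DN"
    done
    for role in DomainDnsZonesMaster ForestDnsZonesMaster; do
        printf '%sRole owner: CN=NTDS Settings,CN=%s,%s\n' "$role" "$2" "$SITE_DN"
    done
}

# Demo: the DNS zone roles were left behind on sambaDC, so the gate fails.
if sample_fsmo_show winDC sambaDC | fsmo_safe_to_demote winDC; then
    echo "all seven roles on winDC: safe to run samba-tool domain demote"
else
    echo "do not demote yet; roles still held elsewhere:"
    sample_fsmo_show winDC sambaDC | fsmo_not_owned_by winDC
fi
# On the Samba DC itself, replace the sample with the real output:
#   samba-tool fsmo show | fsmo_safe_to_demote winDC && \
#       samba-tool domain demote --server=winDC -Uadministrator
```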

Now that the FSMO roles are all transferred over, the Samba server can be demoted. To do this, run the following command:

samba-tool domain demote --server=winDC -Uadministrator
Using winDC as partner server for the demotion
Password for [DOMAIN\administrator]:
Deactivating inbound replication
Asking partner server winDC to synchronize from us
Changing userControl and container
Demote successful

The Samba server should now be demoted to a member server and can be rebooted. Once the server is back up, edit the dhcpd.conf file (if the Samba server is your DHCP server) so that the domain-name-servers option points to the IP address of the winDC. If you’re using a different DHCP server, ensure that it serves the clients with the DNS IP address of the winDC.

On the Windows DC, change the DNS options in the IPv4 settings to point to the server itself and its loopback (127.0.0.1). You can then manually remove the objectGUID CNAME record of the Samba server from the _msdcs.domain.name DNS zone. This will stop any servers added later from attempting to contact the Samba server as a DC.

The final step is to run “dcdiag.exe” in an elevated command prompt. This will highlight any errors in the Active Directory which can then be attended to.

If all has been successful, then Windows clients can be rebooted and should log into the Windows 2008 Server. You can check this by logging onto a client and opening a command shell and typing the following command:

c:\> echo %LOGONSERVER%
\\winDC

If the result is the Samba server then check the DNS settings of the DHCP server. It may still be pointing to the Samba server.

Now for the next step….


Coming up: Windows 2012: The Joining

 


Sources:

The following sources were all used to perform the domain transfer. Some were direct instructions and some (such as the bugzilla’s) were used to determine workarounds for particular problems (of which there have been many).


Samba Wiki:

https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

https://wiki.samba.org/index.php/DNS_Administration#Known.2Fissues_missing_features

https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_Roles

https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles

https://wiki.samba.org/index.php/LDB#LDB_Tools

https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC


Samba Bugzilla:

https://bugzilla.samba.org/show_bug.cgi?id=12204

https://bugzilla.samba.org/show_bug.cgi?id=9951


Univention Bugzilla:

https://forge.univention.org/bugzilla/show_bug.cgi?id=42079


Microsoft:

https://support.microsoft.com/en-us/help/324801/how-to-view-and-transfer-fsmo-roles-in-windows-server-2003

https://support.microsoft.com/en-us/help/255504/using-ntdsutil-exe-to-transfer-or-seize-fsmo-roles-to-a-domain-control

https://social.technet.microsoft.com/Forums/windows/en-US/b77a7e5c-590e-4d23-a9cb-8c4c0f403baf/forestdnszones-and-domaindnszones-have-wrong-infrastructure-role-record?forum=winserverDS

https://support.microsoft.com/en-us/help/949257/error-message-when-you-run-the-adprep-rodcprep-command-in-windows-serv

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772726(v=ws.10)

https://support.microsoft.com/en-us/help/312862/recovering-missing-frs-objects-and-frs-attributes-in-active-directory

 


Hidden Triggers

I’ve decided to scrub this blog a bit and start again. All the original posts are still there, just hidden. Mainly because they really had no relevance to what this blog was about, apart from the ones about Ripley. Those I will put back up on their own page at some point but, for now, they’ll remain hidden until I have some updates on Ripley (which shouldn’t be too long).

I originally started this blog when I was working at TechStart but, as of the 17th September 2016, TechStart closed and is no more, unfortunately. Since then, I’ve been trying to keep busy starting my own company, studying IT security & malware, trying to work on Ripley and now, I’ve joined an LGBT charity called Outline, based in Woking, as a trustee primarily responsible for IT and as SysAdmin.

I’ve also been writing music under the name ‘TransSonix‘. Thanks to my friend Ruth, I am now the proud owner of a 1985 vintage Sequential Circuits Prophet 2000 synth, an awesome sampling synth which, thanks to its MIDI interface, also doubles as a DAW controller enabling me to play a vast array of other synths. I’m loving it.

So, things aren’t too bad at the mo. Going slow but at least there’s room for improvement.

 

Hey, I Can Actually Hear The Radio….

To say that things have been quiet at work would be the understatement of the year. For some reason Friday and Saturday have been extremely quiet. I suspect it has to do with the confluence of end of the month and Halloween combined with school half-term. Still, it meant that we managed to get some work done. One of our biggest attractions is our repair service. Unfortunately, our success at getting people back into work has also meant that we are short-staffed, meaning the repairs have been backlogging. The volunteers we do have are wonderful and they are helping to get the repairs done. This is also on top of running the shop floor and helping users of the IT Suite. So this quiet time has been, in a way, fortuitous.

One of the biggest types of repair that we contend with is viral and malware infection. Unfortunately malware is prevalent out there on the ‘net, just waiting for the unwary surfer. I am still in the process of developing a set of basic security lessons I will be teaching at TechStart, and a list of safe-surfing tips which we will be handing out with every machine we sell. The following is part of an article I posted in Passing the Speed of Light but I thought it would be useful to post it here as well.

I’ve tried to create a simple list of precautions and it is quite long but, hopefully, easily understood and may help reduce the amount of times I have to run through the above process.

EMAIL:

  • If an email looks too good to be true, it nearly always is.
  • Your email address is precious. Before you give it out, think about who you are giving it to.
  • Don’t open attachments sent with unsolicited emails. Even if you know who the email is from, exercise a modicum of caution and save and scan the attachment with AV software before opening it.
  • If an attachment has a .pdf.exe or .zip.exe extension then it is almost certainly malware.
  • Do not follow links in unsolicited emails, especially if they appear to be from your bank.
  • If you get an email purporting to be from your bank, don’t follow embedded links, use your normal method of accessing your account. This way you won’t accidentally give away your details.
  • Never, ever respond to Spam emails. This confirms to the spammer that the email account is active, and so you will suddenly be inundated with spam and potentially malware and/or adware.
  • Turn off preview in your email client. Many emails contain viral code that can be executed simply by viewing the email in a preview. It can also be used to send a confirmation back to the spammer that the account is active.
  • Be careful where you use your email online. Web-bots can be used to ‘harvest’ email addresses from public info and forums.
  • Keep a second email account. This can be used to register at sites from which you don’t want to receive further info or spam. It can also be used to recover password/username information in the event that your primary email account is compromised.

WEB BROWSING:

  • When going to a website from an email, type the website address into the browser rather than clicking the link (unless the email is from a known, trusted source), as links can be falsified. (What you see is not what you get).
  • Ensure that privacy settings on your browser are on. This helps prevent too much info being passed to the website.
  • Ensure your pop-up blocker is on. Some websites drop malware onto your machine using a “background pop-up”.
  • Empty your webcache on a regular basis. Applications such as CCleaner are handy for this.
  • When browsing a site that claims to be secure, check that the web address starts with “HTTPS://”. There should also be a padlock symbol on the browser’s toolbar at the bottom or to the left of the address bar (if using Firefox or Chrome). If there isn’t then there is a good chance that it is a ‘phishing’ site, designed to harvest your details.
  • Try to avoid “Download Managers”. These frequently include malware in the downloads and some don’t even download the file you want, giving excuses such as “payment required”, “file unavailable”, “not enough disk space”, all the while downloading malware to your machine.
  • Avoid using banking or other private websites over public access wifi. It’s too easy for an attacker to acquire your information (known as a “Man-In-The-Middle” attack), as there is rarely any encryption or other security.
  • If using public machines do not allow the browser to store your passwords.

I hope these precautions are helpful. As usual, I welcome any comments.

 

Sometimes It Just Has To Be Done

Ahhh, Sunday. The day of rest. Usually spent lounging around, reading Twitter & Facebook, listening to music and basically doing nothing. A blissful, albeit sometimes boring, time for me.

Today, however, I’ve decided to go into work. The reason? We have a stack of repairs that have come in and, having been short-staffed in the past week, we haven’t been able to complete many of them. So I thought a couple of hours getting some of them out of the way would be a good idea. It’s just nice to be able to spend some of Tuesday phoning customers to tell them that their machines are ready ahead of schedule. Plus I get to listen to loud music while I’m doing it. Which is always a bonus.

I might even fire up the new cluster and run a speed test on it. I’ve been meaning to do that for ages.

They Came, They Saw, They Did A Little Shopping….

Yeah, I know. Christine’s at it again. Shamelessly ripping off taglines from old films for her titles. Kudos to anyone who remembers where this tagline comes from.

Today was one of those slightly manic days where it felt, at times, a lot busier than it was. I think it was due to having few volunteers. We had four to start off with but one had to leave at lunchtime and one other only works in the workshop, leaving myself and two others to run repairs, sales and the IT suite. Unfortunately Mark was out and about on other business to do with Techstart. Also unfortunately, one of the volunteers only started in the past week and isn’t till-trained and the other, now having a full-time job, had only worked in the workshop previously and also isn’t till-trained. This meant that whenever a customer wanted to buy a machine, or book in a repair, they had to call on me. Fortunately we had long periods of quiet, enabling us to start catching up on repairs. It meant that the day went fairly quick and we were able to get lots done.

Something we try to instil in our volunteers is a sense of customer service. This includes ensuring the customer has everything they asked for, that they haven’t had to wait too long (unless it’s unavoidable, then apologise when they are served), talking to the customer – letting the conversation flow in whichever direction the customer wants. There are two things I always say you should never do while serving a customer:

One is to show anger or, even worse, get angry at the customer, no matter how angry they get at you. It belittles you and can make a bad situation worse. The other is to try to sell the customer something they do not want. To me, this is just plain wrong (and probably is another reason why I’m still not driving that Audi R8). It can also mean the difference between a customer returning or not.

So, customer service can be summarised in the following:

  1. Serve the customer promptly, making sure they have everything they need.
  2. Apologise if there have been any problems (waiting times, problems with equipment etc)
  3. Talk to the customer, letting them set the pace of any conversation.
  4. Never, ever get angry with, or in front of a customer.
  5. Do not sell a customer something they do not need.

There may be others but these are the most important.

If You Think This Belongs Elsewhere, then I Don’t Want To Know You…

There’s something to be said for talking to people who share certain traits. I am a trans woman. I make no bones about it and don’t hide it. Nor do I go around shouting about it. I inform the people who need to know and then leave others to form their own opinions. Maybe it’s wrong, maybe it’s different but, either way, it’s just the way I am. This is the only time I am going to shout about it. TechStart is a trans friendly space. It’s the only way I can put it.

If you are a trans woman in the Aldershot/Farnborough/Farnham area, (or any other area for that matter and can travel), and need a safe space to volunteer for your RLE or any other reason, then come to TechStart and ask for Christine.

If you’re unsure then email me and we can talk. christine.anderson@techstart.org.uk

We really are here to help.

By Way of an Explanation….

I think it’s a good idea for me to quickly explain the title of my previous entry before anyone thinks I am a pretentious idiot who thinks she’s clever. It’s a Latin translation of “I do not have time to bleed” which, in turn, is a posh version of Jesse Ventura’s line in Predator:

Poncho: You’re bleeding, man. You’re hit.
Blain: I ain’t got time to bleed.
Poncho: [Confused] Oh… Okay…
Poncho: [Poncho shoots a bunch of grenades up to the top of the cliff] You got time to duck?

It’s geek humour and a comment on how busy we get.

Sanguinem Non Habere Tempus

Sorry for appearing pretentious with the title, but I’m in one of those whimsical moods, characteristic of the end of a busy day, (so, more to come in future).

It’s been a very busy day for all. To start with, Mark, unfortunately, was unavoidably out this morning which left me with the unenviable tasks of running the shop, effecting customer repairs and attending a Techstart board meeting at the same time. Couple this with being short-staffed and you can see where I’m coming from (and, if you’ve worked it out, the blog title). Fortunately, both Mark and I are used to this (and particularly proud of the fact that we have never had to close due to staff shortage).

Apart from Mark, myself and Susie (our training manager), Techstart is wholly staffed by volunteers. This means that between the three of us, we have to create a working atmosphere and environment such that people want to come to us to work and then want to stay when they do. I think we have achieved that with some measure of success. Unfortunately there’s only so much one can do against illness and circumstance, which is what happened today. So, to start off the day, there was only myself and two volunteers to run the shop. Consequently, thanks to Susie and the very understanding members of the board, I was able to flit between the meeting and the shop floor when needed. Eventually, the meeting ended and this, closely followed by Mark’s arrival, eased things somewhat.

One of the increasingly more popular services that Techstart offers is our repair service. This is one of my primary areas of responsibility. Having spent a large part of my career in IT customer service (most of it, actually), I tend to be a bit draconian when it comes to customer machines. I have a set of rules I’ve built up over the years that I try to stick to when it comes to customers and their machines:

  1. Never, ever lie to a customer about a fault. If it’s a simple fault that will take five minutes to fix then tell them.
  2. Along with No1, do not, under any circumstances, invent a fault to increase charges.
  3. Always treat customer machines with care and respect. They’re not your property.
  4. There is no such thing as “that will do”. Repairs must be complete and whole and the machine fully tested.
  5. If you damage a machine during repair, own up. Don’t try to hide it. Sometimes you’ve just got to take the hit.
  6. Never try to hide not knowing something in jargon. If you don’t know, admit it and say you can find out.
  7. Never belittle a customer by trying to sound superior. Even if you do know more than them, it’s just plain rude.

Following these rules is probably why I’m not driving an Audi R8 and holidaying in Tahiti but then, I get more pleasure out of seeing customers’ faces when they discover that their precious family photos, music and writings are safe within a working machine, or that the something they’ve been working on for years has not been lost. (I wouldn’t mind the R8 though).

To be fair, most of the repairs that come through our doors are the result of viral or malware infection and are easy fixes, albeit time-consuming ones. Sometimes, though, we do get hard ones, such as one where the customer was told by various parties that the hard drive had failed and all her data had been lost and she would have to replace it. None had offered to attempt recovery. It took me less than 24 hours to recover nearly all the data and, after replacing the drive and OS, the machine was back to almost new. I have to admit, we take tenacity to new heights but, so far, we haven’t had a customer machine that we’ve been unable to repair.

We just don’t give up.

Nothing Important Happened Today…

Great. Start my new blog by ripping off the X-Files. It’s true though. A very quiet day. It usually is on a Tuesday, since we’re closed to the public. We use Tuesdays to sort stuff out, like the network, servers and general maintenance. Oh, and building Linux suites. Something that Mark and I were doing tonight.

Mark decided he didn’t really like the seating area at the front of the store and wanted to do something with it. I remarked that with the continued rise of the Linux desktop distros it might be a good idea to have an area where our customers can try out Linux. He agreed so we started pulling everything apart and rebuilding. Both of us have a bit of an ‘over the top’ view of how things should look so, dual screens on everything, big network switch, everything in black. I had to leave before we’d finished so I left Mark to it. My job for the morning is to install the OSes. We’re thinking Elementary OS, Mint 17 and Zorin, three of the easiest distros to use for non-Linux users. I also need to put in a new router to isolate this small network from the rest but still give it internet access. Should be fun.

So, if you’ve never used Linux, come down to TechStart and give it a try. You never know, you may like it.

 

Day off, Get Bored, Start Blog…

The title says it all I suppose. Having been woken by the dog at 7am and not needing to get ready for work, I was immediately on the computer. After absorbing the news sites, Twitter and Facebook, (yes, to my never ending shame, I do like to read a bit of gossip), I sat back and wondered what to do. After coming up blank on my other blogs, staring at the screen, unable to think of a thing to write, I thought about my current position, and so The Diary was born.

I’m the Assistant Manager for a community interest project called TechStart, based in my home town of Aldershot. I’m also the network designer and systems admin. My boss Mark and I also fulfil the roles of customer service engineers, IT trainers and sales engineers. This means I am many things within TechStart, as is Mark. I am also a woman (as if the header page isn’t a dead giveaway), which means that, in the great, seemingly male-dominated world of IT, there can be extra obstacles to overcome. This blog is the result of wanting to see, and share, those obstacles, if and when encountered, and share them, in the hope that it may help, in some small way, to reduce or even eliminate them.

I am also trans, (another dead giveaway in the header), giving rise to a completely separate set of problems that only trans people will encounter, so I will write about these as well, for much the same reasons.

To be perfectly honest, I haven’t gone into this with any great deal of planning. It’s not going to be filled with long-winded analyses of situations (although I will talk about them), nor is it a platform for insults, slanging matches, take-downs or other bad behaviour (not that I do such things). There may be days that I miss, days that I am so tired I cannot post, but generally I will try to keep up.

Christine x