John Howard, IT Pro Evangelist, Microsoft UK

Scripting Clinic - what would you like to know?

• Fundamentals - concentrating on the language constructs in VBScript and an introduction to the Windows Scripting Host (WSH). No prior experience necessary.
• Scripting best practices - ways to make your scripts more robust including error handling, logging and debugging techniques
• ADSI and WMI - using ADSI for Active Directory administrative tasks and taking advantage of Windows Management Instrumentation
• Other handy object models - Use CDO to send emails, ADO to access databases, WScript built-in objects for parsing command line arguments, running scripts on remote machines and creating desktop icons (for example)
• Clinic - Share your experiences and bring your real world problems to a panel discussion.

Stretching Directory Boundaries, Cross Platform Identity Management, Authentication and Security

These are all critical pain topics among enterprises the world over. Fear not though (at least if you're UK based). You are guaranteed a fantastic learning opportunity by attending one of two all-day events presented by John Craddock and Sally Storey. These days are crammed full with detail, demos and real world how-tos. The sessions are billed at "400" level - you won't be disappointed.

If you are a system architect, a system integrator or senior administration, you should not miss this rare opportunity to spend a whole day interacting with industry experts and peers. You will find out about how to support multiple directories in your organisation, provisioning using MIIS, ADAM, Windows/Unix interoperability and identity federation.

These are no-cost events to attend. The events are on 7th April 2005 in Reading and 17th May 2005 in London (click date to go to the registration site).
 

Killing winlogon.exe remotely

WMIC Samples

As promised, here are the sample WMIC commands I demonstrated in the Automating Windows Server 2003 session yesterday evening in Reading. Hope they are useful to you.

Update static IP address
wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")

Change network gateway
wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)

Enable DHCP
wmic nicconfig where index=9 call enabledhcp

Service Management
wmic service where caption="DHCP Client" call changestartmode "Disabled"

Start an application
wmic process call create "calc.exe"

Terminate an application
wmic process where name="calc.exe" call terminate

Change process priority
wmic process where name="explorer.exe" call setpriority 64

Get list of process identifiers
wmic process where (Name='svchost.exe') get name,processid

Information about harddrives
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about os
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files
wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\wbemfiles.txt

Process list
wmic process get /format:htable > c:\process.htm

Retrieve list of warning and error events not from system or security logs
WMIC NTEVENT WHERE "EventType<3 AND LogFile != 'System' AND LogFile != 'Security'" GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:"htable.xsl":" datatype = number":" sortby = EventType" > c:\appevent.htm
 

Access Based Directory Enumeration - markshareforABDE.exe utility download

Following the myriad of emails I received, here's a link to markshareforABDE.exe as used in my blogcast about Access Based Directory Enumeration a few days ago. Many thanks to DuWayne Harrison at Microsoft in the US, the author of this tool for giving his permission to make this available. Please be aware that there is absolutely no support from PSS and all standard disclaimers apply as per resource kit tools. In other words, any use you make of this utility is entirely at your own risk.

Usage is straightforward: markshareforABDE <sharename> 0|1 [servername] where 0=off and 1=on

Expanding disk partitions when deploying using ADS and VSMT

At last nights Virtual Server 2005 Technet evening in Edinburgh, I was asked whether it was possible when migrating a system using VSMT if the hard disk could be expanded when deploying the image. Since arriving back home, I've now had a chance to try this out and can confirm the answer is yes. As an aside, I also discovered why the deploy step too quite so long, it was because I hadn't updated the virtual machine additions on the ADS controller - the whole deploy step takes no more than 3 minutes when I updated it. Oops. For the disk size change, here's what you do....

Two files which vmscript generated need updating. First, you need to update the <servername>_createvm.cmd script to ensure that a larger hard disk is created when the blank virtual machine is created on the Virtual Server host. I wanted to add another 100MB to my disk. Look for the lines similar to below with the "-VirtualDiskSize" parameter. Originally, it was 544 (both in the comment and in the actual executing line), and I've updated them to 644.

echo Create disk:0 with size:644MB
%VSMT_SRV_APP% -remoteVs:%VS_NAME% -CreateVirtualDisk -VirtualDiskPath:%VM_DISK_PATH%\JJHNT4SVR_disk_1.vhd -VirtualDiskSize:644 %VSMT_DEBUG_FLAGS% -nologo
 

You also need to change the <server>_internalstate.xml file in a couple of locations which I've highlighted below. Again, adding 100MB changed in this case from 544 to 644 for the first instance, and 512 to 612 for the second instance.

<diskDrives>
<targetUsed>true</targetUsed>
<sourceDriveIndex>0</sourceDriveIndex>
<sourceDeviceID>\\.\PHYSICALDRIVE0</sourceDeviceID>
<sourceDevicePath>\device\harddisk0</sourceDevicePath>
<sourceBusType>ide</sourceBusType>
<sourceBusNum>1</sourceBusNum>
<sourceDeviceNum>1</sourceDeviceNum>
<sourceSize>512</sourceSize>
<targetSize>644</targetSize>
<targetBusType>ide</targetBusType>
<targetBusNum>1</targetBusNum>
<targetDeviceNum>1</targetDeviceNum>
<targetDevicePath>\device\harddisk0</targetDevicePath>
<targetVHDName>JJHNT4SVR_disk_1.vhd</targetVHDName>
<hostsBootPartition>true</hostsBootPartition>
<targetDeviceIndex>0</targetDeviceIndex>
<targetPartitions>
<capturePartition>true</capturePartition>
<targetPartitionIndex>0</targetPartitionIndex>
<logicalDrive>C:</logicalDrive>
<size>612</size>
<bootable>true</bootable>
<bootini>[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
</bootini>
<description>Image from device:JJHNT4SVR source hard drive[0] ide[1:0] partition:1 for logical drive:C:</description>
<sourcePartitionIndex>0</sourcePartitionIndex>
<adsImageName>img_JJHNT4SVR_1_1</adsImageName>
<hostsWindowsPartition>true</hostsWindowsPartition>
<sourcePartitionType>7</sourcePartitionType>
<isExpandedLogicalDrivePartition>false</isExpandedLogicalDrivePartition>
<isExtended>false</isExtended>
<fileSystem>NTFS</fileSystem>
</targetPartitions>
</diskDrives>

If all goes well, once you boot up and run disk administrator (if this is NT4), you will see a bigger disk for which the OS partition can be expanded into using whatever your normal choice of tool would be.

What I haven't had a chance to try is whether if you change these files before the image capture, the partition will be expanded for you once you boot up the new server. That'll have to be for another day to find out though.

Shared Networking (NAT) workaround in Virtual Server 2005

Following the Virtual Server technical overview event I presented in Manchester yesterday evening, I was asked about Shared Networking (NAT) which is present in Virtual PC 2004, but not in Virtual Server 2005 and whether there was a way to provide this through an alternate mechanism. Here's the answer:

Add a loopback adapter to the host (KB article link) and create a new virtual network under Virtual Server administration bound to the new adapter. You then enable Internet Connection Sharing (ICS) on the host NIC connected to the physical network.

Blogcast on Security Configuration Wizard (SCW) in Windows Server 2003 SP1

MSN Messenger 5.1 Tab Functions

Windows Server 2003 as a client, MSN Toolbar Suite and Orca

I'm going to have eat a few of my own words now...  I blogged in December about the "IT Pro" way of getting an unsupported program to install on a Windows Server box without a hint of an SDK in site. I relent, the Orca tool is the best tool for the job, not appcompat. Here's why.

If like me, you almost exclusively run Windows Server 2003 as a client, you can lose out on too many things. Yes, SP1 introduces Media Player 10 and some other cool stuff from XP SP2 (yippee), but at the brass tacks level, you all want things like the MSN Toolbar suite, powertoys and all the other goodies.... The method I'm going to show you is pretty well bullet-proof, and will cater for a lot more than just the toolbar suite, especially if the product group removes the highly known-about TBSDEVCODE workaround from their installer, which they almost certainly will before it goes gold.

When I wrote my previous blog, I was running the SP1 first release candidate of Windows Server 2003 on my laptop. As many of you discovered, the appcompat method was a bit troublesome on the RTM, and certainly didn't work for many programs. I tend to play around far too much, and ended up breaking that OS installation. If you know me, I do this far more regularly than is healthy. On the bright side, I rarely actually need to activate the OS :-) For now though, I'm now back at RTM build and with demo's next week in the pipeline, can't afford to break it quite yet. I wanted to get a chance to play with the MSN Toolbar Suite, which is particularly relevant as it had another beta refresh very recently.

What you'll need is the GUI tool, Orca, from the Platform SDK. Note that you'll have to use the XP SP2 Platform SDK installer, and select just the Windows Installer SDK Tools. You won't need anything else. When the installer opens, set the options to match the screenshot below.

Download the MSN Toolbar Suite and save it somewhere on your hard disk. Note that this is an EXE which introduces one slight complication - you'll need to unpack it. If you just run the .exe from the command line, all the parameters are given to you on a plate.

Assuming you saved the .exe on the C root directory, run "c:\MSNToolbarSuiteSetup_en-us /T:c:\temp /C". This will extract a setup.exe and an MSI file into the temp directory. Note that if the directory doesn't already exist, it will be created for you. Next you need to fire up Orca which will be under your start menu. You just knew they'd use a dolphin for the icon. Once Orca is running, select File/Open and navigate to the MSI file in your temp directory. On the tree on the left, click on LaunchCondition to see a number of options displayed on the right. Now you can see why the TBSDEVCODE workaround works in the Beta.

Change the following setting from "(REMOVE="ALL") OR ((VersionNT>=500) AND ((WindowsBuild<>3790) OR (TBSDEVCODE=1)))" to "(REMOVE="ALL") OR ((VersionNT>=501) AND ((WindowsBuild<>3790) OR (TBSDEVCODE=1)))" - ie change 500 to 501. Finally select file/save and quit Orca.

That's all there is to it - just run the updated MSI to install. MSN Toolbar Suite is just so fantastic - I know there's a lot of talk on the Internet about it, but I'm finding that just after a few days of use, it's invaluable. That's for another blog, but I hope you found this walkthrough useful. [Disclaimer....] Just remember that you'll obviously be doing something absolutely unsupported, and there may be licensing issues relating to the Platform SDK which you should check up on before doing this.

Blogcast: Access Based Directory Enumeration (A Windows Server 2003 SP1 New Feature)

Currently there is no capability from the GUI to turn this feature on - unfortunately you'll need to use Win32 APIs. Maybe this will change at a future date, but for now you'll probably need a developer buddy to help you... :-)  They will need to know the following: The specific API is NetShareSetInfo, and specifically setting a flag to enable ABDE that points to a SHARE_INFO_1005 structure. The flag value for Access Based Directory Enumeration is #define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800.

Update 30th March 2005 - Here's the link to be able to download the tool. I'm reliable informed that a whitepaper and the tool will be on microsoft.com soon. http://blogs.technet.com/jhoward/archive/2005/02/22/378033.aspx

So far, I haven't had any success trying to set this property through the ADSI IADsFileShare object, or even sure that it is possible. If you get there before me, please let me know! Unfortunately, you can't hide shares using this mechanism - there's still just the old "$ suffix" trick. Remember, if this is important to you, you can use the windows server feedback site.

Edited by John: 3rd Nov 2005 - Rehosted WMV file

Windows Server 2003 SP1 RC2 (Build 3790, v1433) released

x32 download link: http://www.microsoft.com/downloads/details.aspx?familyid=02734CEA-7A4B-4D95-B220-8E1708C3ED46&displaylang=en

IA64/Itanium download link: http://www.microsoft.com/downloads/details.aspx?familyid=9514DA0A-44C9-4FCB-83CA-473741D2613D&displaylang=en

The home page for the Technical Preview Program is here where you can find links for a technical overview, features and functionality changes, networking features and release notes.

Microsoft Virtual Server 2005 Technical Overview

I'll be presenting a Technet evening session on 15th Febuary at the Regus, Manchester and also on 17th Febuary in the Spey Room, Microsoft Edinburgh for a technical overview of Microsoft Virtual Server 2005. If you have already registered for either of these events and have any specific questions either before or after, please add a comment to this blog entry. Otherwise, I look forward to meeting you. Both sessions are level 200, so prior experience although useful is not essential.

If you're not yet registered and would like to attend please use the appropriate link above. If you're borderline as to whether to go or not, I could possible persuade you - free pizza is on offer :-). I'm hoping though that the beer in Manchester and Edinburgh isn't quite as fizzy as it was in Reading (you had to be there last week in to understand).

Scriptomatic (revisited)

Here's the download link.

This is a test post only - trying out customised style sheets.

This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets.  This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets. This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.

Please ignore.

This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.This is a test post only - trying out customised style sheets.

How-To install a certificate for SSL Encryption under IIS

Following on from my post a couple of days ago  about using MakeCert to generate a self-signed certificate, this is one way in which you can test that the generated certificate is working correctly for SSL authentication within IIS. It was almost worthy of a blogcast (BTW, congratulations Mike for joining in the fun), but given I've all but lost my voice at the moment, here's the old fashioned way.

• Create a new folder such as c:\test, and within it, create a new default.htm file using notepad. The content doesn't matter, but here's a very simple example
  <BODY>
  This is my SSL protected site
  </BODY>
   
• Start Internet Information Services (IIS) Manager from the Administrative Tools folder
   
• (I'm going to lead you through creating a new web-site, although I could assign the certificate to the default web-site)
  Right-click on Web-sites and select New Web-Site
   
• Follow through the wizard. When you get to "Description", enter the name "Test"
  
   
• Keep going through the wizard, and enter c:\test on the path step
  
   
• On the newly created site, right-click and select properties and select the Directory Security tab
  
   
• Click Server Certificate and work your way through the wizard
   
• Select Assign an existing certificate
  
   
• Select your newly created certificate
  
   
• Choose port 443 (default SSL port)
  
   
• Click Next/OK to finish the wizard and exit the site properties.
   
• Currently the web-site is stopped. Right click the Test web-site and choose start
   
• Open a browser and go to https://jhoward-5160/test, replacing jhoward-5160 with your machines DNS name. Note the MSN Toolbar :-)
  
   
• Double-click the padlock icon in the bottom right to view the certificate for your site
  
   

Congratulations! If everything works this far, you have managed to create and protect a test web-site using SSL encryption and a self-signed certificate generated using MakeCert.exe

Photo-album on MSN Spaces

How-to boost Microsoft Virtual Server 2005 Guest Performance

One very easy win to gain fairly significant extra performance from your Virtual Server 2005 guest Virtual Machines is to use virtual SCSI disks instead of virtual IDE disks. Of course, a physical fast I/O subsystem on the host is going to make a far bigger difference, but you're probably not likely to be able to do that "on the cheap" (especially in a test/dev situation).

Lets assume you started with a Windows Server 2003 virtual machine, for example, and built it originally using Virtual PC 2004 for example. Virtual PC 2004 does not support virtual SCSI disks or virtual SCSI adapters, so the virtual disk in your machine will be IDE connected. This equally as well applies if you built a VM using default settings under Virtual Server.

• Go into the Virtual Server administration Console and add the existing virtual machine.
   
• Select "Edit Configuration" from the Master Status
   
• Click SCSI Adapters
  
   
• Click Add SCSI Adapter and OK to the default settings
  
   
• Start your virtual machine and logon. You need to ensure the Virtual SCSI adapter (emulating an Adaptec AIC-7870 PCI SCSI Card) is recognised in your virtual machine. The process will vary from operating system to operating system. (To make this work for me in a Windows 2003 Server SP1 Release Candidate VM, I had to uninstall and reinstall the VM additions). There is further guidance on how to do this in the administrators help file installed locally.
  
   
• Edit the boot.ini
      Start/Run/cmd
      c:
      cd \
      attrib -s -h -r boot.ini
      notepad boot.ini
  
  Look for the line under the [operating systems] section with an IDE ARC Path starting something like multi(0)disk(0), and create a copy of it. On the newly copied line, change the "multi" to "scsi" and update the comment to identify the SCSI boot option clearly.
  
  Warning! In case something goes wrong, I very strongly recommend you do not change the default boot option or the existing boot options. Just add an additional line. This will allow you to revert back if something does go wrong.
  
  Here's an example of my new boot.ini for the Windows Server 2003 (SP1 RC) guest, with the line highlighted in blue being the one I added.
  
  [boot loader]
  timeout=30
  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
  [operating systems]
  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /noexecute=optout /fastdetect
  scsi(0)disk(0)rdisk(0)partition(1)\WINDOWS="SCSI Windows Server 2003, Enterprise" /noexecute=optout /fastdetect
  
  Don't forget to reapply the correct attributes to the boot.ini file using "attrib +s +h +r boot.ini"
   
• Shutdown the guest virtual machine.
   
• In the Virtual Server Administration, edit the configuration for the guest and edit the hard disks settings
  
   
• From the Attachment drop-down, use SCSI 0 ID 0 rather than Primary channel (0)
  
   
• Restart your Virtual Machine, and from the boot menu, select the new "SCSI" option.
  

If everything goes OK, your VM will boot as normal with no impact, except that you'll have better disk I/O performance. If you're happy with the changes, you can re-update boot.ini to remove the old IDE boot option, and change the default option in this file to match. Bear in mind that you will no longer be able to revert this virtual machine to Virtual PC 2004 without backing out these changes.

I know someone will ask how much performance gain you get. There aren't any currently any official statistics I know of, although the Virtual Machine Program Manager, Ben Armstrong has previously stated that the main advantage of using SCSI virtual disks over IDE is that it runs the optimised SCSI driver as part of the VM additions. This in turn avoids a lot of the emulation overhead.

Photo-album on MSN Spaces

PKI and Certificate Management Information in Windows Server 2003

While on the subject of Certificates/Encryption/IPSec/PKI in general yesterday, I was looking around for some good information on how PKI works to post up. One white paper which stuck-out from the pile was published in December last year (so it's reasonably up to date) by David B. Cross and Avi Ben-Menahem entitled "Key Archival and Management in Windows Server 2003". Now this isn't exactly going to be a best seller, but I found it very easy to read and understand, so all kudos to David & Ali. Joking aside, it is crucial to pay consideration to this subject if you are planning to implement or already have implemented a certificate authority within your organisation.

For further info on PKI in general, this link is a good starting point. The home page for Cryptography on Technet is here and information on EFS (Encrypting File System) in XP and Windows Server 2003 can be found here. Otherwise my colleague Steve Lamb will be able fill in the gaps.
 

How-to use MakeCert for trusted root certification authority and SSL certificate issuance

One thing Mat wanted to demonstrate was the use of a certificate for encrypting traffic between a SQL Reporting Server and a back-end database. Why not install a certificate server, he said. My retort was that he was probably barking if this was just for a simple demonstration.... :-) (You're not, really Mat. Honest!) Hence, one topic along our way was how to use MakeCert.exe to demonstrate SSL encryption. Rather than me show him and get it written down, what better way than to blog it. Makes sense, right? Spookily just last week I was reminding myself about how to use the makecert.exe utility (download link at the bottom) to generate a self-signed certificate for a completely different purpose. However, definitely a subject for another day and besides, I never did succeed in that particular goal :-(

MakeCert.exe allows you to (for test/dev purposes) generate both a trusted root certificate and a certificate signed by that trusted root certificate for encryption purposes (also for signature purposes, but that wasn't relevant in this context). In this way, you can create a test/dev web-site, for example, with SSL encryption enabled. Follow these simple steps if this is something you need to do. I'll follow up later with an example of how you would use these generated certificates to SSL-enable a very simple web-site under IIS 6.

From the command prompt, in the directory where you downloaded makecert.exe, enter all the green bits below on a single line (ie exclude my comments in the right-most column).

You will now have a "Test And Dev Root Authority.cer" certificate on disk and a new certificate will also be installed in the LocalMachine Certificate store. If you run up a Certificates MMC at this point, you will be able to see this. However, by default, the Certificates snap-in isn't available as a short cut. Hence, use the following steps:

• Start/Run/MMC
• File/Add-Remove Snap-In
• Click Add
• Select Certificates and click Add
• Select Computer Account and hit Next
• Select Local Computer
• Click Close
• Click OK

If you expand the console out to Personal/Certificates, you will see your newly created certificate as in the screen shot below.

Now that you have a root certificate, you need to use this certificate (at least the .cer file which is still present on your hard-disk) to sign another certificate you are going to use for encryption purposes. From the command prompt, enter the following

Go back to the certificates snap-in, right-click the "Test and Dev Root Authority" certificate and copy it to the "Trusted Root Certification Authorities" node. Once done, if you expand this node, and then select certificates your newly created root cert should be present.

If you whizz back to the personal certificates in this snap-in, you also note that your new certificate suitable for encryption purposes is installed, as highlighted in the screen-shot below.

If you double-click the certificate, verify that you have a private key that corresponds to this certificate, and that the intended purpose is to ensure the identity of a remote computer.

At this point, you can safely delete the "Test And Dev Root Authority" certificate from the personal certificate store in the MMC snap-in. Remember also that you can save the two .cer files on disk safely away to save you remembering all the above parameters for makecert.exe. You can simply use the "All Tasks/Import" wizard in the MMC snap-in instead (assuming that the DNS name of the target machine matches).

Download makecert.exe from microsoft.com here

Oh the fun of after-work conversations.... Hope this is useful for you

 Photo-album on MSN Spaces

IIS 7.0 - a first look

MSN Search Launched

Kind of hard to miss the launch party. Well, as it happens I did :-)

Even though I'd consciously seen Bill Gates plastered over the home page of both www.msn.com and www.msn.co.uk on-and-off all morning, it never dawned on me to read what the story might be about.

You can find out more from Christopher Payne, Corporate VP for MSN Search on the msnsearch blog, who cunningly blogged it just before midnight last night.

Links:
MSN Search: http://search.msn.com or http://search.msn.co.uk for the UK audience.
MSN Search Toolbar: http://toolbar.msn.com or http://toolbar.msn.co.uk/ for the UK Audience

The future of the Windows-centric IT Pro?

Even though I'm probably now leading myself down a path where I'm going to be flamed from all sides...... where as I see Monad as a huge benefit in the long term, my concern has to be that it is going to scare the wits out of most Windows-centric IT Pro's in the community at large - this is drawing a very thin line between developers and IT Pros. Although somewhat generalising, it is (in my humble opinion) reasonably well accepted that many *nix administrators are comfortable understanding or authoring complex shell scripts, and further, most have a reasonable understanding of writing at least simple programs in C/Perl/PHP etc. My experience tells me that most Windows IT Pros try very hard to shy away from these types of skills.

So, a few thoughts/questions for to throw out for comment...

• Where do you see the skill sets of IT Pros heading in the future. Windows has gone a long way with GUIs making point and click management tasks easier, but are we all going to have to get to grips with the developer 'dark'-side as well?
• How many Windows IT Pros have at least one command prompt permanently open on their desktop today?
• How comfortable would you feel if you were told you have to understand the .Net framework and all that goes with it to perform your job in the future?