12/30/11

SANs and NASs

I'm studying for 70-646, the 2008 Server Admin test.  Read about Storage Area Networks (which present raw block storage to servers over iSCSI or Fibre Channel; the servers then put file services in front of it) and Network Attached Storage (which basically is a file server: it offers file-level shares such as SMB or NFS directly to workstations).

A free SAN OS, OpenFiler, looks really cool.  I want to try it out.  Started reading a discussion about it here.  OpenFiler is said to be fast and comprehensive - it's also the only free SAN platform that I'm aware of.

A free NAS OS, FreeNAS, looks quite slick and very current/active.  It does offer iSCSI.  It also supports the ZFS filesystem, which is targeted at very, very large storage arrays where silent errors have a statistically higher probability of occurring.  ZFS offers online scrubbing and self-healing of bad blocks from a redundant copy (unlike CHKDSK, which needs the volume offline), a checksum on every block written, cheap snapshots and roll-back thanks to copy-on-write, and tremendous volume sizes.  I decided this is not relevant to my life right now, but FreeNAS and OpenFiler both are.  Sometime it would be worth coming back and reading this short overview of building a small SAN.

9/18/11

2011: Week 37

A few notes from this past week:

1. On 9/17 I ordered a Lenovo T520 to replace the Latitude D800 that I've had for 4+ years. 

2. Had a Windows Server (2003) this past week that freaked out after I modified some permissions in the registry.  Fortunately their Backup Exec had been faithfully saving the System State, so I restored the registry files to an alternate location, booted up off of an Ultimate Boot Disc CD, and restored clean registry files.

3. An Elastix phone server was going offline repeatedly.  I could not ping its gateway, although I could ping LAN devices...and Windows workstations could ping the same gateway just fine.  The problem was an IP conflict, and that was determined by running arp -a 192.168.1.1 to see that a working PC was using the real gateway's MAC address and the phone server was using a Linksys Access Point's MAC address.

4. When trying to uninstall Sophos Antivirus on an XP Home box, it told me to become a member of the SophosAdministrator group...but XP Home doesn't have groups, right?  Wrong.  Running net localgroup lists all the groups, and running net localgroup SophosAdministrator /add solved this for me.

1/22/10

VoIP training

Good news!  A fabulous consulting company offered me a job on Wednesday.  Part of why it's so fabulous is because it embraces a variety of technologies.  One of which is Asterisk + Exchange installations.  This sounds very learn-able.  The concepts and keywords associated with telecommunications & VoIP are generally new to me...Teracom offers a full-sweep training package for $1,700.  It looks good.

I'm now getting up early in the morning for the first time in quite a while and feeling good for it.  As you may recall, I just purchased a big training package for MCITP / CCNA training.  My current thought is that I'm going to finish the MCITP training, then purchase the Teracom suite, then dive into VoIP.

1/20/10

Windows Mail: Outbox

If you're using Windows Mail and have a corrupt message stuck in the Outbox, try this hotfix from Microsoft.

1/12/10

DNS review

I'm sure you've noticed that some website URLs require the presence or absence of "www" in front of them in order to work. This is a DNS thing! "www.example.com" and "example.com" are two different names, and each needs its own record (an A record, or a CNAME for the "www" name). If a site doesn't have a "www" DNS entry...then the URL won't work in your browser.

I remember the first time I ever saw a tech use NSLOOKUP - I asked him "How do you learn about tools like this?" One answer is to use a study package that teaches you through video and hands-on activities. :-)

Server 2008 introduces some new DNS features:
-> Background zone loading. I’ve never seen a heavily loaded DNS server, but the idea is that a server with large AD-integrated zones starts answering queries right away (fetching names it hasn't loaded yet straight from AD) rather than waiting for the entire zone to load first.
-> GlobalNames zone – this is cool, because you can now give the whole forest single-label names (e.g. "fileserver"), just like WINS, by creating static CNAME records in a zone named GlobalNames. It is static by design: nothing registers into it dynamically. Sweet!
-> Conditional forwarders can now be stored in and replicated through Active Directory (in the past they stayed put on the individual DNS server).
-> Global Query Block List – by default this stops the names "wpad" and "isatap" from resolving even if some host dynamically registers them, so an attacker can't register "wpad" and have every proxy-auto-detecting browser on the LAN send its traffic through a fake web proxy.
-> ...and RODC, LLMNR, DNSSEC, domain controller search, and IPv6/AAAA record support. I did not look into these.
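The two features above that matter for security are the Global Query Block List and the GlobalNames zone. Here is an added example (not from the original post) that inspects and tightens the block list with dnscmd.exe on a Server 2008 DNS server, proves that a blocked name really stops resolving, and then enables GlobalNames. Run it in an elevated PowerShell on the DNS server; the zone name, the extra blocked name "proxy" and the throwaway address are assumptions.

```powershell
# Added example, not part of the original post: inspect and tighten the Global
# Query Block List on a Server 2008 DNS server with dnscmd.exe, then turn on
# GlobalNames. Run elevated on the DNS server itself. The zone name, the extra
# blocked name "proxy" and the test address 10.0.0.99 are assumptions.
$DnsServer = $env:COMPUTERNAME
$Zone      = 'corp.example.com'          # assumption: an AD-integrated zone on this server

# 1. Current state. 2008 ships with the list enabled and containing wpad and
#    isatap; a proxy-auto-detecting browser trusts whoever registers "wpad".
dnscmd $DnsServer /info /enableglobalqueryblocklist
dnscmd $DnsServer /info /globalqueryblocklist

# 2. Enforce it and set the list. /globalqueryblocklist REPLACES the whole
#    list, so always pass every name you want blocked, not just the new one.
dnscmd $DnsServer /config /enableglobalqueryblocklist 1
dnscmd $DnsServer /config /globalqueryblocklist wpad isatap proxy

# 3. Prove it works: a blocked name must come back as non-existent even when
#    a record for it is sitting in the zone. Add a throwaway record, query it
#    through this server, then remove it again. If the check fails, restart
#    the DNS Server service (Restart-Service DNS) and run it once more.
dnscmd $DnsServer /recordadd $Zone wpad A 10.0.0.99 | Out-Null
$answer = nslookup "wpad.$Zone" $DnsServer 2>&1 | Out-String
dnscmd $DnsServer /recorddelete $Zone wpad A 10.0.0.99 /f | Out-Null
if ($answer -match "can't find|Non-existent domain") {
    Write-Host "OK: wpad.$Zone is blocked even though the record exists"
} else {
    Write-Warning "wpad.$Zone resolved; the block list is not taking effect:`n$answer"
}

# 4. GlobalNames: forest-wide single-label names like WINS, but from static
#    CNAMEs you create by hand, so there is nothing for a rogue host to register.
dnscmd $DnsServer /config /enableglobalnamessupport 1
dnscmd $DnsServer /zoneadd GlobalNames /dsprimary /dp /forest
dnscmd $DnsServer /recordadd GlobalNames fileserver CNAME "fileserver.$Zone."
```

Step 3 is the part worth keeping around: the block list does not prevent a client from registering the name, it makes the server answer as if the name did not exist, so the only honest test is a lookup against a record you know is there.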

1/7/10

VoIP Intro

I've been learning about VoIP lately. I'd like better sound quality for my calls than what my cell phone offers...however, that remains an elusive goal. I could try an IP Phone or a VoIP ATA (analog telephone adapter) for high audio quality.

Here's what I've learned so far:

You can test your Internet connection (or here) to see if you have enough bandwidth. Skype calls from my PC to their testing service sound great, but calls to my own voicemail or my parents' landline were terribly muffled. At first I thought this might be caused by my ISP maliciously tampering with VoIP packets, but poor audio quality remained even after signing up for and installing HotSpotVPN (an OpenVPN implementation). You do have to tell the VPN to use UDP instead of TCP.

I also tried VoxOx, but couldn't sign-in to my account with the program. Considered signing up with RingCentral.com, but $28/month would be overkill in this case. VirtualPBX.com looks very reputable, but is way too pricey for me at $50/month. Next, I looked at Google Talk, but for now it only does PC to PC calls (not landlines). Supposedly you can combine it with a free DID (Direct Inward Dial) number from GroovyTel to receive incoming calls.

So, I signed up with IP Communications and purchased one SIP line (with one DID) for $10/month. This allowed me to receive calls on my new Bellevue, WA number, but not make outbound calls - for that, you have to sign in here and purchase a minimum of $10 credit. I think they debit your credit at the rate of 2 cents per minute or less. I'm using Counterpath's free X-Lite softphone. The audio quality isn't too bad, but isn't as good as I want it to be. I test it by calling my own voicemail.

IP Communications isn't the only SIP provider...VoicePulse.com and CallCentric.com both look interesting. VoicePulse may be less expensive than my current host.

This all-in-one $225 ooma Core VoIP Phone System (with no monthly fee) is big on Amazon.com - 717 reviews so far, with the vast majority being totally positive.

Reading up on "codecs" this evening...according to X-Lite's user manual, PC-only VoIP traffic can use "wideband" codecs that sample at 16 kHz, whereas calls into the PSTN require "narrowband" codecs (G.711 only, in fact) that sample at 8 kHz. That explains why my test call into Skype sounded so much better than the one to a landline. Maybe a Cisco IP phone would sound better...but that's $100, so...not right now. :-)

1/6/10

Server 2008 Deployment

I've been learning about deploying Server 2008...editions, roles, features, etc.

::> The roles are: AD, DNS, DHCP, File (big upgrade from 2K3), Print, WSS (SharePoint), NAP (Network Access Protection), TS, IIS, and WDS (Deployment).
::> "Server Manager" in 2K8 replaces "Computer Management" in 2K3.
::> Editions: Web, Standard, Enterprise, Datacenter.
:: ::> The Web edition is identical to Standard except it only runs IIS. Standard doesn't offer ADFS (a type of single-sign-on), nor does it have as many features for handling certificates (such as an online responder or network device enrollment (for hardware which (naturally) doesn't have a domain account)). I'm not clear on what the "online responder" is all about. Standard is also "limited" to 32GB of RAM and 4 CPUs in a 64-bit configuration (4GB in 32-bit mode).
:: ::> Enterprise is the sweet-spot with up to 64GB/2TB of RAM (32/64-bit respectively) and up to 8 CPUs. Enterprise also seems to allow you to legally run up to 4 additional installations in a virtual Hyper-V environment!
:: ::> The Datacenter edition can be scaled up to more CPUs - 32/64 for 32/64-bit respectively (you pay per CPU and user) and lets you legally run as many virtual installations of Windows Server as you dare!
:: ::> Pricing at the moment (from CDW.com) is $400 for Web, $740 for Standard (with 5 CALs), $2,900 for Enterprise (with 25 CALs), and $8,200 for Datacenter (4 CPUs). Info on licensing.

Server Core:
Let's say you have a limited-purpose perimeter server with some Internet exposure. You can reduce its attack surface by installing just "Server Core", which is the same operating system with most of the GUI left out: all administration is done from the command line (or remotely with MMC consoles). Because the .NET Framework isn't there, it can't run managed code, so no ASP.NET either. Core also doesn't support ADFS, WDS, and probably other stuff too. It doesn't have an explorer.exe process, and fewer installed components also mean fewer patches and reboots. It's especially recommended as the foundation for a Hyper-V host (the parent partition), where you want maximum performance and minimum exposure.

About Windows PE and the Windows AIK..."PE" stands for Preinstallation Environment, the minimal Windows that setup, WDS and recovery discs boot into (not to be confused with PXE, the Preboot Execution Environment that network-boots it).

For upgrading from Server 2003, you have to boot into Windows and then insert your DVD - booting off the DVD only permits a clean install. AIK answer files for 2K8 are in XML (vs *.inf text files in the past)

Regarding WDS (Windows Deployment Services) and its images (*.wim file - "windows image"). WDS is a role. You can configure it to communicate with all PCs, no PCs, or only PCs in Active Directory. Well, you may ask, what if you want to use it with a brand-new PC? You "pre-stage" that PC by adding its MAC or GUID to a new "managed" computer account in AD.

Quite interestingly, you can use WDS to "capture" an existing server/PC image and save it for future reference. If you plan to roll that image out to additional boxes, be sure to run sysprep first so each clone gets its own SID and machine identity. ImageX (from the AIK) captures, applies and mounts *.wim files; mounting an image lets you service it offline, e.g. to add updates.

NovaBackup

I suddenly remembered why my former employer originally standardized on "NovaBackup" for tape backup/restore.  It's because (at least, at the time) it was the only program that would directly read the contents of a backup tape.  Other programs demanded that you put in a specific tape to accomplish a restore...NovaBackup was willing to work with whatever you had available.

12/31/09

Jumping back in

It's time to resume studying. :-) So, I'll be keeping notes for myself on this blog (starting today) & perhaps they'll be of use to other people as well.

My laptop's HD crashed a while back (bad sectors - most data was recovered OK) and I lost my Parallels installation. So today I logged into my account on their site, purchased a link to re-download version 2.2 (the Intel Processor Identification Utility says my Pentium M @ 1.8GHz doesn't support hardware virtualization for Parallels 4.0), and am now ready for virtual servers.

I've been reviewing the different ways to prepare for tests. Two test-only providers are SelfTestSoftware.com (which is running a 35% off sale today) and Transcender.com.

To prep for 70-649 (exam #1 of 3 to upgrade an MCSE to MCITP), I've ordered a book with practice questions and a trial of Server 2008. To prep for the other two MCITP exams - and the CCNA - I just spent over $500 for access to training material by TestOut. They did an excellent job of teaching what I needed for the MCSE, so Lord willing, it'll be another success story with the MCITP.

I just typed in "SQL" on dice.com - 429 results! "MCSE" yields 29 results, "CCNA" yields 16, "A+" yields 6. Pearson Vue handles CCNA testing, Prometric handles all Microsoft exams.

6/17/08

Edit registry offline

A Windows XP box came into our shop, infected with malware last Friday.  It would boot part way into Windows and then crash with a BSOD stating something like "Unable to load basebow32.dll – unable to load the application, reinstalling might fix this".  To fix, I placed the infected HD in a clean Windows XP box (as a secondary drive), launched regedit, clicked on HKEY_Local_Machine, went to the File menu, Load Hive, and selected the Infected_Drive\Windows\System32\config\SYSTEM file.  Searched it for references to "basebow32" and removed them.  Problem solved!
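The same offline-hive trick, scripted. This is an added example and not the author's procedure verbatim: it loads the SYSTEM hive from a disk that is attached as a secondary drive, lists every value whose data mentions a string, and unloads the hive cleanly afterwards. Save it as Search-OfflineHive.ps1 and run it elevated on the clean machine; the drive letter is an assumption, and nothing is deleted unless you pass -Remove.

```powershell
# Added example, not from the original post: the offline hive procedure as a
# script. Save as Search-OfflineHive.ps1 and run elevated on the clean machine
# with the infected disk attached. Drive letter is an assumption; nothing is
# deleted unless -Remove is given.
param(
    [string]$HiveFile = 'E:\Windows\System32\config\SYSTEM',   # assumption: infected disk is E:
    [string]$Needle   = 'basebow32',
    [switch]$Remove
)
$mount = 'HKLM\Offline'                                       # name the hive appears under
& reg.exe load $mount $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile (already loaded, or not elevated?)" }
try {
    $hits = @()
    foreach ($key in (Get-ChildItem 'HKLM:\Offline' -Recurse -ErrorAction SilentlyContinue)) {
        foreach ($name in $key.GetValueNames()) {
            # Read raw data (no %VAR% expansion); multi-strings flatten to one
            # string, so a single -match covers REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ.
            $data = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -match [regex]::Escape($Needle)) {
                $hits += New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
        $key.Close()
    }
    $hits | Format-Table Key, Value, Data -AutoSize
    if ($Remove) {
        foreach ($h in $hits) {
            $path  = $h.Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
            $vname = $h.Value
            if (-not $vname) { $vname = '(default)' }
            Remove-ItemProperty -Path $path -Name $vname
        }
    }
} finally {
    # The registry provider keeps key handles open; release them first or
    # "reg unload" fails with "access is denied" and the hive stays mounted.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
}
```

Review the table before running with -Remove: a reference to the bad DLL inside a legitimate service's ServiceDll value means the service itself was hijacked, and the right fix is to restore the original value rather than delete it.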

Symantec AV removal

How do you uninstall the corporate version of Symantec antivirus if it's password protected & you don't know the password?

First, try the word "symantec".  If that doesn't work, open regedit and navigate to HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security.  Change the useVPuninstallpassword from 1 to 0.  Close the registry editor and retry the uninstall.

Bad ECC RAM

Windows 2003 wouldn't boot on a client's server, claiming that its SYSTEM registry hive was corrupt.  Strangely, not only was I unable to boot from the HD, I couldn't get any of my bootable CDs to work either!  I even tried a different CD drive.  The culprit?  A bad RAM module.  The registry and my bootable CDs were just fine.

Internet health

On May 21, several customers called in to complain about slow Internet access.  They all had one thing in common: their ISP was TDS.  A major fiber line in the Chicago area had been cut by construction.  A co-worker then introduced me to InternetHealthReport.com

Missing Icons

A month ago, I copied all the files from a repaired HD onto a new, blank HD for a laptop running Windows Vista.  After repairing the boot sector on the new drive, I was able to boot into Vista just fine.  The puzzling thing was that none of the programs installed by the Windows Installer had an icon!  This was because my file copy program had skipped C:\Windows\Installer.

For more reading about icon issues, see these links:

Windows Installer

Default programs

Icon Cache

5/17/08

PhotoSmart via RDP

How do you print to a local HP Photosmart printer in an RDP session? It's simple, right? No. HP doesn't make Server 2003 drivers for their Photosmarts. To work around this, you can install HP Deskjet 990Cse drivers on both the client and the server. On the client PC, be sure to select the same port used by your Photosmart driver.

4/2/08

70-297 - Passed!

I passed 70-297 this afternoon, thus completing my study to become MCSE certified.

3/29/08

DHCP

Today's topic is DHCP! DHCP requests are broadcasts, and routers don't forward broadcasts, so there are three ways to get a DHCP-assigned address to a client on a routed network:
1) Place a DHCP server on every subnet
2) Enable BOOTP/DHCP forwarding in the router(s) (on Cisco gear, "ip helper-address")
3) Place a DHCP relay agent on every subnet. The relay agent picks up a client's broadcast request, writes its own interface address into the packet's giaddr (gateway address) field, and unicasts the request to the DHCP server. The server picks the scope that matches giaddr, unicasts its reply back to the relay agent, and the relay agent broadcasts the offered address to the client on the original subnet.

If you have a DHCP server and a relay agent on the same subnet, how do you know that the server will respond first? DHCP relay agent settings can be found in RRAS, and there's a setting called "Boot threshold" which lets you tell the agent to wait: it ignores requests whose "seconds elapsed" field is below the threshold, so the local server gets first crack and the relay only forwards once the client has been asking for a while.

A "split scope" is a way to create fault tolerance for DHCP. With subnets "A" and "B", each with its own DHCP server and a DHCP relay agent, both servers carry a scope for both subnets, but the ranges don't overlap: the local server hands out 80% of its subnet's addresses and the server in the other subnet holds the remaining 20% (the percentage is flexible; the split is done with exclusion ranges on each server). This way, if one DHCP server dies, the associated relay agent can forward requests to the other server and clients still receive a valid address for the original subnet.

To paraphrase the exchange: the client's DHCPDiscover broadcast says "Hi, my MAC address is blah-blah-blah, I used to have IP address blah-blah-blah (option 50), and I'd like a subnet mask, default gateway and DNS server too (option 55, the parameter request list). Are there any DHCP servers out there?". Each server answers with a DHCPOffer carrying an IP, subnet mask, lease time and the requested options; the client broadcasts a DHCPRequest naming the offer it accepts (so the other servers can release theirs), and the chosen server confirms with a DHCPAck. Here's a really good article on this topic.

Two other methods of fault-tolerance for DHCP are to cluster your DHCP servers or to use the "alternate configuration" in Windows XP.
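To make the relay agent's role concrete, here is an added example (not from the original post) that builds the DISCOVER and OFFER packets of the exchange above in memory, runs them through a relay agent and a server that chooses a scope from giaddr, and decodes the result. Nothing is sent on the wire; every address, MAC and scope is made up, and the relay/server logic is a deliberately minimal stand-in for RRAS and the Windows DHCP service.

```powershell
# Added example, not from the original post: the DISCOVER/OFFER leg of a DHCP
# lease built as raw packets in memory, so you can see what the relay agent
# changes (giaddr) and how the server uses it to pick a scope. Nothing goes
# on the wire; every address, MAC and scope below is made up.

$MagicCookie = [byte[]](0x63, 0x82, 0x53, 0x63)

function ConvertTo-IpBytes([string]$Ip) { ,[byte[]]($Ip.Split('.') | ForEach-Object { [byte]$_ }) }
function ConvertFrom-IpBytes([byte[]]$B) { ($B | ForEach-Object { [string]$_ }) -join '.' }
function ConvertTo-IpNumber([string]$Ip) {
    $b = ConvertTo-IpBytes $Ip
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}
function Test-InSubnet([string]$Ip, [string]$Network, [string]$Mask) {
    ((ConvertTo-IpNumber $Ip) -band (ConvertTo-IpNumber $Mask)) -eq (ConvertTo-IpNumber $Network)
}

# RFC 2131 fixed header: op, htype, hlen, hops, xid(4), secs(2), flags(2), ciaddr,
# yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), then cookie + options.
function New-DhcpPacket {
    param([byte]$Op, [byte[]]$Xid, [byte[]]$Mac, [string]$Yiaddr = '0.0.0.0',
          [string]$Giaddr = '0.0.0.0', [hashtable]$Options)
    $p = New-Object byte[] 240
    $p[0] = $Op; $p[1] = 1; $p[2] = 6; $p[10] = 0x80      # Ethernet, 6-byte MAC, broadcast flag
    [Array]::Copy($Xid, 0, $p, 4, 4)
    [Array]::Copy((ConvertTo-IpBytes $Yiaddr), 0, $p, 16, 4)
    [Array]::Copy((ConvertTo-IpBytes $Giaddr), 0, $p, 24, 4)
    [Array]::Copy($Mac, 0, $p, 28, 6)
    [Array]::Copy($MagicCookie, 0, $p, 236, 4)
    $opts = @()
    foreach ($code in ($Options.Keys | Sort-Object)) {        # TLV options: code, length, value
        $val = [byte[]]$Options[$code]
        $opts += [byte]$code; $opts += [byte]$val.Length; $opts += $val
    }
    $opts += [byte]255                                        # end option
    ,[byte[]]($p + $opts)
}

function Read-DhcpPacket([byte[]]$P) {
    $opts = @{}; $i = 240
    while ($i -lt $P.Length -and $P[$i] -ne 255) {
        if ($P[$i] -eq 0) { $i++; continue }                  # pad option
        $code = [int]$P[$i]; $len = [int]$P[$i + 1]
        if ($len -gt 0) { $opts[$code] = [byte[]]$P[($i + 2)..($i + 1 + $len)] } else { $opts[$code] = [byte[]]@() }
        $i += 2 + $len
    }
    @{ Op = $P[0]; Xid = [byte[]]$P[4..7]; Yiaddr = (ConvertFrom-IpBytes $P[16..19])
       Giaddr = (ConvertFrom-IpBytes $P[24..27]); Mac = [byte[]]$P[28..33]; Options = $opts }
}

function Invoke-RelayAgent([byte[]]$Broadcast, [string]$RelayIp) {
    # The relay stamps its own interface address into giaddr, bumps hops and
    # unicasts the packet to the server. On the way back it recognises its
    # address in giaddr and re-broadcasts the offer on the client's subnet.
    $p = [byte[]]$Broadcast.Clone()
    $p[3] = $p[3] + 1
    [Array]::Copy((ConvertTo-IpBytes $RelayIp), 0, $p, 24, 4)
    ,$p
}

$ServerIp = '10.1.0.10'                                       # server lives on the first subnet
$Scopes = @(
    @{ Network = '10.1.0.0'; Mask = '255.255.255.0'; Router = '10.1.0.1'; Next = '10.1.0.50' },
    @{ Network = '10.2.0.0'; Mask = '255.255.255.0'; Router = '10.2.0.1'; Next = '10.2.0.50' }
)

function Invoke-DhcpServer([byte[]]$Request) {
    $r = Read-DhcpPacket $Request
    # giaddr decides the scope: 0.0.0.0 means the client shares the server's own subnet.
    $anchor = $r.Giaddr
    if ($anchor -eq '0.0.0.0') { $anchor = $ServerIp }
    $scope = $Scopes | Where-Object { Test-InSubnet $anchor $_.Network $_.Mask } | Select-Object -First 1
    if (-not $scope) { throw "No scope covers relay/server address $anchor" }
    New-DhcpPacket -Op 2 -Xid $r.Xid -Mac $r.Mac -Yiaddr $scope.Next -Giaddr $r.Giaddr -Options @{
        53 = @(2)                                 # DHCPOFFER
        1  = ConvertTo-IpBytes $scope.Mask
        3  = ConvertTo-IpBytes $scope.Router
        6  = ConvertTo-IpBytes $ServerIp          # DNS (made up: this box also serves DNS)
        51 = @(0, 0, 0x0E, 0x10)                  # lease 3600 s, big-endian
        54 = ConvertTo-IpBytes $ServerIp          # server identifier
    }
}

# Walk-through: a client on 10.2.0.0/24, where there is only a relay agent.
$mac = [byte[]](0x00, 0x1A, 0x4B, 0x10, 0x20, 0x30)
$discover = New-DhcpPacket -Op 1 -Xid ([byte[]](0xDE, 0xAD, 0xBE, 0xEF)) -Mac $mac -Options @{
    53 = @(1)                                     # DHCPDISCOVER
    50 = ConvertTo-IpBytes '10.2.0.77'            # "I used to have this address"
    55 = @(1, 3, 6)                               # parameter request: mask, router, DNS
}
$relayed = Invoke-RelayAgent $discover '10.2.0.1'
$o = Read-DhcpPacket (Invoke-DhcpServer $relayed)
$macText = ($o.Mac | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
$l = $o.Options[51]
$leaseSeconds = [int]$l[0] * 16777216 + [int]$l[1] * 65536 + [int]$l[2] * 256 + [int]$l[3]
"Offer for $macText via relay $($o.Giaddr): $($o.Yiaddr) mask $(ConvertFrom-IpBytes $o.Options[1]) gw $(ConvertFrom-IpBytes $o.Options[3]) dns $(ConvertFrom-IpBytes $o.Options[6]) lease ${leaseSeconds}s"
```

The server never looks at its own 10.1.0.x address once giaddr is set; the scope comes from the relay's address, which is why a relay agent bound to the wrong interface hands out addresses for the wrong subnet. Change the relay address in the walk-through to a 10.1.0.x one and the offer moves to the other scope.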

Random note:
In a big organization, it makes sense to keep the "root domain" of your forest empty (w/ only the Administrator account active - and assigned a good password) to protect the Enterprise Admins and Schema Admins group from misuse.

3/27/08

Delegating DNS

Why would you delegate a DNS zone? If a DNS server is being overwhelmed by traffic, it would make sense to delegate a portion of its namespace to another server; if a DNS server is separated from important "clients" (e.g. Exchange servers, or many workstations) by a slow WAN link, delegation is a way of moving the most important (popular) part of the namespace closer to its users; or if you just need to shift some of the administrative work to somebody else. Hopefully I'll be able to grasp the concepts being tested in 70-297, but in real life, I think I still feel very fuzzy on why/how the whole DNS delegation thing exists/works.

When I created a new zone on my test DNS server, I found that unqualified hostnames failed in nslookup. Using group policy (Computer\Admin\Network\DNS) I added an entry to the DNS suffix search order for the zone that had previously failed the nslookup. After fixing a subnet mask on my test workstation (oops) and rebooting (to apply the machine-level group policy), it worked!

3/26/08

More research 2

Reviewed WINS concepts. On a single subnet, you don't need a WINS server. If you have multiple subnets (broadcast domains) and you have a program that requires WINS lookups, then you need a WINS server.

DNS...I'm comfortable with primary zones, ADI, forwarding, and recursion. Secondary zones are read-only copies of a zone, pulled from a primary server by zone transfer. They can not be integrated into Active Directory, so inside a Server 2003 forest they don't seem to add much: the fault tolerance and load balancing they used to provide comes free with ADI zones, which replicate multi-master to every DC running DNS. They still matter for DNS servers that aren't domain controllers; according to informit.com, a BIND server can receive a secondary copy of an ADI zone. If you have a DNS server that needs to know about DNS servers in other forests, you can use a stub zone (which holds only the NS, SOA and glue records) to avoid zone transfer traffic.

It just occurred to me this evening that the default "ClientApps" share on Server 2003 is probably intended for applications published to clients via group policy in their Add/Remove Programs applet.

3/22/08

More research

I tried 70-297 on the 15th & flopped again! Today, I'm doing some study on related topics.

Server 2003 (Standard) minimum system requirements are a 133MHz x86 CPU, 128MB of RAM, and 2.0 GB of available HD space. Server 2003 supports three processor architectures: x86 32-bit, x86 64-bit, and Itanium. This means that Server 2003 does NOT run on RISC processors.

To bone up on RADIUS, I followed instructions to install IAS and configure RRAS to use it. It worked! I ran IAS and RRAS on the same server.

Operations masters - it seems I'm weak on these. They're also known as FSMO ("fiz-mo", Flexible Single Master Operation) roles. Active Directory is "multi-master" overall, but there are some jobs that only a single DC handles. Two of these are at the forest level: schema master and domain naming master. Three others are at the per-domain level: RID master (it allocates blocks of RIDs to the DCs, which they use to build SIDs for new objects); Infrastructure Master (only important in multidomain environments - in which case it shouldn't be on a GC server, unless every DC is a GC); and the PDC Emulator, which receives password changes first and handles account lock-outs. It's also the authoritative time source in a domain.

I think if bandwidth isn't an issue, every DC in a small domain should be a GC.

For a short-term disaster recovery simulation, you only need a PDCe available. However, if you restore a DC from backup, it will invalidate its RID pool and need access to a RID master to replenish it for new object creation. See here and here.

When you install a Server 2003 box in a Windows 2000 forest, you have to update the 2000 AD schema for the new features in 2003's version of Active Directory. You do this by running adprep /forestprep on your forest's schema master & adprep /domainprep on each domain's infrastructure master.

In other news, SP1 for Vista was released on the 18th.

Unable to disjoin domain

Several weeks ago a workstation was experiencing really slow logon/off times. When I tried to disjoin it from the domain I was told "The following error occurred attempting to unjoin the domain: the specified module could not be found". Now what? It turned out that w32time.dll was missing from the c:\windows\system32 directory. Because it was missing, the Net Logon service couldn't run. The Net Logon service is essential for interacting with a domain.

3/20/08

Google Apps

I tried out free email hosting via Google Apps recently. The steps to do so are:

Create a Google Apps account.
Follow instructions to change MX records for your domain (via CPanel).
Follow instructions to change custom webmail URL (via support ticket with web host - CPanel doesn't support this).
Log into each webmail account and enable POP or IMAP access.
Follow instructions to configure your mail client (e.g. Outlook Express)
- You login to pop.gmail.com:995 as username@yourdomain.com

I think this will provide good spam filtering for free - and might therefore be useful for nonprofits and small businesses who don't want to purchase Outlook 2003 for their users. Outlook 2003 has an excellent built-in spam filter, updated monthly by Microsoft via Microsoft Update.

3/8/08

Defragment Exchange

Here's a short batch file to defragment Exchange 2000/2003 information stores (eseutil /d rewrites the database into a temporary file and swaps it in, so it needs free space of roughly the database size plus 10%, and the store must be dismounted first):

@echo off
echo Verify that you've backed up and dismounted the Exchange Store!
echo.
echo Press Ctrl + C to cancel...
echo.
REM Two pauses on purpose: you have to confirm twice before anything runs.
pause
pause
REM /d switches drive as well as directory, in case this runs from another drive.
cd /d "C:\Program Files\Exchsrvr\BIN"
eseutil /d ..\mdbdata\priv1.edb
if errorlevel 1 echo eseutil reported an error - check the output before remounting the store.

Local user profiles

Last week, a client requested that their stand-alone workstations be joined to their domain for better password management. To minimize disruption to the users, I used ForensiT's User Profile Wizard to join systems to the domain and re-assign their local profile to the new domain SID. It works beautifully! The only thing it doesn't do is transfer the contents of Protected Storage. I used NirSoft's Protected Storage PassView to copy saved passwords into an Excel spreadsheet for printing.

3/6/08

Local Admin

To add a domain group to the local admins group on all your workstations, fire up a group policy and edit the computer startup scripts. Here are two scripts I've tested:

1) Batch file:
REM Adds the domain group to the local Administrators group. Harmless on a second
REM run: NET reports error 1378 (already a member) and changes nothing.
NET LOCALGROUP Administrators "YourDomain\YourDomainGroup" /ADD

2) VBScript:
On Error Resume Next
MyDomainName = "InsertYourDomainName"
MyDomainGroup = "InsertYourDomainGroup"

Set x = WScript.CreateObject("WScript.Shell")
ComputerName = x.ExpandEnvironmentStrings("%COMPUTERNAME%")

' Bind to the local Administrators group through the WinNT ADSI provider and add the domain group
Set Local_Admins = GetObject("WinNT://" & ComputerName & "/Administrators,group")
Local_Admins.Add "WinNT://" & MyDomainName & "/" & MyDomainGroup & ",group"

' On Error Resume Next hides failures, so check explicitly. "Already a member" is
' harmless; a bad domain/group name or missing rights is worth an event log entry.
If Err.Number <> 0 Then
    x.LogEvent 1, "Local admin startup script: error " & Hex(Err.Number) & " " & Err.Description
End If


Computer startup scripts run as the LocalSystem account, so they can change local group membership on every machine the policy applies to; logon scripts run as the logging-on user and can only do what that user is allowed to do.

3/4/08

ADMT

This evening I tried out the Active Directory Migration Tool 3.0, migrating a WinXP workstation from the “silver” domain (the source) to the “gold” domain (the target).

After installation, you open the ADMT as an MMC snap-in on the target domain controller. Your target domain must be in domain native mode. User and computer accounts get migrated in separate steps; then you remotely run an “agent” on the workstations that you’re migrating to join them to the new domain and reset all the necessary file/registry permissions.

In order for this agent to run, your user account in the target domain must have local admin rights on the workstations. Automating the process may be the topic of another post. I did it manually by adding \\gold\Domain Admins to \\silver\Trusted-Admins and then adding the new "Trusted Admins" (a domain local) group to the local admins group on the workstation.

I couldn’t add \\gold\Domain Admins to \\silver\Domain Admins because both groups are global. Remember that global groups are great travelers, but poor hosts. Also found that I couldn’t place an individual user account from one domain in another domain’s group.

If you don’t have local admin rights to the workstations, the ADMT agent will report “access is denied” to the ADMIN$ share. The workstations also need to have the same primary DNS server as the target domain controller(s).

By the way, during the course of this exercise I raised my forest functional level and learned that the Enterprise Admins group only exists in the “root domain” of a forest. You have to be in that group for forest-wide changes such as raising the forest functional level; schema changes need the Schema Admins group, which also lives only in the root domain.

By default, the ADMT does not migrate user passwords; instead is sets the migrated user accounts to “change password at next login”.

After the ADMT agent runs, it reboots the workstation & voilà! You’re finished! This is so cool.

3/1/08

Domain tinkering

Powered on SERVER2 and ran dcpromo, but couldn't demote it to a stand-alone server because Active Directory "knew" that there was still another DC out there. So I tried demoting it to a member server, but Active Directory insisted that it must be able to contact another DC in that case...so I powered on SERVER1. After demoting SERVER2 to a member server and rebooting, I ran dcpromo again to install Active Directory as a new domain in the existing forest. This didn't work at first because DNS lookups (for the new domain) on SERVER1 timed out. To fix, I created a primary zone on SERVER1 for the new domain and that allowed me to proceed with installing Active Directory on SERVER2 w/ SERVER1 as its DNS server.

Powered on a virtual workstation (XP1) and joined the second domain. After rebooting, XP1's logon dialog listed every domain in the forest plus the local computer - DOMAIN1, DOMAIN2, and XP1. A quick Google search determined that this list is not editable, but that you can set a default domain for a PC and then hide the domain list.

Windows workstations cache domain credentials for the last 10 interactive logons by default, so those users can still log on when no DC is reachable. To change/disable this, edit a group policy: Computer > Windows > Security > Local > Interactive logon: Number of previous logons to cache (it writes the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon).

After a slow initial login on XP1, I checked the event log and found complaints that the domain controller was inaccessible. Creating reverse DNS entries appeared to resolve this (though maybe it just needed more time).

Lastly, I assigned a batch file login script to XP1 via group policy, but noted that my PAUSE command was ignored.

2/28/08

Rapid replication

Installed Server 2003 in two virtual machines ("server1" and "server2") this evening. Made them domain controllers for the same domain. Learned how to force replication via ADSS. Disabled the default domain GP password settings & tried to create a user w/ no password; this failed with "Windows cannot create the object because: Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain." Running gpupdate by itself didn't help, but running gpupdate /force did.

Windows allows you to turn off Global Catalog functionality completely in a domain, but if you try to create a user after that, it reports "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The directory service is unavailable. Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make sure the global catalog is available." If the user that you create in this offline state is a duplicate, the global catalog server will keep the duplicate account name but assign a unique SID and append gibberish to the name in AD.

A cool tool for viewing an account's SID or last logon/off date comes with the Server 2003 Resource Kit. After you download and install the kit (it's free), run regsvr32 "C:\Program Files\Windows Resource Kits\Tools\acctinfo.dll".

Despite the fact that my two domain controllers are running in the default forest/domain modes, intrasite replication happens almost immediately! I thought you'd have to wait 15 minutes or 5 minutes or 15 seconds.

In other news, Windows Server 2008 was released yesterday (February 28) and I took 70-297 last Saturday, but failed.

2/18/08

Choppy DVD playback

My sister called a couple evenings ago and said "I think my DVD-ROM is going bad! Videos are so choppy and jerky, they're no fun to watch". This was caused by her secondary IDE channel reverting back to PIO mode, an older method for accessing drives - and too slow for DVDs. To fix, we uninstalled the channel, redetected it, enabled DMA mode, and then rebooted. See this article on DMA reverts to PIO.

Fixing RRAS and FPS

A client called our office this morning and said "My users can't access the Internet or browse shared folders!". The client runs Windows SBS 2003. RRAS w/ NAT distributes Internet access on the WAN interface to all the workstations.

What was wrong? File and Printer Sharing had been disabled on the LAN interface (and enabled on the WAN)! This generated lots of errors in the event log, including event 1058 and 1030, because Windows couldn't access the SYSVOL share via UNC path (in fact, while shares were visible via \\servername, double-clicking on any of them merely brought up a username/password prompt). After correcting this, users could once again access shared resources on the server, but they still couldn't access the Internet.

It turned out that the LAN interface had recently been replaced or renamed...so RRAS wasn't doing NAT on the renamed interface. Right-clicking in RRAS/NAT and choosing "Add interface" quickly resolved the problem.

2/13/08

ActiveX error

To access a security camera system for one of our clients, you have to change Internet Explorer's security zone settings. IE will tell you "Your current security settings prohibit running ActiveX controls on this page". To fix, go to Tools -> Internet Options -> Security tab -> Custom Level -> ActiveX controls and plug-ins -> Download unsigned ActiveX controls -> Prompt (instead of Disabled). Don't loosen this for the Internet zone as a whole: add the camera system's address to the Trusted sites zone first and change the setting there, so every other site still gets "Disabled".

2/12/08

Malware infections

One of your users has a malware infection. Your antivirus program quarantined part of it, but it’s still hanging on, just beyond the reach of your two or three favorite antivirus/antispyware tools. Now what?

1. Connect the infected hard drive to a spare PC running Windows XP or Vista so you can freely access the file system.

2. Search the Windows directory for recently created/modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin, *.scr files. Configure the search results to display the file’s publisher and version number.

Recently created or modified files which do not display a publisher are probably malware and should be disabled (by appending a different file extension, e.g. *.bad). Keep in mind that the publisher shown in a file's properties is just a string in its version resource, which malware can set to any name it likes; a valid Authenticode signature is the only form of "publisher" worth trusting. Files that do have a legitimate publisher but were recently modified are probably corrupt or infected and can be replaced by an older (clean) copy displaying the same version number.

Lastly, run HijackThis to cleanup any remaining traces of infection.

I've used this method to remove malware missed by NOD32 and Spyware Doctor.
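Steps 1 to 3 above as a script, added here as an example and not the author's own tooling. Rather than trusting the "publisher" string, it asks Windows to verify each file's Authenticode signature, which is what actually distinguishes a vendor's binary from one that merely claims the vendor's name. Save it as Find-SuspectFiles.ps1 and run it on the clean machine with the infected disk attached; the drive letter and the age window are assumptions, and files are renamed only when you pass -Rename.

```powershell
# Added example, not from the original post: steps 1-3 of the triage as a script.
# Save as Find-SuspectFiles.ps1 and run on the clean machine with the infected
# disk attached. Drive letter and age window are assumptions; files are renamed
# only with -Rename, and never when their signature verifies.
param(
    [string]$WindowsDir = 'E:\Windows',     # assumption: infected disk is E:
    [int]$Days = 14,
    [switch]$Rename
)
$exts  = '*.exe','*.com','*.dll','*.ocx','*.bat','*.dat','*.drv','*.sys','*.bin','*.scr'
$since = (Get-Date).AddDays(-$Days)

# -Force includes hidden/system files, which is where droppers like to sit.
$files = Get-ChildItem -Path $WindowsDir -Recurse -Include $exts -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.LastWriteTime -gt $since -or $_.CreationTime -gt $since) }

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
    $status = 'Unknown'; $signer = ''
    if ($sig) { $status = [string]$sig.Status }
    if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $f.FullName
        Name      = $f.Name
        Written   = $f.LastWriteTime
        Publisher = $f.VersionInfo.CompanyName   # informational only: a string anyone can set
        Signature = $status                      # Valid / NotSigned / HashMismatch / ...
        Signer    = $signer
    }
}

# Reading the Signature column:
#   Valid        - bytes match a signature from a trusted chain; leave alone
#   HashMismatch - signed once, changed since: patched or infected, replace it
#   NotSigned    - no embedded signature. Many legitimate OS files are signed
#                  only through catalogs and land here too, so compare against
#                  a known-clean copy of the same version before acting.
$report | Sort-Object Signature, Written | Format-Table Signature, Written, Publisher, Signer, Path -AutoSize

if ($Rename) {
    # Disable rather than delete: the renamed file stays available for analysis
    # and the change is trivial to undo. Never touch a file whose signature verifies.
    $report | Where-Object { $_.Signature -ne 'Valid' -and -not $_.Publisher } | ForEach-Object {
        Rename-Item -LiteralPath $_.Path -NewName ($_.Name + '.bad')
    }
}
```

The catalog caveat is the important one: on XP and Vista most of the operating system's own binaries carry no embedded signature, so "NotSigned" alone is a reason to look closer, not a verdict. Sysinternals' sigcheck can verify catalog signatures if you need a second opinion before renaming.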

2/7/08

Theory, part 1

Active directory sites serve two purposes:
- Control AD replication traffic
- Ensure that users logon to a local DC rather than crossing a WAN link during login

As a general rule of thumb, you should install a domain controller in a branch office if there are 50+ users, and you should install a global catalog if there are 100+ users.

There are three reasons to have an OU:
- To delegate administration
- To apply group policies
- To hide resources

2/6/08

Flowcharting

Began studying for 70-297 this evening. I need to try out Visio 2007 and Smart Draw 2008 to see if either program is really easy to use. Academic prices are $80 and $120 respectively.

2/4/08

Powershell and VBScript

Microsoft has a new scripting language called PowerShell, which works on Windows XP and everything newer. Someday I would like to take a course on PowerShell or VBScript. Microsoft has some videos about PowerShell.

Fixing a BSOD

A tech in our office recently imaged a hard drive onto a new computer. He did a repair installation of Windows XP on the drive, but after restarting, WinXP setup always crashed with error STOP 0x0000007E. This was resolved with Microsoft's Diagnostics and Recovery Toolset. This oh-so-handy bootable CD lets you disable unwanted device drivers!

Never relay a message

You recall my Exchange 6 post on January 21st? I allowed Exchange to relay messages to the site's own domain, through their web host's SMTP server, because this is a "shared namespace" (not all user accounts are on the Exchange server). The following Monday the web host admin informed us that 40,000 spams had been sent to users at this domain from their own IP address!!! I think the culprit was a compromised workstation on the LAN. To fix the problem, I disabled relaying and used a setting in the SMTP virtual server that says "Forward messages with unresolved recipients to: {insert mail server name or IP}". Problem solved. Note that no SMTP authentication is required in this case.

At the same site, I drastically shortened the amount of time that Exchange spends on retrying message delivery so that users are quickly notified when there's a delivery problem.

SQL error 15401

A couple of weeks ago a customer couldn't create an SQL login account because it had a duplicate SID with an existing account (I have no idea how that happened). I followed Microsoft's directions to identify and delete the offending account.

Someday, I would like to take Test Out's SQL course or CBT Nuggets' SQL course.

2/2/08

70-284 - Passed!

Passed 70-284 this afternoon. There were 30 questions, with an emphasis on name resolution and firewall interaction.

1/22/08

Message size limit

A user on an Exchange 2003 server tried to send a 22MB email attachment and received an error. This was because in Global Settings -> Message Delivery a 20MB maximum size was configured.

When assigning logon/off scripts via group policy, you must use a UNC path.

1/21/08

Restricting RDP users

One of our clients has several inexperienced users connecting to a 2003 terminal server. To help protect the server, the following group policies have been enabled:

- User Config -> Admin Templates -> Start & Taskbar:
Add "Log off" to start menu
Disable and remove "Shutdown" from start menu
- User Config -> Admin Templates -> Windows Explorer:
Hide specified drives... (restricting all drives includes network drive letters!)

This hid most of the local drives on the server, leaving just the mapped network drive for the users' data. However, if they started typing a path in any address bar, folders in the "hidden" drives were listed as auto-complete options. To avoid this, I disabled autocomplete (effective for both Windows Explorer and Internet Explorer):

- User Config -> Windows Settings -> IE Maintenance -> Advanced -> Internet Settings

Exchange 6

Summary of latest Exchange topics covered in my study:
- How to mail enable a public folder (I haven't tested this)
- Free/Busy data is kept in a system Public Folder
- RPC over HTTPS can replace a VPN for checking email with Outlook 2003
- You can configure real-time block lists (RBLs) to reduce spam

Recently had a client ask us to simplify their email setup. Every user's Outlook was configured w/ a POP3 account which saved mail into an Exchange mailbox (rather than a PST file). Starting with one user as my "guinea pig", I removed his POP3 account in Outlook (retaining only the Exchange account), and created an entry for him in the Exchange server's POP3 connector. Also reconfigured the server's SMTP connector with current information.

The first time I tried to send a message to my own email address it bounced back w/ error 550, so I enabled SMTP authentication in the connector.

Next, I tried emailing two people who share the organization's domain name but who don't use the Exchange server. That test bounced back w/ error 5.1.1 (recipient doesn't exist). I checked the recipient policy in System Manager and found that the check box for "This Exchange Organization is responsible for all mail delivery..." was grayed out. So...I created a new policy (leaving that check box blank) and created an additional SMTP connector just for this organization's domain - with relaying enabled. Many, many thanks to msexchange.org for their article on SMTP Namespace Sharing.

1/14/08

Negative ping times

A W2K3 terminal server (and domain controller) failed to apply my group policies when users logged into their RDP sessions recently. Today I set about to fix this. Checked the application event log and found that event 1054 had been logged every 5 minutes for the last five months (almost since the server was installed!). Filtering the log for event 6009 showed that the server had been restarted a handful of times during that period. Running gpresult in a user's RDP session returned an error “The user does not have RSoP data”. I checked DNS, restarted the netlogon service, ran ipconfig /registerdns, and checked file system permissions.

Eventually, I found a site that noted a correlation between group policy errors and AMD's multi-core CPUs. The server has an AMD processor, so I pinged the localhost and got some wild numbers in response. Installing a patch from AMD (their "Dual-Core Optimizer") resolved the incorrect ping times, the application log errors, and my issues with group policy!

Exchange 5

Learned about public folders and front-end Exchange servers this evening. The latter are helpful when you have lots of people using OWA or RPC over HTTPS. All Exchange servers are "back-end", until you specifically designate them as "front-end" and move any mailboxes off of them. Here's an article about using NLB on front-end servers.

1/8/08

Exchange 4

This evening I learned about:
- Address lists (e.g. creating lists other than the GAL; replacing the default OAB).
- Mailbox stores. It seems that a single mailbox store consists of two files, the .edb file and .stm file (MDBEF and MIME formats, respectively)...and one or more log files.
- Moving mailbox stores to different disks, and mailboxes into different stores.

In Exchange 2003 Standard w/ SP2, you can have a single mailbox store of up to 75GB. In the Enterprise version you can have up to 20 stores which, I think, can each be up to 8TB in size. Wow.

There's also something called circular logging which prevents Exchange from saving zillions of log files and thereby chewing up your disk space. The downside of enabling this is that it somehow reduces your disaster recovery options and requires that you regularly run a full backup of your stores. Of course, you can also keep logging enabled and do frequent backups & the backups will automatically delete the log files. So, there's little value in using circular logging.

The two database files, the .edb and .stm files have something to do with MAPI (i.e. "Outlook") and non-MAPI clients (i.e. everything else), but I'm not quite sure what.

Haven't figured out what an X.400 address is, but one site says that you can't disable it.

Deleted items retention - it's a great feature. I've used it on two occasions to make people very happy. In one case, a user accidentally deleted her items. On the other occasion, an employee was terminated (but her user account was left enabled) and she logged in from home to delete emails via OWA. We recovered those emails, but what if the employee had known about DIRT (deleted items retention time) and what if the employee had purged those messages via OWA? We would've had to do a restore from backup...and that would've been very time-consuming ('cause so far, I've never restored an Exchange backup!). Microsoft tells how to hide the relevant command in Outlook via GP, but that won't help w/ OWA. There's a helpful post about this general topic at Experts-Exchange.

1/7/08

Exchange 3

Learned about recipient policies this evening. You can set the format (e.g. first.last) and suffix of email addresses for all (or just a subset) of your users.

Dynamically updated groups let people email everyone in Active Directory who is in a specific department or who has a middle initial of "J". This is for distribution groups whose membership changes frequently.

1/5/08

70-620 - Passed!

I passed the Vista exam (70-620) today.

12/27/07

Exchange 2

Notes from this evening's Exchange 2003 study:
- If possible, install Exchange on a server that does not also run Active Directory.
- You can set permissions on groups of servers by using Administrative groups.
- You can prevent individual accounts from using Outlook Web Access.
- Mailboxes are not created until they are logged into or receive a message.
- You can limit the message size that users are allowed to send and/or receive. I can think of two organizations where I need to implement this setting!

12/26/07

Exchange 1

I've finished studying for 70-620 and plan to take the exam within two weeks. I've started studying for 70-284 (Exchange). This evening's study covered the installation. Exchange 2003 can use up to 3GB of RAM.

12/13/07

Prevent users from clearing IE history

What do you do when you suspect that a user is going to bad sites on a company laptop, but they've cleared their history in Internet Explorer and deny any wrongdoing? You use group policy to prevent them from clearing their history! The setting is in User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Disable Changing History Settings" or "Disable Configuring History". Of course, there are other considerations as well (anonymous web proxies or alternate browsers), but this is a neat setting to enable.

Vista 1

Well into studying for 70-620 "Configuring Windows Vista". It's informative and easy. I've enjoyed learning how to use the breadcrumbs while browsing the file structure; finding out what the Windows Defender does (spyware/malware scanner); and basically just becoming a lot more comfortable w/ the OS overall.

12/7/07

Domain trusts

Wow. I set out to establish a domain trust between ServerB and ServerA. The computer name and domain name of ServerA have both been renamed in the past. I ran into problems: the trust wizard thought I was trying to establish a trust w/ the same domain that it was running on (ServerB's domain name matched ServerA's former domain name). When renaming the domain earlier, I had forgotten to run netdom /clean and netdom /end. Before discovering this oversight, I used netdom to update ServerA's FQDN, did a search-and-replace on my DNS files to remove all references to the old domain name, tried tinkering w/ NTDSUtil and ADSIEdit, and felt very frustrated!

After resolving that issue, I received a different error message stating that my target was "not a valid Windows domain". This was solved by adding conditional forwarding to the DNS server in each domain. Now I could establish a trust relationship.

After the two-way trust was set up, all was well for users on ServerB. However, when ServerA users tried to browse ServerB by name, an error occurred "Logon Failure: The target account name is incorrect". Running nslookup on ServerA revealed a problem w/ DNS ("Can't find server name for address x.x.x.x: Timed out"). I manually recreated a reverse lookup zone in DNS on ServerA (now nslookup reported "...Non-existent domain"), ran ipconfig /registerdns, and restarted the NetLogon service. That fixed the DNS problem (hurray!), but not the "Logon Failure".

Eventually, I found that a computer account for ServerB was present in ADUC on ServerA. Deleting that account solved the problem! This exercise has taken about five hours over two days.

12/5/07

Rename a domain

This evening I renamed the domain in a single domain, single DC environment. Thanks to msexchange.org for their article.

- Raised forest functional level to Server 2003
- Made a System State backup
- Executed rendom /list
- Edited the XML file, replacing references to the old domain name w/ the new
- Executed rendom /upload, rendom /prepare, rendom /execute

This completed successfully and triggered an automatic reboot w/ the message "The directory service is shutting down". After the reboot, I ran rendom /clean, rendom /end (this is important!).

Group policy objects are updated with gpfixup /oldDNS:GOLD.local /newDNS:PLATINUM.local /oldNB:GOLD /newNB:PLATINUM.

I still had a problem w/ the GPMC, but I opened it from within ADUC, edited a policy, exited GPMC, and then was able to re-open GPMC w/out any difficulties.

Lastly, restarted an XP workstation and verified that it was automatically updated.

Hurray!

12/1/07

70-294 - Passed!

I passed 70-294 (42 questions) at Davenport University in Grand Rapids this afternoon. Group policy and AD sites were the primary focus.

11/29/07

Global Catalog servers

What's a global catalog server? It's a domain controller w/ searchable information about Active Directory objects stored in other domains throughout a forest. I think that the first domain controller in a forest is automatically selected to be a GC. In a single-domain environment, you only need that first GC. In multi-site, multi-domain environments, you may need to appoint other DCs as GCs.

Microsoft's article gives a quick run-down on how to enable/disable a GC, a plain-English article on computerperformance.co.uk summarizes the role of a GC, and a particularly helpful TechNet article discusses GCs. If you log on w/ a UPN (email address), your workstation contacts the GC for a DC to authenticate to.

11/28/07

Replication

Learned more about replication between sites - site cost, inter/intra site scheduling, and manually triggering a replication. Not very exciting.

11/26/07

Alternate UPN suffixes

Tonight's study included folder redirection (which I've implemented at a school) and password policies.

Learned how to set a different UPN (User Principal Name) suffix so that people can sign into their computers or OWA using their email address! After adding the alternate UPN, you can select multiple user accounts in ADUC & set their UPN all at once. For future AD installations I think I'll always use email addresses as sign-ons. This is really nice.

11/20/07

Group policy, part 3

Watched the 200.1 video on gpoguy.com and have started skimming the FAQ on his site as well. Very helpful stuff. Here's what I learned from the video:

- Computer Config \ Admin Templates pertains to HKEY_Local_Machine
- User Config \ Admin Templates pertains to HKEY_Current_User

- Microsoft's policy templates (ADM files) can be "fully managed", that is, they are removed when the GPO is removed. On the other hand, "preferences" (from 3rd party developers) "tattoo" the registry, meaning they are not automatically removed when the policy is removed.

- You can have the group policy editor display ONLY configured policies.

I was troubleshooting GP application on a wireless desktop client today & disjoined/rejoined the domain, but could not get my group policy to be recognized. The event log said no domain controller could be found, so GP processing was aborted. I wonder if a wireless router between the client and domain controller is the culprit. Item #1 on GPOGuy's FAQ says that GP processing requires specific ports which are sometimes blocked by firewalls.

11/19/07

Group policy, part 2

Notes:

RSoP can be easily accessed from within Active Directory to see what policies apply to a workstation/user. To immediately test a GPO, first run GPUPDATE on the domain controller, then run GPUPDATE on the workstation.

Software distribution via GPO:

You can install MSI packages via GPO by "assigning" them to computers (full install) or users (installed at first use). Assigned packages are installed during Windows startup, before the login screen is shown. You can also make MSI packages available in the Control Panel via GPO by "publishing" them to users. For a walk-through on how to do this, see Brien Posey's article. To create your own MSI, check out this list of installers. I should try out the free Advanced Installer.

To learn more...

http://www.gpoguy.com/ - news, free tools and training videos
http://www.gpanswers.com/ - message board w/ an emphasis on advanced concepts

11/16/07

Group policy, part 1

Learned more about group policy tonight:

- If user and computer policies conflict, the user policy takes precedence.
- Folder redirection in a GPO takes precedence over user profile settings in AD.

Many third parties offer extensions to group policy.

If you have a GPO w/ user settings that have to be applied no matter who is logging into a particular computer, you can use loopback processing.

An impressive tool for evaluating disk usage is TreeSize.

Drive letter conflicts

iTunes couldn't access a home user's iPod Shuffle. Windows assigned it the letter "E". No network drive letters were present. When I plugged in my own flash drive (also assigned the letter "E"), my files weren't shown. You know why? A batch file was running at startup & using the "subst" command to assign the letter "E" to a folder on the "C" drive!

11/15/07

VoIP

My first experience w/ troubleshooting a Vonage VoIP device! I reset the Vedders wireless router this evening & knocked out their phone in the process. This was because their Linksys PAP2's IP was x.x.0.100 and the wireless router defaulted to x.x.1.1. Correcting the wireless router's IP fixed the problem!

11/14/07

Operation Masters

Tonight's study covered...

Domain and forest functional levels:
- 2000 mixed (compatible w/ NT 4.0)
- 2000 native (allows nested and universal security groups; SID history)
- 2003 (lets you rename domain controller)

Operation Masters:
- RID (relative IDs, required for new objects)
- PDC (syncs domain passwords and clocks)
- Infrastructure (object moves/renames and group membership)
- Domain Naming Master (ensures unique domain names in a forest)
- Schema Master (maintains the schema for a forest)

If you have multiple DCs in a domain, your global catalog server should not be the infrastructure master as well (causes infrastructure replication problems).

Active Directory Migration Tool:
- So cool. Lets you move users, groups, and computers from one domain to another.

11/13/07

RDP and NetDom

RDP w/ console access is really cool. You can use it from the command line "mstsc /v:<server> /console". Of course your target PC must be enabled for remote connections and you can't use an account w/ a blank password. In fact, to connect to the console, you must login w/ the same account that is logged on at the console. Once you connect, the user at the console has their screen locked for the duration of the RDP session. If the console user unlocks the screen, the RDP session is terminated.

Practiced renaming a domain controller with instructions from petri.co.il. The author said that it's undesirable, but didn't say why. Renaming a DC which also happens to be a certificate authority is a very bad idea (it invalidates your existing certificates and prevents new ones from being issued).

The steps:
- netdom computername <oldserverFQD> /add:<newserverFQD>
- netdom computername <oldserverFQD> /makeprimary:<newserverFQD>
- reboot
- netdom computername <newserverFQD> /remove:<oldserverFQD>
- I manually removed the old server name from DNS at this point.

11/12/07

Groups and trusts

Learned the AGDLP/AGUDLP concept this evening. This sets a "role based" model on top of a "resource based" model for best performance in the following areas: smaller ACLs on resources improves performance, easier management in multi-domain environments, smaller token size. HOWEVER, in a single-domain environment it's OK to assign global groups to resources and put your users directly in those GGs.

Also started learning about how to set up a trust between domains & heard of the Active Directory Migration tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transitive trust lets you talk to the spouse's family and friends (other trusted domains).

11/10/07

ASR

Practiced an ASR (automated system recovery) backup/restore today. I learned that the HD that you restore onto must be as large as, or larger than, the original HD. The ASR backup file must also be stored on locally attached media (no network access is available when the file is needed). If your ASR backup set is on read-only media, you'll get an error message (hit cancel to continue).

Two free utilities that I've found useful are ISO Recorder and Folder2ISO.

I'm using Parallels Virtual Machine for this, but if you are working on a real server w/ no floppy disk drive, you can use the free (32-bit) Virtual Floppy Drive 2.1 to fool NTBackup.

Unfortunately, there doesn't seem to be a good way to schedule ASR backups - I have no idea why. However, a program called Firestreamer-RM ($60) claims to schedule ASR backups, auto-initialize tape media, and even email the results to you. The last two reasons are why my employer standardized on NovaBackup instead of NTBackup.

What's the difference between an ASR backup and a normal backup + system state? ASR seems to speed up the process because the restoration of your system is integrated right into Windows setup - instead of having to go through the whole Windows setup and then do a restore.

For future reference, this page has a nice overview of restoring an Exchange server.

11/9/07

LostAndFound

Started learning about Active Directory and a container called LostAndFound. If one person modifies an object(s) in an OU that has just been deleted, moved, or renamed by a second person - but not yet replicated to the first person's server - then the object gets moved to LostAndFound. Also learned a bit about tombstoning and garbage collection.

11/6/07

70-293 - Passed!

Hurray! I passed 70-293 this evening. Went to the testing center at Davenport University in Grand Rapids, MI. Very nice facility w/ comfortable chairs and LCD monitors - I plan to return there for my remaining exams.

My 70-293 had a few questions about DHCP, DNS, WINS, NLB, clustering, backup, routing, and security templates...and a lot of questions about certificates, IPSec, and RRAS.

11/3/07

NLB, DFS, 2nd Shot

Last night I was lying on the floor in my room, staring at the laptop screen, wondering why my eyes felt strained...it was because the brightness on my screen was turned way down. Protecting my eyes suddenly feels very important to me as they are starting to feel tired. From now on I will work in good lighting w/ a bright laptop screen. I'm noncommittally contemplating a 22" LCD from Amazon for $230. However, I could replace my digital camera w/ a Canon SD1000 for $60 less than that.

Last night I learned about Network Load Balancing (NLB) which sounds like it's best for webservers and SQL databases. With "client affinity" enabled it can even maintain a session between a single client and a single server in the background (needed for databases). Clustering is only available in 2003 Enterprise ($800+ on eBay) and DataCenter editions. Clustering is more for high availability of changing network resources and requires a single point of storage that all the clustered servers can access. That point is called a quorum (probably a SAN or RAID setup).

Distributed File System (DFS) is used to organize file shares from multiple servers into a single point of access (e.g. a drive letter). It can also replicate data placed in one space into another geographical site (for faster access) or to a different server (for seamless failover/backup). It seems kind of clunky though and I have a hard time envisioning a really good use of DFS apart from fault tolerance for non-clustered file servers.

Registered for Microsoft's second shot offer (valid until January 30, 2008) which gives you one free retake on each $125 exam that you fail. I hope I don't need it!

Helpful thoughts on NLB unicast vs. multicast.

I read about Fibre Channel in Wikipedia & it sounds like it's a bus technology that is just a bit (25%) faster than SATA (and probably a lot more expensive). You would need 2-3x 1Gb NICs teamed together to completely harness the power of a single SATA drive.

Prometric

Microsoft is only doing exams through Prometric now, no longer w/ Pearson VUE.

11/1/07

Smart cards

This evening I learned about smart cards. www.usasmartcard.com offers reasonably priced cards, reader/writers, and even videos to help people get started. For some related humor, check out this posting.

There's no built-in way in Windows 2000/2003 to restrict concurrent domain logins. To address this problem, there's a free utility available from Microsoft and a commercial utility is available from Sonarware.

10/31/07

IPSEC II

Gave up on IPSec w/ Kerberos authentication. However, I can do IPSec w/ authentication via certificate or PSK. Notes:
-> If a policy isn't applied when you assign it, restart the IPSec service.
-> Normally, you can reset IPSec policies back to default settings; DCs are an exception.

10/30/07

Troubleshooting IPSec

Trying to get my Parallels virtual machines to talk to each other w/ IPSec. Downloaded Windows 2003 Resource Kit for the KerbTray.exe application. Discovered you don't get a Kerberos ticket if you login locally instead of to the domain (oops!). Still no go w/ IPSec...

10/25/07

Setup

Set up this blog via Google's "Blogger.com". It's neat because it integrates w/ my domain name and doesn't show any ads by default.

I passed my first MCSE exam (70-290) on March 21, and my second exam (70-291) on September 11.