Exchange 2

Notes from this evening's Exchange 2003 study:
- If possible, install Exchange on a server that does not also run Active Directory.
- You can set permissions on groups of servers by using Administrative groups.
- You can prevent individual accounts from using Outlook Web Access.
- Mailboxes are not created until they are logged into or receive a message.
- You can limit the message size that users are allowed to send and/or receive. I can think of two organizations where I need to implement this setting!


Exchange 1

I've finished studying for 70-620 and plan to take the exam within two weeks. I've started studying for 70-284 (Exchange). This evening's study covered the installation. Exchange 2003 is 32-bit only and can use up to 3GB of RAM, and then only when the /3GB boot switch is set.


Prevent users from clearing IE history

What do you do when you suspect that a user is going to bad sites on a company laptop, but they've cleared their history in Internet Explorer and deny any wrongdoing? You use group policy to prevent them from clearing their history! The setting is in User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Disable Changing History Settings" or "Disable Configuring History". Of course, there are other considerations as well: the user can switch to an alternate browser or route through an anonymous web proxy, and a local administrator can simply delete the history files. Treat the setting as a deterrent, not as evidence; if you need a record that holds up, log web traffic at a proxy or firewall the user cannot touch. Still, it's a neat setting to enable.

Vista 1

Well into studying for 70-620 "Configuring Windows Vista". It's informative and easy. I've enjoyed learning how to use the breadcrumbs while browsing the file structure; finding out what the Windows Defender does (spyware/malware scanner); and basically just becoming a lot more comfortable w/ the OS overall.


Domain trusts

Wow. I set out to establish a domain trust between ServerB and ServerA. The computer name and domain name of ServerA have both been renamed in the past. I ran into problems: the trust wizard thought I was trying to establish a trust w/ the same domain that it was running on (ServerB's domain name matched ServerA's former domain name). When renaming the domain earlier, I had forgotten to run rendom /clean and rendom /end. Before discovering this oversight, I used netdom to update ServerA's FQDN, did a search-and-replace on my DNS files to remove all references to the old domain name, tried tinkering w/ NTDSUtil and ADSIEdit, and felt very frustrated!

After resolving that issue, I received a different error message stating that my target was "not a valid Windows domain". This was solved by adding conditional forwarding to the DNS server in each domain. Now I could establish a trust relationship.

After the two-way trust was set up, all was well for users on ServerB. However, when ServerA users tried to browse ServerB by name, an error occurred: "Logon Failure: The target account name is incorrect". Running nslookup on ServerA revealed a problem w/ DNS ("Can't find server name for address x.x.x.x: Timed out"). I manually recreated a reverse lookup zone in DNS on ServerA (now nslookup reported "...Non-existent domain"), ran ipconfig /registerdns, and restarted the NetLogon service. That fixed the DNS problem (hurray!), but not the "Logon Failure".

Eventually, I found that a computer account for ServerB was present in ADUC on ServerA. Deleting that account solved the problem! This exercise has taken about five hours over two days.


Rename a domain

This evening I renamed the domain in a single domain, single DC environment. Thanks to msexchange.org for their article.

- Raised forest functional level to Server 2003
- Made a System State backup
- Executed rendom /list
- Edited the XML file, replacing references to the old domain name w/ the new
- Executed rendom /upload, rendom /prepare, rendom /execute

This completed successfully and triggered an automatic reboot w/ the message "The directory service is shutting down". After the reboot, I ran rendom /clean, rendom /end (this is important!).

Group policy objects are updated with gpfixup /oldDNS:GOLD.local /newDNS:PLATINUM.local /oldNB:GOLD /newNB:PLATINUM.

I still had a problem w/ the GPMC, but I opened it from within ADUC, edited a policy, exited GPMC, and then was able to re-open GPMC w/out any difficulties.

Lastly, restarted an XP workstation and verified that it was automatically updated.
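The step that is easiest to get wrong in the list above is editing the XML, because the file rendom /list writes (Domainlist.xml) also contains the DomainDnsZones and ForestDnsZones application partitions, which carry the old DNS name as a suffix and have no NetBIOS name. The following PowerShell is an added example, not from the post or the msexchange.org article; it assumes rendom /list was run in the current directory and uses the GOLD.local / PLATINUM.local names from the gpfixup line.

```powershell
# Added example: rewrite the Domainlist.xml that "rendom /list" produced so that
# every partition under the old DNS name gets the new one, then check that nothing
# still references the old name before "rendom /upload".
# Assumptions: the script runs where rendom wrote the file; names come from this post.
param(
    [string]$Path   = '.\Domainlist.xml',
    [string]$OldDns = 'gold.local',
    [string]$NewDns = 'platinum.local',
    [string]$OldNb  = 'GOLD',
    [string]$NewNb  = 'PLATINUM'
)

$full = (Resolve-Path $Path).Path
Copy-Item $full "$full.bak" -Force           # keep the original in case the rename must be backed out

[xml]$list = Get-Content $full
$suffix    = [regex]::Escape($OldDns) + '$'  # matches gold.local and DomainDnsZones.gold.local

foreach ($domain in @($list.Forest.Domain)) {
    if ($domain.DNSname -match $suffix) {
        $domain.DNSname = $domain.DNSname -replace $suffix, $NewDns
    }
    # Only the domain partition itself has a NetBIOS name; application partitions leave it empty
    if ($domain.NetBiosName -eq $OldNb) {
        $domain.NetBiosName = $NewNb
    }
}
$list.Save($full)

# Fail loudly rather than hand rendom a half-edited file
$leftover = Select-String -Path $full -Pattern $OldDns -SimpleMatch
if ($leftover) {
    throw "Old domain name still present in $full :`n$($leftover | Out-String)"
}
Write-Host "Updated $full. Next: rendom /upload, rendom /prepare, rendom /execute"
```

Keep the .bak copy until rendom /end has run; the GUIDs in the file are what rendom uses to match partitions, so never edit those, only the DNSname and NetBiosName elements.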



70-294 - Passed!

I passed 70-294 (42 questions) at Davenport University in Grand Rapids this afternoon. Group policy and AD sites were the primary focus.


Global Catalog servers

What's a global catalog server? It's a domain controller w/ searchable information about Active Directory objects stored in other domains throughout a forest. I think that the first domain controller in a forest is automatically selected to be a GC. In a single-domain environment, you only need that first GC. In multi-site, multi-domain environments, you may need to appoint other DCs as GCs.

Microsoft's article gives a quick run-down on how to enable/disable a GC, a plain-english article on computerperformance.co.uk summarizes the role of a GC, and a particularly helpful TechNet article discusses GCs. If you log on w/ a UPN (which looks like an email address), the domain controller handling the logon has to query a GC to find out which domain the account belongs to, so a GC must be reachable for UPN logons to succeed.



Learned more about replication between sites - site cost, inter/intra site scheduling, and manually triggering a replication. Not very exciting.


Alternate UPN suffixes

Tonight's study included folder redirection (which I've implemented at a school) and password policies.

Learned how to set a different UPN (User Principal Name) suffix so that people can sign into their computers or OWA using their email address! After adding the alternate UPN suffix, you can select multiple user accounts in ADUC & set their UPN all at once. For future AD installations I think I'll always use email addresses as sign-ons. This is really nice.
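The same two steps (register the suffix on the forest's Partitions container, then stamp userPrincipalName on a whole OU) can be scripted with ADSI, which is handy when the accounts already have a mail attribute you want the UPN to match. This is an added example, not from the post; the suffix, OU and domain names are placeholders, it assumes a domain-joined machine with PowerShell, and it only reports until $apply is set to $true.

```powershell
# Added example: add an alternate UPN suffix to the forest and set every user's UPN
# in one OU to their mail address (when it uses that suffix) or sAMAccountName@suffix.
# Assumed names: suffix example.com, OU=Users in gold.local. Dry run unless $apply = $true.
$suffix = 'example.com'
$ouPath = 'LDAP://OU=Users,DC=gold,DC=local'
$apply  = $false

# 1. The list of allowed suffixes lives on CN=Partitions in the configuration partition
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = [ADSI]('LDAP://CN=Partitions,' + $rootDse.configurationNamingContext.Value)
if ($partitions.Properties['uPNSuffixes'] -notcontains $suffix) {
    Write-Host "Registering UPN suffix $suffix"
    if ($apply) {
        $partitions.Properties['uPNSuffixes'].Add($suffix) | Out-Null
        $partitions.SetInfo()
    }
}

# 2. Walk the OU and compute the new UPN for each user object
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$ouPath)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500
foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()
    $sam  = [string]$user.Properties['sAMAccountName'].Value
    $mail = [string]$user.Properties['mail'].Value
    # Only reuse the mail address if its domain part is the suffix being registered;
    # a UPN with an unregistered suffix is accepted by LDAP but ADUC will not show it properly
    $upn = if ($mail -and $mail.EndsWith("@$suffix", 'OrdinalIgnoreCase')) { $mail } else { "$sam@$suffix" }
    $old = [string]$user.Properties['userPrincipalName'].Value
    if ($old -ne $upn) {
        Write-Host ("{0,-20} {1,-35} -> {2}" -f $sam, $old, $upn)
        if ($apply) {
            $user.Properties['userPrincipalName'].Value = $upn
            $user.SetInfo()
        }
    }
}
```

Run it once with $apply = $false and read the before/after list; UPNs must be unique forest-wide, so two accounts with the same mail address will collide at SetInfo time.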


Group policy, part 3

Watched the 200.1 video on gpoguy.com and have started skimming the FAQ on his site as well. Very helpful stuff. Here's what I learned from the video:

- Computer Config \ Admin Templates pertains to HKEY_Local_Machine
- User Config \ Admin Templates pertains to HKEY_Current_User

- Microsoft's policy templates (ADM files) write to the Policies keys in the registry and are "fully managed", that is, the values are removed when the GPO no longer applies. Settings written anywhere else in the registry (typically from custom or third-party ADM templates) are "preferences" that "tattoo" the registry, meaning they are not automatically removed when the policy is removed.

- You can have the group policy editor display ONLY configured policies.
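Whether a template tattoos is decided by the KEYNAME lines in the ADM file, so it can be checked before the template is ever imported. The function below is an added example, not from the post or gpoguy.com; it treats the two Policies roots (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies, under HKLM for CLASS MACHINE and HKCU for CLASS USER) as managed and flags everything else. It assumes PowerShell 3 or later, and the template it scans is constructed for the example.

```powershell
# Added example: scan an ADM template and flag every KEYNAME outside the Policies
# keys, i.e. a setting that will tattoo the registry when the GPO goes away.
# Assumes PowerShell 3+; the sample template below is constructed.
function Test-AdmTattoo {
    param([Parameter(Mandatory = $true)][string]$AdmPath)

    # Values under these roots (in HKLM or HKCU) are cleaned up when the GPO stops applying
    $managedRoots = @(
        'Software\Policies\',
        'Software\Microsoft\Windows\CurrentVersion\Policies\'
    )
    $class  = 'USER'
    $lineNo = 0
    foreach ($line in Get-Content -Path $AdmPath) {
        $lineNo++
        if ($line -match '^\s*CLASS\s+(USER|MACHINE)\b') {
            $class = $Matches[1].ToUpper()     # CLASS decides the hive for the KEYNAMEs that follow
            continue
        }
        # KEYNAME may be quoted or bare and may carry a trailing ; comment
        if ($line -match '^\s*KEYNAME\s+"?([^";]+?)"?\s*(;.*)?$') {
            $key     = $Matches[1].Trim().TrimEnd('\') + '\'
            $managed = $false
            foreach ($root in $managedRoots) {
                if ($key -like "$root*") { $managed = $true }
            }
            $hive = if ($class -eq 'MACHINE') { 'HKLM' } else { 'HKCU' }
            [pscustomobject]@{
                Line    = $lineNo
                Hive    = $hive
                Key     = $key.TrimEnd('\')
                Tattoos = -not $managed
            }
        }
    }
}

# Constructed sample: one managed policy and one preference that tattoos
$sample = @'
CLASS MACHINE
CATEGORY "Example App"
  POLICY "Managed setting"
    KEYNAME "Software\Policies\Example\App"
    VALUENAME "Enabled"  VALUEON NUMERIC 1  VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Preference that tattoos"
    KEYNAME Software\Example\App
    VALUENAME "Enabled"
  END POLICY
END CATEGORY
'@
$admFile = Join-Path $env:TEMP 'example.adm'
Set-Content -Path $admFile -Value $sample
Test-AdmTattoo -AdmPath $admFile | Format-Table -AutoSize
```

For the sample, the first KEYNAME (line 4) reports Tattoos = False and the second (line 8) reports Tattoos = True. Point the function at a vendor's real ADM file before deploying it, and plan a clean-up GPO for any key it flags.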

I was troubleshooting GP application on a wireless desktop client today & disjoined/rejoined the domain, but could not get my group policy to be recognized. The event log said no domain controller could be found, so GP processing was aborted. I wonder if a wireless router between the client and domain controller is the culprit. Item #1 on GPOGuy's FAQ says that GP processing requires specific ports which are sometimes blocked by firewalls.
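A quick way to test the "blocked ports" theory from the client's side is to try TCP connections to the services Group Policy processing depends on. The function below is an added example, not from the post or the GPOGuy FAQ; it probes DNS, Kerberos, RPC endpoint mapper, LDAP, SMB (for SYSVOL) and the global catalog over TCP only, so a block on UDP 53/88 or on the dynamic RPC ports above 1024 would not show up here. The DC name is a placeholder and PowerShell 3 or later is assumed.

```powershell
# Added example: check the TCP ports Group Policy processing needs against a DC.
# UDP (DNS, Kerberos) and the dynamic RPC range are not probed; assumes PowerShell 3+.
function Test-GpoPorts {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [int]$TimeoutMs = 2000
    )
    $ports = @{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (SYSVOL / NETLOGON shares)'
        3268 = 'Global catalog (LDAP)'
    }
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($DomainController, $port, $null, $null)
        # WaitOne returns $false on timeout; EndConnect throws on an active refusal
        $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($open) {
            try { $client.EndConnect($async) } catch { $open = $false }
        }
        $client.Close()
        [pscustomobject]@{ Port = $port; Service = $ports[$port]; Open = $open }
    }
}

# Placeholder DC name; run from the wireless client that fails to apply policy
Test-GpoPorts -DomainController 'dc1.gold.local' | Format-Table -AutoSize
```

If 445 or 389 shows Open = False while the DC answers ping, the router or a host firewall in between is the culprit; if everything is open, look at DNS next, because "no domain controller could be found" is just as often a client that cannot resolve the _ldap._tcp SRV records.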


Group policy, part 2


RSoP can be opened from within ADUC (right-click a user or computer, All Tasks) to see what policies apply to a workstation/user. To test a GPO change immediately, make sure the edit has replicated to the domain controller the workstation authenticates against, then run GPUPDATE /FORCE on the workstation.

Software distribution via GPO:

You can install MSI packages via GPO by "assigning" them to computers (full install) or users (installed at first use). Assigned packages are installed during Windows startup, before the login screen is shown. You can also make MSI packages available in the Control Panel via GPO by "publishing" them to users. For a walk-through on how to do this, see Brian Posey's article. To create your own MSI, check out this list of installers. I should try out the free Advanced Installer.

To learn more...

http://www.gpoguy.com/ - news, free tools and training videos
http://www.gpanswers.com/ - message board w/ an emphasis on advanced concepts


Group policy, part 1

Learned more about group policy tonight:

-If the same setting is configured under both Computer Configuration and User Configuration and the two conflict, the computer setting generally takes precedence.
-Folder redirection in a GPO takes precedence over user profile settings in AD.

Many third parties offer extensions to group policy.

If you have a GPO w/ user settings that have to be applied no matter who is logging into a particular computer (kiosks, terminal servers), you can use loopback processing: "replace" mode ignores the user's own GPOs entirely, while "merge" mode applies both and lets the computer's user settings win any conflicts.

An impressive tool for evaluating disk usage is TreeSize.

Drive letter conflicts

iTunes couldn't access a home user's iPod Shuffle. Windows assigned it the letter "E". No network drive letters were present. When I plugged in my own flash drive (also assigned the letter "E"), my files weren't shown. You know why? A batch file was running at startup & using the "subst" command to assign the letter "E" to a folder on the "C" drive!



My first experience w/ troubleshooting a Vonage VoIP device! I reset the Vedders' wireless router this evening & knocked out their phone in the process. This was because their Linksys PAP2's IP was x.x.0.100 and the wireless router defaulted to x.x.1.1. Correcting the wireless router's IP fixed the problem!


Operation Masters

Tonight's study covered...

Domain and forest functional levels:
- 2000 mixed (compatible w/ NT 4.0)
- 2000 native (allows nested and universal security groups; SID history)
- 2003 (lets you rename domain controllers; at forest functional level 2003, the domain itself)

Operation Masters:
- RID (relative IDs, required for new objects)
- PDC (syncs domain passwords and clocks)
- Infrastructure (keeps cross-domain references current, e.g. group members that live in another domain, after those objects are moved or renamed)
- Domain Naming Master (ensures unique domain names in a forest)
- Schema Master (maintains the schema for a forest)

If you have multiple DCs in a domain, your global catalog server should not be the infrastructure master as well (causes infrastructure replication problems).

Active Directory Migration Tool:
- So cool. Lets you move users, groups, and computers from one domain to another.


RDP and NetDom

RDP w/ console access is really cool. You can use it from the command line "mstsc /v:<server> /console". Of course your target PC must be enabled for remote connections and you can't use an account w/ a blank password. In fact, to connect to the console, you must login w/ the same account that is logged on at the console. Once you connect, the user at the console has their screen locked for the duration of the RDP session. If the console user unlocks the screen, the RDP session is terminated.

Practiced renaming a domain controller with instructions from petri.co.il The author said that it's undesirable, but didn't say why. Renaming a DC which also happens to be a certificate authority is a very bad idea (it invalidates your existing certificates and prevents new ones from being issued).

The steps:
- netdom computername <oldserverFQDN> /add:<newserverFQDN>
- netdom computername <oldserverFQDN> /makeprimary:<newserverFQDN>
- reboot
- netdom computername <newserverFQDN> /remove:<oldserverFQDN>
- I manually removed the old server name from DNS at this point.


Groups and trusts

Learned the AGDLP/AGUDLP concept this evening. It layers a "role based" model (accounts in global groups) on top of a "resource based" model (domain local groups on the ACL), which keeps ACLs on resources small, makes multi-domain environments easier to manage, and keeps the user's logon token small. HOWEVER, in a single-domain environment it's OK to assign global groups to resources and put your users directly in those GGs.
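The layering is easiest to see in the commands that build it. The following is an added example, not from the post, using only the built-in Server 2003 tools (dsadd, dsmod, cacls) run from PowerShell; the domain, OU, user and share names are placeholders.

```powershell
# Added example: AGDLP with the built-in dsadd/dsmod/cacls tools.
# Placeholder names: domain gold.local, OU=Groups and OU=Users, share folder D:\Shares\Finance.
$domainDN = 'DC=gold,DC=local'
$groupOU  = "OU=Groups,$domainDN"
$userOU   = "OU=Users,$domainDN"
$share    = 'D:\Shares\Finance'

# A -> G : accounts go into a global group that names a role, never a resource
& dsadd group "CN=G-Finance-Staff,$groupOU" -secgrp yes -scope g `
    -desc 'Role: finance staff' `
    -members "CN=Alice Adams,$userOU" "CN=Bob Brown,$userOU"

# G -> DL : the role group is nested in a domain local group that names a resource and a permission level
& dsadd group "CN=DL-FinanceShare-Modify,$groupOU" -secgrp yes -scope l `
    -desc 'Resource: \\fs1\Finance, Modify' `
    -members "CN=G-Finance-Staff,$groupOU"

# DL -> P : only the domain local group appears on the ACL (/E edits in place, C = Change)
& cacls $share /E /G 'GOLD\DL-FinanceShare-Modify:C'

# Later, a new hire touches the role group only; the ACL on the share never changes
& dsmod group "CN=G-Finance-Staff,$groupOU" -addmbr "CN=Carol Cruz,$userOU"
```

The payoff shows up at audit time: to answer "who can modify Finance?" you read one ACE and expand one domain local group, and to revoke access you remove a user from one global group, with no visit to the file server.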

Also started learning about how to setup a trust between domains & heard of the Active Directory Migration tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transitive trust lets you talk to the spouse's family and friends (other trusted domains).



Practiced an ASR (automated system recovery) backup/restore today. I learned that the HD that you restore onto must be at least as large as the original HD. The ASR backup file must also be stored on locally attached media (no network access is available when the file is needed). If your ASR backup set is on read-only media, you'll get an error message (hit cancel to continue).

Two free utilities that I've found useful are ISO Recorder and Folder2ISO.

I'm using Parallels Virtual Machine for this, but if you are working on a real server w/ no floppy disk drive, you can use the free (32-bit) Virtual Floppy Drive 2.1 to fool NTBackup.

Unfortunately, there doesn't seem to be a good way to schedule ASR backups - I have no idea why. However, a program called Firestreamer-RM ($60) claims to schedule ASR backups, auto-initialize tape media, and even email the results to you. The last two reasons are why my employer standardized on NovaBackup instead of NTBackup.

What's the difference between an ASR backup and a normal backup + system state? ASR seems to speed up the process because the restoration of your system is integrated right into Windows setup - instead of having to go through the whole Windows setup and then do a restore.

For future reference, this page has a nice overview of restoring an Exchange server



Started learning about Active Directory and a container called LostAndFound. If one person modifies an object(s) in an OU that has just been deleted, moved, or renamed by a second person - but not yet replicated to the first person's server - then the object gets moved to LostAndFound. Also learned a bit about tombstoning and garbage collection.


70-293 - Passed!

Hurray! I passed 70-293 this evening. Went to the testing center at Davenport University in Grand Rapids, MI. Very nice facility w/ comfortable chairs and LCD monitors - I plan to return there for my remaining exams.

My 70-293 had a few questions about DHCP, DNS, WINS, NLB, clustering, backup, routing, and security templates...and a lot of questions about certificates, IPSec, and RRAS.


NLB, DFS, 2nd Shot

Last night I was lying on the floor in my room, staring at the laptop screen, wondering why my eyes felt strained...it was because the brightness on my screen was turned way down. Protecting my eyes suddenly feels very important to me as they are starting to feel tired. From now on I will work in good lighting w/ a bright laptop screen. I'm non-commitally contemplating a 22" LCD from Amazon for $230. However, I could replace my digital camera w/ a Canon SD1000 for $60 less than that.

Last night I learned about Network Load Balancing (NLB) which sounds like it's best for web servers and SQL databases. With "client affinity" enabled it can even maintain a session between a single client and a single server in the background (needed for databases). Clustering is only available in 2003 Enterprise ($800+ on eBay) and DataCenter editions. Clustering is more for high availability of changing network resources and requires a single point of storage that all the clustered servers can access. That point is called a quorum (probably a SAN or RAID setup).

Distributed File System (DFS) is used to organize file shares from multiple servers into a single point of access (e.g. a drive letter). It can also replicate data placed in one space into another geographical site (for faster access) or to a different server (for seamless failover/backup). It seems kind of clunky though and I have a hard time envisioning a really good use of DFS apart from fault tolerance for non-clustered file servers.

Registered for Microsoft's second shot offer (valid until January 30, 2008) which gives you one free retake on each $125 exam that you fail. I hope I don't need it!

Helpful thoughts on NLB unicast vs. multicast.

I read about Fibre Channel in Wikipedia & it sounds like it's a bus technology that is just a bit (25%) faster than SATA (and probably a lot more expensive). You would need 2-3x 1Gb NICs teamed together to completely harness the power of a single SATA drive.


Microsoft is only doing exams through ProMetric now, no longer w/ Pearson VUE.


Smart cards

This evening I learned about smart cards. www.usasmartcard.com offers reasonably priced cards, reader/writers, and even videos to help people get started. For some related humor, check out this posting.

There's no built-in way in Windows 2000/2003 to restrict concurrent domain logins. To address this problem, there's a free utility available from Microsoft and a commercial utility is available from Sonarware.



Gave up on IPSec w/ Kerberos authentication. However, I can do IPSec w/ authentication via certificate or PSK. Notes:
-> If a policy isn't applied when you assign it, restart the IPSec service.
-> Normally, you can reset IPSec policies back to default settings; DCs are an exception.
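A pre-shared-key policy like the one that finally worked can be built from the command line instead of the IP Security Policy snap-in, which makes it repeatable on the second VM. This is an added example, not from the post; it uses the netsh ipsec static context (Server 2003, XP SP2 and later), the peer address, policy name and key are placeholders, and the PSK is stored readable in the policy store, so this is a lab-only configuration. For production use the certificate or Kerberos authentication the post mentions.

```powershell
# Added example: a minimal "require ESP to one peer" policy with a pre-shared key,
# built with netsh ipsec static. Placeholder names/addresses; the PSK is lab-only
# because it is stored in clear in the IPsec policy store.
$policy = 'Lab-RequireESP'
$peer   = '192.168.1.20'
$psk    = 'lab-only-shared-secret'

# Policy container (not assigned yet), a filter list with one mirrored host-to-host filter,
# and a filter action that negotiates ESP and refuses to fall back to clear text
netsh ipsec static add policy "name=$policy" "description=Require ESP to $peer" assign=no
netsh ipsec static add filterlist "name=${policy}-Filters"
netsh ipsec static add filter "filterlist=${policy}-Filters" srcaddr=me "dstaddr=$peer" protocol=ANY mirrored=yes
netsh ipsec static add filteraction "name=${policy}-Negotiate" action=negotiate inpass=no soft=no "qmsecmethods=ESP[3DES,SHA1]"

# The rule ties list, action and authentication together; kerberos=no forces the PSK
netsh ipsec static add rule "name=${policy}-Rule" "policy=$policy" "filterlist=${policy}-Filters" "filteraction=${policy}-Negotiate" kerberos=no "psk=$psk"

# Assign it, then verify. If the policy does not take effect, restart the IPSEC Services
# service (PolicyAgent), as noted in the post.
netsh ipsec static set policy "name=$policy" assign=yes
netsh ipsec static show policy "name=$policy" level=verbose
# Restart-Service PolicyAgent
```

Run the same script on the peer with $peer pointed back at this host and the identical $psk; the first ping between them will stall for a few seconds while the security associations are negotiated, and "netsh ipsec dynamic show sa" then lists the ESP pair. With soft=no, a peer that lacks the policy simply cannot talk to this host, which is the behaviour you want from "require".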


Troubleshooting IPSec

Trying to get my Parallels virtual machines to talk to each other w/ IPSec. Downloaded Windows 2003 Resource Kit for the KerbTray.exe application. Discovered you don't get a Kerberos ticket if you login locally instead of to the domain (oops!). Still no go w/ IPSec...



Setup this blog via Google's "Blogger.com". It's neat because it integrates w/ my domain name and doesn't show any ads by default.

I passed my first MCSE exam (70-290) on March 21, and my second exam (70-291) on September 11.