How do you uninstall the corporate version of Symantec antivirus if it's password protected & you don't know the password?
First, try the word "symantec". If that doesn't work, open regedit and navigate to HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security. Change the useVPuninstallpassword from 1 to 0. Close the registry editor and retry the uninstall.
A month ago, I copied all the files from a repaired HD onto a new, blank HD for a laptop running Windows Vista. After repairing the boot sector on the new drive, I was able to boot into Vista just fine. The puzzling thing was that none of the programs installed by the Windows Installer had an icon! This was because my file copy program had skipped C:\Windows\Installer.
For more reading, about icon issues, see these links:
1) Place a DHCP server on every subnet
2) Enable BOOTP in the router(s)
3) Place a DHCP relay agent on every subnet. The relay agent picks up a client's multicast request for an IP address and then unicasts that to the DHCP server...which unicasts a response to the relay agent and then the relay agent broadcasts that IP address to the client.
If you have a DHCP server and a relay agent on the same subnet, how do you know that the server will respond first? DHCP relay agent settings can be found in RRAS, and there's a setting called "Boot threshold" which lets you tell the agent to wait several seconds to see if a DHCP server will respond.
A "split scope" is a way to create fault-tolerance for DHCP. On subnets "A" and "B", you use both a DHCP server and a DHCP relay agent. Each DHCP server can assign up to 80% of its IP addresses and the server in the other subnet holds the other 20% (the percentage is flexible). This way, if one DHCP server dies, the associated relay agent can forward requests to the other server and receive a valid address for the original subnet.
To paraphrase, a DHCPDiscover broadcast says "Hi, my MAC address is blah-blah-blah and I used to have IP address blah-blah-blah. Are there any DHCP servers available to re-assign this address to me?". It receives an IP and subnet. Then it says "Thanks, I'm also looking for a default gateway and a DNS server - do you have that info?". Here's a really good article on this topic.
Two other methods of fault-tolerance for DHCP are to cluster your DHCP servers or to use the "alternate configuration" in Windows XP.
In a big organization, it makes sense to keep the "root domain" of your forest empty (w/ only the Administrator account active - and assigned a good password) to protect the Enterprise Admins and Schema Admins group from misuse.
When I created a new zone on my test DNS server, I found that unqualified hostnames failed in nslookup. Using group policy (Computer\Admin\Network\DNS) I added an entry to the DNS suffix search order for the zone that had previously failed the nslookup. After fixing a subnet mask on my test workstation (oops) and rebooting (to apply the machine-level group policy), it worked!
DNS...I'm comfortable with primary zones, ADI, forwarding, and recursion. Secondary zones are read-only copies of a primary server. In Server 2003 they don't seem to have any value. They can not be integrated into Active Directory. If you have a DNS server that needs to know about DNS servers in other forests, you can use a stub zone to avoid zone transfer traffic. It seems that secondary zones used to be handy for fault tolerance and load balancing, however that's a non-issue with ADI zones. According to informit.com, a BIND server can receive a secondary copy of an ADI zone.
It just occurred to me this evening that the default "ClientApps" share on Server 2003 is probably intended for applications published to clients via group policy in their Add/Remove Programs applet.
Server 2003 (Standard) minimum system requirements are a 133MHz x86 CPU, 128MB of RAM, and 2.0 GB of available HD space. Server 2003 supports three processor architectures: x86 32-bit, x86 64-bit, and Itanium. This means that Server 2003 does NOT run on RISC processors.
To bone up on RADIUS, I followed instructions to install IAS and configure RRAS to use it. It worked! I ran IAS and RRAS on the same server.
Operations masters - it seems I'm weak on these. They used to be called FSMO (fiz-mo) for Flexible Single Master Operation. The concept of Active Directory is a "multi-master" one overall, but there are some roles that only a single DC handles. Two of these are at the forest level: schema master and domain naming master. Three others are at the per-domain level: RID master (sort of the "master domain controller" - it allocates domain RIDs to the DCs for use in SIDs); Infrastructure Master (only important in multidomain environments - in which case it shouldn't be on a GC server); and the PDC Emulator, which handles password changes and account lock-outs. It's also the authoritative time source in a domain.
I think if I bandwidth isn't an issue, every DC in a small domain should be a GC.
For a short-term disaster recovery simulation, you only need a PDCe available. However, if you restore a DC from backup, it will invalidate its RID pool and need access to a RID master to replenish it for new object creation. See here and here.
When you install a Server 2003 box in a Windows 2000 forest, you have to update the 2000 AD schema for the new features in 2003's version of Active Directory. You do this by running adprep /forestprep on your forest's schema master & adprep /domainprep on each domain's infrastructure master.
In other news, SP1 for Vista was released on the 18th.
Create a Google Apps account.
Follow instructions to change MX records for your domain (via CPanel).
Follow instructions to change custom webmail URL (via support ticket with web host - CPanel doesn't support this).
Log into each webmail account and enable POP or IMAP access.
Follow instructions to configure your mail client (e.g. Outlook Express)
- You login to pop.gmail.com:995 as email@example.com
I think this will provide good spam filtering for free - and might therefore be useful for nonprofits and small businesses who don't want to purchase Outlook 2003 for their users. Outlook 2003 has an excellent built-in spam filter, updated monthly by Microsoft via Microsoft Update.
echo Verify that you've backed up and dismounted the Exchange Store!
echo Press Ctrl + C to cancel...
cd "C:\Program Files\Exchsrvr\BIN"
eseutil /d ..\mdbdata\priv1.edb
1) Batch file:
NET LOCALGROUP Administrators /ADD "YourDomain\YourDomainGroup"
On Error Resume Next
MyDomainName = "InsertYourDomainName
MyDomainGroup = "InsertYourDomainGroup
Set x = WScript.CreateObject("WScript.Shell")
Set Local_Admins=getobject("WinNT://" & ComputerName & "/Administrators,group")
Local_Admins.add ("WinNT://" & MyDomainName & "/" & MyDomainGroup & ",group")
Computer startup scripts run with practically unlimited local permission; logon scripts rely on the current user's permission.
After installation, you open the ADMT as an MMC snap-in on the target domain controller. Your target domain must be in domain native mode. User and computer accounts get migrated in separate steps; then you remotely run an “agent” on the workstations that you’re migrating to join them to the new domain and reset all the necessary file/registry permissions.
In order for this agent to run, your user account in the target domain must have local admin rights on the workstations. Automating the process may be the topic of another post. I did it manually by adding \\gold\Domain Admins to \\silver\Trusted-Admins
I couldn’t add \\gold\Domain Admins to \\silver\Domain Admins because both groups are global. Remember that global groups are great travelers, but poor hosts. Also found that I couldn’t place an individual user account from one domain in another domain’s group.
If you don’t have local admin rights to the workstations, the ADMT agent will report “access is denied” to the ADMIN$ share. The workstations also need need to have the same primary DNS server as the target domain controller(s).
By the way, during the course of this exercise I raised my forest functional level and learned that the Enterprise Admins group only exists on domain controllers in the “root domain” of a forest. You have to be in that group to make any schema changes (e.g. modifying the forest).
By default, the ADMT does not migrate user passwords; instead is sets the migrated user accounts to “change password at next login”.
After the ADMT agent runs, it reboots the workstation & viola! You’re finished! This is so cool.
Powered on a virtual workstation (XP1) and joined the second domain. After rebooting, XP1 saw every domain in the forest - meaning DOMAIN1, DOMAIN2, and XP1. A quick Google search determined that this list is not editable, but that you can set a default domain for a PC and then hide the domain list.
Windows workstations cache domain credentials for up to 10 offline logins. To change/disable this, edit a group policy: Computer > Windows > Security > Local > Interactive logon: Number...
After a slow initial login on XP1, I checked the event log and found complaints that the domain controller was inaccessible. Creating reverse DNS entries appeared to resolve this (though maybe it just needed more time).
Lastly, I assigned a batch file login script to XP1 via group policy, but noted that my PAUSE command was ignored.
Windows allows you turn off Global Catalog functionality completely in a domain, but if you try to create a user after that, it reports "Windows cannot verify that the user name is unique because the following error occurred while contacting the global catalog: The directory service is unavailable. Windows will create this user account, but the user can log on only after the user name is verified to be unique. Make the sure the global catalog is available." If the user that you create in this offline state is a duplicate, the global catalog server will keep the duplicate account name but assign a unique SID and append gibberish to the name in AD.
A cool tool for viewing an account's SID or last logon/off date comes with the Server 2003 Resource Kit. After you download and install the kit (it's free), run regsvr32 "C:\Program Files\Windows Resource Kits\Tools\acctinfo.dll".
Despite the fact that my two domain controllers are running in the default forest/domain modes, intrasite replication happens almost immediately! I thought you'd have to wait 15 minutes or 5 minutes or 15 seconds.
In other news, Windows Server 2008 was released yesterday (February 28) and I took 70-297 last Saturday, but failed.
What was wrong? File and Printer Sharing had been disabled on the LAN interface (and enabled on the WAN)! This generated lots of errors in the event log, including event 1058 and 1030, because Windows couldn't access the SYSVOL share via UNC path (in fact, while shares were visible via \\servername, double-clicking on any of them merely brought up a username/password prompt). After correcting this, users could once again access shared resources on the server, but they still couldn't access the Internet.
It turned out that the LAN interface had recently been replaced or renamed...so RRAS wasn't doing NAT on the renamed interface. Right-clicking in RRAS/NAT and choosing "Add interface" quickly resolved the problem.
1. Connect the infected hard drive to a spare PC running Windows XP or Vista so you can freely access the file system.
2. Search the Windows directory for recently created/modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin, *.scr files. Configure the search results to display the file’s publisher and version number.
Recently created or modified files which do not display a publisher are probably malware and should be disabled (by appending a different file extension, e.g. *.bad). Files that do have a legitimate publisher but were recently modified, are probably corrupt and can be replaced by an older (clean) copy displaying the same version number.
Lastly, run HijackThis to cleanup any remaining traces of infection.
I've used this method to remove malware missed by NOD32 and Spyware Doctor.
- Control AD replication traffic
- Ensure that users logon to a local DC rather than crossing a WAN link during login
As a general rule of thumb, you should install a domain controller in a branch office if there are 50+ users, and you should install a global catalog if there are 100+ users.
There are three reasons to have an OU:
- To delegate administration
- To apply group policies
- To hide resources
At the same site, I drastically shortened the amount of time that Exchange spends on retrying message delivery so that users are quickly notified when there's a delivery problem.
Someday, I would like to take Test Out's SQL course or CBT Nuggets' SQL course.
When assigning logon/off scripts via group policy, you must use a UNC path.
- User Config -> Admin Templates -> Start & Taskbar:
Add "Log off" to start menu
Disable and remove "Shutdown" from start menu
- User Config -> Admin Templates -> Windows Explorer:
Hide specified drives... (restricting all drives includes network drive letters!)
This hid most of the local drives on the server, leaving just the mapped network drive for the users' data. However, if they started typing a path in any address bar, folders in the "hidden" drives were listed as auto-complete options. To avoid this, I disabled autocomplete (effective for both Windows Explorer and Internet Explorer):
- User Config -> Windows Settings-> IE Maintenance-> Advanced-> Internet Settings
- How to mail enable a public folder (I haven't tested this)
- Free/Busy data is kept in a systm Public Folder
- RPC over HTTPS can replace a VPN for checking email with Outlook 2003
- You can configure real-time block lists (RBLs) to reduce spam
Recently had a client ask us to simplify their email setup. Every user's Outlook was configured w/ a POP3 account which saved mail into an Exchange mailbox (rather than a PST file). Starting with one user as my "guinea pig", I removed his POP3 account in Outlook (retaining only the Exchange account), and created an entry for him in the Exchange server's POP3 connector. Also reconfigured the server's SMTP connector with current information.
The first time I tried to send a message to my own email address it bounced back w/ error 550, so I enabled SMTP authentication in the connector.
Next, I tried emailing two people who share the organization's domain name but who don't use the Exchange server. That test bounced back w/ error 5.1.1 (recipient doesn't exist). I checked the recipient policy in System Manager and found that the check box for "This Exchange Organization is responsble for all mail delivery..." was grayed out. So...I created a new policy (leaving that check box blank) and created an additional SMTP connector just for this organization's domain - with relaying enabled. Many, many thanks to msexchange.org for their article on SMTP Namespace Sharing.
Eventually, I found a site that noted a correlation between group policy errors and AMD's multi-core CPUs. The server has an AMD processor, so I pinged the localhost and got some wild numbers in response. Installing a patch from AMD (their "Dual-Core Optimizer") resolved the incorrect ping times, the application log errors, and my issues with group policy!
- Address lists (e.g. creating lists other than the GAL; replacing the default OAB).
- Mailbox stores. It seems that a single mailbox store consists of two files, the .edb file and .stm file (MDBEF and MIME formats, respectively)...and one or more log files.
- Moving mailbox stores to different disks, and mailboxes into different stores.
In Exchange 2003 Standard w/ SP2, you can have a single mailbox store of up to 75GB. In the Enterprise version you can have up to 20 stores which, I think, can each be up to 8TB in size. Wow.
There's also something called circular logging which prevents Exchange from saving zillions of log files and thereby chewing up your disk space. The downside of enabling this is that it somehow reduces your disaster recovery options and requires that you regularly run a full backup of your stores. Of course, you can also keep logging enabled and do frequent backups & the backups will automatically delete the log files. So, there's little value in using circular logging.
The two database files, the .edb and .stm files have something to do with MAPI (i.e. "Outlook") and non-MAPI clients (i.e. everything else), but I'm not quite sure what.
Haven't figured out what an X400 address is, but one site says that you can't disable it.
Deleted items retention - it's a great feature. I've used it on two occasions to make people very happy. In one case, a user accidentally deleted her items. On the other occasion, an employee was terminated (but her user account was left enabled) and she logged in from home to delete emails via OWA. We recovered those emails, but what if the employee had known about DIRT (deleted items retention time) and what if the employee had purged those messages via OWA? We would've had to do a restore from backup...and that would've been very time-consuming ('cause so far, I've never restored an Exchange backup!). Microsoft tells how to hide the relevant command in Outlook via GP, but that won't help w/ OWA. There's a helpful post about this general topic at Experts-Exchange.
Dynamically updated groups let people email everyone in Active Directory who is in a specific department or who has a middle initial of "J". This is for distribution groups who's membership changes frequently.