Kevin Remde's IT Pro Weblog

  • How do I find a Microsoft event coming to my area?

    I may have blogged about this before.  And I do think it’s a very useful tool.  But it still needs improving…

    The Events and Webcasts team responsible for the site have built a handy search page.  You can find out about events by:

    • who you are (IT Pro, Developer, Home PC user, Information Worker, etc.),
    • what product you’re interested in (or just “All Products”),
    • what type of event (In-Person, Live Webcast, or On-Demand Webcast),
    • location (by country and state or province), and
    • within a time frame (anytime, within 30 days, 30–60 days, etc.)

    The result is a nice list of links to the events matching your wishes.

    “Sounds great, Kevin.  What could need improving?”

    Well, my main suggested improvement for this site would be the ability to generate an RSS link that automatically populates a list of results based on these criteria. Then a person could just watch their feed for new events as they become available – kinda like the cool link you can generate if you visit the MSDN Events site’s “Custom RSS Feeds” page, and what we’ll have soon for our TechNet Briefings, also.

    Also – let me choose more than one product.  Give me a multi-select list where I can check off all of the products I use the first time I hit the site.

    If both of those suggestions were implemented, it would mean that I would never have to visit that site again… unless I wanted to add or drop a product from my list of “what’s interesting to me”.  That would be cool. 

  • Windows Server 2003 Administration Webcast Series (Part 12 - Maintenance and Updates) Q-n-A

    Here is this week’s “best of” Q&A log from the webcast.  Sincere thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  You guys rock!

    Also, I want to make sure you also have the link to the Session Resources I posted for Part 12, and the homework assignment.

    Part 12 Questions and Answers:

    “Will the earlier sessions in this series be made available for download? I notice that only the last 4 or so had the option to download and watch later.”

    We will be making all of these available for download; they should be available within the next few weeks. Thx!

    “Hi! How long will the recorded web cast be available?”

    It should be available for at least a year if not two.  And of course I’ll have a copy of it forever if you want it after it’s gone from the events sites. :)

    “Will WSUS work with W2003 SBS?”

    Yes, although in general it is not recommended to install WSUS to a DC. If you have the option, you would want to install it to a separate server.

    “Can WSUS run without Active Directory? If so, how?”

    Yes. You simply install it to a server based machine. You then use Registry settings or Local Policy to allow clients to connect. The full instructions are of course a part of the setup docs included with WSUS.

    “Is WSUS the merging of SUS and WUS??”

    WSUS is the next version/evolution of SUS.  SUS was going to be named SUS 2.0, then Windows Update Services (WUS), and now the final and forevermore name is Windows Server Update Services (WSUS).

    “Is BITS 2.0 installed by default on 2003 server standard, or do you have to download it?”

    It is a separate download. See the following --

    “Should the SUS server be a standalone server, or can it be run from a server performing other functions.  If so, what is the load requirements for determining which of my servers I should run it from?”

    SUS / WSUS should ideally run on a server separate from other network services. System requirements are posted here --

    “Is WSUS still in RC?  If so, when is it expected to be released?”

    Yes it is - See the following for release dates as they get posted --

    “When is the anticipated release date for WSUS?  I understand it's still a release candidate.”

    You will have to monitor the site for the information --

    “Is this the final version or is it still in BETA?”

    It is in Release Candidate Status --

    “Is WSUS available now, or is it still in beta?”

    RC Status -

    “If you already have an SUS server, do you have to make any changes to the group policy if you deploy WSUS?”

    No, however, the final product may have additional options you CAN configure.

    “I just started getting this error on my WSUS server. There was an error adding updates to the database. Please try to synchronize again, or check your database configuration. 4/27/2005 The metadata for the update was invalid and could not be processed successfully by the database.”

    You will need to check the WSUS site for support options since it is still not a released product.  There is also information on the WSUS site for posting Bug Information --

    “If you select automatic updates on a SBS2003 what happens if an update needs to reboot?”

    You should NOT set the Server itself to automatically update.  However, if you do, it will perform as any other client does.

    “Can the update files reside on a share pointed to by DFS taking advantage of site awareness of Windows XP to find the file share to pull the updates from?  Or, do the updates have to come from a WSUS server?”

    What we support is having them come from the WSUS Server at this time. This may change when the product releases.

    “Does WSUS work with remote computers connecting for a small amount of time, or do you need to be connected for extended period to ensure updates are pushed to the client?”

    1) Clients PULL the updates. 2) They have to stay connected long enough to PULL the file. How long this is depends upon the size of the files. 3) The benefit of BITS technology (Background Intelligent Transfer Services) is that an interrupted download will pick up where it left off the next time the computer starts up. 

     “When will WSUS be out for general availability?”

    Please refer to the Main WSUS site for release dates --

    “Can these WSUS updates be deployed to Windows 2000 desktops, or only Windows XP?”

    Windows 2000 is a supported Client also.

    “Can the WSUS policy be used in a W2K environment?”

    Yes.  You can import the wuau.adm policy template file into the Group Policy object in the GP Editor.

    “Can you use the SUS repository for getting the updates for WUS?”

    If you are referring to chaining, you can set up a hub and spoke distribution method for deploying multiple update servers. Only one needs access to Windows Update, while the other WSUS servers can point to another local update server for updates.

    “Is there a way to use WSUS without policy and AD?”

    Yes. Go to the WSUS Site and review the docs there. We have a deployment guide available that explains this. --

    “Is WSUS a chargeable product?”

    No. It is a free download now as a Release Candidate and will be a free download once finished.

    “Is WSUS site aware? I.E. can updates be deployed based on what site a computer is in?”

    No..or rather, somewhat.  WSUS doesn’t natively detect or work with site boundaries.  But it is Active Directory aware in that you can use Group Policy to define what group a computer is in.  And that being the case, you could apply that group policy object at the site level. 

    “Does WSUS work with SQL Server 2005 Beta 3 Express?”

    I don’t think it has been tested, so I can’t really speculate.

    “With WSUS installed and configured what does a user see if they open IE and go to the internet update site? Can a laptop user get critical updates while traveling?”

    A user can ALWAYS go directly to the Windows Update Site on the web to get updates. If you use Group Policy to configure clients to point to a WSUS server for Automatic Updates, they will also check on the schedule you define with the WSUS Server.

    “I missed it earlier... does WSUS come with its own SQL server, or do you have to supply that?  If you have to supply it, can it run as a separate instance on another SQL server?”

    It does install the MSDE for you if you want it to, or you can use your own instance of SQL on the local or another server.

    “If others use port 80 - you need to change the port for WSUS?”


    “I am referring to the fact that now we are using SUS for patching. Can I integrate WUS

    Please refer to the Deployment guide for these types of configurations --

    “How does this affect update that require re-boot?  Esp. In a Server patch.”

    It depends on your Automatic Update settings.  You can force a reboot or you can have it wait.

    “Is there or will there be a MOM knowledge pack for WSUS & auto update clients?”

    Hmmmm....good question...I am not sure.  There isn’t one currently, but that doesn’t mean that there won’t be one.

    “If I fill out will I win the drawing?? Can you make me win??.:o)”

    :)  If I can’t make ME win, why would I be able to make YOU win?  (and why would I want to? <heh>)

    “Will WSUS work without Active Directory? If so, how?”

    Yes!  And so does SUS, actually.  You can configure the registry in SUS, but in WSUS you can set computer groups by NETBIOS name or IP

    “Any documentation that I can refer to regarding WSUS work without AD?”

    There is a deployment guide on the site now that discusses all deployment options --

    “When will the full version of WSUS be available?”

    VERY soon, I believe.  It’s already a release candidate.

    “LM system is still very buggy (joining, PDF) - effectively missed this webcast also and wasted my time :-( Sorry!!!”

    I hope you put that in the evaluation, too.  I’m sorry this week was difficult for you.  Heck.. even I had connection issues – but they were hotel-related.  :(

    “I've been using WSUS for a few weeks, and it is a great tool. I highly recommend it.”


     “Are there any white papers on the difference between SUS and WSUS?”

    Not yet.  But in a nutshell… Reporting, Bandwidth-savings, product updates, targeting, approval options (“detect only”, “install”, etc)… oh man… the list gets longer and longer!

    “If you update office patches from an AIP installation, is it okay to use the SMS SUS until you patch the AIP?”


    “If the only server in our network is SBS2003 are there anything we need to watch out for?”

    If you decide to load WSUS to the SBS Server, you need to understand it will increase the load further on that single server. And you want to make sure to use the OTHER port option when you install it (so it’s not stomping on your Port 80 web apps).  It’s doable, but it is recommended to install WSUS to a member server if possible.

    “Can WSUS be installed on a win2000 server and service XP clients?”

    Yes. You must have Windows 2000 SP4 to install WSUS to the server and we would still support the same clients.

    “Can it be installed on a XP Pro Workstation?”

    The WSUS product must be installed on a server.  However, you can administer WSUS from your workstations.

    “When is Part 7 available?”

    Ah yes.. Part 7 is the one that they weren’t able to use the original recording on.  It should be soon, though, if not already.  I re-recorded it last Thursday, so it should be. Try re-registering for the on-demand one again.

    “Thanks for all the great info!!!”

    You are welcome!

    “Thanks, Kevin! Really enjoyed the webcasts!”

    You betcha!

    “What is Kevin's next TechNet Series?”

    Keep watching this space.  :)  Seriously, I don’t have one scheduled yet, but I hope to do one again someday.  In the meantime, I’m still doing the one-off webcasts and the live events.  And you’ll find me at TechEd again this year, too!  And if I get the nod to do another series, I’ll be sure to post it here.

    Once again – thank you for making this series so enjoyable!  I hope you learned some cool stuff!
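
The non-domain setup the answers above describe (registry settings in place of Group Policy) and the reboot choice for scheduled installs, as an added PowerShell example that is not part of the original post or of the WSUS documentation. It writes and reads back the Windows Update policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the function names are hypothetical, and the server URL, port 8530 and group name are constructed placeholders.

```powershell
# Added example: point a workgroup (non-domain) client at a WSUS server through the
# Windows Update policy registry values, then audit what is configured.
# Run from an elevated prompt. URL, port and group name in the usage lines are placeholders.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Set-WsusClientPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^https?://[^/\s]+$')]
        [string]$ServerUrl,                      # scheme://host[:port], no path
        [string]$TargetGroup,                    # optional client-side targeting group
        [ValidateSet(2, 3, 4)]
        [int]$AUOptions = 3,                     # 2 notify, 3 download and notify, 4 scheduled install
        [ValidateRange(0, 7)]
        [int]$InstallDay = 0,                    # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0, 23)]
        [int]$InstallHour = 3,
        [switch]$WaitForLoggedOnUsers            # do not force a reboot while someone is logged on
    )

    $values = @(
        @{ Key = $WuKey; Name = 'WUServer';       Type = 'String'; Data = $ServerUrl }
        @{ Key = $WuKey; Name = 'WUStatusServer'; Type = 'String'; Data = $ServerUrl }
        @{ Key = $AuKey; Name = 'UseWUServer';    Type = 'DWord';  Data = 1 }
        @{ Key = $AuKey; Name = 'NoAutoUpdate';   Type = 'DWord';  Data = 0 }
        @{ Key = $AuKey; Name = 'AUOptions';      Type = 'DWord';  Data = $AUOptions }
        @{ Key = $AuKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord'
           Data = [int]$WaitForLoggedOnUsers.IsPresent }
    )
    if ($AUOptions -eq 4) {
        $values += @{ Key = $AuKey; Name = 'ScheduledInstallDay';  Type = 'DWord'; Data = $InstallDay }
        $values += @{ Key = $AuKey; Name = 'ScheduledInstallTime'; Type = 'DWord'; Data = $InstallHour }
    }
    if ($TargetGroup) {
        $values += @{ Key = $WuKey; Name = 'TargetGroup';        Type = 'String'; Data = $TargetGroup }
        $values += @{ Key = $WuKey; Name = 'TargetGroupEnabled'; Type = 'DWord';  Data = 1 }
    }

    foreach ($v in $values) {
        if (-not $PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", "Set to '$($v.Data)'")) { continue }
        # Create the key only when missing; New-Item -Force on an existing key would reset it.
        if (-not (Test-Path -Path $v.Key)) { New-Item -Path $v.Key -Force | Out-Null }
        New-ItemProperty -Path $v.Key -Name $v.Name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
    }
}

function Get-WsusClientPolicy {
    [CmdletBinding()]
    param()

    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

    $findings = @()
    if (-not $wu.WUServer -or $au.UseWUServer -ne 1) {
        $findings += 'Client is not pointed at a WSUS server; it will use the public update site.'
    }
    elseif ($wu.WUServer -ne $wu.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ; status reports go to a different server.'
    }
    if ($isServer -and $au.AUOptions -eq 4) {
        $findings += 'Server OS set to scheduled automatic install; the Q&A advises against this.'
    }
    if ($au.AUOptions -eq 4 -and $au.NoAutoRebootWithLoggedOnUsers -ne 1) {
        $findings += 'Scheduled install may force a reboot while users are logged on.'
    }

    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        TargetGroup    = $wu.TargetGroup
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
        IsServerOS     = $isServer
        Findings       = $findings
    }
}

# Usage: -WhatIf previews the registry writes without making them; the audit is read-only.
Set-WsusClientPolicy -ServerUrl 'http://wsus.example.internal:8530' -TargetGroup 'Workgroup-PCs' -WhatIf
Get-WsusClientPolicy | Format-List
```

Drop `-WhatIf` to apply the settings; the Automatic Updates client picks them up at its next detection cycle.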




  • Webcast Series HOMEWORK - Week 12 (Maintenance and Updates)

    Windows Server Administration Webcast Series
    Homework Assignment #12


    • Go to my blog, click on the category “TechNet Webcasts”, and view the “Resource Page” for part 12 of this series.  I’ve included several links relating to this topic, so take a look through those resources.  I really want this to be the vehicle we use to share information and open up discussions.
    • I am also posting the homework here now (duh!) as well as an edited Q&A summary for each week’s webcast.

    2.  A Choice…

    Go to the Windows Server Update Services Site and download the Release Candidate.  Try it out.  Check out the online resources and FAQ document there.

      — OR —

    Virtual Lab: “Managing Security Updates with SMS”

    This virtual lab allows you to:

    • Scan computers by using SMS 2003.
    • Manage security update distribution by using SMS 2003.

    On that Virtual Lab homepage, click on the Microsoft Systems Management Server (SMS) 2003 section

    • Then click on the “Step into the SMS 2003 Virtual Lab for Free” link.
    • It might take a minute for this page to come up, depending on how busy the demo servers are.  (You will have better luck getting onto these in the early morning or late evening, US-time.)
    • Follow the logon/signup instructions, and choose the “Managing Security Updates with SMS” lab.


  • In an airport...

    …no one can hear you scream.  

    Or was that “In space..”?  Oh well.  I’m tired, and sitting in the Indianapolis Airport at gate D8 for my 6:09am flight to Chicago.  I’m hoping to check-in to my hotel in Schaumburg a little early so I can set up for doing my last of the series of 12 Windows Server 2003 Administration webcasts.  (Cool topic: Windows Server Update Services.  It’s not too late to sign up!)

    I’m geeking-out, a bit, because I figured out how to get my bluetooth in my laptop to use my PocketPC Phone and GPRS data services from T-Mobile to connect to the Internet.  Love bluetooth these days, with my new bluetooth headset and GPS that both use my PDA.  But why does it all have to be so complicated?  Trying to get these things connected and communicating reminds me of the early days of dialup networking.  Remember trying to get a dialup access to an ISP working on Windows 3.1 or Windows 95?  That’s how bluetooth feels right now.  So.. It can only get better. 

    Strange… the lights just flashed in the airport.  The power went out for a split second.  So now of course all of the gates are making announcements that their computers are rebooting, so they’ll have to proceed with the check-ins manually.  Just a typical day in the life of a road warrior.  <sigh>


  • Shipped! 64 bits, baby!

    “Next-generation compters can address more memory”
    The Associated Press
    Updated: 10:00 a.m. ET April 25, 2005
    (Yes, the subtitle has a type-o.  I guess the folks at AP are excited, too!)
  • Resource Page for Windows Server 2003 Administration Series Webcast (Part 12 of 12, WSUS)

    Resource Page for

    TechNet Webcast: Windows Server 2003 Administration Series (Part 12 of 12): Maintenance and Updates (Level 200)

    Wednesday, April 27, 2005
    1:00 P.M.–2:00 P.M. Pacific Time

    Tune in for a look at maintenance and updates to Microsoft Windows Server 2003. This webcast will also cover Software Update Services (SUS), patching and services packs. Also, we will discuss patch management, how to use SUS and how to slipstream service packs.

    Here are some resources relating to the webcast topic presented.  I hope you find them useful.



    Released: Windows Server Update Services RC

    Windows Server Update Services Product Overview


    Windows Server Update Services Datasheet

    Windows Server Update Services Frequently Asked Questions


    Compare Microsoft Update, Update Services, and SMS


    Windows Server Update Services Operations Guide


    Windows Server Update Services Deployment Guide

    Microsoft TechNet

    Official Series Content Resource Page–04

    Free Windows Server 2003 Virtual Labs: 

    Windows Server 2003 Evaluation kit: 

    Windows Server 2003 Training and Events:

    New and improved Microsoft Events page:

    And to start again at the beginning, here is the information and link to view Part 1:

    TechNet Webcast: Windows Server 2003 System Administration (Part 1 of 2) (Level 200)

    Wednesday, May 11, 2005
    8:00 A.M.–9:30 A.M. Pacific Time

    Tune in for a discussion of the out-of-the-box server management tools such as Active Directory Command Line tools-trusts and server roles.

  • MS to support running NON-MS Software?!

    It’s true! 

    Word from the Microsoft Management Summit is that, with the improvements coming in SP1 for Microsoft Virtual Server 2005, we’re going to support running OSes such as Linux and Solaris.

    Yes.. you read that right. 

    My counterpart in the cold country just north of here (hint: [Canadian flag image]), Bruce Cowper, was privileged to have attended Steve Ballmer’s keynote, and summarizes that, plus a couple of cool announcements made, in this blog entry.

    And if you want the full story:

    Steve Ballmer

    Read about Mr. Ballmer's keynote at the Microsoft Management Summit, where he highlights investments in virtualization and network access protection, enabling more cost-efficient and strategic IT management.

  • Windows Server 2003 Administration Webcast Series (Part 11 - Routing) Q-n-A

    Here it is!

    Here’s this week’s “best of” Q&A log from the webcast.  Sincere thanks again to my teammates for doing such a great job helping to answer questions!  I give them the credit for the information in this document.  I couldn’t do this without’cha!

    Also, I want to make sure you also have the link to the Session Resources I posted for Part 11, and the homework assignment.

    And I’ve also posted a “blogcast” recording of some demos from this session that I didn’t have a chance to get to today.  Here it is.

    Part 11 Questions and Answers:


    “FYI: The last few times I have had serious problems joining these webcasts. I suspect it was because of MS AntiSpyware and/or PrevX Home. This time I powered up fresh and turned both of those apps off. And I connected successfully. You might want to pass this info on to the appropriate people.”

    Thanks for the info!  That’s worth passing along.

    “KEVIN is @wsome!”

    Th@nks!  Back @tcha!

    “Backup Status Operation: Backup Active backup destination: File Media name: "HOA-WS03-AD-01-041905.bkf created 4/19/2005 at 9:32 AM" Error returned while creating the volume shadow copy:800423f0 Reverting to non-shadow copy backup mode. Backup of "System State" Backup set #1 on media #1 Backup description: "Set created 4/19/2005 at 9:32 AM" Media name: "HOA-WS03-AD-01-041905.bkf created 4/19/2005 at 9:32 AM" Backup Type: Copy Backup started on 4/19/2005 at 9:33 AM. Warning: Unable to open "c:\windows\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory" - skipped. Reason: The process cannot access the file because it is being used by another process. Any idea?”

    Ah yes.. the old “Backup Status Operation: Backup Active backup destination: File Media name…”  Well, you get the idea. We’ve seen this one before.  And here’s a KB article that describes it, too.




    No problem.

    “Hello, we're using SBS 2003 and we have SQL, Exchange and RAS... Isn't this dangerous because if the server goes down, everything will go with it?? What do you recommend?”

    The benefit of SBS is the cost structure for having all the applications. The downside is that they all must reside on the one server.  If you want to configure your environment so that you avoid points of failure due to one server going down, you will need to implement multiple servers. To do this, you will also need to purchase the products separately and therefore the costs do go up.

    “Does the demo 2003 server have SP1? Does SP1 change things in routing usage?”

    I have not yet applied SP1 to the images. (Shame on me!)  But either way, SP1 does not change the routing behavior of Server 2003.  The only differences might be how it now uses the Windows Firewall (when enabled) as opposed to the older ICF (Internet Connection Firewall).

    “Why is the broadcast address and not for this /20 network?”

    Good question.  I don’t know.  Now that I think about it, you’re right.  It should have been.  I’ll have to investigate further.

    “Any word on when is the SP1 for SBS 2003 coming out?”

    I cannot give you an exact date.  How about “Soon.  Very soon.”

    “Does SBS provide for the same routing capability as the full version?”

    Yes, absolutely the same capabilities as the "full" version of Windows Server 2003.

    “I think this should be and 172.16-31.0.0/16”

    Thanks.  I’ll make that correction.

    “Hi, is it possible for Windows 2003 router to send packets to one network (interface) with TCP ttl=1 and to others networks (interfaces) with standard ttl?”

    I do not believe this is possible. The TTL setting is "shared" for all interfaces and there is no way to specify a different TTL for different interfaces.

    “What is TechNet URL to view the Windows Server 2003 Administration Series from the beginning?”

    “I'm new... can I see who is on?”

    Welcome!  No.

    “Can a windows 2k3 server be a NAT server? If so, how to configure it, any white paper?”

    Even better – check out my blog, where I’ve posted a recording of a demo that I didn’t have time to get to today.

    “When would you choose OSPF or RIP?”


    and RIP:

    “I know that is private but what about Is the second range private or public?”

    The private network can be interpreted either as a block of 16 Class B network IDs or as a 20-bit assignable address space (20 host bits) that can be used for any subnetting scheme within the private organization. The private network supports the following range of valid IP addresses: through is public.

    “Just getting into ISA...would ISA handle most of this?”

    ISA 2004 enhances some of the control over the routing between interfaces, but still depends on the underlying RRAS component of Windows Server 2003.

    “Thanks Kevin!”

    You're quite welcome!

    And for those of you who liked the humor, here are the photos I used in the slides….


    [Photos: Keep-right, Sharpsign, Cow_n_dolphin]


    Have a great day!


  • My first Blogcast! (Series Part 11 - NAT and VPN Demos)

    For Part 11 of the Windows Server 2003 Administration webcast series, I am unable to do all of the demos as written.  One hour just isn’t long enough!  So what I’ve done is to record the portion of the demo where I create a NAT configuration, and a Demand-Dial VPN connection, as a “blogcast”.

    CLICK HERE to view the blogcast.

    A blogcast is just a recorded media file – in my case a Windows Media .WMV file captured and recorded using the Windows Media Encoder.  The ITEs (IT Evangelists) for Microsoft around the world have been recording these as yet another way to assist you in your learning and your work.  (Check out the “Blogcast Queen”, Eileen Brown’s blog for some great blogcasts.  As far as I know, she invented the term.)



  • Great Minds

    Yes, this is another somewhat cross-disciplinary post, but this sounds like such a cool, geeky webcast series that I had to share it with you…

    Science and Engineering at Microsoft - Turning Ideas into Reality

    I saw this announced on the MSDN Webcasts blog.  The series is targeted at answering your questions about how Microsoft came up with all the brilliant ideas behind creating .NET, CLR, Security frameworks, etc.  So, to me, that says it’s all about big brains dreaming up elegant, cool tools to make your work easier and better.

  • Webcast Series HOMEWORK - Week 11 (Routing)

    Windows Server Administration Webcast Series
    Homework Assignment #11


    • Go to my blog, click on the category “TechNet Webcasts”, and view the “Resource Page” for part 11 of this series.  I’ve included several links relating to this topic, so take a look through those resources.  I really want this to be the vehicle we use to share information and open up discussions.
    • I am also posting the homework here now (duh!) as well as an edited Q&A summary for each week’s webcast.

    2.  Online Documentation Review

    Specifically, I think everyone should review the “Routing Overview” and the many others posted in the Resource Page for part 11 of this series.


  • TechEd is SOLD OUT, but you could win a free pass!

    Yes.. a couple of days ago they officially closed registration on TechEd.    There’s a waiting list you can get added to, and it’s worth a shot, but as popular as TechEd has become…well, you know what I mean.

    However, our webcast production team, in cooperation with the TechEd team, are offering you a chance to win one of three FREE PASSES to TechEd – just for attending any !  And even if you don’t get to go, there are still opportunities to attend some of the sessions as they are simulcast as webcasts live from TechEd in Orlando.  Here are the official details:

    Microsoft Tech·Ed 2005 is sold out but you can still explore Microsoft technologies and solutions in this series of webcasts. Join us through the end of May for pre-Tech·Ed webcasts, then tune in for a special week of webcasts June 5-10, 2005, as we simulcast certain sessions live from Orlando, Florida. And, if you attend any live webcast in this series through April, you could win one of three available free passes to Tech·Ed 2005 in Orlando, Florida, (official rules).

    Here’s the URL for the TechEd Series:


  • We may be comin' to YOUR town!

    “Here we come…walkin’ down the streeeeet…”

    Next week I’m going to be in Muncie, Indiana, and Chicago (Schaumburg), Illinois, doing our free, live TechNet Briefings for IT Professionals at the following locations:

    April 26 – Muncie, IN

    Cornerstone Center for the Arts

    520 East Main Street

    Muncie, INDIANA 47305

    Phone: 785-281-9503


    April 28 – Chicago, IL

    Theater-Loews Streets Of Woodfield

    601 North Martingale Road

    Schaumburg, ILLINOIS 60173 

    Phone: 847 330-0720

    We’ve got some great stuff coming your way this quarter:

    Microsoft Windows Server 2003 Is Evolving
    With the recent release of Windows Server 2003 SP1, now is the best time to see the benefits of these significant updates.  Are you prepared for the changes this upgrade will have on your network system?  This is a great opportunity to see how SP1 may change your entire network infrastructure for the better.  Join our experts at this technical briefing.

    Microsoft SQL Server 2005 is coming
    It has been 5 years since a major Microsoft SQL Server release. In a technology timeline, that could be considered a lifetime!  Attending this session is your first step in preparing for a change that could give you a technical knowledge advantage over all the other IT Professionals working with corporate data.  Get prepared for the change coming soon.

    Click the links above to register, or visit the TechNet Briefings site for session topics and links to registration and additional resources.

    Tell your friends!  Invite your user groups!

    And please introduce yourself and tell me you saw this on the blog. 

  • Wow.. WiMax

    The idea that someone could make a wireless access link-up over a 30 mile radius, and up to 70mbps speeds, has me (and many other people, apparently) pretty excited.  It sounds like that’s where we’re headed with WiMax.  According to this CNet Article, Intel has started shipping the chips for it now.

    Heck.. I’d be able to use the wireless at Starbucks… from my home! 


    (Too bad they don’t deliver!)

  • Resource Page for Windows Server 2003 Administration Series Webcast (Part 11 of 12, Routing)

    Resource Page for

    TechNet Webcast: Windows Server 2003 Administration Series (Part 11 of 12): Routing (Level 200)

    Wednesday, April 20, 2005
    1:00 P.M.–2:00 P.M. Pacific Time

    Here are some resources relating to the webcast topic presented.  I hope you find them useful.




    Routing Overview


    Choosing a Replication Topology


    Common Server Configurations for Remote Access Servers


    Choosing Hardware or Software Routing


    Routing Tables


    Understanding the IP Routing Table


    Choosing Static or Dynamic Routing


    RIP for IP

    Setting Up a RIP-for-IP Routed Internetwork

    How NAT Works


    Understanding Network Address Translation


    Setting Up Network Address Translation


    Understanding Demand-Dial Routing


    Setting Up Demand-Dial Routing

    Understanding Router-to-Router VPNs


    Deploying Router-to-Router VPNs


    Routing Tools and Utilities

    Microsoft TechNet

    Official Series Content Resource Page–04

    Free Windows Server 2003 Virtual Labs: 

    Windows Server 2003 Evaluation kit: 

    Windows Server 2003 Training and Events:

    New and improved Microsoft Events page:


    ** UPDATE **

    I've recorded a blogcast containing demos of NAT and Demand-Dial VPN from this session. 

    Click HERE for that blogcast.

    And here is the information and link to signup for or view Part 12:

    TechNet Webcast: Windows Server 2003 Administration Series (Part 12 of 12): Maintenance and Updates (Level 200)

    Wednesday, April 27, 2005
    1:00 P.M.–2:00 P.M. Pacific Time

    Tune in for a look at maintenance and updates to Microsoft Windows Server 2003. This webcast will also cover Software Update Services (SUS), patching and services packs. Also, we will discuss patch management, how to use SUS and how to slipstream service packs.

  • If I could only connect MBSA to Visio...

    Well… your wish is granted!  Check out this new Security Tool:

    Microsoft Office Visio 2003 Connector for the Microsoft Baseline Security Analyzer (MBSA)

    Do you know the security status of your network? Get a visual. The Visio Connector for MBSA lets you view the results of a Microsoft Baseline Security Analyzer scan in a clear, comprehensive Microsoft Office Visio 2003 network diagram. You must have both Visio 2003 and the Microsoft Baseline Security Analyzer — a free security tool from Microsoft — for this connector to function.

    And while you’re there, take a look at the Security Tools section to see other free utilities to help you secure and manage your PCs, Servers, and Network.

  • You go, Governor!

    *** Warning *** 
    The link below contains political opinion.  Do NOT click it if you’re easily offended by political opinions.  Thank you.

    I had originally intended to post this here, but decided to keep the content here at this blog more professional, and save the private or opinionated stuff on my new MSN Spaces blog.  I’ll just link to them from here instead.   So…

    CLICK HERE if you’re interested in seeing what I think of a recent WIRED article about what some idiots are accusing my Governor, Gov Tim Pawlenty, of.


  • Dinner with Jim

    I found this in Robert Scoble’s blog

    Scoble had arranged a dinner for several influential San Francisco area bloggers to meet and sup with Jim Allchin.  The results have been, naturally, documented well in several blogs.  This one by Thomas Hawk was a very interesting read with regard to the future OS Longhorn and in future Media Center ideas.

    …just more of the fun stuff that makes me thrilled to work for Microsoft…

  • Are you a developer? Really?

    Then you're reading the wrong blog! 

    …Or more correctly... you should ALSO be reading these other folks’ blogs!

    Allow me to introduce to you some great blogs for developers. These developers are members of our MSDN Events team:

    And for general interest posts and news from the entire team, check out the

    MSDN Events are national events structured much like TechNet Briefings, but for Developers. Whenever there is a TechNet Briefing in the morning, there is an MSDN Event there in the afternoon as well.

    Here are the current MSDN Event topics:

    Go ahead and register for their afternoon event.  But if you’re also doing any IT Pro work, make sure you register for our morning event as well!




  • Have you jammed at TechEd?

    Another great TechEd Memory… the Jam Sessions!

    TechEd 2001 Jam Session TechEd 2002 Jam Session TechEd 2003 Jam Session 

    NetIQ and others over the years have sponsored evening Jam Sessions, which I really enjoy.  Yeah, sure, the talent isn’t always the best, but it’s always entertaining and fun.

    Are you gonna be there this year?

  • It's time to embrace it

    RSS.  Really Simple Syndication.  “Feeds”.  “Rss” logos…

    “What does it all mean, Kevin?”

    Well.. Let me describe a very cool use of this technology as a way of introduction to you…

    You want to know when there’s some new resource available of specific importance to you.  For example, let’s say you are the SQL DBA or database server administrator for your company.  You watch the Microsoft web sites, NNTP news groups, or perhaps you subscribe to some email lists.  But you sure would like to be notified whenever there is a new KB article relating to the version of SQL you are managing.  And you don’t want to subscribe to any more email lists.  You would rather control exactly what you’re getting… only what you care about or need to know.

    Enter RSS

    What is RSS? <—Article posted on Microsoft Help and Support

    Now, using news aggregator software, you can subscribe to and receive just the information you want or need. 

    Check out this article: RSS: Really Simple Syndication, for a great description of how this works.  Also included here is a good list of links to news aggregator software available.  (I happen to like the free SharpReader.)

    “Why are you telling me this, Kevin?”

    Many groups at Microsoft, including our TechNet team, are beginning to embrace this technology to allow you to control your own connection to us.  We’ll make content and information available, and you can select and subscribe to just what you want to know about… so we aren’t invading your privacy by sending you unwanted emails, and you don’t have to keep checking the web sites manually for changes.  You are in the driver’s seat! 

    Great examples of this might be to subscribe to all of or just categories of my blog (“I want to read everything Kevin has to say”, or, “I only care about Kevin’s TechNet Briefing postings.”), or subscribing to a site that has updates and event information for just when we’re coming to your area, just the speaker you want to see, or just on the topics that you specify.  How cool is that?

    In fact… If you right click on this orange Rss picture and select “Copy Shortcut”, you can then paste the link into your news aggregator software and subscribe to all of my blog entries!

    Another real world, very cool example is what is available now for Microsoft Knowledge Base articles.  You can go HERE and select the RSS feeds to get updated lists of new KB articles for just the software you work with. 

    And another cool example is how sites can be built using aggregations of blog content shared from bloggers all over the place – as in the site.

    So.. it’s time to understand and embrace RSS. It’s going to make it really simple to stay up-to-date and informed.

    Questions or comments?  Hit the feedback link below.


  • Get Perpendicular!

    My friend and developer/MSDN presenter colleague Jacob posted about this, and I’m going to steal it from him.  <heh>

    Hitachi has a fun animation showing off the potential for new hard disk storage technology… a GREAT example of explaining something in simple terms that would otherwise cause most people’s heads to explode if simply described.  Fun stuff!

  • TechEd 05 is filling up!


    If you haven’t signed up already, you’d better get signed up soon!  I’d love to meet you there!

    Make sure you introduce yourself to me.  I’ll probably be hanging out by the cabanas and answering questions when I’m not attending the many great IT Pro-related sessions going on.

    See you there!


  • Windows Server 2003 Administration Webcast Series (Part 10 - VPN and RAS) Q-and-A

    Here is this week’s “best of” Q&A log from the webcast.  Sincere thanks again to my teammates for doing such a great job helping to answer questions!  I give them the bulk of the credit for the information in this document.  You guys are the best!

    Also, I want to make sure you also have the link to the Session Resources I posted for Part 10, and the homework assignment.

    Part 10 Questions and Answers:

    “Who's serving the popcorn?”

    Yum… I don’t know.  I can’t smell it on my end.


    “I hear a country station, is that normal?”

    Um… let’s see… how do I answer this without offending Country Music fans?  <chuckle>   I think I’ll just not say anything.


    “Kevin, out of all the presenters I’ve heard, you provide clear on-point info, and your presenting is top notch!!!! GJ”

    I know you can’t see it now, but I’m blushing.   Thanks!


    “Is the Connection Manager in SBS 2003 basically a VPN connection?”

    Connection Manager is the package that allows you to install the client side of a connection - It will help you set up a VPN among many other connectivity options.


    “Using ISA 2004 and AD can I restrict what servers a remote client can access?”

    Yes you can.


    “Can I use IAS authentication without active directory?”

    Check out this great resource on IAS:


    “Why does the VPN disconnect after about 3 minutes when connecting from a XP-SP2 machine?”

    Do you have the VPN connection setting set to disconnect after three minutes of inactivity?  If so, then after 3 minutes of doing nothing on the connection, it would disconnect.


    “Well I create an entry in DNS to redirect www to other machine inside the network which has the company website.”

    If this server on the internal side of the network is not accessible from the Internet, then users coming from the Internet will fail.


    “For the umpteenth time I had problems connecting to these webcasts. I missed the beginning and effectively missed the whole webcast. I have wasted my time again fighting the system. This is getting beyond serious - to being utterly ridiculous!!!”

    I agree wholeheartedly.  We’re very sorry for the troubles these issues have caused.  You are right, it is inexcusable.  I encourage you to please visit this link to report these issues and voice your opinions:


    “How much overhead in the protocol is estimated for the Microsoft VPN flavor?”

    There is no specific number on this but PPTP has less overhead than L2TP.  The reason there is no specific information is because hardware and connections are so varied.


    “Has MPPE-128 been cracked?”

    Not that I'm aware of.


    “Certainly software based solutions generate more overhead than hardware based solutions. I was just curious on the overhead for Microsoft's version. Thanks”

    We have always seen great performance and very little overhead.  As a previous network engineer for Microsoft, I have never seen a limit hit.


    “Is there a step-by-step guide for setup of L2TP with IPSec?  Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?”

    To use different pre-shared keys for all L2TP over IPSec router-to-router VPN connections, configure the following...see


    “The wire server room is used a lot by you guys. Don’t you have other pictures?”

    Yes we have a few, but that is by far one of all our favorites because we can relate, as we hope you can too.  I guess I’ll use it a little less often now. <sigh>


    “Can I save this event for resume later?”

    You can download and view the event later.


    “Is the following correct: VPN can accept 11 connections? If you need more create another VPN object?”

    No, VPN can accept much more than 11 connections. If you have configured it to be limited to 11, then you are more than welcome to increase the limit. 


    “Is VPN in sbs2003?”

    Yes, it is exactly the same as in a regular server.  But one drawback is managing the VPN endpoint on a DC.   That is a security risk.  I would recommend one NIC and a router that allows PPTP (GRE and 1433) or L2TP NAT traversal to the one internal address.


    “Where I can download the event?”

    You will be receiving an email tomorrow with links to download.


    “Is VPN preferable over Terminal Services for remote access?”

    Both have a high level of encryption. VPN with RDP would be the most secure.

    “Why are there two VPN servers? Is this another office? I thought you just need one.”

    I think what you were seeing there was the use of VPN for a site-to-site connection – so instead of it just being an employee connecting to the office, it’s also used for connecting one office to another, with two VPN servers on either side of the pipe.


    “Has PPTP been broken?”

    I do believe that was the case back in the Windows 95 / 98 heyday (1999).  However, updated DUN components were released for W9x to address this. Windows 2000, XP and 2003 are not susceptible to this (to the best of my knowledge).



    Thanks for coming!  Any questions are good questions!


    “Are there any webcasts coming on ms cluster services?”

    There was one done last Friday (April 8, 2005) with Clustering and SQL - Other than that one try searching on Clustering at


    “Was presenter referring 11 connections limit to something else or I have misunderstood?”

    At that point I was just talking about the demo systems and the configuration implemented.


    “I understood that UDP is not as reliable as TCP so, can you use TCP with L2TP?”

    Yes. L2TP is only the tunneling protocol; whatever packets you send, TCP or UDP, are then sent over that.


    “Is there a step-by-step guide for setup of L2TP with IPSec?  Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?  RE: Step-by-step Guide for L2tP/IPSec - How about using certificates instead of pre-shared keys - can that be done? Is there a step-by-step?”

    Might start here -


    “If they (hackers, listeners) go to that extent, don’t you think they will find another way to get in (listen).  I just find it amusing that anyone would make a VPN on a dial-up connection.”

    Well.. consider this scenario: Someone only has dialup for Internet Access (Netscape, Net Zero, EarthLink, whatever) at home, but their employer has only set up Internet VPN access which this person will need to use.  So – they’re doing VPN over the Internet, but via their dialup connection.  In fact, I was doing this very thing for at least a year before I had highspeed access at home.


    “If PPTP is only set on the RRAS server is there any benefit to selecting automatic on type of VPN?”

    If you mean the client, then yes, auto is fine.  It will try both.


    “When you create a VPN connection is there a way to keep a connection to the local network?”

    Once you've created your VPN connection, you're still on the local network. You're given a new IP address for the destination network, but you have two IP addresses: one for the local network and one for the VPN network.  Now.. that doesn’t mean that your default gateway for Internet Access hasn’t changed.  That’s another issue.


    “For VPNs, for which firewall ports do I need to configure an allow policy?”

    PPTP is 1723 and the GRE protocol 47. Most routers will not work with L2TP.

    “What happens if both local networks have the same local IP configs. ie: both are 192.168.0.x?”

    There is no way to route between them if both networks are the same.


    “Do you need to put an ACL on your firewall to allow a VPN that you have set up on your DC and workstation?”

    You have to allow 1723 and GRE


    “Is there a good way to export and import large amount of RADIUS clients?”

    How to Add and Remove Radius Clients, see


    “What does RADIUS stand for?”

    Remote Authentication Dial-In User Service (RADIUS)


    “What's the RADIUS port(s)?”

    RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, IAS supports receiving RADIUS messages destined to both sets of UDP ports. For information about changing the UDP ports that are used by IAS, see Configure IAS port information. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
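
    The port split described in the answer above can be checked against captured traffic. The following is an added example, not code from the webcast or from IAS: it parses the single RADIUS message in a UDP payload using the RFC 2865 header and attribute layout, and flags messages whose code does not belong on the port class they were seen on. The function names and the sample packets are constructed for illustration.

```python
import struct

# RADIUS codes (RFC 2865 / RFC 2866), grouped by the service that carries them.
AUTH_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ACCT_CODES = {4: "Accounting-Request", 5: "Accounting-Response"}
# Port pairs quoted in the answer above: standard port first, older NAS default second.
AUTH_PORTS = {1812, 1645}
ACCT_PORTS = {1813, 1646}


def build(code, ident, attrs, authenticator=bytes(16)):
    """Build a constructed test message; attrs is a list of (type, value bytes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(payload):
    """Parse the single RADIUS message in a UDP payload; raise on malformed input."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= 4096:
        raise ValueError(f"length field {length} outside 20..4096")
    if length > len(payload):
        raise ValueError("length field exceeds the UDP payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("dangling attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, payload[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "authenticator": payload[4:20],
            "attributes": attrs, "trailing": len(payload) - length}


def audit(server_port, payload):
    """Return a list of findings for one datagram on the given server-side port."""
    if server_port not in AUTH_PORTS | ACCT_PORTS:
        return [f"port {server_port} is not a RADIUS port"]
    service = "authentication" if server_port in AUTH_PORTS else "accounting"
    expected = AUTH_CODES if server_port in AUTH_PORTS else ACCT_CODES
    try:
        msg = parse_radius(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if msg["code"] not in expected:
        name = {**AUTH_CODES, **ACCT_CODES}.get(msg["code"], "unknown code")
        findings.append(f"{name} ({msg['code']}) on {service} port {server_port}")
    if msg["trailing"]:
        findings.append(f"{msg['trailing']} bytes after the declared message")
    return findings


# Constructed samples: User-Name (type 1) and NAS-IP-Address (type 4) attributes.
ACCESS_REQ = build(1, 7, [(1, b"alice"), (4, bytes([192, 0, 2, 10]))])
ACCT_REQ = build(4, 8, [(1, b"alice")])

if __name__ == "__main__":
    for port, pkt in [(1812, ACCESS_REQ), (1645, ACCT_REQ), (1813, ACCT_REQ + b"\0\0")]:
        print(port, audit(port, pkt) or "ok")
```

    RFC 2865 treats bytes past the Length field as padding to be ignored, so the trailing-bytes finding is informational rather than a protocol error.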


    “Why won't most routers work with L2TP and what can you do, if anything, to work around this? What about PPTP?”

    Until 2003 there was no way to get through NAT with IPSec or L2TP.  Most companies use NAT to allow them to address their internal network in a way that doesn’t require large numbers of valid external IP addresses to be used internally.  These L2TP connections are UDP connections, usually over port 500. You have to make sure you have a router that can perform and allow NAT traversal back to your VPN server. It is in most newer routers.


    “How much RAM does the machine hosting the virtual machines have?”

    My laptop has a total of 2 GB of physical RAM.  The virtual machines I am running for this series are configured to use 512MB, 512MB, and 256MB (two servers and an XP Pro Client).


    “Is there information configuring radius for use with a wireless access point?”

    A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers. See


    “To all you out there configuring an ISA... Unplug your connection to the Internet until your ISA is configured. I was hacked between the time I configured the NIC and the ISA server. This was a timeframe less than 10 mins.”

    Good point.  And a good indication of the state of things today.  NEVER connect a server or any PC directly to the Internet without first protecting it in some way.  In your case, with your new server that is eventually going to be a firewall, you ran into something that is all too common.  It takes now on average only 20 minutes for an unprotected machine to become infected.  That is EXACTLY why we’re including things like Post Setup Security Update (PSSU) functions in Windows Server 2003 SP1 – installing the Windows Firewall and locking down external access until the machine is configured and up-to-date with the latest security updates.


    “Thanks.  I think I’ll see the recording.  When will this be available?  It`s 23.00 in Norway.  Must get sleep :-)”

    Thanks for staying up for us!


    “I thought it was not a good practice to run RRAS or IAS on a domain controller.”

    Generally speaking, yes.  For our demos, we tend to "break" a lot of the best practices rules due to limitations on number of virtual machines we can run effectively in one session.


    “OK Thanks. You guys are great.”

    Thanks for attending.  Always a pleasure to help.


    “Can you specify a backup RADIUS server?”

    Check out -


    “1. Install 2003 server. 2. Configure NIC 3. Get hacked 4. Install ISA Server. Between 3 and 4 you are totally exposed, right?!”


    If you are connected to the Internet during this installation process; yes, that is correct. If you were installing Windows 2003 with SP1 (slipstreamed), then the Firewall service would come active immediately to prevent step 3.  (See my PSSU comment earlier) 
    However, I would highly recommend that you install your servers without direct connectivity to the Internet until you've fully configured and secured it.


    “Will there be a webcast on wireless w/certificate services for windows 2003?”

    None currently planned that I’m aware of.


    “Can I make this work with a Cisco router?”

    As long as your router is up to date, PPTP is easy and L2TP is dependent on you having 2003 server and the ability for the router to pass L2TP.



    [bow]  Thanks!


    “Thank you ....when does this whole series repeat?”

    You will be able to view or download the webcasts from this series anytime you want.


    “My Cisco router has no firewall, but NAT is enabled. Is this a problem for L2TP?”

    You will need to find out if it has the ability to allow L2TP traffic to pass through.


    “I received an invitation to attend TechEd Europe in Amsterdam.  Is this worth the money?”

    TechEd is a very informative conference.  And I am one of the biggest fans of TechEd you’re going to meet.  One other noteworthy item is that our people in the product groups are GOALED on attending TechEd and a couple of conferences. Therefore I do believe it would be worth your time.


    “netopia made it sound like I need their router for a vpn, not true?”

    Netopia offers a hardware based VPN solution.  You can buy that, or you can go with a software solution such as the RRAS that’s already included in Windows Server 2003.


    “I may be a little slow here, but what is the advantage of setting up a RADIUS server vs just VPN connections?”

    RADIUS is just another way to authenticate users.  It is a standard for both authentication and authorization, as well as accounting.  Being standard, it can be used by many different hardware and software devices requiring authentication.  And if it’s Microsoft’s IAS, it’s also able to use Active Directory accounts for that authentication.  And it can be a central authorization point for RAS servers, with common Remote Access policies being managed there.


    “I was thinking about choose the RAS client by IP or DNS”

    I’m not sure what you were asking, but you may be referring to the demo where I configured the VPN client to connect to the external IP address of the VPN Server.  Yes, if you want, you could also have a name defined for that address and as long as DNS is able to resolve it, you can add that in the connection parameters as well.


    “Would running remote desktop connections through a VPN be a good practice or is that just a redundant level of security?”

    Redundancy is always good - especially in Security. But if you are assured of an encrypted connection for RDP, you are safe.


    “Is this correct - A person is using a WiFi and VPN into a network. Is the Internet controlled by VPN network permissions or by the WiFi provider?”

    Completely by the VPN.  WiFi would only be a concern if it was actually a connection on your internal network, then you would not need VPN.

    “Can Kevin share those funny pictures with us?”



    Have a great day!


  • MSRC has a blog!

    The Microsoft Security Response Center has a blog address now.  Check it out!

    Subscribe to it if you’re interested in good security-related posts and updates.