Kevin Remde's IT Pro Weblog
My friend and teammate Kai Axford delivered an EXCELLENT webcast just a few minutes ago, for which I had the honor of covering the Q&A. The webcast was all about ways to secure your messaging using Exchange 2003, Outlook 2003, ISA Server 2004, S/MIME, PKI, OWA… Great stuff!
Here is the link to the webcast for On Demand Viewing.
And below I’ve listed the Q&A from the session, so you webcast viewers can take advantage of the resource links directly. I hope you find them useful!
Here’s the link to Brian Komar's PKI Security Book Kai mentioned:
How to protect SMTP using Transport Layer: Check out "How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server" http://support.microsoft.com/?id=829721
Securing email using S/MIME and Exchange Server 2003: Read the “Exchange Server 2003 Message Security Guide” available at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx.
“Please ask Mr. Kai to not speak so loudly into the microphone. Thank you.” This just happens when he gets excited. Hopefully he toned it down enough for you later in the webcast.
“If I install S/MIME in my organization, will it have an impact on users outside of my company?” Not necessarily. As Kai said, it has everything to do with who you trust and how those who trust you have access to a trusted root authority. The impact will be in getting the public keys out to recipients of emails that you want to sign or encrypt, so that they can take advantage of it.
“What is Certificate Services?” http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/63e3ba1c-cc23-40b1-9ca2-853869677318.mspx
“But what is the real-world impact of switching to S/MIME in an organization as it pertains to outside trusts, i.e. Hotmail, SBCGlobal, Yahoo, etc.?” Their client will have to support certificate authentication (S/MIME). It's pretty common now. AND they will have to install the public key you provide them.
“What's that desktop background called with the host IP and domain script?” He's probably run a tool to build that. I know there is one like it at SysInternals.com called "BGInfo". http://www.sysinternals.com/Utilities/BgInfo.html
“Was the installation of Certificate Services done on the Exchange servers with the users' mailboxes?” Certificate Services is outside of Exchange in Exchange 2003. It is a free component that you can install on any Windows 2000 or 2003 Server. It’s included with the OS.
“Thanks, so this way, no configuration is necessary between the Exchange server and the certificate server?” Other than that checkbox Kai showed earlier for supporting certificates, no.
For more PKI / S/MIME information: Read the “Exchange Server 2003 Message Security Guide” available at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx
“Where can you get Certificate Services? Is this something already in Windows 2000/2003, or is this something that has to be downloaded from microsoft.com? If downloaded, what is the website address?” FREE... and you already have it. It's an installable component of the server product.
More information on using Windows Rights Management: See http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
“WRM can be deployed to all users in an organization?” Yes.
“Does WRM protect email from being forwarded when sent to an email system other than Exchange?” Yes. It stops on your end before it goes out.
“Is Windows IRM free or cost money ?”
Windows Rights Management Service is a product. It does cost money. See: http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
“What is the difference between signing and encrypting the message? When the message goes signed, can it be spied on?” Signed just means you can be sure that it came from who it says it came from, but doesn't mean the message itself is encrypted... so yes, if you're not using some other encryption, the message can be read.
For a complete list of the other ports required in the Exchange front-end and back-end server, see “Front-End and Back-End Topology for Exchange Server 2003 and Exchange 2000 Server” at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx
For more information about Exchange Server 2003 RPC over HTTP(S) deployment configurations, see “Exchange Server 2003 RPC over HTTP(S) Deployment Scenarios” at http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/ex2k3rpc.mspx
“Is there another solution, such as certificate services from other providers?” Yes. S/MIME and email signing and encryption doesn't have to use the Microsoft certificate services. It will work with any standard PKI you want to use.
“Does it work on a 2003 exchange cluster server?”Yes.
“What is the e-mail address of Kai? Can he receive questions to his e-mail?”
firstname.lastname@example.org. Yes, he's happy to get emailed questions from you. But try me first. :)
Using ISA Server 2004 with Exchange Server 2003: see http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
“Can we get a hold of those scripts that change the IPs?”
Email Kai. He may be able to get them to you.
Deployment Scenarios for RPC over HTTP(S): http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/ee9b228f-db48-4860-8bfd-3195881b8980.mspx
For more information about limiting client access to Exchange Server, refer to Article ID: 328240 at http://support.microsoft.com/kb/328240
For more information about the Outlook 98 and Outlook 2000 version of the e-mail security enhancements, refer to “Outlook 98 E-mail Security Update” at http://www.microsoft.com/technet/archive/office/office97/support/out98sec.mspx and “Outlook 2000 SR-1 Update: E-mail Security” at http://www.microsoft.com/technet/prodtechnol/office/office2000/support/o2ktool.mspx
For a list of the restricted file types, see the “Outlook E-mail Security Update — Frequently Asked Questions” at http://office.microsoft.com/assistance/2000/Out2ksecFAQ.aspx or “Attachment File Types Restricted by Outlook 2003” at http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
For more information about setting the Level1Remove registry key see “Administrator-Controlled Settings vs. User-Controlled Settings” at http://office.microsoft.com/en-us/assistance/HA011402961033.aspx
For more information about configuring Outlook security settings, see “Customizing Security Settings by Using the Outlook Security Template” at http://office.microsoft.com/en-us/assistance/HA011402931033.aspx
For more information about using ISA Server 2004 with Exchange Server 2003, see http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
For more information about installing an SSL certificate on your server, read the Knowledge Base article 298805 at http://support.microsoft.com/default.aspx?scid=kb;en-us;298805
For more information about additional security-related features, read “How to manage Outlook Web Access features in Exchange Server 2003” at http://support.microsoft.com/?kbid=830827
To download the Outlook Web Access administration tool, go to http://www.microsoft.com/downloads/details.aspx?familyid=4bbe7065-a04e-43ca-8220-859212411e10&displaylang=en
OWA Publishing through ISA Server 2004: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx
Exchange Server 2003 SP2 is coming! http://www.microsoft.com/exchange/downloads/2003/sp2/overview.mspx
Exchange Book (answered): http://www.amazon.com/exec/obidos/tg/detail/-/0735619905/103-8014442-7447030?v=glance
“Great Job man”
One of the last times I posted something about Windows Vista my blog got lots and lots of hits. I also used the same animated graphic in that post. So… either Windows Vista is hot, or this picture is.
Anyway… I’m working on a Windows Vista presentation. I have one hour to convince folks not only that Vista has a lot of cool new functionality and features, but that Vista is a necessity in their businesses. Tough sell? Maybe… if you don’t know exactly what it can do to help your business.
“What do you want from me, Kevin?”
My question to you is: What would you want to know more about? Is there something you’ve heard of in Vista that you think a 60 minute talk should cover or “clarify” for you?
For example, the three main bullets on the Windows Vista intro web page currently hint at some really great stuff…
“Confidence”. “Lower IT Cost”. “Get more out of…”. “ways to organize”. “seamlessly connects”. “maximize”. “and”. “to”….
Anything else jump out at you? Please enter comments!
“Where are you going to be delivering this presentation?”
I’m glad you asked! I’ll be speaking at three events being put together by Angelbeat.com:
I’d love to see you there!
PS – Their website says that the “Microsoft Keynote” (that’s me) will be about “Windows Vista, Windows Mobile 5.0, and Collaboration Technology”. Either they’ll be updating their web site soon to just say “Windows Vista”, or I’ll be learning a whole lot about Windows Mobile 5.0 in the next couple of weeks.
SQL Server 2005 Tidbit 009
Ooops.. missed a day. Well.. let’s get back into these!
I got this from my coworker and friend, Matt Hester...
Q: Can you upgrade Small Business Server SQL 2000 to SQL 2005?
A: The feedback I have gotten is that technically you can upgrade to SQL 2005, but it is not supported! However, Windows Small Business Server 2003 R2 will add SQL Server 2005 Workgroup Edition for SBS Premium Edition customers. There are also a lot more enhancements to this moving forward. For more information on SBS and SBS R2: http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx
Got an IT question? Give me a comment, or contact me.
SQL Server 2005 Tidbit 008
This tidbit comes as a result of a question an attendee from one of our live TechNet Events emailed me.
“Database mirroring, or parts of it, is available in Standard Edition of Yukon. What's the difference between what you get with Enterprise Edition and Standard Edition?”
Mirroring is supported in both Standard and Enterprise Editions of SQL Server 2005. According to the feature comparison page, in Standard there is only a single REDO Thread (on the mirror instance), and the "safety setting" is always on.
And again – here is a great resource on Mirroring: http://download.microsoft.com/download/f/8/5/f8520d64-f109-4111-b0b0-51f1f6d2d220/ProSQLServer2005_Ch15_ForTechEd.pdf
Wow. I don’t get a lot of comments on my blog. Apparently nobody reads it. Or perhaps I’m not controversial enough to promote discussion often enough. I’ll have to change that…
Or should I?
WARNING: Long Blogger Chain Here…
Robert Scoble recently pointed to an article by Dave Taylor who was talking about Aaron Wall… a person being sued for comments left in his blog comments area. It wasn’t something Aaron said in his blog, but something that Aaron or his company left buried in the comments, probably unknowingly, that got him sued.
“What I find most telling about this lawsuit is that it's aimed directly at a blog and a blogger, not related to what the blogger is writing about, but about what others are adding in his comments.”
That’s just downright scary. I and many of my coworkers like to leave comments wide open, just because we want to promote good discussion, and also often are travelling and have longer periods where we might not be able to moderate all the comments.
Perhaps a new, longer, more complete disclaimer will have to be added to the margin, removing myself from any responsibility for whatever garbage, slander, or confidential information some bozo might post to my blog.
I’ll have to ask my friend Chris Avis or some other former BBS SysOp what legal disclaimer they might have used way back when “comments” were “unmoderated” in the open discussion areas…
What do you think? Comment away!...
We’ve extended support for Software Update Services 1.0.
Originally the drop-dead end of support was going to be at the end of June next year, but due to the timing and customer needs, the date has moved to December 6. In fact, as of a couple days ago, you could no longer download SUS.
“My brain hurts! What happens when support ends?!! OOo!”
It means that there will no longer be any updates that will synchronize with it. By then, it’s hoped, you’ll be able to move to WSUS (Windows Server Update Services). Here’s a KB article describing the SUS 1.0 Support Life Cycle.
“OOoooo! Will it hurt?!”
No! It’s full of great improvements (reporting, targeting, missing update detection.. loads of wonderful things!) and it’s FREE.
“How do I get it?! HOW DO I GET IIIIT?!”
Download it here.
“I have more questions!!! Oooo!”
Try this: The WSUS FAQ Page.
…<sigh> Yes… this was a silly blog post. Quite silly.
(Apologies and appreciations to Python, Monty Ltd.)
Okay all you Family Guy fans… some of you might be old enough to remember this music video on MTV.
“What? MTV played music videos?”
Anyway, credit to Michael J. “Brother” Murphy for finding this gem.
SQL Server 2005 Tidbit 007
Number 7 comin’ atcha!
This tidbit comes as a result of a question an attendee from one of our live TechNet Events emailed me.
“Can backups, etc., generated from a maintenance plan in Yukon have the same file name instead of a unique name?”
I can't find any information on this specifically, although I know that one of the plan steps you can create is just a T-SQL step, where it launches whatever script you want to launch. That could be a BACKUP DATABASE MyDatabaseName TO DISK = '\\MyServerName\Backups\MyDatabaseName.bak' (or a disk location, or some other defined device) with options to append or overwrite, etc.
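Here is what such a T-SQL step could look like. This is an added example, not something from the webcast or the original post; the server, share and database names are placeholders. It shows the two options the answer alludes to: overwriting the same file on every run (WITH INIT) and appending a new backup set to it (WITH NOINIT), plus how to see which sets an appended file holds before restoring from it. Since a backup file contains every row in the database, the share it lands on deserves the same access restrictions as the database itself, and only the SQL Server Agent service account needs write access to it.

```sql
-- Added example (not from the original post): a maintenance-plan T-SQL step
-- that always writes to the same file name. Names and paths are placeholders.

-- Overwrite: WITH INIT replaces whatever backup sets the file already holds,
-- so the file name stays constant and the file does not grow without bound.
BACKUP DATABASE MyDatabaseName
    TO DISK = '\\MyServerName\Backups\MyDatabaseName.bak'
    WITH INIT,
         NAME = 'MyDatabaseName full backup',
         DESCRIPTION = 'Nightly full backup, overwritten on each run';

-- Append: WITH NOINIT (the default) adds a new backup set to the same file.
-- The file name still never changes, but every run adds another set, so a
-- restore has to pick the set it wants with the FILE option.
BACKUP DATABASE MyDatabaseName
    TO DISK = '\\MyServerName\Backups\MyDatabaseName.bak'
    WITH NOINIT,
         NAME = 'MyDatabaseName full backup';

-- List the backup sets a fixed-name file holds; the Position column is the
-- value to pass as FILE = n when restoring from an appended file.
RESTORE HEADERONLY
    FROM DISK = '\\MyServerName\Backups\MyDatabaseName.bak';

-- Check that the chosen set is readable without actually restoring it.
RESTORE VERIFYONLY
    FROM DISK = '\\MyServerName\Backups\MyDatabaseName.bak'
    WITH FILE = 2;

-- Restore a specific set (here the second one) over the existing database.
RESTORE DATABASE MyDatabaseName
    FROM DISK = '\\MyServerName\Backups\MyDatabaseName.bak'
    WITH FILE = 2, REPLACE;
```

If the plan also takes log backups, give those a separate fixed-name file rather than appending them to the full-backup file, so that an accidental WITH INIT on one job cannot wipe out the other job's history.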
Here is the promised “Best of” Q&A from the webcast I delivered yesterday (Aug 24, 2005) on Windows Server 2003 System Administration (Part 2 of 2).
A huge THANK YOU to Harold Wong and Kelley DuBois for handling the Q&A. They get most of the credit for these awesome answers.
“The website for MBSA says that it is designed for small to medium sized business. Is there a reason it's not for large?”
It's a question of scale. If you have over 2000 nodes you want to move to a higher end management system like SMS that will scale out to support networks of that size.
“Can you scan for a list of servers in a text file?”
Not in the GUI interface. You can, however, use the command-line version that is installed with it, MBSACLI.EXE. This one can allow you to script scans of a list of machines.
“I can't find an article at this moment, but it is mbsacli.exe /listfile targets.txt - you can check it by querying mbsacli.exe with the /? parameter”
YES! Using the command line you can script it. See http://www.microsoft.com/technet/Security/tools/mbsa1/scripts.mspx
“Any areas/uses in which MBSA beats 3rd party security scanners like Retina or XSpider?”
We can not comment on the efficiency of third party scan tools. MBSA is offered as a free resource for our customers. If budget is less of a consideration for you, we would encourage you to compare third party solutions and based on cost and feature sets select the solution that does what you want it to do.
“WSUS work like GPs?”
No, the difference is that WSUS enables IT administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows Server 2003, and Windows XP operating systems. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. Policies, on the other hand, allow for settings to be applied to all machines, and for those that are part of a domain, an administrator can use the application of Group Policy objects to set policies that apply across a given site, domain, or organizational units (OUs) in the Active Directory® directory service.
“Any timelines for when WSUS scanning technology will be able to detect and deploy to apps like Visual Studio 2003, ISA Server, PowerPoint Producer, etc? KB 895660 details where WSUS technology is lacking. . http://support.microsoft.com/?scid=kb;en-us;895660 ”
The dev team is working to expand the functionality of WSUS in new and appropriate ways. We have no public timeframe for a new release or update of the current system.
“Does MOM have the capabilities to handle Updates?”
Use MOM to monitor and report on your network. Use SMS to deploy updates. http://www.microsoft.com/mom/evaluation/faqs/default.mspx#ECAAA
“What build of WSUS is he using?”
Using the most recent downloadable version – WSUS 1.0
“Does a computer (standalone) have to be joined to a domain to be under a WSUS servers control?”
No, the machines are never under the control of the WSUS server, rather the clients configured to use WSUS request pull updates from the server at the scheduled interval. Configure your non-domain machines in the local security policy to point to your WSUS server.
“Can the WSUS server update itself?”
Yes. It’s a good idea, though to make sure that the server is fully updated before WSUS is loaded.
“Do the users computers have to be logged on as local admins to install updates using WSUS?”
No. See http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA03939-A5A9-407B-A4B0-1290BA5182F8&displaylang=en
“Does SMS do uninstall of applications easily too? For instance weather bug! :)”
Sure can...If you choose Specify a Custom Command Line, on the Custom Command Line page that appears, type the new run command line (which should be the command that is installed on the client and executes the application from the server). Then, if you have created an uninstall script and registered the program with Add/Remove Programs, type the Uninstall key. For more information, see "Setting Up Removal for Client Applications" later in this chapter. When you click Next, the wizard displays the Migration Status page. For more information, see "Analyzing and Migrating Individual Programs" earlier in this chapter.
“Sorry If I missed this, but do all the applications need to be installed on the sms server to create the package? Or is there a package client for creating the packages on another computer?”
Check out http://www.microsoft.com/technet/prodtechnol/sms/sms2003/opsguide/ops_75tj.mspx for details on how to create a package in SMS.
“How much does MOM 2005 cost?”
See http://www.microsoft.com/mom/howtobuy/default.mspx for details; it is in the $500-$1000 range.
“Where can we find those [MOM Management] packs?”
Management packs are provided by the vendor. So Microsoft provides a variety of packs for our products and many third party vendors have created packs for MOM, in those cases contact the vendor.
“For instance SQL Server 2000 and BizTalk server 2002 and 2004.”
See the catalog http://www.microsoft.com/management/mma/catalog.aspx
“Does MOM require SMS?”
No, but they go great together.
“So, a MOM+LanDesk combination would work fine?”
I am unfamiliar with that product but if it is a management system—yes.
The SBS Support team has launched their own blog, with the promise of doing a podcast in the near future, too.
And here is their first post.
Of course you might also want to subscribe to the “SBS Diva”.
SQL Server 2005 Tidbit 006
SQL Server 2005 Tidbit 6...
"Will linked servers work between different versions of SQL Server? i.e. SQL Server 2000 and Yukon and vice versa.”
…or for anyone who wants to learn more about the tools available for Security Update management, there is what looks to be a very useful webcast getting into greater detail about using MBSA 2.0, WSUS, and SMS going on tomorrow.
“Hey! Those are three of the four topics you discuss today!”
Right! My session (a part of the Windows Server 2003 Administration Webcast Series) is an introduction to these tools, showing you some of the basics. The session tomorrow (a part of the Management Webcast Series) will focus more on using these tools together specifically for the sake of Security and managing the roll-out of updates.
Here are the details:
Thursday, August 25, 2005, 11:00 A.M.–12:30 P.M. Pacific Time
View this top-rated breakout session from Microsoft Tech·Ed 2005 in Orlando, Florida, and learn about Microsoft's strategy for update management.
SQL Server 2005 Tidbit 005
SQL Server 2005 Tidbit number FIVE..
“Can 2005 Express be part of the multiserver environment? In SQL Server 2000, target servers running MSDE cannot be enlisted.”
According to the SQL Server 2005 Express information page (http://www.microsoft.com/sql/express/default.mspx), SQL Express can participate as a Transactional and Merge Replication Subscriber, as a client for the SQL Service Broker, and will support distributed transactions. Sweet!
Greetings! Here are the promised resources for the webcast I delivered on Aug 24, 2005 on Windows Server 2003 Administration (Part 2 of 2). Official Content session number TNT1–126.
Hope you find these links useful!
Kevin’s TNT1–126 Additional Resources
Download MBSA 2.0
MBSA 2.0 Frequently Asked Questions
Step-by-Step Guide to getting started with WSUS
Deploying Microsoft Windows Server Update Services
WSUS System Requirements
WSUS Data Sheet
WSUS Frequently Asked Questions
WSUS Operations Guide
SMS Product Overview
SMS Frequently Asked Questions
Microsoft Operations Manager – Product Overview
MOM 2005 Frequently Asked Questions
MOM 2005 Overview Demo
Free Live TechNet Events
TechNet Events Bloggers
Official Series Content Resource Page
Free Windows Server 2003 Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003.mspx
Windows Server 2003 Evaluation kit: http://www.microsoft.com/windowsserver2003/evaluation/trial/evalkit.mspx
Windows Server 2003 Training and Events: http://www.microsoft.com/windowsserver2003/techinfo/training/default.mspx
Microsoft Events page:
As you know, a new CTP (Community Technology Preview… call it a Beta) of the next Service Pack (SP2) is available for Microsoft Exchange Server 2003.
My friend and colleague Keith “KingCobra” Combs has posted an excellent description of one of the key new anti-spam features, the Sender ID Framework.
Give it a read! He includes some very useful hints and links to tools for troubleshooting as well.
SQL Server 2005 Tidbit 004
Another one! Number four…
This tidbit comes as a result of a question an attendee from one of our live TechNet Events emailed me.
“We have a multiserver environment with one master server and twenty-four instances of SQL Server as target servers. Will multiserver work in a multi-versioned environment? In other words, if I upgrade the master server to Yukon, will it still be able to download instructions, etc., to the target servers if they are running SQL Server 2000? If one of the target servers is upgraded to Yukon, will the master server running SQL Server 2000 choke?”
It's important to upgrade whatever server you're using as the central distributor first. That's where the services run. Once that's done, though, it doesn't matter which of the others you upgrade next. 2000 publishers can talk to 2005 subscribers, and vice versa.
This Wednesday, August 24, 2005, I’m delivering Part 2 of the two-part webcast set on Windows Server 2003 System Administration. We’ll be covering:
Here is the link to register for Part 2.
And if you missed it, Part 1 is available for On-Demand viewing HERE.
See you there!
SQL Server 2005 Tidbit 003
Tidbit time! Number 3…
“Can SQL Server 7.0 be upgraded directly to Yukon? Or does 7.0 need to be upgraded to SQL Server 2000 first? And what are my options with MSDE 7.0?”
No, you can't upgrade SQL Server 7 directly to SQL 2005. First 7.0 needs to be upgraded to 2000. However, if you do a new installation (either on another computer or even side-by-side on your existing SQL 7 server), it will automatically upgrade the metadata of the databases by either doing a backup/restore, database copy, or even a detach / attach of your old database onto the new server. So your databases will be upgraded and usable right away. This is true of SQL 7 databases as well. And remember also that you have "backward compatibility levels" you can set for your database that will allow older T-SQL to run (65, 70, 80, or the new 90 level). This only affects T-SQL, however. Other constructs may still need to be tweaked. (Actually, there is even a 60 compatibility level, but those databases can't be managed in the Management Studio.)
The same is true for an upgrade-in-place. The database metadata will be upgraded, but the data itself remains where it was.
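The two ways of moving an older database onto a new SQL Server 2005 instance that the tidbit mentions, restore and detach/attach, look like this in T-SQL, together with checking and changing the compatibility level afterwards. This is an added example and not from the original post; the database name and file paths are placeholders.

```sql
-- Added example (not from the original post): bringing a database from a
-- SQL Server 2000 instance onto a SQL Server 2005 instance and then choosing
-- its compatibility level. Names and paths are placeholders.

-- Option 1: restore a backup taken on the old server. The restore upgrades
-- the database's metadata; the data pages themselves are copied as they are.
-- MOVE relocates the logical files to paths that exist on the new server.
RESTORE DATABASE OldAppDb
    FROM DISK = 'D:\Backups\OldAppDb.bak'
    WITH MOVE 'OldAppDb'     TO 'D:\Data\OldAppDb.mdf',
         MOVE 'OldAppDb_log' TO 'D:\Logs\OldAppDb_log.ldf';

-- Option 2: detach on the old server, copy the .mdf/.ldf files over, and
-- attach on the new one. Step (a) runs on the SQL Server 2000 instance:
--     EXEC sp_detach_db 'OldAppDb';
-- Step (b) runs on the SQL Server 2005 instance after the files are copied:
CREATE DATABASE OldAppDb
    ON (FILENAME = 'D:\Data\OldAppDb.mdf'),
       (FILENAME = 'D:\Logs\OldAppDb_log.ldf')
    FOR ATTACH;

-- Either way the database keeps the compatibility level it had on the old
-- server (80 for a SQL Server 2000 database), so existing T-SQL keeps
-- running. sys.databases is the 2005 catalog view that exposes it.
SELECT name, compatibility_level
FROM sys.databases
WHERE name = 'OldAppDb';

-- Once the application has been tested against the new engine, move the
-- database to the native 2005 level so the new language features (and the
-- stricter parsing that comes with them) apply. sp_dbcmptlevel is the
-- SQL Server 2005 procedure for this; valid levels are 60, 65, 70, 80 and 90.
EXEC sp_dbcmptlevel 'OldAppDb', 90;
```

Leaving a database at level 80 is a compatibility aid, not a long-term setting: the application should be tested at 90 and moved there, since that is the level the new parser, new features and future fixes are built around.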
This video is fantastic!
I am really excited for this product – especially when they get more up-to-date photos. Example: This is my neighborhood, but taken 10 years ago when it was still farmland.
Interesting survey results on blogging, readers, and RSS. Found on BloggersBlog.com…
Blogging and readership are growing. MSN Spaces is growing in a BIG way. (Hooray for our team. )
“What’s the bad news?”
50% of regular blog readers don’t know what RSS stands for (no, it’s not “Rocket Science Surgery”) let alone how to use it to pull posts they’re interested in.
The beauty of RSS is that you control the channel. That means that instead of going back to a web site over and over again to find something new, you can (or should be able to) capture a link and set up something that will automatically TELL YOU when something is new or interesting to YOU.
And here’s the kicker… I am really passionate about building and supporting the IT Pro community. (Been there, done that, and now I want to give IT Pros all the help and resources I can.) And part of my focus in doing that is in letting people know about our events (live, webcasts, whatever). Microsoft and I can’t email all of you without seriously invading your privacy. And perhaps you have unknowingly opted-out of receiving any emails from Microsoft letting you know when we’ll be coming to your area.
So what if I were to give you a way to control the channel in terms of getting notified about certain events? You could set up a news aggregator (I happen to love SharpReader.. and it’s free) and insert the feed link there… a feed that will only notify you when an event near you or that you find interesting has been scheduled.
“Sounds cool… but really, what benefits will I see from this?”
How about this:
“Sweet! Sign me up!”
No no no.. Weren’t you paying attention? You’re empowered to do that yourself! We’re still improving the ways you can do this, but right now you can actually go to www.technetevents.com, www.techneteventsbloggers.net, or www.microsoft.com/webcasts and find lots of RSS feeds – some you can even customize for events coming your area!
So.. get a reader, go to our sites, get some links, and be connected!
Who dressed this guy?
Just in time for Back to School, this demo is quite amazing.
And here’s where you can get the free Education Pack mentioned.
At first I was thinking I shouldn’t let my kids watch it – but now I think it was probably dangerous for their Father to see it, too.
(Credit to Tyme for posting about this.)
SQL Server 2005 Tidbit 002
Ready for another tidbit?
“Are online restore and online index only available in Enterprise Edition? Do you have a document that lists which features are available in each edition?”
Online Restore and Online Index are only available in Enterprise Edition. Here is a page that spells out the features and what editions they're a part of in great detail: http://www.microsoft.com/sql/2005/productinfo/sql2005features.mspx
SQL Server 2005 Tidbit 001
Hello all you DBAs!
Yes, this is the first of what promises to be over 100 tidbits of information on the new version of SQL Server (formerly codename: Yukon) coming out the first week of November, 2005. Some of these tidbits (like today’s) will point to cool resources found online. Others will be answers to good questions I’ve received. (So if you have questions, send them to me either as a comment to these blog posts, or click the contact link here or at the top of this blog page.)
Today’s tidbit: Mirroring.
My friend, coworker, and fellow Karaoke singer Chris Avis emailed the team with a resource he found online. It’s chapter 15 of a book coming out next month called “Pro SQL Server 2005”. (ISBN: 1–59059–477–0).
Chapter 15 is all about Database Mirroring – a huge new functionality in SQL Server 2005 that allows for easy, fast, distance-independent failover. No special hardware required.
Check it out!
Here, as promised, are the “Best of” Q&A from the Webcast I delivered on August 17, 2005 – “Windows Server 2003 System Administration, Part 1 of 2”.
If you didn’t see this webcast and would like to view it ON DEMAND, click here.
Don’t forget to take advantage of the Additional Resources I’ve posted. Also, be sure to sign up for (or view), PART 2, being delivered on August 24, 2005.
HUGE thanks to my teammates Chris Avis, Shawn Travers, and Harold Wong, for helping out with Q&A. These answers are their marvelous contribution to the webcast experience.
Hope you find these useful!
“What are knowledge levels 100/200/300? Is there a definition?”
100 is basic feature/benefit information, 200 is configuration/settings information, 300 is registry/service level configuration, and 400 level is bits/byte level understanding, network packet analysis, etc...
“If I want to set up an AD, should I have DNS configured on the same machine?”
When you run through the DCPROMO process to install an AD Domain Controller, you will be asked if you have DNS installed or wish to install a new DNS. In general you will have DNS installed on the DC itself, but it is supported when DNS is installed on another physical box.
“Thanks. What I meant is, should I have DNS with AD? Can AD work without DNS?”
No. DNS is required for Active Directory to install and to operate.
“Can we add custom roles [in the Configure Server Roles / Manager Server Roles Wizards]?”
Sure. All it requires is ability to export/import configuration settings, or you can build a template from scratch, but you'd need to know a bit of scripting to do this.
“Why is it I can add "Everyone" and "System" to folder permissions, however, if I try to search for these two accounts in AD, I can not see them?”
These are default local machine accounts, every machine has them regardless of their domain membership.
“the audio is ahead of the screens...”
Fascinating. I was concerned that there was a significant audio DELAY over this webcast. If it really bothers you, try closing out of LM, clear your Internet Cache, and re-enter the meeting.
“Is it true that Windows Server 2003 R2 will offer more granular control over quotas?”
That is the current thinking, yes.
“I am in the process of setting up a new forest and will have a trust to my old NT domain (not a candidate for directly upgrading) Users in the 2k3 domain will have access to the NT resources but the opposite is not true. My printers are currently in the NT domain. Can I also set them up as resources in the new domain?”
Yes. Just make sure the correct trust direction is in place, and then add users to groups and the groups to shares as normal.
“I have a small network and my router plays the role of DHCP as well as my Internet access for all my machines. If I install AD with a DNS, is there a guide, or can you point me to how to configure this AD/DNS?”
You'll probably need to review the Windows Server 2003 Deployment Guide. Pay particular attention to the AD, DNS, and DHCP sections. For your convenience, here is a link to the DNS deployment information: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7f6df44c-06c3-4b92-ba32-63d895a7924b.mspx
“Using dsadd, can I do a copy from an existing account?”
No, I don't believe this is possible. Check out http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/8d37ecb0-ac28-4e05-aa05-da82dc36b54b.mspx for more information.
“Is there a script that allows adding further UPNs or modifying UPNs?”
I don't know of a specific script off hand, but you can search for scripts at the Technet Scripting Center -- http://www.microsoft.com/technet/scriptcenter/default.mspx
“I am hearing significant audio delay during this webcast. How can I fix it?”
Live Meeting support recommends disconnecting and then re-entering the Live Meeting session. If that doesn't help, turn your seat color to red and I will give you the back-up phone info.
“Can we do a trust with a win2003 server standalone (not included in the ad) to a domain controlled by (one way or 2 way)?”
No, trusts are configured between domains only. The standalone server would need to be configured as a DC.
“Are there significant differences between using RIS for Server 2003 and XP?”
No, not anymore. Prior to W2K3, there were restrictions on servers, but now they are identical.
“Any updates for the RIS boot disk available (with more adapters inside)?”
Hmm...not really. It is really up to the hardware vendors to build adapters that work with the boot disk.
“Is it necessary to install the DHCP services? Will a router suffice?”
You can use any DHCP service. If your router is also handing out addresses to your internal network using DHCP, then it will work.
“Is that RIS Unique Computer name customizable?”
Absolutely. 100%. You can configure the names by static list, by prestaging MAC addresses to names in AD, or by allowing randomization of computer names. It's up to you and fully configurable. This is one of the big improvements over standalone image install using sysprep and 3rd party utilities.
“What do you do from a policy standpoint to allow a user to install software on their own computer but not on other computers and servers?”
In general a user must be a local administrator to install software on their own machine. Ensuring you are not allowing them to be administrators on other machines in the network is the primary step.
“What’s the proper way to backup a DC?”
This is a Windows 2000 article but it applies to Windows 2003 as well -- http://support.microsoft.com/kb/240363/
“When creating a trust for migration, is it necessary to disable SID filtering on both the target and source domains or just the target?”
It's okay to disable SID filtering on both the source and target, but only the target is necessary.
“Can we use GPMC to manage XP workstation policies also?”
You can install the GPMC to an XP Machine, but it only manages Group Policy, not local policy. - http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx
“How to change the default menu within the RIS Client Installation Wizard? Some years ago there was a 3Com tool available, but unfortunately it disappeared.”
That's a good question. I'm actually not aware of any new products that allow customization of the menu.
“Is it possible to automatically deploy different images to different computers, based on which part of the network they were plugged in at, or certain group membership, or any other criteria?”
No, the administrator who logs onto the machine picks the appropriate image after booting to the network card. The list of images that the administrator sees can be limited using permissioning to the administrator account.
“Which one would have a higher priority on GPO >> User Configuration or Computer Configuration?”
Computer Configuration trumps User Configuration for conflicts only. All settings that do not directly conflict will apply.
“Are you really sure that ANY DHCP service (e.g. DHCP based upon a cheap Linksys router) will support the BootP protocol and provide the RIS Installation Wizard code over TFTP? Can't believe that...”
If you are booting with a RIS disk, you can use ANY DHCP server to get an IP address. If your adapter is PXE enabled then you will have to make sure the DHCP provider is compatible - see the following for PXE interaction information -- http://support.microsoft.com/default.aspx?scid=kb;en-us;244036
“With Folder Redirection, in an environment with multiple servers in multiple locations, is there a way for people who travel to different locations to retrieve their documents in a timely manner?”
Well, sure, you could use FRS (File Replication Service) to replicate the users' "My Documents" folders to multiple locations. The user would then retrieve from the nearest copy.
“Can DSAdd create the exchange account too?”
DSADD cannot create the Exchange mailbox within the Exchange environment.
“Related to RIS, it's not the problem to get an IP address from a non-Windows DHCP server - the problem is to get code over TFTP from that DHCP server...”
I'm not sure I understand your question exactly. TFTP runs on the RIS server and is used to transfer the images to the RIS client. A separate DHCP server can be used for obtaining an IP address, but it would not be able to run TFTP for the purposes of RIS.
“Can a GPO be applied to laptops that will turn on offline folders so that after redirection of My Documents they will have their docs available offline?”
Yes, there are two separate settings in your GPO: one setting redirects My Documents, and the other makes My Documents available offline.
“Is there a policy for setting the password for the local computer administrator to a given value for a group of machines?”
Unfortunately, there is no GPO setting that can do this. You can take advantage of scripts to perform this task.
“Can you describe "distinguished name"?”
Here is the technical description - http://www.faqs.org/rfcs/rfc1779.html -- it is essentially a name used in LDAP to identify a unique object.
“Can a GPO be utilized to lockdown USB ports?”
No, hardware configuration should be done with WMI scripts, or you can buy a large stick of caulk to plug up those ports. :)
“;) thanks, that works too...(writes "caulk" on the shopping list)”
“Is there a GP setting to restrict who can 'shut down or restart a server'?”
Yes -- \computer settings\Windows Settings\Security Settings\Local Policies\User Rights Assignments\Shut Down the System
“When a computer is booted there is a noticeable amount of time where the 'applying policies' message is displayed. How can you determine if the delay is normal or if something is wrong? I have a small 6-user, single-server, 100M network.”
You should only see an extensive delay after a significant change to a GPO. If you continue to see extensive delays, even after the policies have been allowed to run and apply, you have an issue. First place to check would be to make sure DNS is configured properly.
“Can you give me a link regarding automating adding/deleting objects in AD using VB scripts?”
The TechNet Script Center is a GREAT resource for this: http://www.microsoft.com/technet/scriptcenter/default.mspx.
“I’m not sure this is the proper discussion to ask this, but is there a method to allow 'users' to access Terminal Services? i.e. not just domain admins. <we already bought proper licenses>”
Once the licenses are applied, you can use the Terminal Server Manager to determine the number of connections and who can connect.
“I see that GPO user configuration settings will work on XP clients, but will they work on W95/W98 clients?”
No, GPO settings will have NO effect on Win95/Win98 clients.
“Is it possible to give users group access through TS to a Win 2003 server without being in an admin group?”
Absolutely. If you just want the user to be able to log on through Terminal Services, they do not have to be in the admin group. You just need to grant TS and local log on privileges to their account.
“What is the tool I can use to move Exchange 5.5 mailboxes across different organizations/sites?”
This is built into the Exchange System Manager with Exchange 2003 SP1.
“For exchange 5.5 ?”
If you don't have Exchange 2003 SP1 installed in your environment, then you would need to use ExMerge.
“Will that support moving exch 5.5 mailbox?”
“Where can I find this webcast recorded, so I can watch it again, since it took me 1 hour to get connected???”
“Can Win2003 allow a non-administrator to run taskmgr, see any process and kill any process (admin like access without admin)? Win2k wouldn't show the "Show processes from all users" unless the user was in the administrator group.”
Should be the same for Windows 2003.
“I didn't listen to the webcast from the beginning - what needs to be installed on the client machine to run Terminal Server?”
If you have a WinXP client, you use the Remote Desktop Connection tool under Start --> Programs --> Communications; otherwise, there are Terminal Server clients that are added to the Terminal Server upon installation that can be distributed to non-XP clients -- http://support.microsoft.com/default.aspx?scid=kb;en-us;816590
“Regarding Terminal Services... Which configuration will take precedence regarding session: (1) ADUC User Properties, (2) GPO Machine Config, (3) GPO Computer Config, (4) Terminal Services Configuration?”
LSDOU - Local machine policies are lowest priority, Site settings next higher priority, Domain GPOs next highest priority, and OU GPOs are highest priority. ADUC User Properties don't really conflict with GPOs, but they would have a higher priority than GPOs, I suppose. TS configuration also doesn't conflict with GPO settings.
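The two precedence rules given in this Q&A (LSDOU ordering, and Computer Configuration winning over User Configuration only where the same setting conflicts) can be modelled as a small resolver. This is an added illustration, not code from the webcast; it assumes that GPOs linked at the same level are applied in list order (later applied wins) and does not model Enforced, Block Inheritance, WMI filters or loopback processing.

```python
"""Toy Group Policy precedence resolver (added example, not from the webcast).

Assumptions: within one level, GPOs apply in list order (later applied wins);
Enforced, Block Inheritance, WMI filters and loopback processing are not modelled.
"""
from dataclasses import dataclass, field

# Apply order: Local, then Site, then Domain, then OU.  Whatever applies last
# wins a conflict, so an OU-linked GPO has the highest priority.
LEVELS = ("Local", "Site", "Domain", "OU")


@dataclass
class GPO:
    name: str
    level: str                                      # one of LEVELS
    computer: dict = field(default_factory=dict)    # Computer Configuration settings
    user: dict = field(default_factory=dict)        # User Configuration settings


def resolve(gpos):
    """Return (effective settings, winning GPO per setting)."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    ordered = sorted(gpos, key=lambda g: rank[g.level])   # stable sort keeps list order within a level
    effective, winner = {}, {}
    # Pass 1: User Configuration in LSDOU order.
    for g in ordered:
        for key, val in g.user.items():
            effective[key], winner[key] = val, f"{g.name} [user]"
    # Pass 2: Computer Configuration in LSDOU order.  Running it second means a
    # computer setting overrides a user setting of the same name (a conflict),
    # while non-conflicting user settings survive untouched.
    for g in ordered:
        for key, val in g.computer.items():
            effective[key], winner[key] = val, f"{g.name} [computer]"
    return effective, winner


# Constructed sample: scrambled link order, conflicts at several levels, and
# one setting (ScreenSaverTimeout) present in both configurations.
SAMPLE = [
    GPO("Default Domain Policy", "Domain", computer={"MinPasswordLength": 8}, user={"HideRunMenu": False}),
    GPO("Site Policy", "Site", user={"Wallpaper": "site.bmp"}),
    GPO("Local Policy", "Local", computer={"MinPasswordLength": 6, "AuditLogon": True}),
    GPO("Workstations OU", "OU", user={"HideRunMenu": True, "Wallpaper": "corp.bmp"}),
    GPO("Kiosks OU", "OU", computer={"ScreenSaverTimeout": 300}, user={"ScreenSaverTimeout": 900}),
]


def resolve_sample():
    return resolve(SAMPLE)


if __name__ == "__main__":
    effective, winner = resolve_sample()
    for key, val in effective.items():
        print(f"{key:20} = {val!s:10} from {winner[key]}")
```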