Kevin Remde's IT Pro Weblog
My friend and developer/MSDN presenter colleague Jacob posted about this, and I’m going to steal it from him. <heh>
Hitachi has a fun animation showing off the potential for new hard disk storage technology… a GREAT example of explaining something in simple terms that would otherwise cause most people’s heads to explode if simply described. Fun stuff!
If you haven’t signed up already, you’d better get signed up soon! I’d love to meet you there!
Make sure you introduce yourself to me. I’ll probably be hanging out by the cabanas and answering questions when I’m not attending the many great IT Pro-related sessions going on.
See you there!
Kevin
Here is this week’s “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the bulk of the credit for the information in this document. You guys are the best!
Also, I want to make sure you have the link to the Session Resources I posted for Part 10, and the homework assignment as well.
—
Part 10 Questions and Answers:
“Who's serving the popcorn?”
Yum… I don’t know. I can’t smell it on my end.
“I hear a country station, is that normal?”
Um… let’s see… how do I answer this without offending Country Music fans? <chuckle> I think I’ll just not say anything.
“Kevin, out of all the presenters I’ve heard, you provide clear on-point info, and your presenting is top notch!!!! GJ”
I know you can’t see it now, but I’m blushing. Thanks!
“Is the Connection Manager in SBS 2003 basically a VPN connection?”
Connection Manager is the package that allows you to install the client side of a connection. It will help you set up a VPN among many other connectivity options.
“Using ISA 2004 and AD can I restrict what servers a remote client can access?”
Yes you can.
“Can I use IAS authentication without active directory?”
Check out this great resource on IAS: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/d98eb914-258c-4f0b-ad04-dc4db9e4ee63.mspx
“Why does the VPN disconnect after about 3 minutes when connecting from an XP SP2 machine?”
Do you have the VPN connection setting set to disconnect after three minutes of inactivity? If so, then after 3 minutes of doing nothing on the connection, it would disconnect.
“Well, I created an entry in DNS to redirect www to another machine inside the network which has the company website.”
If this server on the internal side of the network is not accessible from the Internet, then users coming from the Internet will fail.
“For the umpteenth time I had problems connecting to these webcasts. I missed the beginning and effectively missed the whole webcast. I have wasted my time again fighting the system. This is getting beyond serious - to being utterly ridiculous!!!”
I agree wholeheartedly. We’re very sorry for the troubles these issues have caused. You are right, it is inexcusable. I encourage you to please visit this link to report these issues and voice your opinions: http://register.microsoft.com/contactus30/contactus.asp?domain=multimedia/webcast
“How much overhead in the protocol is estimated for the Microsoft VPN flavor?”
There is no specific number on this but PPTP has less overhead than L2TP. The reason there is no specific information is because hardware and connections are so varied.
“Has MPPE-128 been cracked?”
Not that I'm aware of.
“Certainly software based solutions generate more overhead than hardware based solutions. I was just curious on the overhead for Microsoft's version. Thanks”
We have always seen great performance and very little overhead. As a previous network engineer for Microsoft, I have never seen a limit hit.
“Is there a step-by-step guide for setup of L2TP with IPSec? Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?”
To use different pre-shared keys for all L2TP over IPSec router-to-router VPN connections, configure the following...see http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/intwork/inbe_vpn_qaax.asp
“The wire server room is used a lot by you guys. Don’t you have other pictures?”
Yes we have a few, but that is by far one of all our favorites because we can relate, as we hope you can too. I guess I’ll use it a little less often now. <sigh>
“Can I save this event for resume later?”
You can download and view the event later.
“Is the following correct: VPN can accept 11 connections? If you need more create another VPN object?”
No, VPN can accept much more than 11 connections. If you have configured it to be limited to 11, then you are more than welcome to increase the limit.
“Is VPN in sbs2003?”
Yes, it is exactly the same as in a regular server. But one drawback is managing the VPN endpoint on a DC. That is a security risk. I would recommend one NIC and a router that allows PPTP (GRE and 1433) or L2TP NAT traversal to the one internal address.
“Where I can download the event?”
You will be receiving an email tomorrow with links to download.
“Is VPN preferable over Terminal Services for remote access?”
Both have a high level of encryption. VPN with RDP would be the most secure.
“Why are there two VPN servers? Is this another office? I thought you just needed one.”
I think what you were seeing there was the use of VPN for a site-to-site connection – so instead of it just being an employee connecting to the office, it’s also used for connecting one office to another, with two VPN servers on either side of the pipe.
“Has PPTP been broken?”
I do believe that was the case back in the Windows 95 / 98 heyday (1999). However, updated DUN components were released for W9x to address this. Windows 2000, XP and 2003 are not susceptible to this (to the best of my knowledge).
“thanks”
Thanks for coming! Any questions are good questions!
“Are there any webcasts coming on ms cluster services?”
There was one done last Friday (April 8, 2005) with Clustering and SQL - Other than that one try searching on Clustering at http://www.microsoft.com/webcasts
“Was presenter referring 11 connections limit to something else or I have misunderstood?”
At that point I was just talking about the demo systems and the configuration implemented.
“I understood that UDP is not as reliable as TCP so, can you use TCP with L2TP?”
Yes. L2TP is only the tunneling protocol; whatever packets, TCP or UDP, are then sent over that.
“Is there a step-by-step guide for setup of L2TP with IPSec? Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server? RE: Step-by-step Guide for L2tP/IPSec - How about using certificates instead of pre-shared keys - can that be done? Is there a step-by-step?”
Might start here - http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/l2tpclientadmin.asp
“If they (hackers, listeners) go to that extent, don’t you think they will find another way to get in (listen). I just find it amusing that anyone would make a VPN on a dial-up connection.”
Well… consider this scenario: Someone only has dialup for Internet access (Netscape, NetZero, EarthLink, whatever) at home, but their employer has only set up Internet VPN access, which this person will need to use. So they’re doing VPN over the Internet, but via their dialup connection. In fact, I was doing this very thing for at least a year before I had high-speed access at home.
“If PPTP is only set on the RRAS server is there any benefit to selecting automatic on type of VPN?”
If you mean the client, then yes, auto is fine. It will try both.
“When you create a VPN connection is there a way to keep a connection to the local network?”
Once you've created your VPN connection, you're still on the local network. You're given a new IP address for the destination network, but you have two IP addresses: one for the local network and one for the VPN network. Now… that doesn’t mean that your default gateway for Internet access hasn’t changed. That’s another issue.
“For VPNs, for which firewall ports do I need to configure an allow policy?”
PPTP is 1723 and the GRE protocol 47. Most routers will not work with L2TP.
“What happens if both local networks have the same local IP configs. ie: both are 192.168.0.x?”
There is no way to route between them if both networks are the same.
“Do you need to put an ACL on your firewall to allow a VPN that you have set up on your DC and workstation?”
You have to allow 1723 and GRE.
“Is there a good way to export and import large amount of RADIUS clients?”
How to Add and Remove Radius Clients, see http://www.microsoft.com/technet/security/topics/cryptographyetc/secmod190.mspx
“What does RADIUS stand for?”
Remote Authentication Dial-In User Service (RADIUS)
“What's the RADIUS port(s)?”
RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, IAS supports receiving RADIUS messages destined to both sets of UDP ports. For information about changing the UDP ports that are used by IAS, see Configure IAS port information. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
“Why won't most routers work with L2TP and what can you do, if anything, to work around this? What about PPTP?”
Until 2003 there was no way to get through NAT with IPSec or L2TP. Most companies use NAT to allow them to address their internal network in a way that doesn’t require large numbers of valid external IP addresses to be used internally. These L2TP connections are UDP connections, usually over port 500. You have to make sure you have a router that can perform and allow NAT traversal back to your VPN server. It is in most newer routers.
“How much RAM does the machine hosting the virtual machines have?”
My laptop has a total of 2 GB of physical RAM. The virtual machines I am running for this series are configured to use 512MB, 512MB, and 256MB (two servers and an XP Pro Client).
“Is there information configuring radius for use with a wireless access point?”
A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9ecf38e5-3200-490d-83d8-2c624da94d8b.mspx
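The two RADIUS answers above (the UDP ports, and the client/server message exchange) describe a format that is easy to check in code. The following is an added example, not code from the webcast or from Microsoft IAS: it parses the single RADIUS message carried in a UDP payload, rejects the malformed cases RFC 2865 says to discard, and verifies a server reply's Response Authenticator so a RADIUS client (a VPN server or access point) can tell a reply from a server holding the shared secret apart from a forged one. The shared secret, identifier, user name and attribute values are constructed for the demonstration.

```python
"""Parse RADIUS messages and verify a server's Response Authenticator (RFC 2865).

Added example for the RADIUS port and client/server answers above. It is not
code from the webcast or from Microsoft IAS. The shared secret, identifier
and attribute values are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

# Port pairs from the answer above: authentication and accounting, new and legacy
RADIUS_PORTS = {1812: "authentication", 1813: "accounting",
                1645: "authentication (legacy)", 1646: "accounting (legacy)"}

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Fixed header: Code (1), Identifier (1), Length (2), Authenticator (16)
HEADER = struct.Struct("!BBH16s")


def parse_radius(payload: bytes) -> dict:
    """Parse the single RADIUS message carried in one UDP payload.

    Raises ValueError for the malformed cases RFC 2865 says to discard:
    a Length shorter than the header or longer than the datagram, or an
    attribute that does not fit inside Length. Octets beyond Length are padding.
    """
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 20-byte RADIUS header")
    code, ident, length, authenticator = HEADER.unpack_from(payload)
    if length < HEADER.size or length > len(payload):
        raise ValueError(f"Length {length} invalid for {len(payload)}-byte payload")
    attributes = []
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attributes.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"), "id": ident,
            "length": length, "authenticator": authenticator,
            "attributes": attributes}


def _encode_attributes(attrs) -> bytes:
    # Each attribute is Type (1), Length (1, includes these two octets), Value
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def build_request(ident: int, attrs, request_auth: bytes) -> bytes:
    """Access-Request as a RADIUS client (VPN server, access point) would send it."""
    body = _encode_attributes(attrs)
    return HEADER.pack(1, ident, HEADER.size + len(body), request_auth) + body


def build_response(code: int, ident: int, attrs, request_auth: bytes,
                   secret: bytes) -> bytes:
    """Server reply whose authenticator proves possession of the shared secret:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attributes(attrs)
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length)
                            + request_auth + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that a reply came from a server holding the shared secret.
    A reply that fails this check should be dropped, not acted upon."""
    msg = parse_radius(response)
    expected = hashlib.md5(response[:4] + request_auth
                           + response[HEADER.size:msg["length"]] + secret).digest()
    return hmac.compare_digest(expected, msg["authenticator"])


def demo() -> dict:
    """Constructed exchange: a VPN server asks the RADIUS server about user 'alice'."""
    secret = b"constructed-shared-secret"         # constructed, not a real value
    request_auth = bytes(range(16))              # a real client uses 16 random octets
    request = build_request(7, [(1, b"alice"),                      # User-Name
                                (4, bytes([192, 0, 2, 10]))],       # NAS-IP-Address
                            request_auth)
    accept = build_response(2, 7, [(18, b"Welcome")], request_auth, secret)
    forged = build_response(2, 7, [(18, b"Welcome")], request_auth, b"wrong-secret")
    return {
        "request": parse_radius(request)["name"],
        "accept_verified": verify_response(accept, request_auth, secret),
        "forged_verified": verify_response(forged, request_auth, secret),
        "auth_port": RADIUS_PORTS[1812],
    }


if __name__ == "__main__":
    print(demo())
```

The same shared-secret check is what a RADIUS proxy relies on when it forwards messages between RADIUS-enabled computers, which is why the secret configured on each IAS client entry matters as much as the port numbers.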
“To all you out there configuring an ISA... Unplug your connection to the Internet until your ISA is configured. I was hacked between the time I configured the NIC and the ISA server. This was a timeframe of less than 10 mins.”
Good point. And a good indication of the state of things today. NEVER connect a server or any PC directly to the Internet without first protecting it in some way. In your case, with your new server that is eventually going to be a firewall, you ran into something that is all too common. It takes now on average only 20 minutes for an unprotected machine to become infected. That is EXACTLY why we’re including things like Post Setup Security Update (PSSU) functions in Windows Server 2003 SP1 – installing the Windows Firewall and locking down external access until the machine is configured and up-to-date with the latest security updates.
“Thanks. I think I’ll see the recording. When will this be available? It`s 23.00 in Norway. Must get sleep :-)”
Thanks for staying up for us!
“I thought it was not a good practice to run RRAS or IAS on a domain controller.”
Generally speaking, yes. For our demos, we tend to "break" a lot of the best practices rules due to limitations on number of virtual machines we can run effectively in one session.
“OK Thanks. You guys are great.”
Thanks for attending. Always a pleasure to help.
“Can you specify a backup RADIUS server?”
Check out - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/54f4f112-d473-4b18-9501-53e92c5d4467.mspx
“1. Install 2003 server. 2. Configure NIC 3. Get hacked 4. Install ISA Server. Between 3 and 4 you are totally exposed, right?!”
If you are connected to the Internet during this installation process; yes, that is correct. If you were installing Windows 2003 with SP1 (slipstreamed), then the Firewall service would come active immediately to prevent step 3. (See my PSSU comment earlier) However, I would highly recommend that you install your servers without direct connectivity to the Internet until you've fully configured and secured it.
“Will there be a webcast on wireless w/certificate services for windows 2003?”
None currently planned that I’m aware of.
“Can I make this work with a Cisco router?”
As long as your router is up to date, PPTP is easy and L2TP is dependent on you having 2003 server and the ability for the router to pass L2TP.
“Applause!!!”
[bow] Thanks!
“Thank you ....when does this whole series repeat?”
You will be able to view or download the webcasts from this series anytime you want.
“My Cisco router has no firewall, but NAT is enabled. Is this a problem for L2TP?”
You will need to find out if it has the ability to allow L2TP traffic to pass through.
“I received an invitation to attend TechEd Europe in Amsterdam. Is this worth the money?”
TechEd is a very informative conference. And I am one of the biggest fans of TechEd you’re going to meet. One other noteworthy item is that our people in the product groups are GOALED on attending TechEd and a couple of conferences. Therefore I do believe it would be worth your time.
“Netopia made it sound like I need their router for a VPN. Not true?”
Netopia offers a hardware based VPN solution. You can buy that, or you can go with a software solution such as the RRAS that’s already included in Windows Server 2003.
“I may be a little slow here, but what is the advantage of setting up a RADIUS server vs just VPN connections?”
RADIUS is just another way to authenticate users. It is a standard for both authentication and authorization, as well as accounting. Being standard, it can be used by many different hardware and software devices requiring authentication. And if it’s Microsoft’s IAS, it’s also able to use Active Directory accounts for that authentication. And it can be a central authorization point for RAS servers, with common Remote Access policies being managed there.
“I was thinking about choosing the RAS client by IP or DNS.”
I’m not sure what you were asking, but you may be referring to the demo where I configured the VPN client to connect to the external IP address of the VPN Server. Yes, if you want, you could also have a name defined for that address and as long as DNS is able to resolve it, you can add that in the connection parameters as well.
“Would running remote desktop connections through a VPN be a good practice or is that just a redundant level of security?”
Redundancy is always good - especially in Security. But if you are assured of an encrypted connection for RDP, you are safe.
“Is this correct: A person is using WiFi and VPNs into a network. Is the Internet controlled by VPN network permissions or by the WiFi provider?”
Completely by the VPN. WiFi would only be a concern if it was actually a connection on your internal network, then you would not need VPN.
“Can Kevin share those funny pictures with us?”
Absolutely!
Have a great day!
The Microsoft Security Response Center has a blog address now. Check it out!
Subscribe to it if you’re interested in good security-related posts and updates.
My friend and colleague Chris Henley is leading a 12 week Webcast Series all about strategies and tools for the migration to Active Directory.
Chris is an excellent presenter and quite knowledgeable on the subject, so this is going to be a great series. Sign up for all of them! And if you missed some of them live, you can also view the previous session’s recordings on-demand.
(Free training – and a chance to win a Portable Media Center, too!)
Sometimes I see or read about really cool things from Microsoft.. development tools and resources that really make me wish I were still a Software Engineer. I’ve always loved the creativity and problem solving that software development affords. Example: the new tools coming in Visual Studio 2005 still make me salivate, quite frankly.
I remember when I was a developer seeing good documentation coming from Microsoft and others, and getting really excited. I was especially pleased whenever Microsoft would release some white-paper about how THEY were doing development (the way I do now when I look at how Microsoft does IT, too.)
What made me think of that was a letter I found in my inbox this morning. Michael Howard sent a letter to the NTBugtraq e-mail listserver membership which was published earlier today. In it he describes a new Microsoft “Security Development Lifecycle” paper.
“The SDL is the process that Microsoft has implemented for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software developed under the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.”
So this is the sort of thing that, as a former developer, gets me excited on behalf of developers everywhere! You can compare your company’s secure development process to the way Microsoft does it, and borrow from our best practices. (Does the phrase, “Don’t reinvent the wheel” mean anything to you?)
And I encourage all of my counterparts on the MSDN team to blog about this paper, too.
..and we only have to wait until May 12th!
That’s when, according to gameindustry.biz, the official unveiling will be done. And on MTV, of all places!
Windows Server Administration Webcast Series Homework Assignment #10
1. http://blogs.technet.com/kevinremde
2. Windows Server 2003 Virtual Lab: VPN Scenarios with ISA 2004
http://www.microsoft.com/technet/vlab
This virtual lab allows you to:
On that Virtual Lab homepage, click on the ISA section.
Resource Page for TechNet Webcast: Windows Server 2003 Administration Series (Part 10 of 12): VPN/RAS (Level 200)
Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Here are some resources relating to the webcast topic presented. I hope you find them useful.
“What is Dial-up Remote Access?”
“How Dial-up Remote Access Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dura_How.asp
Remote Access Concepts
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_RASS_concepts.asp
Virtual Private Networks for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx
“What is VPN?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_what.asp
“How VPN Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_vpn_how.asp
Placing Remote Access Servers
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_zsom.asp
Selecting a VPN Protocol
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_riyr.asp
Concepts for IAS
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_tttg.asp
Determine the Role of the IAS Server
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_dprk.asp
Integrate IAS with the Certificate Infrastructure
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_xkyp.asp
Secure the IAS RADIUS Server and RADIUS Proxy
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbk_ias_qnbl.asp
Microsoft TechNet:
http://www.microsoft.com/technet
Official Series Content Resource Page:
http://www.microsoft.com/technet/tnt4–04
Free Windows Server 2003 Virtual Labs:
http://www.microsoft.com/technet/traincert/virtuallab/windowsserver2003.mspx
Windows Server 2003 Evaluation Kit:
http://www.microsoft.com/windowsserver2003/evaluation/trial/evalkit.mspx
Windows Server 2003 Training and Events:
http://www.microsoft.com/windowsserver2003/techinfo/training/default.mspx
New and improved Microsoft Events page:
http://www.microsoft.com/events
Wednesday, April 20, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Join this webcast and learn what you need to know about routing, routing protocols, and configuring routing on Windows Server 2003.
Yay! No major audio or timing issues this week! It’s so much fun when things go right!
Here is this week’s “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Wonderful!
Also, I want to make sure you have the link to the Session Resources I posted for Part 9, and the homework assignment as well.
Part 9 Questions and Answers:
“Thanks for the informative webcast every week. Sometimes it would be nice if the webcast were earlier in the morning for you, because it is exhausting to see all the good webcasts late in the evening for us in Europe.”
Yeah… that’s a problem I wish I had considered further when originally scheduling these. Much of my job involves travel. I do these webcasts more often-than-not in hotels or other Microsoft Offices. During my normal TechNet Event weeks, Wednesdays are usually travel days between Tuesday and Thursday events, so if I can’t get a flight out or drive to the next location on Tuesday night, I’ll be doing it Wednesday morning… which is why I thought later on Wednesday afternoon would be better.
If I get the opportunity to do another series (and I’d LOVE to!), I’ll see if we can do it Monday morning instead.
“Will the past 2 events be available in live meeting format soon?”
The last one [part 8] should be posted. We've had problems with and are still trying to recover part 7.
Keith Combs: “I love DHCP”
Thanks, Keith.
“Can we download any presentation as WMA, not PDF? Thanks.”
The WMV archive will be available 72 hours after the event.
“This is off topic, but our company would like to use this MS Office Live Meeting 7 application format for providing online demos with government Public Health Laboratories. Can you direct me to more information of how to utilize this application for such purposes (purchase, configuration, etc.)? Good class.”
Thanks. Have you looked at http://www.microsoft.com/livemeeting?
“No, that is the kind of thing I was asking about. Thank you. Are there others you know of?”
Yes. You might also check http://www.microsoft.com/office/livecomm/prodinfo/default.mspx
“Would you include addresses that are going to be reserved in an exclusion range?”
Yes, that's another good way to self-document those addresses.
“Is it better to use exclusions or a narrow pool range to place static entries for like servers and printers?”
Because of the inflexibility of Pools once you’ve defined them, I would make them large to begin with, and then use exclusions to narrow down what is actually being handed out by individual DHCP servers.
“Followup to the exclusion question - is there any impact to doing it either way?”
Other than the inflexibility of re-configuring pools, no.
“Is there any way to issue out IPv6 addresses via DHCP?”
Not aware of any - Great Overview here - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/14_s3ip6.mspx
“If you have an address range for DHCP to give out, but some of those addresses are used in reservations, would DHCP know not to give out those addresses or would it cause conflicts?”
Yes, it will not give that out, but be aware that if it is already in use, it won't force a release on the address.
“We have a number of remote users and I want to assign them an address when they VPN in. Is there a good article describing this when using a domain controller with and a separate RRAS server?”
An address that is the same each time they connect, or just any address from a pool?
“Can be either. Whatever would be the best practice.”
Most people set up a pool for VPN clients. Less maintenance and hassle.
“OK Is there a good KB article for setting up a pool?”
All of the VPN deployment and planning docs will go through this. It is also in the ISA Server 2004 planning documents in case you are using our firewall product.
“Should you confirm that there are no entries in the other tabs in TCP/IP properties before you switch to automatic pickup?”
No need.
“Does the DHCP server have to have a static address, or can it obtain a reserved IP address from its own database?”
It should have a static address.
“If you are going from a static IP environment to a DHCP environment, will you have to touch each PC to make that change, or is there another way?”
You could use NETSH - http://support.microsoft.com/default.aspx?scid=kb;en-us;257748
“I have a Linux-based computer set up for DHCP now. Can I configure a W2K server for DHCP while it's running on the Linux box, or do I need to shut down the Linux box first before configuring DHCP on the W2K server?”
It’s just another DHCP server on the line, so there shouldn’t be any issues unless they are both being configured to hand out the same or overlapping address ranges.
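The exclusion, reservation and two-server answers above all come down to the same arithmetic on address ranges. The following is an added example, not the Windows Server 2003 DHCP service's own logic: it computes the addresses a scope can actually lease once exclusions and reservations are taken out, flags a reservation placed inside an exclusion range, and lists the addresses two servers on the same wire could both hand out, the overlap the answer above warns about. The scope bounds, exclusion range, MAC addresses and server names are constructed for the demonstration.

```python
"""DHCP scope sanity checks: effective pool, reservation placement, server overlap.

Added example for the exclusion, reservation and two-server questions above;
it is not the Windows Server 2003 DHCP service's own logic. All scopes,
exclusions, reservations and MAC addresses below are constructed for the demo.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address


@dataclass
class Scope:
    name: str
    start: IPv4Address
    end: IPv4Address
    exclusions: list = field(default_factory=list)     # [(first, last), ...]
    reservations: dict = field(default_factory=dict)   # MAC -> IPv4Address


def _excluded(scope: Scope, addr: IPv4Address) -> bool:
    return any(lo <= addr <= hi for lo, hi in scope.exclusions)


def leasable_addresses(scope: Scope) -> list:
    """Addresses the server may offer dynamically: the pool minus exclusions and
    minus reserved addresses (a reservation is held for one client only)."""
    reserved = set(scope.reservations.values())
    result = []
    addr = scope.start
    while addr <= scope.end:
        if not _excluded(scope, addr) and addr not in reserved:
            result.append(addr)
        addr += 1
    return result


def reservation_issues(scope: Scope) -> list:
    """Flag reservations that fall outside the pool or inside an exclusion range."""
    issues = []
    for mac, addr in scope.reservations.items():
        if not scope.start <= addr <= scope.end:
            issues.append(f"{mac}: {addr} is outside scope {scope.name}")
        elif _excluded(scope, addr):
            issues.append(f"{mac}: {addr} is inside an exclusion range of {scope.name}")
    return issues


def overlap(a: Scope, b: Scope) -> list:
    """Addresses two servers could both hand out: the intersection of their
    leasable sets. Non-empty means duplicate-address conflicts are possible."""
    return sorted(set(leasable_addresses(a)) & set(leasable_addresses(b)))


def demo() -> dict:
    # Windows server: one large pool, with servers and printers kept out by an exclusion
    win = Scope("W2K3-DHCP", ip_address("192.168.0.1"), ip_address("192.168.0.254"),
                exclusions=[(ip_address("192.168.0.1"), ip_address("192.168.0.20"))],
                reservations={"00-11-22-33-44-55": ip_address("192.168.0.50"),   # printer
                              "00-11-22-33-44-66": ip_address("192.168.0.10")})  # misplaced
    # Linux box still running its own scope on the same segment (constructed)
    lnx = Scope("linux-dhcpd", ip_address("192.168.0.100"), ip_address("192.168.0.150"))
    both = overlap(win, lnx)
    return {
        "win_leasable": len(leasable_addresses(win)),
        "issues": reservation_issues(win),
        "overlap_count": len(both),
        "first_overlap": str(both[0]) if both else None,
    }


if __name__ == "__main__":
    print(demo())
```

Run against the constructed scopes, the Windows server can lease 233 addresses, the reservation at .10 is reported because it sits inside the .1–.20 exclusion, and the two servers overlap on .100 through .150, which is exactly the case to resolve before bringing the second server up.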
“Can you delete the bad scope, or just leave it alone?”
You can delete it. I just left it in the demo so I could also show how superscopes were configured.
“When configuring a pool with a router, how will the DHCP know which IP address to give out for each subnet?”
Like most things computer related, it will do only what you tell it to – not what you WANT it to. If you’re using your router as a DHCP server, then you have to be aware what addresses it’s responsible for, just as you would if you were configuring more than one DHCP server within the same physical networked area.
“How can we integrate dhcp with DNS?”
Active Directory Integrated with DDNS - http://support.microsoft.com/default.aspx?scid=kb;en-us;816592
“I would like Kevin to settle a debate. When is DHCP best handled by a gateway vs. a server?”
I wasn’t aware there was a debate. Do you mean, “Should I have my router handle addressing for me or should I have a separate server?” ? If you are happy with how your router is working, and if you don’t mind having that single point of failure, and want to limit how much (if any) logging or auditing you have available.. and don’t want flexible configuration options… then by all means, use your router. <grin>
“One DHCP server with multiple subnets, all with different address pools: how can I ensure the right IP address goes to the correct subnet?”
Typically that is the job of the Relay Agent on a particular subnet - http://support.microsoft.com/default.aspx?scid=kb;en-us;120932
“I was trained to use the DORK acronym: discover, offer, release, acknowledge.”
Cool.
“Can the clients still connect to resources on the network if I reboot the DHCP server?”
Yes. A DHCP server will only affect the clients if they go to request an address, and it's down.
Cheers!
Just a comment on what a strange day it’s been. I’m currently staying at a Sheraton in Madison, as tomorrow we’re doing live TechNet and other events at the Alliant Energy Center.
Today, however, in less than one hour, I’ll be doing a webcast from the hotel. Now… typically when I book my rooms I call the hotel to see if they have high-speed Internet. I’m a snob that way, I guess. <sigh> But more so if I’m going to do a webcast, I usually want to make sure that the Internet access is WIRED as opposed to WIRELESS.
Well… having not found any WIRED hotel rooms near the Alliant Energy Center, I decided to stay where the rest of my team was staying, here at the Sheraton.
Problem: WiFi here has been up and down all day. Not good for webcasting at all.
Solution: The folks here are going to let me reserve the WIRED connection located in their Business Center here. They even provided me a phone for the audio portion of the webcast. (I’m heading down in just a couple minutes to set things up.)
In the meantime, I happened to see that the wireless from the hotel next door is available, so I’m using a low-signal, 1Mbps connection right now. I guess that’s the punch-line to an already interesting day.
Gotta run! Webcast time!
This question was asked during my TechNet Briefing event held yesterday (April 5th) in Appleton, Wisconsin.
The Answer: No, and Yes.
I found the answer in the Security Configuration Wizard Documentation, specifically page 10 of the deployment document which states:
“To configure multiple servers with a policy, you can use scwcmd configure /p:PolicyFile /i:MachineList at the command prompt, rather than this SCW UI procedure. Type scwcmd configure at the command prompt to learn about the parameters.”
Also – a VERY good resource of information is an on-demand webcast by Peter Meister, Lead Product Manager, Windows Server 2003, entitled “Windows Server 2003 Service Pack 1 – Security Configuration and Role-Based Server Deployment”
Enjoy!
Windows Server Administration Webcast Series Homework: DHCP
Homework Assignment #9
2. Review DHCP Online Documentation. Click on and read through at least the first two from my Session Resource Page:
“What is DHCP?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
Review DHCP Online Documentation
Resource Page for
Wednesday, April 6, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
“What is DHCP?”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_what.asp
“How DHCP Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_dhcp_how.asp
“DHCP Terminology”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_ovr_Terms.asp
“Configuring Scopes”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_ConfigScopes.asp
“IPv4 Multicasting Technical Reference”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_Mcast_Intro.asp
“Best Practices”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_DHCP_imp_BestPractices.asp
“DHCP Tools”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_tools.asp
“Security Information for DHCP”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_ovr_Security.asp
Wednesday, April 13, 2005, 1:00 P.M.–2:00 P.M. Pacific Time
Join us for this presentation where we will investigate setup and configuration of RAS connections, the authorization of these connections, and finally implementing VPNs and IAS.
Hello all!
I’ve created a document containing useful links to related resources for our live-and-in-person TechNet Briefings this quarter. If you attended my event and want the document containing the LIVE links, or even if you’re just curious about resources relating to Windows Server 2003 Service Pack 1 or Microsoft SQL Server 2005, you’ll find this document useful.
CLICK HERE TO DOWNLOAD
Hope you find this helpful!
Consortium to Invest in Time Travel
I’m so proud that Microsoft is firmly behind this effort.
Part 7 of the Windows Server 2003 Administration Webcast Series has had more than its share of problems. Very bad live audio during the event, Print-to-PDF not functioning during the session, and now the recording of the webcast may be corrupted.
The folks who handle such things are working hard to make the recording of Part 7 available as soon as possible, but if they’re not able to, I’ll be re-recording this session for your listening/viewing/learning pleasure.
I’ll let you know here on my blog when I know more. Thanks for your patience!
Windows Server Administration Webcast Series Homework (DNS): Homework Assignment #8
2. Try out the Microsoft Events website (www.microsoft.com/events)
Wow!
Frustrating Audio! And for that I sincerely apologize. We’re finding that the servers somewhere in the pipe that were handling the audio for our LiveMeeting 2005 stream weren’t up to the task.
The good news: Part 8 and following will all still be using the new LiveMeeting, but with the old audio provider. (At least until they can prove that they’ve solved the problems.)
Here, as usual, is the “best of” Q&A log from the webcast. Sincere thanks again to my teammates for doing such a great job helping to answer questions! I give them the credit for the information in this document. Outstanding!
Also, I want to make sure you also have the link to the Session Resources I posted for Part 7, and the homework assignment as well.
Questions and Answers:
“Is the Normal BU the same as a Full BU?”
Yes. We often use the terms interchangeably.
“Will the backup feature in 2003 server replace 3rd party backup software?”
Great question. The backup tool is exceptional and works fine in real world networks. There are some additional features and niceties of 3rd party backup programs that may make them desirable over the windows system. It all depends on your specific needs.
“When you say reset the bit, do you mean reset the bit in the original file or in the backup copy? FYI, I missed the first part of the audio because of the problem with the Live Meeting 2005.”
There is a bit on the original file that we mark to indicate backup.
“Can you send me the URL to get previous PPTs for these LiveMeetings?”
You have to return to the event page and confirm your registration info to be sent the PowerPoint. Check this link to find all the archived events: http://www.microsoft.com/events/series/windowsserver2003admin.mspx
“When taking a system state backup do you need to backup the window directory as well?”
System state backup is designed to allow for recovery of directory services and critical network services. It does not back up everything on the machine.
“Is the Windows Server 2003 utility still unable to back up an open SQL Server database?”
Check out this reference for how to back up SQL Server 2000: http://www.microsoft.com/technet/prodtechnol/sql/2000/books/c11ppcsq.mspx
“Do the questions and answers get saved during the recorded presentation so that we can view them later?”
Not during the presentation. I, however, capture the log and create this document you’re reading now; so at least there’s that.
“Long time ago I tried to use ASR. During recovery it asked for the ASR diskette but would not recognize it when I put it in and pressed enter. Has that problem been cured now?”
Interesting problem. I have not seen this. I use ASR regularly and it works very well.
“I have a problem with my 2003 servers and the ntbackup scheduler. The backup will error out with "NTbackup error: The requested media failed to mount. The operation was aborted." I have taken the backup command and made a batch file that runs about three minutes after the scheduled job is to run. On two of my servers, scheduling both the ntbackup and the batch file within 3 minutes of each other, the backup will run. The third server will not back up no matter what I have tried. I can kick it off by running the batch file, but scheduling the batch file always errors out with the message above. Help!”
You might want to check out the article http://support.microsoft.com/default.aspx?scid=kb;en-us;555136
“If the backup winds up with corruption in it, do you know of any software packages that will repair / recover some of the data?”
I don't know of any. There's a great business opportunity.
“Can you back these up to DAT drives used for backups in your domain?”
Yes and it works well.
“It sounds like then a full backup consists of two parts: a) create a backup using the backup/restore utility, and then b) create an ASR. Is this correct?”
Correct… if you’re going to want ALL of the disk contents, a complete normal (full) backup will do that. The ASR will create a backup that really is just for restoring your system to a fully operational state – without backing up documents or other non-essentials.
“Can you back up directly to a CD-R, or do you need to back up to disk and then burn to CD-R?”
I prefer to back up to disk first and then burn to removable media.
“Can the same floppy be used on different machines if the machines are identical?”
If they are truly identical yes. Same SID and all. So usually, no.
“What steps are needed to create a virtual floppy?”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/ads/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/ADS/en-us/nbs_vf_overview.asp
“If a 3rd party does the backup, does the archive bit get changed after it’s done?”
Yes. 3rd party tools generally carry through the same notion of the types of backups available, and use of the archive bit to support them.
“Kevin said if you delete a catalog, you can re-catalog it. How?”
For more info, check out: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ntbackup_delete_catalog.asp
“If you have the backup utility create a system recovery disk and direct it to a CD-R drive, will it create a bootable CD?”
No. You will need to add the appropriate files to make it bootable.
“Can ASR copy to a CD instead of a floppy?”
Unfortunately not. Please check out the ASR page at: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/asr_overview.asp
“How often will the ASR disk have to be updated?”
As often as you backup.
“Kevin mentioned last time that XP Home Edition will not recognize Dynamic Volume. Give KB please?”
There is no article that I know of. The option to create or convert basic to dynamic is simply not a part of the product.
“Will the ASR boot floppy be able to access external media, such as USB hdds?”
No, unfortunately not.
“How is a product like Veritas Backup Exec the same, different, better or worse than the backup system we're looking at now?”
Other backup tools will offer additional options for backup, storage libraries, and methods of restoration.
“Do you only have to create an ASR floppy once per system or every time the system state changes... i.e. I perform an ASR backup two months ago and perform full data/system state backups weekly... would I be able to use the same floppy to restore to the latest full backup?”
You would. Remember what is on the ASR versus the system state data.
“To perform a full backup that backs up a SQL Server database – is it not the same as creating an image that you can go back to if necessary?”
Interesting you should bring this up because it is one of the new features of SQL 2005.
“Does XP Home Edition support Dynamic Volume?”
XP home does not have the options to convert to or use local dynamic volumes.
“I'm sorry if I missed it: what kinds of system changes necessitate remaking a system recovery disk? If the answer is complicated, please feel free to pass.”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctasks007.asp
“Will VSS work for SQL and Exchange?”
You will still need to back up Exchange and SQL independently. SQL 2005 does have a feature like shadow copies.
“So with SQL Server 2005 a full backup is the same as an image of the server, whereas you cannot perform a full backup or ADS image with SQL Server 2000 or earlier. Is that correct?”
Right on the money.
“Can you clarify with the SQL 2005 question? Are you saying that backups are now going to be candidates for VSS?”
No. I am saying SQL 2005 has a built-in feature that allows us to take a snapshot of a SQL database for recovery.
“My workstation is backed up every day by a network backup. If I want to create a local scheduled backup on only my workstation using the ASR method, I wonder whether my local backup will interrupt the network backup, because both backups will reset the bit on the files they back up. I do not want to mess up the network backup. What should I do?”
You might be able to script this out, check the switches at http://support.microsoft.com/default.aspx?scid=kb;en-us;814583
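Whether the two jobs interfere depends on which backup types clear the archive bit. Here is an added example, not code from the webcast or from Microsoft's documentation: a small Python model of ntbackup's documented archive-bit semantics (normal and incremental clear the bit; copy and differential leave it set), run over a constructed set of files, showing that a local normal job hides the edited file from the next network incremental while a local copy job does not.

```python
"""Archive-bit model of ntbackup's backup types.

Added example, not code from the webcast or from Microsoft: a simulation of
which files each backup type selects and whether it clears the archive bit
afterwards, following the documented ntbackup semantics (normal and
incremental clear the bit; copy and differential leave it set).
"""
from dataclasses import dataclass

# Which backup types reset the archive bit on the files they select.
CLEARS_ARCHIVE_BIT = {
    "normal": True,         # full backup: copies everything, clears the bit
    "incremental": True,    # changed files only, clears the bit
    "differential": False,  # changed files since last normal, leaves the bit
    "copy": False,          # full backup that leaves the bit untouched
}


@dataclass
class BackupFile:
    name: str
    archive: bool = True    # a newly written or modified file has the bit set


def modify(files, *names):
    """Simulate a user editing files: Windows sets the archive bit again."""
    for f in files:
        if f.name in names:
            f.archive = True


def run_backup(files, kind):
    """Return the names a backup of `kind` selects, updating the bits."""
    if kind in ("normal", "copy"):
        selected = [f.name for f in files]                # everything
    else:
        selected = [f.name for f in files if f.archive]   # flagged files only
    if CLEARS_ARCHIVE_BIT[kind]:
        for f in files:
            if f.name in selected:
                f.archive = False
    return selected


def simulate(local_kind):
    """Network job: normal backup, then an incremental two days later.
    A local workstation job of `local_kind` runs in between, after an edit.
    Returns the files the network incremental actually captures."""
    files = [BackupFile("report.doc"), BackupFile("budget.xls")]  # constructed
    run_backup(files, "normal")               # network full backup clears bits
    modify(files, "report.doc")               # user edits a file the next day
    run_backup(files, local_kind)             # local job on the workstation
    return run_backup(files, "incremental")   # network incremental job


if __name__ == "__main__":
    for kind in ("normal", "copy"):
        print(f"local {kind:<6} -> network incremental captures {simulate(kind)}")
```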
“Using VSS, does that mean the users on shared drives do not need to close out of open data bases and docs?”
Be careful because your results on VSS with open docs will be undetermined. To get a true complete snapshot they would need to be closed.
“You were able to access the floppy because you are using Virtual PC. What if you are Terminal Serving or remotely connecting to your server? How can you access the floppy?”
You wouldn't.
“I read the article but there is nothing about restoring from tape. I know that I have an option in my Tivoli backup system that lets me take an image from the server, and I hope that ASR will give me the same option.”
Correct. This sort of functionality might be supported in various ways by non-Microsoft products.
“Is there a way to shadow copy a DFS share consisting of local and network drives?”
For more info, check out: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/techref/en-us/w2k3tr_vss_how.asp
“What is the Microsoft best practice for backing up exchange server?”
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/disrecopgde.mspx
“How is the SQL 2005 snapshot different than a full backup? I don’t understand the difference.”
It would only copy deltas or changes to the database versus the entire database.
“Does VSS create a copy of all the files on the volume each time it is set to, even if the files have not changed since the last VSS copy?”
For more info on this check out: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/techref/en-us/w2k3tr_vss_how.asp
“OK, so we now have a true incremental backup in SQL 2005 versus the differential?”
If you used enough snapshots you would. The feature is designed for situations where you might be changing a database and need the ability to quickly go back if corruption should occur.
“I have a WS03 server in a workgroup with a dynamic volume. Is XP Home Edition able to access a dynamic volume on the server?”
Yes, XP Home can access files on a dynamic volume if it’s just a share across a network.
“Are the backup/restore tools cluster aware?”
Yes and no. The following article talks about how to back up a cluster in Exchange, but generally speaking the backup tool assumes you are backing up a single machine. http://www.microsoft.com/technet/community/chats/trans/exchange/exch1203.mspx
“Is it possible to control how many versions are saved in VSS? Our organization would only want a few versions saved that would be available to users to restore.”
For more info check out: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/techref/en-us/w2k3tr_vss_how.asp
“For ASR, what if you don't have a floppy on your server?”
Without a floppy drive ASR is not an option currently. I expect this to be remedied soon.
“Thank you guys for answering the Q/A!”
You're welcome!
Greetings!
Next week I’m going to be in Appleton and Madison, Wisconsin, doing our free, live TechNet Briefings for IT Professionals at the following locations:
April 5 – Appleton, WI: Theater – Regal College Avenue 16, W3091 Van Roy Rd, Appleton, Wisconsin 54915. Phone: 920 831-0973
April 7 – Madison, WI: Alliant Energy Center, 1919 Alliant Energy Center, Madison, Wisconsin 55713. Phone: 608-267-3976
We’ve got some great stuff coming your way this quarter:
Microsoft Windows Server 2003 Is Evolving
With the recent release of Windows Server 2003 SP1, now is the best time to see the benefits of these significant updates. Are you prepared for the changes this upgrade will have on your network system? This is a great opportunity to see how SP1 may change your entire network infrastructure for the better. Join our experts at this technical briefing.
Microsoft SQL Server 2005 is coming
It has been 5 years since a major Microsoft SQL Server release. In a technology timeline, that could be considered a lifetime! Attending this session is your first step in preparing for a change that could give you a technical knowledge advantage over all the other IT Professionals working with corporate data. Get prepared for the change coming soon.
Click the links above to register, or visit the TechNet Briefings site (www.technetbriefings.com) for session topics and links to registration and additional resources.
Tell your friends! Invite your user groups!
This is cool…
Webcast Calendar downloadable in a MS Word doc.
Windows Server Administration Webcast Series Homework (BACKUP, RESTORE, and RECOVERY): Homework Assignment #7
1. http://blogs.msdn.com/kevinremde
2. Windows Server 2003 Virtual Lab: File, Storage, and Print
On that Virtual Lab homepage, click on the Windows Server 2003 section.
Ah… vacation. Sweet down-time with the family. This week finds me in lovely Naples, Florida visiting my parents who recently purchased a winter get-away condo down here. I sincerely wish everyone could have as lovely a retirement as this.
“But Kevin… you’re supposed to be doing Part 7 of your Webcast Series this week!”
Yep. And so I made sure my folks had high-speed Internet and a good phone for me to use on Wednesday. But other than that, I’m sizzlin-skin at the beach or wrestling with my kids in the pool. Tomorrow I think we’ll go to the zoo here in Naples. (Of course my Minnesota snow-bound kids are looking forward to seeing Alligators.)
I’ll post pictures up on the family photo album sometime, because we’re having lots of “Kodak Moments”, but I doubt I’ll have time to go through them when I get “back”. We return home late Sunday PM, and then early Monday I fly to Dallas for week of Seminar Sales Team meetings and training.
Keep on applyin’ that sunscreen!
Wednesday, March 30, 2005, 1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-8)
Tune in for an overview of the Domain Name System (DNS) and the associated terminology. We’ll also cover topics
“Deploying DNS”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_overview.asp
“How DNS Works”
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_dns_how.asp
“How DNS Query Works”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_HowDnsWorks.asp
“DNS Domain Names”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_DomainNames.asp
“DNS Requirements for Installing Active Directory”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_dns_und_dcpromo_requirements.asp
“Understanding Zones and Zone Transfers”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_ZoneTransfers.asp
“Active Directory Integration”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_ActiveDirIntegration.asp
“DNS Overview – Server Features”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_ovr_ServerFeatures.asp
MSDN – Platform SDK – Active Directory Partitions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/application_directory_partitions.asp
“Delegating Zones”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_imp_DelegatingZones.asp
“Dynamic Updates”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_und_DynamicUpdates.asp
“Understanding Aging and Scavenging”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/sag_DNS_und_AgingScavenging.asp
“Using Server Debug Logging Options”
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DNS_imp_UsingLoggingOptions.asp
Official Series Resource Page
http://www.microsoft.com/technet/tnt4–04
TechNet Webcast: Windows Server 2003 Administration Series (Part 9 of 12): Dynamic Host Configuration Protocol (DHCP) (Level 200)
Wednesday, April 6, 2005, 1:00–2:00 P.M. Pacific Time, United States and Canada (UTC-7)