RE: [ActiveDir] OT: Exchange Restrict Sending

2007-01-09 Thread Dan DeStefano
I believe this option sets who can send to the group, not who the group
members can send to. Is this correct? If so, is there a way to restrict
who a group of users can send mail to?

You can define in the properties of a group in Exchange general, there
is the option to set the message restriction. There you can define a
white list of users.

Dhiraj Haritwal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, January 03, 2007 9:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange Restrict Sending

Can anyone tell me if there is a way in Exchange to restrict who certain
users can send to? Almost a whitelist for certain groups of approved
recipients.

I would appreciate any help,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content and remove it from your possession.

[ActiveDir] OT: Exchange 2003 Copy Outgoing Messages

2007-01-03 Thread Dan DeStefano
Is there a way built-into Exchange 2003 running on Server 2003 that a
user can be copied on all messages sent by another user? We have a
manager that wants to monitor all outgoing messages sent by certain
users regardless of the recipient. Is this possible?

 

Thank you in advance for any help.

[ActiveDir] OT: Exchange Restrict Sending

2007-01-03 Thread Dan DeStefano
Can anyone tell me if there is a way in Exchange to restrict who certain
users can send to? Almost a whitelist for certain groups of approved
recipients.

I would appreciate any help,

[ActiveDir] TS Remote Control Mouse Pointer

2006-12-20 Thread Dan DeStefano
When remote controlling a user's session on a Server 2k3 TS is there a
way to allow both users to see the mouse pointer? This makes it easier
when doing training. Currently, when one user is controlling the
session, the other user can only see what is going on on the screen, but
not the mouse pointer initiating the actions. Is this possible at all?

Thanks in advance for any help,

[ActiveDir] Public Folder Appointment Owner

2006-11-22 Thread Dan DeStefano
I would like to know how to find out who created a meeting using a
calendar in a public folder. Right now, if I open an appointment that
someone else created and go into the "Scheduling" tab, it shows me as
the owner. If I then open the appointment logged on as another user, it
shows that user is the owner. Is this a configuration issue or is it
just the way it works?

Thanks,

[ActiveDir] Outlook Rules Lockdown

2006-11-22 Thread Dan DeStefano
Is there a way to place restrictions on which rules users can create in
Outlook, like disallowing users to create an auto-forward rule? I would
like to control these settings by group membership.

Thanks in advance for any help,

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Dan DeStefano

Cool, I will test that out, thanks.

 

I am not too familiar with using or
configuring EAP – would this solution require installing a CA on the
network? Furthermore, would these certificates be assigned to the machine, not
the user?

 

No, I understand the difference between
IAS and ISA. I just mentioned ISA because you said that it might be a good idea
to use it. For most of our clients, a $1500 firewall solution is overkill. We are
pretty much standardized on the Netgear FVL328, which costs under $300,
provides 100 VPN tunnels for branch offices and is compact enough to fit in
most of our clients’ wiring closets (the term “closet” being
the operative word as most of our clients do not have or need a server room). I
would prefer a firewall appliance to one installed on a server and most ISA
appliances are on the expensive side and are designed for rack-mounting.

I can’t remember where, but I vaguely
remember reading that Microsoft would be offering a light version of ISA2006 that
can be used as an embedded solution for small business networks such as those
that I manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I am
mistaken, but I will try to find out.

 

I will take your advice and wait for LH
server instead of messing with WS2k3 quarantine. I appreciate the
recommendation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right,
Calling-Station-Identifier (in some cases) maps to the telephone
number. In 802.1x scenario, though, it's usually the MAC, but I have also
seen it map to the client's IP address. I attribute this to some vendors not
reading the RFC or just opting to do it their way. In our situation, MS maps it
to MAC.

I re-read your original message and I have another thought.
Since these are computers under your control, why not issue them certificates
and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re:
IAS vs. ISA.

IAS is the RADIUS server. Free with the OS.

ISA is the proxy/caching/firewall solution. $1,500.00 for
Standard edition, comes in a black box version, too. For what it does, ISA is
one of the cheapest solutions of its type in the market. I am not aware of the
"light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine.
Also, you can combine all the NAP roles on one server, you do not have to
separate them. The only strict requirement is that it be installed on a LH
server.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response.

I thought the Calling-Station-Id was used
for phone numbers (that is what the description says anyway). But you are
saying that MAC addresses can be used here as well?

 

Other than the above, what would the
advantages of deploying IAS be? This is a small network with 100 or so users
and only a handful of them have VPN access (right now being controlled in the
user account properties). For this reason I am not sure I can also justify the
costs of implementing ISA especially with a current firewall solution in place.
Plus, we have no ISA experts in our organization or anyone who has even
administered ISA before. Maybe this will change with the new ISA 2006, but most
ISA solutions right now are enterprise-class and on the expensive side (for
most small businesses). I heard that ISA 2006 is supposed to have a
“light” version of some sort, but that being said, I am not sure if
it would be as fully-featured and support what you are suggesting (though I
know little of it other than the fact that it exists).

 

Thanks for the advice about ws2k3
quarantine, I guess we won’t waste our time with it. I have read about
Longhorn NAP and it looks great. But it also looks a bit complex, requiring a
bit more infrastructure than most small businesses need or can afford.

 

Have you ever tried restricting VPN access
by MAC address?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behal

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-14 Thread Dan DeStefano

Thank you for your response.

I thought the Calling-Station-Id was used
for phone numbers (that is what the description says anyway). But you are
saying that MAC addresses can be used here as well?

 

Other than the above, what would the
advantages of deploying IAS be? This is a small network with 100 or so users
and only a handful of them have VPN access (right now being controlled in the
user account properties). For this reason I am not sure I can also justify the
costs of implementing ISA especially with a current firewall solution in place.
Plus, we have no ISA experts in our organization or anyone who has even
administered ISA before. Maybe this will change with the new ISA 2006, but most
ISA solutions right now are enterprise-class and on the expensive side (for
most small businesses). I heard that ISA 2006 is supposed to have a “light”
version of some sort, but that being said, I am not sure if it would be as
fully-featured and support what you are suggesting (though I know little of it
other than the fact that it exists).

 

Thanks for the advice about ws2k3
quarantine, I guess we won’t waste our time with it. I have read about
Longhorn NAP and it looks great. But it also looks a bit complex, requiring a
bit more infrastructure than most small businesses need or can afford.

 

Have you ever tried restricting VPN access
by MAC address?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Call-Station-Identifier is a much more
stable and reliable filter - it is the Client's MAC address. "Client
Friendly Name" is optional and may not be sent in many VPN negotiations.
The identifier will very likely be sent (I don't want to say ALWAYS since I
don't have any relevant doc that says that, but I am yet to see a negotiation
that does not include the identifier). Unfortunately, in order to use the
identifier as a filter, you will have to create a policy for each device. I
don't see how you can wildcard it. So, depending on how many clients you are
talking here, well

Yes, if I were you, I'd bring in RADIUS. Better, I'll bring
in something like ISA 2006. With ISA, you should be able to create a Computer
Set that includes the names or IPs of the Clients in question, and you can use
that to filter your inbound VPN connection requests. I don't have such
configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3
quarantine thingamabob yet, thank your stars. You don't want to. Not now that the
NAP in Longhorn is so close at hand. I'd recommend that you encourage your
techs to concentrate on learning NAP instead. I just took a quick look around
in NAP, and I can see where what you are trying to do here can be easily
accomplished.

Hope I haven't thoroughly confused you
yet.

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN
connections via computer name. The reason for this is that we only want clients
connecting from approved devices for which they do not have administrative
privileges. In other words, we do not want people VPNing into our network from
their possibly virus and spyware-infested home PCs. I know that a clever user
could rename his/her home PC, but this is probably not too likely and that type
of user is probably likely to be conscious of updated antivirus/spyware
software.

 

I saw a setting in Remote Access Policies called Client
Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to
set up an IAS server? If not, is there another way I can accomplish my goal. I
know that WS2k3 R2 has a quarantine feature, but I am not familiar with it,
though it looks like a bit of a PITA to set up and I am looking for a quick way
to fix this problem. We will probably eventually use the new quarantine feature
after our techs have had a chance to learn and test it a bit. I think another
problem with this feature is for small business networks that have just a
single SBS server.

 

Any help would be greatly appreciated.

 

 

Thanks,
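
The messages above discuss filtering VPN logons on the RADIUS Calling-Station-Id attribute and note that, depending on the vendor, it can carry a MAC address, an IP address or a phone number. The following Python code is an added example, not code from the thread or from IAS: it parses a constructed RADIUS Access-Request (RFC 2865 layout), classifies the Calling-Station-Id value, and checks MAC values against an allowlist. The function names, the sample packets and the use of one allowlist (rather than one IAS policy per device, as described above) are assumptions made for illustration.

```python
import ipaddress
import re
import struct

ACCESS_REQUEST = 1             # RADIUS packet code, RFC 2865
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31

# MAC spellings commonly seen in this attribute; a bare 12-hex-digit string is
# treated as a MAC even though a 12-digit phone number would look the same.
MAC_FORMS = (
    re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"),   # 00-1A-2B-3C-4D-5E
    re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"),     # 001a.2b3c.4d5e
    re.compile(r"[0-9A-Fa-f]{12}"),                           # 001A2B3C4D5E
)
PHONE_FORM = re.compile(r"\+?[0-9 ()-]{7,}")


def build_access_request(identifier, attrs):
    """Build a constructed Access-Request with a zeroed authenticator (demo input)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(body), bytes(16))
    return header + body


def parse_attributes(packet):
    """Return {attribute type: [raw values]} from an Access-Request, validating lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def classify_station_id(value):
    """Return (kind, normalized) where kind is 'ip', 'mac', 'phone' or 'unknown'."""
    value = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if any(form.fullmatch(value) for form in MAC_FORMS):
        return "mac", re.sub(r"[-:.]", "", value).lower()
    if PHONE_FORM.fullmatch(value):
        return "phone", re.sub(r"\D", "", value)
    return "unknown", value


def evaluate(packet, allowed_macs):
    """Return ('allow' | 'deny', reason) for one Access-Request."""
    allowed = set()
    for entry in allowed_macs:
        kind, normalized = classify_station_id(entry)
        if kind != "mac":
            raise ValueError(f"allowlist entry is not a MAC address: {entry!r}")
        allowed.add(normalized)
    values = parse_attributes(packet).get(ATTR_CALLING_STATION_ID)
    if not values:
        return "deny", "no Calling-Station-Id in request"
    kind, normalized = classify_station_id(values[0].decode("ascii", "replace"))
    if kind != "mac":
        return "deny", f"Calling-Station-Id holds {kind} data, not a MAC"
    if normalized not in allowed:
        return "deny", f"MAC {normalized} is not on the allowlist"
    return "allow", f"MAC {normalized} is on the allowlist"


if __name__ == "__main__":
    allowlist = ["00-1A-2B-3C-4D-5E"]                      # constructed sample MAC
    samples = [b"00:1a:2b:3c:4d:5e", b"001a.2b3c.4d5e",    # constructed sample values
               b"203.0.113.7", b"555-0100", None]
    for ident, station in enumerate(samples):
        attrs = [(ATTR_USER_NAME, b"alice")]
        if station is not None:
            attrs.append((ATTR_CALLING_STATION_ID, station))
        print(station, evaluate(build_access_request(ident, attrs), allowlist))
```

The attribute value is whatever the NAS reports for the client, so a match shows only that the expected address was presented.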

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-14 Thread Dan DeStefano

Thank you for your input.

 

I hear you about SBS, but for small
businesses it is really a great deal. We are a managed solution provider and
most of our clients are in the SBS range of 5-50 users, for which SBS cannot be
beat.

 

I love the RWW and try to use it as much
as possible on SBS networks. However, there are still some laptops that require
offline data access and intermittent connectivity to the network to update
offline files, OST files, etc, for which the RWW alone is not enough. Also, I should
have mentioned that the network of which I am speaking belongs to our largest
client who does not use SBS. The reason I mentioned SBS is that I would like to
leverage whatever solution comes out of this to our SBS clients.

 

We also have a policy that machines from
which users connect must have latest AV and AS software, but users are normally
admins on these machines (usually personal PCs/laptops). So, no matter what you
do to the PC to make it secure, ultimately the user has control over it and its
security is always in question.

 

Ideally, I would like any user that
requires VPN access to the network to be using a corporate asset, such as a
laptop, to which we are the only people with admin privileges. However,
management requires certain users that are not issued company notebooks to have
VPN access. I am just trying to balance requirements from management with
proper security.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, November 14, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name

(Say SBS and it's like waving a red flag in front of
me)

For SBS networks we don't use VPN, in fact the only time I use VPN is for
patching, otherwise we use RWW (Remote Web Workplace) which does not introduce
the risks that VPN does.  RWW is a web based remote access and can
typically be more secure (and thus not introduce the risks) from home
PCs.  And if you want two factor auth for RWW, Dana Epp is introducing
RWW-Guard.

But honestly I have a policy in my office that if they want remote access, they
are to have up to date a/v, antispyware and I have the right to inspect their
systems. (Logmein.com is great for this)

Akomolafe, Deji wrote:

Call-Station-Identifier is a much more stable and
reliable filter - it is the Client's MAC address. "Client Friendly
Name" is optional and may not be sent in many VPN negotiations. The
identifier will very likely be sent (I don't want to say ALWAYS since I don't
have any relevant doc that says that, but I am yet to see a negotiation that
does not include the identifier). Unfortunately, in order to use the identifier
as a filter, you will have to create a policy for each device. I don't see how
you can wildcard it. So, depending on how many clients you are talking here,
well

Yes, if I were you, I'd bring in RADIUS. Better, I'll
bring in something like ISA 2006. With ISA, you should be able to create a
Computer Set that includes the names or IPs of the Clients in question, and you
can use that to filter your inbound VPN connection requests. I don't have such
configuration, but it makes sense in my head.

Also, if you haven't started messing
with that 2K3 quarantine thingamabob yet, thank your stars. You don't
want to. Not now that the NAP in Longhorn is so close at hand. I'd recommend that
you encourage your techs to concentrate on learning NAP instead. I just took a
quick look around in NAP, and I can see where what you are trying to do here
can be easily accomplished.

Hope I haven't thoroughly confused you yet.

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client
VPN connections via computer name. The reason for this is that we only want
clients connecting from approved devices for which they do not have administrative
privileges. In other words, we do not want people VPNing into our network from
their possibly virus and spyware-infested home PCs. I know that a clever user
could rename his/her home PC, but this is probably not too likely and that type
of user is probably likely to

[ActiveDir] Restrict VPN Access By Computer Name

2006-11-13 Thread Dan DeStefano

I was wondering if there is a way to restrict client VPN
connections via computer name. The reason for this is that we only want clients
connecting from approved devices for which they do not have administrative
privileges. In other words, we do not want people VPNing into our network from
their possibly virus and spyware-infested home PCs. I know that a clever user
could rename his/her home PC, but this is probably not too likely and that type
of user is probably likely to be conscious of updated antivirus/spyware
software.

 

I saw a setting in Remote Access Policies called Client
Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to
set up an IAS server? If not, is there another way I can accomplish my goal. I know
that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though
it looks like a bit of a PITA to set up and I am looking for a quick way to fix
this problem. We will probably eventually use the new quarantine feature after
our techs have had a chance to learn and test it a bit. I think another problem
with this feature is for small business networks that have just a single SBS
server.

 

Any help would be greatly appreciated.

 

 

Thanks,

RE: [ActiveDir] Event ID 108

2006-11-10 Thread Dan DeStefano

I just tried to deploy the package by
assigning it to a user who is an administrator of the test workstation and it
deployed fine. However, this is undesirable since the users of the domain are
not given administrative privileges on their workstations.

 

I believe that when assigning it to the
computers that all permissions are set correctly (E.G. – the computers
group being used for deployment is assigned “Apply Group Policy” on
the GPO, and the group has “read” share and NTFS permissions to the
AIP for the package). Plus, usually when there is a permissions problem, the
Event Log on the workstation will say something like “cannot find package”
or something and that is not what it is saying.

 

Do you think it is possible that the
problem is the domain is in Windows 2000 Mixed mode and there are both w2k3 and
w2k domain controllers?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Yes, if you deleted and recreated the GPO,
it would have a different GUID. So I'm guessing that one of those
packageRegistration objects is the package you've deployed and one is a package
that has been removed. I can't think of any reason why software deployment
would just fail like that, across GPOs. Can you successfully deploy another
package--say adminpak.msi--just to see if it's something with that media you're
using?

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

I did delete and recreate the deployment
GPO so that may be the reason for the 2 packages. However, since the GPO was
deleted and recreated, wouldn’t the new GPO have a different GUID? If so,
then why would the old package be in the new GPO?

Additionally, the MSI packages is directly
from the Outlook 2003 media that works fine when run manually. Also, when I
create other software deployment GPOs, they fail as well. The AIP that I used
to create the GPO is the exact same AIP used on a different, w2k3 domain for a
different client and it works fine. So I think the problem is with software
deployment GPOs in general. Does that make sense?

 

OK, I will rename the DDP back to the
default.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

The 2 packageRegistration objects
represent two separate packages. The MSI and MST are referenced within the
msiFileList attribute on each packageRegistration object. It's possible that one
of those packageRegistration objects is a "removed" package--removed
packages don't actually get deleted in AD--they just lie around forever :-).
So, I'm not sure why you're getting errors since it does appear that the
packages are getting created properly.

 

Renaming the DDP is not a problem for
Windows, but it can be confusing to administrators looking at it. I would
rename it back to "DDP" to avoid any confusion.

 

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Thanks for your help.

When I look in the SYSVOL folder, I do see
the software deployment policy I have created. I can also see the policy in the
\System\Policies AD container. There are 2 packageRegistration objects in the
Domain\System\Policies\GUID\Machine\Class
Store\Packages container. I assume one is for the MSI and one for the MST,
correct? 

 

Yes, the “All Users and
Computers” GPO does begin with “31B2F3…” Also, there is
a container named “Default Domain Policy” under the System
container in AD.

Does renaming the DDP cause problems? Would
it be advisable to name it back to DDP?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before
upgrading. It sounds like you have at least two things going on. First
off, the sw. deployment error sounds like something deeply wrong with AD. The
software installation data object referred to below is probably something called
a packageRegistration

RE: [ActiveDir] Event ID 108

2006-11-08 Thread Dan DeStefano

I did delete and recreate the deployment
GPO so that may be the reason for the 2 packages. However, since the GPO was
deleted and recreated, wouldn’t the new GPO have a different GUID? If so,
then why would the old package be in the new GPO?

Additionally, the MSI packages is directly
from the Outlook 2003 media that works fine when run manually. Also, when I create
other software deployment GPOs, they fail as well. The AIP that I used to
create the GPO is the exact same AIP used on a different, w2k3 domain for a
different client and it works fine. So I think the problem is with software
deployment GPOs in general. Does that make sense?

 

OK, I will rename the DDP back to the
default.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 08, 2006 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

The 2 packageRegistration objects
represent two separate packages. The MSI and MST are referenced within the
msiFileList attribute on each packageRegistration object. It's possible that one
of those packageRegistration objects is a "removed" package--removed
packages don't actually get deleted in AD--they just lie around forever :-).
So, I'm not sure why you're getting errors since it does appear that the
packages are getting created properly.

 

Renaming the DDP is not a problem for
Windows, but it can be confusing to administrators looking at it. I would
rename it back to "DDP" to avoid any confusion.

 

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, November 08, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Thanks for your help.

When I look in the SYSVOL folder, I do see
the software deployment policy I have created. I can also see the policy in the
\System\Policies AD container. There are 2 packageRegistration objects in the
Domain\System\Policies\GUID\Machine\Class
Store\Packages container. I assume one is for the MSI and one for the MST,
correct? 

 

Yes, the “All Users and
Computers” GPO does begin with “31B2F3…” Also, there is
a container named “Default Domain Policy” under the System
container in AD.

Does renaming the DDP cause problems?
Would it be advisable to name it back to DDP?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before
upgrading. It sounds like you have at least two things going on. First
off, the sw. deployment error sounds like something deeply wrong with AD. The
software installation data object referred to below is probably something
called a packageRegistration object, which should exist in AD under the GPC
portion of the GPO. The fact that you don't seem to have or be able to fix the
DDP GPO is strange. What is the GUID of the "All Users and
Workstations" GPO? If it starts with {31B2F3.., then it's probably just the
DDP renamed.

 

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108

I am having a problem when deploying applications via GPO in
a Windows 2000 SP4 AD domain. The clients do not receive the package and I
receive Event ID 108 "There is no software installation data object in the
Active Directory". 

I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1,
as well as from other MSKB articles, but without success.

I have deleted/recreated the GPO, msi and mst packages, but
the problem persists.

 

This is a network I inherited and when looking around in AD
I noticed that the “Default Domain Policy” has either been deleted
or renamed because it no longer exists. The only policy bound to the domain is
one called “All Users and Workstations”, which I do not recognize
as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and
netdiag /fix on the test-deploy workstations, but this has not solved the
problem.

 

Everything else with the domain including authentication,
name resolution, etc. works fine, but I think this error may be evidence of a
larger problem with AD.

 

We are planning on upgrading the domain to WS2k3 within the
next few weeks. Does anyone think that may fix the problem? If not, would it be
wise to put off the upgrade until this issue is resolved?

 

 

Thanks i

RE: [ActiveDir] Event ID 108

2006-11-08 Thread Dan DeStefano

Thanks for your help.

When I look in the SYSVOL folder, I do see
the software deployment policy I have created. I can also see the policy in the
\System\Policies AD container. There are 2 packageRegistration objects in the Domain\System\Policies\GUID\Machine\Class Store\Packages container.
I assume one is for the MSI and one for the MST, correct? 

 

Yes, the “All Users and Computers”
GPO does begin with “31B2F3…” Also, there is a container
named “Default Domain Policy” under the System container in AD.

Does renaming the DDP cause problems? Would
it be advisable to name it back to DDP?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, November 07, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event ID 108

Dan-

I would resolve the problem before
upgrading. It sounds like you have at least two things going on. First
off, the sw. deployment error sounds like something deeply wrong with AD. The
software installation data object referred to below is probably something
called a packageRegistration object, which should exist in AD under the GPC
portion of the GPO. The fact that you don't seem to have or be able to fix the
DDP GPO is strange. What is the GUID of the "All Users and
Workstations" GPO? If it starts with {31B2F3.., then it's probably just the
DDP renamed.

 

Darren

 

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, November 06, 2006 5:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event ID 108

I am having a problem when deploying applications via GPO in
a Windows 2000 SP4 AD domain. The clients do not receive the package and I
receive Event ID 108 "There is no software installation data object in the
Active Directory". 

I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1,
as well as from other MSKB articles, but without success.

I have deleted/recreated the GPO, msi and mst packages, but
the problem persists.

 

This is a network I inherited and when looking around in AD
I noticed that the “Default Domain Policy” has either been deleted
or renamed because it no longer exists. The only policy bound to the domain is
one called “All Users and Workstations”, which I do not recognize
as a built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and
netdiag /fix on the test-deploy workstations, but this has not solved the
problem.

 

Everything else with the domain including authentication,
name resolution, etc. works fine, but I think this error may be evidence of a
larger problem with AD.

 

We are planning on upgrading the domain to WS2k3 within the
next few weeks. Does anyone think that may fix the problem? If not, would it be
wise to put off the upgrade until this issue is resolved?

 

 

Thanks in advance for any help,

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error
please notify the sender, disregard any content  and remove it from your
possession.

 








[ActiveDir] Event ID 108

2006-11-06 Thread Dan DeStefano








I am having a problem when deploying applications via GPO in
a Windows 2000 SP4 AD domain. The clients do not receive the package and I receive
Event ID 108 "There is no software installation data object in the Active
Directory". 

I have followed the recommendations from http://eventid.net/display.asp?eventid=108&eventno=1181&source=Application%20Management&phase=1,
as well as from other MSKB articles, but without success.

I have deleted/recreated the GPO, msi and mst packages, but
the problem persists.

 

This is a network I inherited and when looking around in AD I
noticed that the “Default Domain Policy” has either been deleted or
renamed because it no longer exists. The only policy bound to the domain is one
called “All Users and Workstations”, which I do not recognize as a
built-in policy. I have run dcdiag /fix and netdiag /fix on all DCs and netdiag
/fix on the test-deploy workstations, but this has not solved the problem.

 

Everything else with the domain including authentication,
name resolution, etc. works fine, but I think this error may be evidence of a
larger problem with AD.

 

We are planning on upgrading the domain to WS2k3 within the
next few weeks. Does anyone think that may fix the problem? If not, would it be
wise to put off the upgrade until this issue is resolved?

 

 

Thanks in advance for any help,

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


[ActiveDir] OT: Exchange Question

2006-11-01 Thread Dan DeStefano








I have a client who would like certain users to no longer
receive e-mail, while still being able to access their mailboxes. Is there a
way to do this other than exporting their mailbox to PST and mailbox-disabling
the users?

 

 

Thank you in advance,

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


RE: [ActiveDir] OT: SBS RWW Issue

2006-10-10 Thread Dan DeStefano
How do I subscribe to the yahoo groups LS? Just send an e-mail to
[EMAIL PROTECTED] with "subscribe" in the subject line?

How do I access the MS partner newsgroup? I am not too familiar with the
partner site, though my company is a MS partner and I do have access to
the partner site.

Thank you - changing the companyweb, default web site and remote virtual
directory from ASP.Net 2.0 back to 1.1 resolved the issue.
Do you know why this happens? Is it something that will be resolved by
MS?

I am extremely grateful for your help.


Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 10, 2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SBS RWW Issue

For the record we have an extremely active SBS listserve at 
[EMAIL PROTECTED] and as a MS partner there is a managed 
newsgroup with guaranteed MS engineer response

ISA on the front end?
Can you post your ipconfig /all?

(yes folks this is prob the number one SBS troubleshooting thing we ask 
for and people post their inner goo and big server land would freak I
know)

You have your NICs pointing to the internal NIC's IP, right?

One nic or two?

http://msmvps.com/blogs/bradley/archive/2006/05/12/94435.aspx
Hang on... you downloaded .NET 2.0 lately? If so flip that company web 
back to 1.1



Dan DeStefano wrote:
>
> I know this is way off topic, but I haven't been able to resolve this 
> issue.
>
> I am using SBS 2003 SP1 with all patches installed.
>
> I am having a problem with my companyweb website and the Remote Web 
> Workplace. When connecting to the companyweb site from the local LAN, 
> I receive Page Cannot Be Displayed. However, I can connect via IP 
> address and via the external domain name assigned to the server. The 
> internal DNS CNAME entry for companyweb points to the correct IP 
> address and this is confirmed via nslookup and ping.
>
> Additionally, regardless of how I connect, the Remote Web Workplace 
> does not come up at all, it always gives a 404 Page Cannot Be 
> Displayed error. I am using the self-signed certificate created with 
> the Configure E-mail and Internet Connection wizard.
>
> I have compared the IIS settings to another SBS implementation where 
> everything works fine and there are no differences.
>
> I would appreciate any help.
>
>
> Thanks,
>
> Dan
>
> Dan DeStefano
> *Info-lution Corporation*
> [EMAIL PROTECTED]
> http://www.info-lution.com <http://www.info-lution.com/>
> Office: 727 546-9143
> FAX: 727 541-5888
>
> If you have received this message in error please notify the sender, 
> disregard any content and remove it from your possession.
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] OT: SBS RWW Issue

2006-10-10 Thread Dan DeStefano








I know this is way off topic, but I haven’t been able to resolve
this issue.

 

I am using SBS 2003 SP1 with all patches installed.

I am having a problem with my companyweb website and the Remote Web Workplace.
When connecting to the companyweb site from the local LAN, I receive Page
Cannot Be Displayed. However, I can connect via IP address and via the external
domain name assigned to the server. The internal DNS CNAME entry for companyweb
points to the correct IP address and this is confirmed via nslookup and ping.

Additionally, regardless of how I connect, the Remote Web Workplace does not come
up at all, it always gives a 404 Page Cannot Be Displayed error. I am using the
self-signed certificate created with the Configure E-mail and Internet
Connection wizard.

I have compared the IIS settings to another SBS implementation where everything
works fine and there are no differences.

I would appreciate any help.


Thanks,

Dan






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


RE: [ActiveDir] OT: Possible Security Hole in RDP?

2006-10-10 Thread Dan DeStefano








I should have mentioned that my RDP
connection to the TS was as a normal user as well.

 



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Tuesday, October 10, 2006 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Possible Security Hole in RDP?



 

If the RDP session
is being created to the target server with Admin privileges and that account
also has admin privileges on your machine then I would suspect that this is
what happening here. I.E. the connection is back to your PC from the server,
under the credentials you logged in with, and not from your PC to the server
under your local credentials.

 

Anyone else got any
ideas??

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: 10 October 2006 14:10
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Possible Security Hole in RDP?





 

I have noticed something with Terminal Services and RDP that
is concerning.

 

I am using a notebook on which I am just a normal user (I do
not log on as administrator unless absolutely necessary).

I create an RDP connection to a WS2k3 terminal server and
choose to make the notebook’s local disks available on the terminal
server.

I can then browse through my notebook’s hard drive
with impunity. I can access all files and folders to which I should not have
any access at all, including the administrator profile. However, it does take
very long to open these files/folders.

 

I am sure this is a known issue, I just haven’t read
about it anywhere.

Does anyone know if there is a way to mitigate this other
than setting group policy to not allow local disks to connect to the terminal
server?

 

 

 

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error
please notify the sender, disregard any content  and remove it from your
possession.

 

 

 






 


[ActiveDir] OT: Possible Security Hole in RDP?

2006-10-10 Thread Dan DeStefano








I have noticed something with Terminal Services and RDP that
is concerning.

 

I am using a notebook on which I am just a normal user (I do
not log on as administrator unless absolutely necessary).

I create an RDP connection to a WS2k3 terminal server and
choose to make the notebook’s local disks available on the terminal
server.

I can then browse through my notebook’s hard drive
with impunity. I can access all files and folders to which I should not have
any access at all, including the administrator profile. However, it does take
very long to open these files/folders.

 

I am sure this is a known issue, I just haven’t read
about it anywhere.

Does anyone know if there is a way to mitigate this other
than setting group policy to not allow local disks to connect to the terminal
server?

 

 

 

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
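
An added example, not part of the original post: one way to find saved Remote Desktop connection files that turn on the local-disk redirection discussed in this thread, as a client-side complement to the group policy setting the post mentions. The function names, the sample host name and the sample file contents are assumptions made for illustration.

```python
"""Audit saved Remote Desktop connection (.rdp) files for local-disk redirection."""
import codecs
import sys
from pathlib import Path

# Constructed sample file contents (not taken from the thread).
SAMPLE_REDIRECTING = (
    "screen mode id:i:2\r\n"
    "full address:s:ts01.example.local\r\n"
    "redirectprinters:i:1\r\n"
    "redirectdrives:i:1\r\n"
    "drivestoredirect:s:*\r\n"
)
SAMPLE_CLEAN = (
    "full address:s:ts01.example.local\r\n"
    "redirectdrives:i:0\r\n"
    "drivestoredirect:s:\r\n"
)


def decode_rdp(raw: bytes) -> str:
    """Decode file bytes; saved .rdp files are often UTF-16 with a BOM."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines, where type is 'i' (integer) or 's' (string)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2].strip()
        if kind == "i":
            try:
                settings[name] = int(value)
            except ValueError:
                continue  # malformed integer setting, skip it
        elif kind == "s":
            settings[name] = value
    return settings


def drive_redirection_findings(settings: dict) -> list:
    """Return one finding per setting that offers local disks to the remote session."""
    findings = []
    # Two setting names are seen in saved files; check both.
    if settings.get("redirectdrives") == 1:
        findings.append("redirectdrives:i:1 (local disks offered to the server)")
    drives = str(settings.get("drivestoredirect", ""))
    if drives:
        scope = "all disks" if drives == "*" else "listed disks"
        findings.append(f"drivestoredirect:s:{drives} ({scope})")
    return findings


def audit_rdp_bytes(raw: bytes) -> list:
    """Findings for the raw contents of a single .rdp file."""
    return drive_redirection_findings(parse_rdp(decode_rdp(raw)))


def audit_tree(root: str) -> dict:
    """Map each .rdp file under root that redirects disks to its findings."""
    report = {}
    for path in Path(root).rglob("*.rdp"):
        try:
            hits = audit_rdp_bytes(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, hits in audit_tree(sys.argv[1]).items():
            print(name)
            for hit in hits:
                print("  " + hit)
    else:
        # No directory given: run against the constructed sample.
        for hit in audit_rdp_bytes(SAMPLE_REDIRECTING.encode("utf-16")):
            print(hit)
```

Run it with a profile or share path as the only argument to list the connection files that still request disk redirection.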
 


RE: [ActiveDir] Folder Redirection Issue

2006-10-06 Thread Dan DeStefano








Thank everyone for their help. The problem
seems to be that users need read permissions to the root home folders directory
as just giving them traverse/read folder contents was not enough. This is not
such a big deal I guess because thanks to ws2k3 sp1’s new access-based
enumeration feature, users cannot even see other users’ home folders in the
home folder share.

 

 

Again, thank all of you for your help,

 



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, October 05, 2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Folder Redirection Issue



 

Sorry, didn't read
thoroughly first (oops).  Yeah, it sounds like a perms issue, I usually
set the root of my user shares directory to have Read/Traverse perms for users
in case of an emergency and/or troubleshooting.  It's an administrative
share anyway, I can understand the paranoia of also setting it to basically be
unbrowsable, but it sounds like you're going 1/2 a step too far (at least for
the purposes of the applications in your environment). 





On 10/5/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:

If you're using a transform file to deploy, you should be able to
define the default file location, either as a variable (%homedrive%) or
alternatively, you can install the GPO extensions for MS Office and set the
item via GPO and stop worrying, as long as you test it a little bit before
deploying it out to everyone. 









On 10/4/06, Kennedy, Jim <[EMAIL PROTECTED]> wrote:





"Office was deployed to the workstations via group policy using an AIP
and MST transform."

 

Bet you
will find something in that MST that is pointing to the wrong location. Blow
out an Outlook profile on one as a test.

 

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, October 04, 2006 11:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Folder Redirection Issue





 

I am
having a weird problem with folder redirection. I have set the My Documents
redirection to the subfolder of the root drive option and set the path to the
homefolders directory (\\servername\homefolders$). This is supposed to redirect
users my documents to \\servername\homefolders$\%username%\my documents and it
does. The users log onto their PCs and open their My Documents folder fine –
and looking at the properties of their my documents folder confirms that the
redirection is working properly. The problem is in certain applications,
namely Outlook 2003 (all latest patches and SPs applied). When a user goes to
save an attachment, for example, and clicks on my documents in the save dialog,
they receive the error "cannot access \\servername\homefolders$", which
makes sense since the users do not have access to the homefolders$ share, just
to their subfolder. So Outlook, for some reason, is not drilling down into the
users my documents in the home folder, but instead is trying to access the root
of the homefolders$ share. In other Office apps, the my documents works fine.
There are also no event log entries that reference this issue.

 

I am
stuck here as I am unable to find any KB articles that discuss this. Does
anyone have any suggestions? I have not yet reinstalled Outlook because all
other Office apps work fine. Office was deployed to the workstations via group
policy using an AIP and MST transform.

 

 

Any help
would be greatly appreciated.

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content  and remove it from your possession.

 

















 






 


[ActiveDir] Folder Redirection Problem

2006-10-04 Thread Dan DeStefano








I am sorry if this is a repost, but I inadvertently deleted
any responses:

 

I am having a weird problem with folder redirection. I have
set the My Documents redirection to the subfolder of the root drive option and
set the path to the homefolders directory (\\servername\homefolders$). This is
supposed to redirect users my documents to
\\servername\homefolders$\%username%\my documents and it does. The users log
onto their PCs and open their My Documents folder fine – and looking at
the properties of their my documents folder confirms that the redirection is
working properly. The problem is in certain applications, namely Outlook
2003 (all latest patches and SPs applied). When a user goes to save an
attachment, for example, and clicks on my documents in the save dialog, they
receive the error “cannot access \\servername\homefolders$”, which makes
sense since the users do not have access to the homefolders$ share, just to
their subfolder. So Outlook, for some reason, is not drilling down into the users
my documents in the home folder, but instead is trying to access the root of
the homefolders$ share. In other Office apps, the my documents works fine.
There are also no event log entries that reference this issue.

 

I am stuck here as I am unable to find any KB articles that
discuss this. Does anyone have any suggestions? I have not yet reinstalled
Outlook because all other Office apps work fine. Office was deployed to the
workstations via group policy using an AIP and MST transform.

 

 

Any help would be greatly appreciated.

 

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


[ActiveDir] Folder Redirection Issue

2006-10-04 Thread Dan DeStefano








I am having a weird problem with folder redirection. I have
set the My Documents redirection to the subfolder of the root drive option and
set the path to the homefolders directory (\\servername\homefolders$). This is
supposed to redirect users my documents to \\servername\homefolders$\%username%\my
documents and it does. The users log onto their PCs and open their My Documents
folder fine – and looking at the properties of their my documents folder
confirms that the redirection is working properly. The problem is in
certain applications, namely Outlook 2003 (all latest patches and SPs applied).
When a user goes to save an attachment, for example, and clicks on my documents
in the save dialog, they receive the error “cannot access \\servername\homefolders$”,
which makes sense since the users do not have access to the homefolders$ share,
just to their subfolder. So Outlook, for some reason, is not drilling down into
the users my documents in the home folder, but instead is trying to access the
root of the homefolders$ share. In other Office apps, the my documents works
fine. There are also no event log entries that reference this issue.

 

I am stuck here as I am unable to find any KB articles that
discuss this. Does anyone have any suggestions? I have not yet reinstalled
Outlook because all other Office apps work fine. Office was deployed to the
workstations via group policy using an AIP and MST transform.

 

 

Any help would be greatly appreciated.

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Dan DeStefano








Thanks for all your help. I appreciate it.

 



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, September 21, 2006 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Search Mailbox



 

No – not without a third party product (e.g. Veritas Enterprise
Vault or EMC Legato). This feature is native to Exchange 2007.

 



Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132



 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox





 

Is there any way to search for messages within a mailbox
without using Outlook in Exchange 2000; like using System Administrator?

 

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error
please notify the sender, disregard any content  and remove it from your
possession.

 






 


[ActiveDir] Search Mailbox

2006-09-21 Thread Dan DeStefano








Is there any way to search for messages within a mailbox
without using Outlook in Exchange 2000; like using System Administrator?

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


[ActiveDir] OT - Redirect Incoming Mail on Exchange 2003

2006-08-28 Thread Dan DeStefano








I am running Exchange 2003 SP2 and have a question about
mail forwarding. I would like to forward all mail from a specific domain to an
outside e-mail address. So, when a message comes in from [EMAIL PROTECTED], the
message is automatically forwarded to [EMAIL PROTECTED].
Is this possible using built-in Exchange functionality? If not, can anyone
recommend a product that can do this? I have been looking at GFI Mail
Essentials for other purposes, but cannot ascertain whether or not it can do
this for me.

 

I would appreciate any help that can be provided.

 

 

Thanks,

 

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


[ActiveDir] OT - Redirect Incoming Mail on Exchange 2003

2006-08-27 Thread Dan DeStefano








I am running Exchange 2003 SP2 and have a question about
mail forwarding. I would like to forward all mail from a specific domain to an
outside e-mail address. So, when a message comes in from [EMAIL PROTECTED], the
message is automatically forwarded to [EMAIL PROTECTED].
Is this possible using built-in Exchange functionality? If not, can anyone
recommend a product that can do this? I have been looking at GFI Mail
Essentials for other purposes, but cannot ascertain whether or not it can do
this for me.

 

I would appreciate any help that can be provided.

 

 

Thanks,

 

 






Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content  and remove it from your possession.
 


RE: OT [ActiveDir] Optimize Exchange Pagefile

2006-05-08 Thread Dan DeStefano
I understand what you are saying and, in a perfect world, I would always 
recommend mirrored/duplexed arrays to hold at least the exchange log files. 
However, most of my clients are small businesses with which money is more of an 
object than performance. And at $300+ per SCSI disk, it is difficult to justify 
having 2 or more disks that aren’t used to store data.

All that being said, I will discuss this with the people in my organization as 
I do not like using RAID5 especially where Exchange is concerned.

Does anyone have any experience with using SATA II drives in applications as I 
have described? With their new NCQ and 3Gb/s features, combined with their 
cost/GB, they make an attractive alternative to SCSI for small businesses.


Dan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, May 08, 2006 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: OT [ActiveDir] Optimize Exchange Pagefile 

Al,

I still think that interesting (i.e. BAD) things might happen if the RAID-5 
ever flips into degraded mode (i.e. runs on two drives). The first proper 
Exchange Server I built (yes it was 5.0 RTM) was designed for a similar 
situation. We were a small business without about 20 people and the server was 
a Dual Pentium Pro (I guess with NT4) with a third party raid card (I can't 
remember the make). Any way I built it the same way as Dan proposes, and it ran 
fine for a while. However we had some issues with temperature control in the 
server room and we lost a drive from the array. These days I would have taken 
the server off line and allowed the re-build to complete. I didn't and the RAID 
card could just not cope with re-building the array and the minimal load we 
placed on it. To cut a long story short I spent a long time sorting out the 
mess it made of the databases.

Since then I have been very wary of such configs. In "theory" they should 
work. In my experience, and yes it was a long time ago, and hardware should 
have improved, it may not.

Dave.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 05 May 2006 19:06
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

yeah, there would be some general disagreement from me.  Why? Only because this 
is SBS box vs. an enterprise Exchange server hosting 5K users.

My laptop (crud that it is) could host 20 heavy exchange users with usable/good 
performance with that amount of memory.  I don't think the focus of a machine 
that will only ever have <75 users should be optimized for more than space in 
most situations.  It would be a waste of money that could be spent on other 
things like better backups, better coffee, etc.

I don't believe there's any value in buying a system such as SBS and then 
having to make adjustments to things like pagefile size.  That's counter to the 
product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the biggest 
benefit, but it's SBS and as such it's "special".  Just ask SBS-Lady ;)

Al

On 5/4/06, Dave Wade <[EMAIL PROTECTED]> wrote:
> If you have 4gig of RAM then you should get minimal paging. (I know 
> this is a great generalization)
>
> 1) Log file access is sequential, database is random
> 2) Keeping Log files write queue down is key to performance
> 3) log files are write only
> 4) raid-5 tends to have poor write performance (again great generalization).
>
> So I would try and get another drive in the box so I could have a mirrored 
> pair for OS & LOGS, and a mirrored pair for Databases. Putting these on 
> separate drives will do far more for performance than changing the page file. 
> RAID-5 is a real bad performer on write. These days I would avoid as far as 
> possible...
>
> I am sure other folks may disagree...
>
>-Original Message-
>From: [EMAIL PROTECTED] on behalf of Dan DeStefano
>Sent: Thu 04/05/2006 21:36
>To: ActiveDir@mail.activedir.org
>Cc:
>Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
>
>
>Yes, far less than 100, on this box it is under 20.
>
>You do not think it is necessary to mess with the page file, even if 
> only to make it static?
>
>
>
>
>
>Dan
>
>
>
>
>
>
>
>
>  _
>
>
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave 
> Wade
>Sent: Thursday, May 04, 2006 4:06 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Optimize Exchange Pagefile
>
>
>
>There is no point in messing about with memory config if you only have 
> a three drive RAID 5 array. Disk config is critical. How many users

RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dan DeStefano








Yes, far less than 100, on this box it is
under 20.

You do not think it is necessary to mess
with the page file, even if only to make it static?

 

 

Dan

 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile



 



There is no point in messing about with memory config if you
only have a three drive RAID 5 array. Disk config is critical. How many users
do you want to put on this box. less than 100?





 





 





-Original Message-
From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Thu 04/05/2006 20:16
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] Optimize Exchange Pagefile





I was wondering if anyone can point me to any MS document
that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372,
but this article does not discuss the page file. I am running SBS 2003 on a 3
GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical
drives. I plan on installing the Exchange binaries on the first logical drive
(which will also contain the system and boot partitions) and the Exchange
databases, logs, queues, etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set
it to be static and 1.5x physical RAM. I also create a pagefile on each disk
and let Windows choose the best one (which will be the second logical drive). I
do not want to disable the pagefile on C: because, from what I understand, this
will disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be appropriate
to set the pagefile on C: to something small like 256MB since the OS will be
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any
other differences between the memory/pagefile settings on a regular Exchange
box running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 





**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to
disclose this email, or any response to it, under the Freedom of Information
Act 2000, unless the information in it is covered by one of the exemptions in
the Act.

If you receive this email in error please notify Stockport
e-Services via [EMAIL PROTECTED] and then permanently remove it from
your system.

Thank you.

http://www.stockport.gov.uk
**










[ActiveDir] Optimize Exchange Pagefile

2006-05-04 Thread Dan DeStefano








I was wondering if anyone can point me to any MS document
that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372,
but this article does not discuss the page file. I am running SBS 2003 on a 3
GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical
drives. I plan on installing the Exchange binaries on the first logical drive
(which will also contain the system and boot partitions) and the Exchange
databases, logs, queues, etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set
it to be static and 1.5x physical RAM. I also create a pagefile on each disk and
let Windows choose the best one (which will be the second logical drive). I do
not want to disable the pagefile on C: because, from what I understand, this
will disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be appropriate
to set the pagefile on C: to something small like 256MB since the OS will be
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any
other differences between the memory/pagefile settings on a regular Exchange
box running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 








RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano








I can connect and bind successfully to the
ex5.5 machine from the new ws2k3 machine using the domain admin account and the
service account and via both ports: 389 and 38900.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems



 



I missed the part about the ADC then.  :)





 





Try the event log - what do you see at startup of the machine? If you
connect to tcp 389 of that machine, what answers? (try LDP and just connect -
you should see what you're looking for there.)  Until you can connect to
the Exchange directory via LDAP, you're not going anywhere. Basically, be sure
to check that the LDAP component is operational and work from there. 





 





Al

 





On 4/19/06, Dan DeStefano <[EMAIL PROTECTED]> wrote:





The ADC is set to use port 38900 and the LDAP protocol at the
Ex5.5 site level is set to use 38900, but at the server level it is set to use
389 (when I change this, mail stops flowing). Regardless, when I try connecting
in ADC tools to the Ex5.5 box it fails on either port.

 

I am trying to build a new Ex2k3 server in the domain, but it
will not join the organization because the ADC tools have not been run, or at
least that is the error message I am getting.

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 





The Exchange 5.5 directory should be listening
on another port since it is running on a DC that is already listening on 389
for AD LDAP operations. 









 





If possible it would probably be a lot safer and easier to build a new Exchange
2003 server and just migrate to the new machine...if possible.





 















Ion 





 





 














 







From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems









We are planning a complete domain migration and restructuring,
but that takes a while and the client has not signed off yet, but they want
ex2k3 features quickly. So we determined the fastest way to implement ex2k3
would be to do an in-place upgrade of their server. 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when
your end goal is a 2k3 native environment?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 

Yes, I can connect to the dc/ex5.5 box from the new ex2k3
member server using ldp on both ports 389 and 38900. I can also bind using the
enterprise/domain admin account and the ex service account. 

 

I am not trying to do a direct upgrade from 5.5 to 2k3, rather
I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to ex2k3.
I am receiving the database inconsistent errors when trying to do the ex2k
upgrade. 

 

Note: I am not sure if it matters, but in ex5.5
administrator, the ldap protocol for the site is set to 38900, but for the
server it is set to 389. I tried changing it in the server to 38900, but that
stopped mail from flowing. 

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's
start simple. Can you do an ldap bind to the exchange box on port 38900 using
the ldp tool (or similar) from the support tools?

You can't do an inplace upgrade from 5.5 to
2003 which is what it sounds like you're doing when you get the consistency
error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This
domain was a mess and it took a lot of doing just to resolve all the errors in
the event logs, but now they are just about all resolved and the DC/Ex5.5
server passes all netdiag/dcdiag tests.

My current project is to upgrade the Ex5.5 server (which is also the domain's only
DC) to Ex2k3, but I a

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano








I am not trying to upgrade from Ex5.5 to
Ex2k3, but rather from Ex5.5 to Ex2k, then, from Ex2k to Ex2k3.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, April 19, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange 5.5 Upgrade Problems



 



In place of Exchange 5.5 to Exchange 2003? Check the readme, release
notes and migration path scenarios again.  Last I checked, that was
not a supported upgrade path (2000 to 2003 is supported although not always
preferred).  





 





 





 





Al

 





On 4/18/06, Dan DeStefano <[EMAIL PROTECTED]> wrote:





We are planning a complete domain migration and
restructuring, but that takes a while and the client has not signed off yet,
but they want ex2k3 features quickly. So we determined the fastest way to
implement ex2k3 would be to do an in-place upgrade of their server. 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing this interim upgrade when
your end goal is a 2k3 native environment?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 

Yes, I can connect to the dc/ex5.5 box from the new ex2k3
member server using ldp on both ports 389 and 38900. I can also bind using the
enterprise/domain admin account and the ex service account. 

 

I am not trying to do a direct upgrade from 5.5 to 2k3,
rather I am trying to do an interim upgrade to ex2k, then upgrade from ex2k to
ex2k3. I am receiving the database inconsistent errors when trying to do the
ex2k upgrade. 

 

Note: I am not sure if it matters, but in ex5.5
administrator, the ldap protocol for the site is set to 38900, but for the
server it is set to 389. I tried changing it in the server to 38900, but that
stopped mail from flowing. 

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts of things here, but let's
start simple. Can you do an ldap bind to the exchange box on port 38900 using
the ldp tool (or similar) from the support tools?

You can't do an inplace upgrade from 5.5 to
2003 which is what it sounds like you're doing when you get the consistency
error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems

I have taken over administration of a w2k AD domain running Exchange 5.5. This
domain was a mess and it took a lot of doing just to resolve all the errors in
the event logs, but now they are just about all resolved and the DC/Ex5.5
server passes all netdiag/dcdiag tests. 

 

My current project is to upgrade the Ex5.5 server (which is also the domain's only
DC) to Ex2k3, but I am running into problems. I have successfully run
Forestprep and Domainprep. However, when I attempt to run the installation, I
receive the error "Exchange… cannot be assigned the task
"upgrade" because… the directory database is in an inconsistent
state… the private and or public stores are in an inconsistent state".
However, when using Eseutil to check database consistency of all 3 databases,
it reports that they are consistent. Even so, I tried using Eseutil to: repair
all 3 DBs and perform soft recovery on all 3 DBs, but nothing worked. I then
ran every test/repair using isinteg, all of which completed successfully and
only some of which reported errors. However, nothing has worked and I am still
getting the same errors when trying to upgrade. I also upgraded the ADC to the
Ex2k SP3 version, which had no effect. 

 

Now my plan is to install a new WS2k3/Ex2k3 server into the Ex5.5 organization,
move all mailboxes to it, then decommission the old Ex5.5 box. While waiting
for my maintenance window to upgrade the current ADC to the 2k3 version, I
installed EX2k3 ADC on the new mail server (which is not a DC). Now, when I try
to run the "Data collection" step in ADC tools on the new ws2k3 box,
I receive the error "Server :389 is not an Exchange 5.5
server or an SRS service". I realized that since it was installed on a DC
that the LDAP port in ADC was changed to 38900, so I changed it in ADC tools.
However, I am now receiving the error "Could not connect to server
:38900 with LDAP error

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-19 Thread Dan DeStefano








The ADC is set to use port 38900 and the
LDAP protocol at the Ex5.5 site level is set to use 38900, but at the server
level it is set to use 389 (when I change this, mail stops flowing). Regardless,
when I try connecting in ADC tools to the Ex5.5 box it fails on either port.

 

I am trying to build a new Ex2k3 server in
the domain, but it will not join the organization because the ADC tools have
not been run, or at least that is the error message I am getting.

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, April 19, 2006 10:25 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 





The Exchange 5.5 directory should be
listening on another port since it is running on a DC that is already listening
on 389 for AD LDAP operations.





 





If possible it would probably be a lot safer and easier to
build a new Exchange 2003 server and just migrate to the new machine...if
possible.





 

















Ion 





 





 













 







From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Tue 4/18/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems





We are planning a complete domain
migration and restructuring, but that takes a while and the client has not
signed off yet, but they want ex2k3 features quickly. So we determined the
fastest way to implement ex2k3 would be to do an in-place upgrade of their
server.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing
this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 

Yes, I can connect to the dc/ex5.5 box
from the new ex2k3 member server using ldp on both ports 389 and 38900. I can
also bind using the enterprise/domain admin account and the ex service account.

 

I am not trying to do a direct upgrade
from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then
upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors
when trying to do the ex2k upgrade.

 

Note: I am not sure if it matters, but in
ex5.5 administrator, the ldap protocol for the site is set to 38900, but for
the server it is set to 389. I tried changing it in the server to 38900, but
that stopped mail from flowing.

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts
of things here, but let's start simple. Can you do an ldap bind to the exchange
box on port 38900 using the ldp tool (or similar) from the support tools?

You can’t do
an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re
doing when you get the consistency error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems



 

I have taken over administration of a w2k AD domain running
Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve
all the errors in the event logs, but now they are just about all resolved and
the DC/Ex5.5 server passes all netdiag/dcdiag tests.

 

My current project is to upgrade the Ex5.5 server (which is
also the domain’s only DC) to Ex2k3, but I am running into problems. I
have successfully run Forestprep and Domainprep. However, when I attempt to run
the installation, I receive the error “Exchange… cannot be assigned
the task “upgrade” because… the directory database is in an
inconsistent state… the private and or public stores are in an
inconsistent state”. However, when using Eseutil to check database
consistency of all 3 databases, it reports that they are consistent. Even so, I
tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3
DBs, but nothing worked. I then ran every test/repair using isinteg, all of
which completed successfully and only some of which reported errors. However,
nothing has worked and I am still getting the same errors when trying to
upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

 

Now my plan is to install a new WS2k3/Ex2k3 server into the
Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5
box. While

RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano








We are planning a complete domain
migration and restructuring, but that takes a while and the client has not
signed off yet, but they want ex2k3 features quickly. So we determined the
fastest way to implement ex2k3 would be to do an in-place upgrade of their
server.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Why are you doing
this interim upgrade when your end goal is a 2k3 native environment?

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems



 

Yes, I can connect to the dc/ex5.5 box
from the new ex2k3 member server using ldp on both ports 389 and 38900. I can
also bind using the enterprise/domain admin account and the ex service account.

 

I am not trying to do a direct upgrade
from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then
upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors
when trying to do the ex2k upgrade.

 

Note: I am not sure if it matters, but in
ex5.5 administrator, the ldap protocol for the site is set to 38900, but for
the server it is set to 389. I tried changing it in the server to 38900, but
that stopped mail from flowing.

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts
of things here, but let's start simple. Can you do an ldap bind to the exchange
box on port 38900 using the ldp tool (or similar) from the support tools?

You can’t do
an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re
doing when you get the consistency error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems



 

I have taken over administration of a w2k AD domain running
Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve
all the errors in the event logs, but now they are just about all resolved and
the DC/Ex5.5 server passes all netdiag/dcdiag tests.

 

My current project is to upgrade the Ex5.5 server (which is
also the domain’s only DC) to Ex2k3, but I am running into problems. I
have successfully run Forestprep and Domainprep. However, when I attempt to run
the installation, I receive the error “Exchange… cannot be assigned
the task “upgrade” because… the directory database is in an
inconsistent state… the private and or public stores are in an
inconsistent state”. However, when using Eseutil to check database
consistency of all 3 databases, it reports that they are consistent. Even so, I
tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3
DBs, but nothing worked. I then ran every test/repair using isinteg, all of
which completed successfully and only some of which reported errors. However,
nothing has worked and I am still getting the same errors when trying to
upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

 

Now my plan is to install a new WS2k3/Ex2k3 server into the
Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5
box. While waiting for my maintenance window to upgrade the current ADC to the
2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC).
Now, when I try to run the “Data collection” step in ADC tools on
the new ws2k3 box, I receive the error “Server :389 is
not an Exchange 5.5 server or an SRS service”. I realized that since it
was installed on a DC that the LDAP port in ADC was changed to 38900, so I
changed it in ADC tools. However, I am now receiving the error “Could not
connect to server :38900 with LDAP error 6.  Check server
name, port number and account permissions”. I am logged on with the
Enterprise/Domain Administrator account and the ADC service is set to use the
same service account as the ADC on the Ex5.5 server.

 

If you need any more info please let me know.

Any help that anyone can provide will be greatly
appreciated.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 


RE: [ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano








Yes, I can connect to the dc/ex5.5 box
from the new ex2k3 member server using ldp on both ports 389 and 38900. I can
also bind using the enterprise/domain admin account and the ex service account.

 

I am not trying to do a direct upgrade
from 5.5 to 2k3, rather I am trying to do an interim upgrade to ex2k, then
upgrade from ex2k to ex2k3. I am receiving the database inconsistent errors
when trying to do the ex2k upgrade.

 

Note: I am not sure if it matters, but in
ex5.5 administrator, the ldap protocol for the site is set to 38900, but for
the server it is set to 389. I tried changing it in the server to 38900, but
that stopped mail from flowing.

 

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange 5.5 Upgrade Problems

Could be all sorts
of things here, but let's start simple. Can you do an ldap bind to the exchange
box on port 38900 using the ldp tool (or similar) from the support tools?

You can’t do
an inplace upgrade from 5.5 to 2003 which is what it sounds like you’re
doing when you get the consistency error.

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, April 18, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange 5.5 Upgrade Problems



 

I have taken over administration of a w2k AD domain running
Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve
all the errors in the event logs, but now they are just about all resolved and
the DC/Ex5.5 server passes all netdiag/dcdiag tests.

 

My current project is to upgrade the Ex5.5 server (which is
also the domain’s only DC) to Ex2k3, but I am running into problems. I
have successfully run Forestprep and Domainprep. However, when I attempt to run
the installation, I receive the error “Exchange… cannot be assigned
the task “upgrade” because… the directory database is in an
inconsistent state… the private and or public stores are in an
inconsistent state”. However, when using Eseutil to check database
consistency of all 3 databases, it reports that they are consistent. Even so, I
tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3
DBs, but nothing worked. I then ran every test/repair using isinteg, all of
which completed successfully and only some of which reported errors. However,
nothing has worked and I am still getting the same errors when trying to
upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

 

Now my plan is to install a new WS2k3/Ex2k3 server into the
Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5
box. While waiting for my maintenance window to upgrade the current ADC to the
2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC).
Now, when I try to run the “Data collection” step in ADC tools on
the new ws2k3 box, I receive the error “Server :389 is
not an Exchange 5.5 server or an SRS service”. I realized that since it
was installed on a DC that the LDAP port in ADC was changed to 38900, so I
changed it in ADC tools. However, I am now receiving the error “Could not
connect to server :38900 with LDAP error 6.  Check server
name, port number and account permissions”. I am logged on with the
Enterprise/Domain Administrator account and the ADC service is set to use the
same service account as the ADC on the Ex5.5 server.

 

If you need any more info please let me know.

Any help that anyone can provide will be greatly
appreciated.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 



[ActiveDir] Exchange 5.5 Upgrade Problems

2006-04-18 Thread Dan DeStefano








I have taken over administration of a w2k AD domain running
Exchange 5.5. This domain was a mess and it took a lot of doing just to resolve
all the errors in the event logs, but now they are just about all resolved and the
DC/Ex5.5 server passes all netdiag/dcdiag tests.

 

My current project is to upgrade the Ex5.5 server (which is
also the domain’s only DC) to Ex2k3, but I am running into problems. I
have successfully run Forestprep and Domainprep. However, when I attempt to run
the installation, I receive the error “Exchange… cannot be assigned
the task “upgrade” because… the directory database is in an
inconsistent state… the private and or public stores are in an
inconsistent state”. However, when using Eseutil to check database
consistency of all 3 databases, it reports that they are consistent. Even so, I
tried using Eseutil to: repair all 3 DBs and perform soft recovery on all 3
DBs, but nothing worked. I then ran every test/repair using isinteg, all of
which completed successfully and only some of which reported errors. However,
nothing has worked and I am still getting the same errors when trying to
upgrade. I also upgraded the ADC to the Ex2k SP3 version, which had no effect.

 

Now my plan is to install a new WS2k3/Ex2k3 server into the
Ex5.5 organization, move all mailboxes to it, then decommission the old Ex5.5
box. While waiting for my maintenance window to upgrade the current ADC to the
2k3 version, I installed EX2k3 ADC on the new mail server (which is not a DC). Now,
when I try to run the “Data collection” step in ADC tools on the
new ws2k3 box, I receive the error “Server :389 is not an
Exchange 5.5 server or an SRS service”. I realized that since it was
installed on a DC that the LDAP port in ADC was changed to 38900, so I changed
it in ADC tools. However, I am now receiving the error “Could not connect
to server :38900 with LDAP error 6.  Check server name,
port number and account permissions”. I am logged on with the
Enterprise/Domain Administrator account and the ADC service is set to use the
same service account as the ADC on the Ex5.5 server.

 

If you need any more info please let me know.

Any help that anyone can provide will be greatly
appreciated.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750
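
The question running through this thread is which directory service answers on port 389 and which on 38900. As an added example (not part of the original posts, and not code from any tool named in them), the Python below sends the same anonymous rootDSE read that ldp displays on connect and decodes the reply. The sample reply and its `example.test` names are constructed, and treating `rootDomainNamingContext` as the marker of Active Directory is an assumption of this example, as is the server permitting an anonymous rootDSE read.

```python
import socket

def ber_len(n):
    """Encode a BER definite length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value=b""):
    """Encode one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def rootdse_search_request(msg_id=1):
    """Anonymous LDAPv3 search: empty base DN, base scope, (objectClass=*)."""
    search = tlv(0x63,                        # [APPLICATION 3] SearchRequest
                 tlv(0x04)                    # baseObject "" = rootDSE
                 + tlv(0x0A, b"\x00")         # scope: baseObject
                 + tlv(0x0A, b"\x00")         # derefAliases: never
                 + tlv(0x02, b"\x00")         # sizeLimit: none
                 + tlv(0x02, b"\x00")         # timeLimit: none
                 + tlv(0x01, b"\x00")         # typesOnly: FALSE
                 + tlv(0x87, b"objectClass")  # filter: attribute is present
                 + tlv(0x30))                 # requested attributes: empty list
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + search)

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_rootdse(data):
    """Decode the reply stream; return (attributes dict, resultCode or None)."""
    attrs, result, pos = {}, None, 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        (_, _msg_id), (op_tag, op) = children(msg)[:2]
        if op_tag == 0x64:                    # SearchResultEntry
            (_, _dn), (_, attr_list) = children(op)[:2]
            for _, attr in children(attr_list):
                (_, name), (_, vals) = children(attr)[:2]
                attrs[name.decode()] = [v.decode(errors="replace")
                                        for _, v in children(vals)]
        elif op_tag == 0x65:                  # SearchResultDone
            result = children(op)[0][1][0]    # resultCode, 0 = success
    return attrs, result

def answered_by_active_directory(attrs):
    """Heuristic (assumption): AD's rootDSE carries rootDomainNamingContext."""
    return "rootdomainnamingcontext" in {name.lower() for name in attrs}

def probe(host, port, timeout=5.0):
    """Send the rootDSE search to host:port; return (attrs, resultCode)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(rootdse_search_request())
        while chunk := conn.recv(4096):
            data += chunk
            try:
                attrs, result = parse_rootdse(data)
            except ValueError:
                continue                      # message still incomplete
            if result is not None:            # SearchResultDone seen
                break
    return parse_rootdse(data)

def attr_tlv(name, *values):
    """Encode one PartialAttribute (used only to build the sample below)."""
    vals = b"".join(tlv(0x04, v.encode()) for v in values)
    return tlv(0x30, tlv(0x04, name.encode()) + tlv(0x31, vals))

# Constructed sample reply (not captured traffic): one entry, then "done, success".
SAMPLE_RESPONSE = (
    tlv(0x30, tlv(0x02, b"\x01") + tlv(0x64, tlv(0x04) + tlv(0x30,
        attr_tlv("dnsHostName", "dc1.example.test")
        + attr_tlv("rootDomainNamingContext", "DC=example,DC=test"))))
    + tlv(0x30, tlv(0x02, b"\x01")
          + tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04) + tlv(0x04))))

if __name__ == "__main__":
    print(parse_rootdse(SAMPLE_RESPONSE))     # offline demo on the sample
```

Calling `probe(host, 389)` and `probe(host, 38900)` against a server you administer and comparing the returned attributes shows which service owns each port.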

 







[ActiveDir] Outlook Contacts Problem

2005-08-03 Thread Dan DeStefano








We recently had an Exchange server failure and mailboxes had
to be restored from backup. Now some users are having problems with their
contacts. When they click ‘To’ in a message and select ‘Contacts’,
the list is empty. However, the contacts are present in the ‘Contacts’
folder in the users’ mailboxes. I went to the properties of the Contacts
folder and selected “Show this folder as an address book” and
restarted Outlook, but the problem persists. I also removed and recreated the
Outlook profile, with no success. We are using Outlook 2000.

 

I would appreciate any suggestions.

 

_

 



Daniel DeStefano



 








[ActiveDir] Permissions Problem

2005-07-08 Thread Dan DeStefano








I am trying to set permissions to a folder and all
subfolders/files that allow a group to read/execute and write but not delete. I
have assigned the permissions appropriately for the group (read/execute, list
folder contents, read, write) to the parent folder and reset all
subfolders/files.

 

The users are supposed to open a template excel file, edit
it and save it as a different file name into a subfolder in this folder tree. The
problem is that when they try to save the file as, they receive an error
stating that the folder is read-only. They can create a subfolder and save the
file in there, but this is not acceptable.

 

Is what I propose possible or does this group simply need
modify permissions to the folder tree?

 

 

Thanks in advance,

 



Daniel DeStefano



 








RE: [ActiveDir] Do you make your users local admins on their PCs?

2005-06-30 Thread Dan DeStefano








It is a very poor idea to allow users
local admin privileges on their machine. First of all, it is a security
vulnerability and makes it much easier for a machine to be compromised by
malware. Also, denying admin privileges will help mitigate most Windows
vulnerabilities as most of them run in the security context of the locally
logged-on user.

 

Another plus is that it allows you to more
easily control locally-saved data: if users are only allowed to save data to
one or two folder trees, then those are all you have to worry about backing up
when you need to move the user.

 

I think it is a poor idea to allow users
to install software on their machines. You should control all the software on
all machines; this way all the PCs can be kept in a known state, which makes
troubleshooting problems much easier. Not to mention the fact that many
programs that users tend to download/install will cause increased network
traffic and network vulnerability; and these days many freeware programs will
also install malware.



Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this
communication is confidential, may be privileged and is intended for the
exclusive use of the above named addressee(s). If you are not the intended
recipient(s), you are expressly prohibited from copying, distributing,
disseminating, or in any other way using any of the information contained
within this communication. If you have received this communication in error,
please contact the sender by telephone 212.871.5262 or by response via e-mail.

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Do you make your users local admins on their PCs?

We're having a big discussion about
users being local administrators on their PCs.  We've made them local
admins in the past (on NT4 domain) because they needed to be able to install
apps, and we kept running into issues that led back to them not having local
admin rights.

Is there an easy way now that we're on a Win2k3 AD domain to take admin rights
away but still ensure things work correctly?  What's the general
consensus, do most of you give your users local admin rights?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


[ActiveDir] Automate Adding Environment Variables

2005-06-28 Thread Dan DeStefano

Is there a way to have a user specify an environment variable at first
logon? We have a program that needs to send mail to an e-mail address and this
has to be specific to each user. This server (a terminal server) will likely
contain 200+ user accounts and doing this manually would be undesirable.

Ideally, I would like it if the first time a user logs onto the server, they are
prompted to enter their e-mail address and hit enter, and this will set a user
variable that points to this e-mail address (something like 
[EMAIL PROTECTED].
I was thinking it would be best if this can be done with a simple DOS batch
file that can be set to run at first user logon, probably by adding it to the
"Runonce" key in the user's registry hive (unless there is a better
way). We do not want this to execute every time the user logs onto the terminal
server.

I would greatly appreciate any help,


Dan DeStefano

RE: [ActiveDir] Open Another User's Registry File

2005-06-27 Thread Dan DeStefano

Thank you for your help

Daniel DeStefano
PC Support Specialist

From: Robinson, Chuck [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Open Another User's Registry File

Open Regedit, set your
focus to HKLM, use Load Hive from the File Menu. Be sure to unload the hive
when you are done.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, June 27, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Open Another User's Registry File

Is it possible to open another
user’s ntuser.dat file for editing? I would like to be able to edit some
per-user settings for specific users, but when I try to open it using regedit or
regedt32, I am asked if I want to add the information in the file to the
registry, which I do not want to do. This is on a Windows 2000 Server machine.

I appreciate any help,

Daniel DeStefano

RE: [ActiveDir] Logon server bad discovery

2005-06-27 Thread Dan DeStefano

Thanks a lot, I appreciate it.

Daniel DeStefano
PC Support Specialist

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logon server bad discovery

Hello

I have the following
problem. I have a network with only W2K3 SP1 domain controllers in several sites
(uhnete). Subnet, site, and site links are configured. There are DNS, GC in
each site. My clients are XP SP2. When I tested my logon server through set
„l=logon server“ I discovered that my logon server is from another
site than the client resides in (belongs to). DC, DNS and replication function
correctly. I discovered that the clients after logon belong to an incorrect site
(nltest /dsgetsite). The site which the client belongs
to changes randomly. When I set the parameter "DynamicSiteName" in
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
to the correct site, everything functions
correctly. I would like to get more information on how the logon process discovers
the right site and right domain controller. I found some information on MSDN about
DsGetDcName, but this information is incomplete. http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

Does anybody have a solution for this?

THX

Zdenek

[ActiveDir] Open Another User's Registry File

2005-06-27 Thread Dan DeStefano

Is it possible to open another user’s ntuser.dat file
for editing? I would like to be able to edit some per-user settings for
specific users, but when I try to open it using regedit or regedt32, I am asked
if I want to add the information in the file to the registry, which I do not
want to do. This is on a Windows 2000 Server machine.

I appreciate any help,

Daniel DeStefano

[ActiveDir] Remove View Menu From Explorer

2005-06-27 Thread Dan DeStefano

In Windows 2000, is it possible to remove or disable the “View”
menu from Windows Explorer and Internet Explorer 6? If not, then is it possible
to remove or disable the “Explorer Bar” submenu? It would also be
OK to be able to just remove all text menus (Edit, View, Go, etc). We are
locking down a kiosk machine and want the clients to be able to see one folder
only and not be able to navigate to others. The problem is that if we just
remove access from the parent folder, a certain program we are using does not
work properly, plus, even though the user account is given ‘modify’
permissions to their folder and no permissions to the parent folder, the
shortcut used to open their folder does not work.

 

 

I appreciate any help on this issue,

Daniel DeStefano

RE: [ActiveDir] Lock down server not in a domain using GPO

2005-06-21 Thread Dan DeStefano

Where do you set permissions on a local
policy?

Daniel DeStefano
PC Support Specialist

From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lock down server not in a domain using GPO

You can set the policy
permissions to allow the local administrator account to read but not apply the
policy.  Or, you can do what we do and create a special local account for
policy administration and set that special account to read and not apply the
policy.



Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, June 21, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lock down server not in a domain using GPO

We have a terminal server we would
like to use for clients to access some of our data that they need and this
server should be locked-down so the clients can only do what they need. The
problem is that management would rather this server not be a member of our
domain so we cannot use AD GPOs to lock the server down. I looked into using
local policies to lock down the machine, but found out that they would also
affect the administrator account unless that group/account is denied
‘read’ permissions to the “..\system32\grouppolicy”
folder. However, would this not deny editing of the policies in the folder as
well?

 

It has been suggested that we create
a new AD domain solely for use with this terminal server. Is this a good idea?
I tend to think this is too much solution.

 

Can anyone make any suggestions on
the best way to accomplish our goals?

 

 

Thank you in advance,

Daniel DeStefano
PC Support Specialist

[ActiveDir] Lock down server not in a domain using GPO

2005-06-21 Thread Dan DeStefano

We have a terminal server we would like to use for clients
to access some of our data that they need and this server should be locked-down
so the clients can only do what they need. The problem is that management would
rather this server not be a member of our domain so we cannot use AD GPOs to
lock the server down. I looked into using local policies to lock down the
machine, but found out that they would also affect the administrator account
unless that group/account is denied ‘read’ permissions to the
“..\system32\grouppolicy” folder. However, would this not deny
editing of the policies in the folder as well?

 

It has been suggested that we create a new AD domain solely
for use with this terminal server. Is this a good idea? I tend to think this is
too much solution.

 

Can anyone make any suggestions on the best way to
accomplish our goals?

 

 

Thank you in advance,

Daniel DeStefano
PC Support Specialist

RE: [ActiveDir] Secure DHCP

2005-05-16 Thread Dan DeStefano
I thought about that, but I think it would quickly become cumbersome to
manage. Kind of defeats most of the purpose of DHCP.

Dan

-Original Message-
From: Cace, Andrew [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 16, 2005 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

This would require some effort to configure and maintain, but what about
using DHCP reservations?  This will accomplish the goal of only allowing
approved PC's on your network.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 16, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure DHCP

At the lower layers of the OSI stack, the only way I'm aware of to block
computers from getting an IP address is to use port-based authentication
if your network hardware supports it. As Al mentioned, quarantine networks
are becoming a more realistic solution, but don't address the basics of
DHCP. Using IPSec to ensure only trusted computers can get access to
resources is a decent solution as well; the rogue PC can get an address,
but cannot connect to anything except perhaps the internet. Not simple to
set up, though...

Hmm. Maybe we can develop a power over ethernet solution. Run 220V AC
through the ethernet cables and put a high-pass filter on the legit
machines. Then, if someone plugs a rogue laptop into the network, the
laptop gets a little hot... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Monday, May 16, 2005 7:00 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure DHCP
> 
> I am wondering if there is any way to secure DHCP from assigning 
> leases to PCs that are not authorized on the domain. I imagine that 
> this is not possible since, in order to authenticate, a PC needs an IP
> address.
> 
> The problem is that the other day we had a rogue PC plug into our 
> network and, though probably coincidental, our browse list was messed 
> up afterwards. So I have been tasked with finding out if there is a 
> way to prevent unauthorized PCs from obtaining IP leases on our 
> network (other than disabling all jacks not in use, which is what we 
> will be doing). If not, does anyone have any suggestions on how to 
> prevent the above situation in the future?
> 
>  
> 
> Daniel DeStefano
> PC Support Specialist
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
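
An added example, not part of any message in this thread: a Python check that compares lease events in a DHCP server audit log with a list of approved (reserved) MAC addresses and reports leases handed to anything else. The seven-field comma-separated log layout, the meaning of event IDs 10 and 11, and every host name, address and MAC in the sample are assumptions constructed for the example.

```python
import csv
import io

# Audit-log event IDs treated as "a client holds a lease". Assumed meanings:
# 10 = new lease assigned, 11 = existing lease renewed.
LEASE_EVENTS = {10, 11}

# Constructed sample log (not real data). Assumed field order:
# ID, Date, Time, Description, IP Address, Host Name, MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/16/05,00:00:12,Started,,,
10,05/16/05,08:02:41,Assign,10.1.0.51,WS-ACCT-01.corp.example,000D60A1B2C3
11,05/16/05,08:15:03,Renew,10.1.0.52,WS-ACCT-02.corp.example,000D60A1B2C4
10,05/16/05,09:47:19,Assign,10.1.0.77,UNKNOWN-LAPTOP,001122334455
10,05/16/05,10:01:00,Assign,10.1.0.78,,XYZ
11,05/16/05,10:30:00,Renew,10.1.0.77,UNKNOWN-LAPTOP,001122334455
"""

# Constructed allowlist, e.g. exported from the server's reservations.
# Mixed separators and case are accepted on purpose.
APPROVED_MACS = ["00-0D-60-A1-B2-C3", "00:0d:60:a1:b2:c4"]


def normalize_mac(value):
    """Return the MAC as 12 upper-case hex digits, or None if it is not one."""
    digits = value.strip().upper()
    for sep in "-:.":
        digits = digits.replace(sep, "")
    if len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits):
        return digits
    return None


def find_unapproved_leases(log_text, approved_macs):
    """Return one finding per client that got a lease without being approved."""
    approved = {normalize_mac(m) for m in approved_macs}
    approved.discard(None)          # ignore unusable allowlist entries
    findings = {}                   # keyed by client; keeps first-seen order
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue                # header, preamble or truncated line
        if int(row[0]) not in LEASE_EVENTS:
            continue
        date, time, ip, host, raw_mac = row[1], row[2], row[4], row[5], row[6]
        mac = normalize_mac(raw_mac)
        if mac in approved:
            continue
        key = mac or "raw:" + raw_mac
        entry = findings.setdefault(key, {
            "mac": mac or raw_mac,
            "host": host,
            "ips": [],
            "first_seen": f"{date} {time}",
            "events": 0,
            "reason": "no reservation" if mac else "unparseable MAC",
        })
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
        entry["events"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_unapproved_leases(SAMPLE_LOG, APPROVED_MACS):
        print(f'{hit["first_seen"]}  {hit["mac"]:<14} {",".join(hit["ips"]):<12} '
              f'{hit["host"] or "-"}  ({hit["reason"]}, {hit["events"]} event(s))')
```

The MAC address in the log is whatever the client reported, so this is a detection aid and not an access control; port-based authentication, as mentioned in the thread, is what keeps a device off the network.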


[ActiveDir] Secure DHCP

2005-05-16 Thread Dan DeStefano

I am wondering if there is any way to secure DHCP from
assigning leases to PCs that are not authorized on the domain. I imagine that
this is not possible since, in order to authenticate, a PC needs an IP address.

The problem is that the other day we had a rogue PC plug
into our network and, though probably coincidental, our browse list was messed
up afterwards. So I have been tasked with finding out if there is a way to
prevent unauthorized PCs from obtaining IP leases on our network (other than
disabling all jacks not in use, which is what we will be doing). If not, does
anyone have any suggestions on how to prevent the above situation in the future?

 

Daniel DeStefano
PC Support Specialist

RE: [ActiveDir] DNS vs. Hosts File

2005-05-05 Thread Dan DeStefano

Well, he said that he wanted it on domain
controllers so that if DNS goes down that people can still log on. But that is
not the case, right? People can logon to a DC in AD as long as that DC can
query a GC, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, May 05, 2005 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS vs. Hosts File

Did you ask him if you
could have the host file on his machine… that he MUST be using to browse
the web with? DNS untrustworthy vs host file… bahaha

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, May 05, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS vs. Hosts File

Recently, one of my colleagues and I
got into a discussion about DNS vs. hosts files in AD. He has configured the
hosts file on all of our domain controllers (Windows 2000 AD in native mode) to
point to other DCs. One of our DCs was moved to another site and the hosts file
on a DC was not changed to point to the moved DC on its new subnet – this
obviously resulted in NTFRS errors.

 

Anyway, after this I got into a
discussion with my boss about the need of the hosts file in AD. It is my
position that the hosts file is no longer necessary and should not really be
used in AD and is only included for backward-compatibility, testing and for
certain special instances. It is his position that DNS is untrustworthy and
that the hosts file should be configured as a backup in case DNS goes down. My
response to this was twofold – 1. the hosts file is queried before DNS so
it is not really a backup, it is a primary method of name-resolution, plus, it
does not support SRV records; 2.
DNS is the foundation of AD and if it goes down, AD will not work correctly
anyway. Plus, that is the reason for secondary DNS servers, of which we have
several.

 

Could anyone point to any
documentation that discusses the role of the hosts file in AD and also include
your own opinions and comments.

Daniel DeStefano
PC Support Specialist

[ActiveDir] DNS vs. Hosts File

2005-05-05 Thread Dan DeStefano

Recently, one of my colleagues and I got into a discussion
about DNS vs. hosts files in AD. He has configured the hosts file on all of our
domain controllers (Windows 2000 AD in native mode) to point to other DCs. One
of our DCs was moved to another site and the hosts file on a DC was not changed
to point to the moved DC on its new subnet – this obviously resulted in
NTFRS errors.

 

Anyway, after this I got into a discussion with my boss
about the need of the hosts file in AD. It is my position that the hosts file
is no longer necessary and should not really be used in AD and is only included
for backward-compatibility, testing and for certain special instances. It is
his position that DNS is untrustworthy and that the hosts file should be
configured as a backup in case DNS goes down. My response to this was twofold –
1. the hosts file is queried before DNS so it is not really a backup, it is a
primary method of name-resolution, plus, it does not support SRV records; 2. DNS is the foundation of AD and if
it goes down, AD will not work correctly anyway. Plus, that is the reason for
secondary DNS servers, of which we have several.

 

Could anyone point to any documentation that discusses the
role of the hosts file in AD and also include your own opinions and comments.

Daniel DeStefano
PC Support Specialist

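
An added example, not part of the original post: a Python audit for the failure described above, where a hosts entry kept pointing at a DC's old address after the DC had moved. It parses a hosts file and compares each entry with what DNS currently answers; the `dns_lookup` callable, the sample file and the sample DNS answers are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file: dc02 was moved to another subnet but its
# entry was never updated, and the last line has its fields reversed.
SAMPLE_HOSTS = """\
# constructed sample, not taken from the thread
127.0.0.1    localhost
10.1.0.10    dc01.corp.example   DC01
10.1.0.11    dc02.corp.example   # DC has since moved to another site
10.1.0.12    dc03.corp.example
dc04.corp.example 10.1.0.13
"""

# Constructed stand-in for what the DNS servers currently answer.
SAMPLE_DNS = {
    "dc01.corp.example": {"10.1.0.10"},
    "dc01": {"10.1.0.10"},
    "dc02.corp.example": {"10.2.0.11"},
}


def sample_dns_lookup(name):
    """Return the set of addresses DNS holds for name (empty if none).

    In real use this must query DNS directly (for example with a DNS client
    library). socket.getaddrinfo() is not suitable because the system
    resolver reads the hosts file first, which is the override being audited.
    """
    return SAMPLE_DNS.get(name, set())


def parse_hosts(text):
    """Return ([(line_no, address, [names])], [malformed_line_numbers])."""
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(line_no)
            continue
        if len(fields) < 2:                      # address with no name
            malformed.append(line_no)
            continue
        names = [name.lower().rstrip(".") for name in fields[1:]]
        entries.append((line_no, address, names))
    return entries, malformed


def audit_hosts(text, dns_lookup):
    """Classify every non-loopback hosts entry against DNS.

    stale      DNS has the name, but with different addresses
    redundant  DNS agrees; the entry still overrides any later DNS change
    hosts-only DNS has no record; the name resolves only through the file
    """
    entries, malformed = parse_hosts(text)
    findings = []
    for line_no, address, names in entries:
        if address.is_loopback:
            continue
        for name in names:
            answers = {ipaddress.ip_address(a) for a in dns_lookup(name)}
            if not answers:
                status = "hosts-only"
            elif address in answers:
                status = "redundant"
            else:
                status = "stale"
            findings.append({
                "line": line_no,
                "name": name,
                "hosts_ip": str(address),
                "dns_ips": sorted(str(a) for a in answers),
                "status": status,
            })
    return findings, malformed


if __name__ == "__main__":
    findings, malformed = audit_hosts(SAMPLE_HOSTS, sample_dns_lookup)
    for f in findings:
        print(f'line {f["line"]}: {f["name"]} -> {f["hosts_ip"]} '
              f'[{f["status"]}] DNS: {", ".join(f["dns_ips"]) or "none"}')
    print("malformed lines:", malformed)
```
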



 



 








[ActiveDir] File Share Access

2005-04-29 Thread Dan DeStefano

I am sorry about re-posting this question, but we lost some
e-mail here at my company and I would have missed any responses to the original
post.

 

I am having a problem with accessing a share on a server.
The problem is that when I am logged onto a PC with a local administrator
account and I connect to a share on a certain server, the contents of the share
are displayed without me being prompted for a username/password to make the
connection. The problem is that since permissions are set on these
files/folders, I cannot access any of them when logged on with the local admin
account. When connecting to other server shares, I am prompted for a
username/pass, which I enter and am subsequently able to access shares.

 

I have looked into various settings on the server, most
notably the anonymous enumeration of shares, but nothing helps. This share I am
speaking of is a share cluster resource, but I am not sure if this would have
anything to do with it. Also, the everyone group is not in the share or ntfs
permissions anywhere.

 

I would appreciate any help provided.

 

Thanks in advance,

Daniel DeStefano
PC Support Specialist

[ActiveDir] File Share Access

2005-04-27 Thread Dan DeStefano

I am having a problem with accessing a share on a server. The
problem is that when I am logged onto a PC with a local administrator account
and I connect to a share on a certain server, the contents of the share are
displayed without me being prompted for a username/password to make the
connection. The problem is that since permissions are set on these
files/folders, I cannot access any of them when logged on with the local admin
account. When connecting to other server shares, I am prompted for a
username/pass, which I enter and am subsequently able to access shares.

 

I have looked into various settings on the server, most
notably the anonymous enumeration of shares, but nothing helps. This share I am
speaking of is a share cluster resource, but I am not sure if this would have
anything to do with it. Also, the everyone group is not in the share or ntfs
permissions anywhere.

 

I would appreciate any help provided.

 

Thanks in advance,

Daniel DeStefano
PC Support Specialist

RE: [ActiveDir] Kerberos authentication and 2003 /2000

2005-04-26 Thread Dan DeStefano
Have you tried running netdiag /fix?

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, April 22, 2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos authentication and 2003 /2000

Domain running 2000 native mode.  DC are 2000.

Have member servers with 2003.  when I run netdiag I see that Kerberos
authentication failed.   Should I be concerned or is something wrong on
either the member server or the Domain controllers. 

Jeff




RE: [ActiveDir] All Folders Read Only

2005-04-18 Thread Dan DeStefano
That is the way it is supposed to be - all folders usually have the
'read only' attribute enabled. I think even if you disable the
attribute, it will enable again automatically. Access to the folders is
set by the NTFS permissions.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Friday, April 15, 2005 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] All Folders Read Only

We have a computer running Windows XP SP2 that all folders are listed as
read only.  I know that the read only attribute is typically ignored on
folders, but the user is no longer able to save any files to the
computer.  

We have followed the steps in KB326549 with no luck.  Has anyone else
run into this problem that might have a possible work around.  

Any suggestions would be much appreciated

Thanks
Mike

Michael O'Sullivan
Information Technology Specialist
College of Veterinary Medicine
University of Florida
352.392.4700x4343
352.392.7259 (fax)
[EMAIL PROTECTED] 



RE: [ActiveDir] OT: Clustered Printers

2005-04-13 Thread Dan DeStefano
I just wanted to update this post. I have resolved the issue. It turns out that 
it was a permissions problem on the spool directory on the cluster. This was 
determined by the audit logs. Once I gave full control permissions to Domain 
Computers and Local System everything worked fine.


Dan



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Monday, April 11, 2005 5:52 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Clustered Printers

I am trying to get printing working on a w2k cluster. I have done the following:
1. Installed all printer drivers on both nodes of the cluster (active/passive). 
2. Set up a print spooler resource and pointed it to a folder on the shared 
disk array that has domain users - modify permissions and brought the print 
spooler online. 
3. Browsed to the cluster virtual server through network places and used the 
"add printer" applet to set up the printers. Made sure domain users had "print" 
permissions on all printers. 

I can now connect to the clustered printers and set them up on a workstation 
(xppro).  However, when I try to print a test page, I immediately get the 
"document failed to print..." error. But there are no errors in the event logs, 
just the warning saying the printer driver was installed. 

I read a kb article that said the w2k cluster service was not ad-aware and that 
you need to add the everyone group to the "pre-windows 2000..." Group. I have 
done this but the problem persists. 

Am I doing something wrong? Do more permissions need to be added somewhere? I 
would appreciate any help. 


Dan DeStefano




[ActiveDir] OT: Clustered Printers

2005-04-11 Thread Dan DeStefano
I am trying to get printing working on a w2k cluster. I have done the following:
1. Installed all printer drivers on both nodes of the cluster (active/passive). 
2. Set up a print spooler resource and pointed it to a folder on the shared 
disk array that has domain users - modify permissions and brought the print 
spooler online. 
3. Browsed to the cluster virtual server through network places and used the 
"add printer" applet to set up the printers. Made sure domain users had "print" 
permissions on all printers. 

I can now connect to the clustered printers and set them up on a workstation 
(xppro).  However, when I try to print a test page, I immediately get the 
"document failed to print..." error. But there are no errors in the event logs, 
just the warning saying the printer driver was installed. 

I read a kb article that said the w2k cluster service was not ad-aware and that 
you need to add the everyone group to the "pre-windows 2000..." Group. I have 
done this but the problem persists. 

Am I doing something wrong? Do more permissions need to be added somewhere? I 
would appreciate any help. 


Dan DeStefano


_
 
Daniel DeStefano
PC Support Specialist
 
IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300
www.iagr.net

Measuring Ad Effectiveness on Television


RE: [ActiveDir] Clustering Question

2005-04-08 Thread Dan DeStefano








So then I can just add an additional
network name resource to the current cluster group? Is there any way to hide
the shares from users when accessing the cluster through the new network name? I
just don’t want any confusion with the users.

 

Dan

 

 









From: Brian Desmond [mailto:[EMAIL PROTECTED]
On Behalf Of Brian Desmond
Sent: Friday, April 08, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Clustering Question



 





No, you can't do this. The disk resource has to be in one group so
that it fails over with that group. Why don't you just add the spooler service
to the existing file print group if you only have one lun available? You can
add an additional virtual name as well so users don't notice the changeover. 





 









--Brian Desmond
[EMAIL PROTECTED]
Payton on the web!
www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101





c - 312.731.3132







 







From:
[EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Fri 4/8/2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clustering
Question





I am a relative novice when it comes
to clustering so please forgive me. Is it possible to have two different
cluster groups use the same disk resource? We currently have a cluster group
that is handling file shares and want to add to it a print spooler as our
current print server is on the edge of failure. However, we would like to keep
the same network name so that the switch will be transparent to users. So would
the following configuration work:

 

cluster group 1:

network name – “file”
disk resource – “z”
file share – “share”
master node – node1
standby node – node2
active/passive

cluster group 2:

network name – “print”
disk resource – “z”
spooler – “spooler1”
master node – node2
standby node – node1
active/passive

 

will this configuration work? What
about if the same node was made master for both groups?

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY
 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on
Television

 




 



 










[ActiveDir] Clustering Question

2005-04-08 Thread Dan DeStefano








I am a relative novice when it comes to clustering so please
forgive me. Is it possible to have two different cluster groups use the same
disk resource? We currently have a cluster group that is handling file shares
and want to add to it a print spooler as our current print server is on the
edge of failure. However, we would like to keep the same network name so that
the switch will be transparent to users. So would the following configuration
work:

 

cluster group 1:

 

network name – “file”

disk resource – “z”

file share – “share”

master node – node1

standby node – node2

active/passive

 

cluster group 2:

 

network name – “print”

disk resource – “z”

spooler – “spooler1”

master node – node2

standby node – node1

active/passive

 

will this configuration work? What about if the same node
was made master for both groups?

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue
  South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 




 



 








[ActiveDir] Exchange CALs

2005-04-06 Thread Dan DeStefano








I was told by a colleague that he heard that each Exchange CAL includes a license for Outlook. Is this true?

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue
  South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 




 



 








[ActiveDir] Exchange 2000

2005-04-06 Thread Dan DeStefano








I need to find out how many mailboxes are on particular
Exchange 2000 servers for auditing purposes. What is the quickest way to do
this?

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue
  South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 




 



 








RE: [ActiveDir] time sync script

2005-04-05 Thread Dan DeStefano
You shouldn't need to do this. Once a client is joined to a domain, it
should automatically sync its clock with the "closest" DC in the site.
This is done via the Windows Time Service (w32time.exe) and its
functionality is controlled via the "w32tm.exe" command.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, April 05, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time sync script

Anybody have a script that can check the time on client machines and
auto
sync them with the Domain Controller?

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
 





RE: [ActiveDir] Domain Groups / users in lab

2005-03-18 Thread Dan DeStefano








All you want is that certain teachers
should not have the same GPO applied as the labs? You should
be able to do this in several different ways. Are you saying that you do not
want the default domain GPO to apply to these teachers? If so then you may want
to think about restructuring your GPOs so that any lab policies are not applied
at the domain level, but rather to the specific lab OUs themselves.

 

Dan

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Matt Brown
Sent: Friday, March 18, 2005 2:12
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Groups
/ users in lab



 

Hi,

 

I run a domain in a University environment.  I currently have 1 domain with
all accounts in it: students, faculty, and staff.  We have computer labs
that any users (students, fac/staff) can use.  These computers do not
offer roaming profiles and we allow accounts local administrative access. 
Each lab has its own profile that is specific to their lab and not the user.

 

What
I would also like to do is allow faculty/staff members to use the domain for
their personal workstations but I don’t want them to have the same GPO as
they would have if they were using a computer lab.

 

Do I
need to setup a separate domain? Or a child domain?  Or is it possible for
user OU’s to apply to computer groups rather than applying them on the
User OU?

 

Current domain structure example

mydomain.edu
mycomputers
lab1
lab2
human resources
Information Technology
people
  employees
  students

 



Thanks,

--

Matt Brown

[ SELECT * FROM computers WHERE OS > MS ]

Information Technology System Specialist

Eastern Washington
 University

 










RE: [ActiveDir] Roaming Profiles

2005-03-17 Thread Dan DeStefano








Sorry, I should mention that the servers
are all W2k and the clients are mostly WXPP (the others are W2k).

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, March 17, 2005
12:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Roaming
Profiles



 

I have a question about roaming
profiles: Is there a way to restrict the size of a profile? I could probably
create a new partition on a file server just for the roaming profiles and then
enable quotas, but I am looking for a more elegant solution. I vaguely remember
some way of limiting profile size through GPO or something, but I can’t
seem to remember how.

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY
 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on
Television

 




 



 








[ActiveDir] Roaming Profiles

2005-03-17 Thread Dan DeStefano








I have a question about roaming profiles: Is there a way to
restrict the size of a profile? I could probably create a new partition on a
file server just for the roaming profiles and then enable quotas, but I am
looking for a more elegant solution. I vaguely remember some way of limiting
profile size through GPO or something, but I can’t seem to remember how.

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue
  South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 




 



 








RE: [ActiveDir] XP Srv Pk 2

2005-03-15 Thread Dan DeStefano








Yes, I have done this.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, March 15, 2005 9:54
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP Srv Pk 2



 



Anyone successfully pushed XP Service
Pack 2 via GPO to XP clients from a W2K AD?





 





Thank you,





Z.V.










RE: [ActiveDir] WINS

2005-03-07 Thread Dan DeStefano








Did you just remove WINS or did you also
disable NetBIOS on your network? Isn’t it the case that as long as NetBIOS
is enabled and being used on your network that you should also be using WINS as
this will greatly reduce broadcasts and improve name-resolution, especially
across subnets? From what I understand, the only reason to remove WINS is if
you are also going to disable NetBIOS on your network.

 

Dan

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Van Noy, Glen
Sent: Sunday, March 06, 2005 2:34
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS



 

Okay, I will  look
into it also.  We removed WINS from our forest about a year ago and have
seen no ill effects. We are not real big, 2000 exchange accounts and 25000
users, but everything seems to be running fine without it. Over the next few months,
we are going to add student accounts to Exchange, so we will end up with quite
a few more accounts.

 

If I find out anything I
will post it.

 

Thanks,



 



glen

The University
of Texas at Dallas



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Sunday, March 06, 2005 1:20
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WINS

I'll look when I get home. I
remember reading about it a year ago and was bummed out. I thought I could rid
myself of wins. I did run Exchange without wins for a while but added it being
MS recommends it. Only thing is it didn't give a reason why. Just said it was
needed. It may not be the deployment guide, it's in one of the three recommended
reading documents, deployment, admin guide and I forget the name of the other
doc (planning an exchange environment?)

Robert


-Original Message-
From: [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org

Sent: Sun Mar 06 13:27:42 2005
Subject: RE: [ActiveDir] WINS

Just curious, where in the deployment guide does it say that Exchange 2003
needs WINS?  We are running a clustered Exchange 2003 setup and we don't
have WINS configured on our domain.

glen
[EMAIL PROTECTED]   
The University of Texas at Dallas






    From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Robert Mezzone
    Sent: Sunday, March 06, 2005 12:20
PM
    To: ActiveDir@mail.activedir.org
    Subject: Re: [ActiveDir] WINS
   
   

    Unfortunately it does. I thought it
didn't until I read the deployment guide. Recently upgraded for 5.5.
   
    Robert
   
   
    -Original Message-
    From:
[EMAIL PROTECTED] <[EMAIL PROTECTED]>
    To: ActiveDir@mail.activedir.org

    Sent: Sun Mar 06 12:55:30 2005
    Subject: [ActiveDir] WINS
   
    Is WINS still needed for exchange
2003? Some have said outlook still needs
    WINS.
   
   










RE: [ActiveDir] Exchange Routing

2005-03-02 Thread Dan DeStefano








I would like to install an smtp server in
the colo, but we do not have any spare servers and the other servers at the
colo are mission-critical, so we really don’t want to mess with them.

 

I thank everyone for all the help,

 

Dan

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 02, 2005
12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

OK, so if you have a
GC/DC in the same location, then you are good to go. Just ensure that the
Exchange server is using this GC/DC for its operations. Bring down your TTL
beforehand. Also do the MX switch maybe 2 days before the power outage to
verify the colo Exchange is happy and that it is indeed receiving and routing.

 

If I were you, though,
I’d take the easy way out and do what has been suggested several times
here – let a plain vanilla SMTP server do the storing for you during this
outage.

 

Deji

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:03
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

The colo site has a DC
that is a GC. And once we move the mail server to the colo, we will re-register
its DNS records and clear internal DNS server caches. This will be done 3-days
in advance, so hopefully all client resolver caches should have timed out by
then, right? But anyway, all we are concerned with is the server’s
ability to receive mail from the outside, since most of our workstations are
located in the building that will have the power outage.

 

Dan

 













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mulnick, Al
Sent: Tuesday, March 01, 2005 5:50
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

Yes and
no.  The problem is moving an Exchange server along with the supporting
requirements such as DC/GC/DNS/(AD in general).  Outside of that, it would
probably work with those gotchas and the DNS TTL issues to contend with.

 

It's
just that it's simpler to prop up a simple MTA that will just queue the mail
until your Exchange servers come back online to take delivery. W2K server would
work just fine (note: make the timeout of delivery longer than the default to
account for your outage).

 

Al

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 4:54
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing

The
thing is that the server we are planning to move is currently idle, for all
intents and purposes, but Exchange is installed and working on it. Plus, the
server uses a private IP and has a NAT mapping to a public IP. So
shouldn’t we just have to change the NAT mapping and add the MX record to
our public zone file; then, for internal, just re-register the DNS records with
the new IP?

 

I did
not mention this in my previous message, but we are not concerned with users
being able to access their e-mail during this outage, we would just like to
make sure the mail sent during this time period is eventually delivered.

To
deliver these few requirements, will the plan work?

 

Also, we
do not have any W2k3 servers.

 

 

Dan

 

 

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:38
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

Is
cutting off your arm a way to get rid of a hangnail?

 

Sure,
but it's overmuch.

 

Doing
what you want, properly, is pretty involved - you've gotta get DNS, GC,
AD, Exchange, etc. all happy at the remote location - not just SMTP.

 

Just
stick a standalone W2K3 server with the SMTP service installed at the remote
location if you REALLY want to put a server somewhere else. 

 

Or pay some service
provider to do your secondary MX/store-and-forward for you. Worst case,
you're looking at less than $100 for a month's service.

 















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:26
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing

I am not
sure about that with our ISP. But will the procedures I suggested work?

 

 

Dan

 

 





















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:00
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

You
don't need to move an Exchange server you just need to have some company act as
a secondary MX (store and forward mail services) for the domain of
interest.

 

PROBABLY
your bandwidth provider will do this for you, for free.

 



















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 2:27
PM
To: A

RE: [ActiveDir] Exchange Routing

2005-03-01 Thread Dan DeStefano








The colo site has a DC that is a GC. And once
we move the mail server to the colo, we will re-register its DNS records and
clear internal DNS server caches. This will be done 3-days in advance, so
hopefully all client resolver caches should have timed out by then, right? But anyway,
all we are concerned with is the server’s ability to receive mail from
the outside, since most of our workstations are located in the building that
will have the power outage.

 

Dan

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 01, 2005 5:50
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

Yes and no.  The
problem is moving an Exchange server along with the supporting requirements
such as DC/GC/DNS/(AD in general).  Outside of that, it would probably
work with those gotchas and the DNS TTL issues to contend with.

 

It's just that it's
simpler to prop up a simple MTA that will just queue the mail until your
Exchange servers come back online to take delivery. W2K server would work just
fine (note: make the timeout of delivery longer than the default to account for
your outage).

 

Al

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 4:54
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing

The thing is that the
server we are planning to move is currently idle, for all intents and purposes,
but Exchange is installed and working on it. Plus, the server uses a private IP
and has a NAT mapping to a public IP. So shouldn’t we just have to change
the NAT mapping and add the MX record to our public zone file; then, for
internal, just re-register the DNS records with the new IP?

 

I did not mention this in
my previous message, but we are not concerned with users being able to access
their e-mail during this outage, we would just like to make sure the mail sent
during this time period is eventually delivered.

To deliver these few
requirements, will the plan work?

 

Also, we do not have any
W2k3 servers.

 

 

Dan

 

 













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:38
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

Is
cutting off your arm a way to get rid of a hangnail?

 

Sure,
but it's overmuch.

 

Doing
what you want, properly, is pretty involved - you've gotta get DNS, GC,
AD, Exchange, etc. all happy at the remote location - not just SMTP.

 

Just
stick a standalone W2K3 server with the SMTP service installed at the remote
location if you REALLY want to put a server somewhere else. 

 

Or pay
some service provider to do your secondary MX/store-and-forward for
you. Worst case, you're looking at less than $100 for a month's service.

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:26
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing

I am not
sure about that with our ISP. But will the procedures I suggested work?

 

 

Dan

 

 

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:00
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

You
don't need to move an Exchange server you just need to have some company act as
a secondary MX (store and forward mail services) for the domain of
interest.

 

PROBABLY
your bandwidth provider will do this for you, for free.

 















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 2:27
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange
Routing

I have a question about Exchange
routing.

 

We have 2 Exchange 2000 servers at
our main site, one that holds all the mailboxes and the other currently holds
just a few mailboxes that aren’t being used, but the server is up and
working. Both servers are in the same routing and administrative groups. Both
servers are in the data center of our main site.

 

The problem is that this weekend,
the power will be turned off in our building and our network will be
unavailable as will user’s mailboxes. We currently have no offsite data
replication or Exchange DR
strategy (though it’s not for lack of trying/nagging by our department to
upper management).

 

So, as a temporary solution, our
current plan is to move the second Ex server to one of our colo sites and add a
lower-priority MX record for it to our public DNS zone. The thinking is that
messages sent to our domain will be sent to the second server at the colo, and
this server will cache all the messages until the main server is back up and
mail can be delivered to it. And, since the mail was received, no senders
should receive NDRs. Then, on Monday, when the 

RE: [ActiveDir] Exchange Routing

2005-03-01 Thread Dan DeStefano








The thing is that the server we are
planning to move is currently idle, for all intents and purposes, but Exchange
is installed and working on it. Plus, the server uses a private IP and has a
NAT mapping to a public IP. So shouldn’t we just have to change the NAT mapping
and add the MX record to our public zone file; then, for internal, just re-register
the DNS records with the new IP?

 

I did not mention this in my previous
message, but we are not concerned with users being able to access their e-mail
during this outage, we would just like to make sure the mail sent during this
time period is eventually delivered.

To deliver these few requirements, will
the plan work?

 

Also, we do not have any W2k3 servers.

 

 

Dan

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:38
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

Is cutting off your arm a
way to get rid of a hangnail?

 

Sure, but it's overmuch.

 

Doing what you want,
properly, is pretty involved - you've gotta get DNS, GC, AD, Exchange,
etc. all happy at the remote location - not just SMTP.

 

Just stick a standalone
W2K3 server with the SMTP service installed at the remote location if you
REALLY want to put a server somewhere else. 

 

Or pay some service
provider to do your secondary MX/store-and-forward for you. Worst case,
you're looking at less than $100 for a month's service.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 3:26
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing

I am not sure about that
with our ISP. But will the procedures I suggested work?

 

 

Dan

 

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:00
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

You
don't need to move an Exchange server you just need to have some company act as
a secondary MX (store and forward mail services) for the domain of
interest.

 

PROBABLY
your bandwidth provider will do this for you, for free.

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 2:27
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange
Routing

I have a question about Exchange
routing.

 

We have 2 Exchange 2000 servers at
our main site, one that holds all the mailboxes and the other currently holds
just a few mailboxes that aren’t being used, but the server is up and
working. Both servers are in the same routing and administrative groups. Both
servers are in the data center of our main site.

 

The problem is that this weekend,
the power will be turned off in our building and our network will be
unavailable as will user’s mailboxes. We currently have no offsite data
replication or Exchange DR
strategy (though it’s not for lack of trying/nagging by our department to
upper management).

 

So, as a temporary solution, our
current plan is to move the second Ex server to one of our colo sites and add a
lower-priority MX record for it to our public DNS zone. The thinking is that
messages sent to our domain will be sent to the second server at the colo, and
this server will cache all the messages until the main server is back up and
mail can be delivered to it. And, since the mail was received, no senders
should receive NDRs. Then, on Monday, when the power is back, all messages will
be delivered to the main server.

 

Is this plan going to work? If so,
how long will the messages be cached by the second server? How many messages
will it cache (until it fills the drive)? Are these options configurable? Does
anyone see any gotchas or things to consider?

 

Thank you very much. I am a novice
when it comes to Exchange, but trying to change that by studying my MSPress
70-284 text. Besides, I usually do not like to make any major changes to our
mail/AD infrastructure without consulting you guys first.

 

_

 

Daniel DeStefano
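
The fallback discussed in this thread (a lower-priority MX that stores mail until the primary returns), modelled as an added Python example that is not part of any poster's message. Host names, preference values, the outage window and the retry and expiry timings are constructed assumptions; the rule that a backup relays only to more-preferred MX hosts follows RFC 5321 section 5.1.

```python
from dataclasses import dataclass

# Constructed sample data: hours are counted from the start of the outage.

@dataclass(frozen=True)
class MX:
    preference: int   # lower value is tried first
    host: str

@dataclass(frozen=True)
class Outage:
    host: str
    start: int        # first hour the host is unreachable
    end: int          # first hour the host is reachable again

MX_RECORDS = [MX(10, "mail.example.test"), MX(20, "backup.example.test")]
BACKUP = MX_RECORDS[1]
OUTAGES = [Outage("mail.example.test", 0, 60)]   # roughly Friday evening to Monday morning


def reachable(host, hour, outages):
    """True when no outage window covers this host at this hour."""
    return not any(o.host == host and o.start <= hour < o.end for o in outages)


def pick_target(mx_records, hour, outages, below_preference=None):
    """Return the most-preferred reachable MX host, or None.

    When the caller is itself listed as an MX host it passes its own
    preference, and only strictly more-preferred hosts are considered,
    which prevents the backup from looping mail back to itself.
    """
    candidates = sorted(mx_records, key=lambda r: r.preference)
    if below_preference is not None:
        candidates = [r for r in candidates if r.preference < below_preference]
    for record in candidates:
        if reachable(record.host, hour, outages):
            return record.host
    return None


def relay_from_backup(received_hour, mx_records, backup, outages,
                      retry_interval, expire_after):
    """Simulate the backup's queue: retry until delivery or expiry.

    Returns ("delivered", hour) or ("ndr", hour). A message that is still
    queued when its age exceeds expire_after is bounced to the sender.
    """
    hour = received_hour
    while hour - received_hour <= expire_after:
        if pick_target(mx_records, hour, outages, backup.preference) is not None:
            return ("delivered", hour)
        hour += retry_interval
    return ("ndr", received_hour + expire_after)


def trace(sent_hour, mx_records, backup, outages, retry_interval, expire_after):
    """Follow one inbound message from the sending MTA to its final outcome."""
    first_hop = pick_target(mx_records, sent_hour, outages)
    if first_hop is None:
        return ("deferred-at-sender", sent_hour)
    if first_hop != backup.host:
        return ("delivered", sent_hour)          # primary took it directly
    return relay_from_backup(sent_hour, mx_records, backup, outages,
                             retry_interval, expire_after)


if __name__ == "__main__":
    for expiry in (48, 96):
        outcome = trace(2, MX_RECORDS, BACKUP, OUTAGES,
                        retry_interval=1, expire_after=expiry)
        print(f"queue expiry {expiry}h -> {outcome}")
```

With a 60-hour outage, the queue expiry on the backup decides whether queued mail is delivered or bounced, which is the caveat raised in the thread about making the delivery timeout longer than the outage.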








RE: [ActiveDir] Exchange Routing

2005-03-01 Thread Dan DeStefano








I am not sure about that with our ISP. But
will the procedures I suggested work?

 

 

Dan

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 01, 2005 3:00
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange
Routing



 

You don't need to move an
Exchange server you just need to have some company act as a secondary
MX (store and forward mail services) for the domain of interest.

 

PROBABLY your bandwidth
provider will do this for you, for free.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, March 01, 2005 2:27
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange
Routing

I have a question about Exchange
routing.

 

We have 2 Exchange 2000 servers at
our main site, one that holds all the mailboxes and the other currently holds
just a few mailboxes that aren’t being used, but the server is up and
working. Both servers are in the same routing and administrative groups. Both
servers are in the data center of our main site.

 

The problem is that this weekend,
the power will be turned off in our building and our network will be
unavailable as will user’s mailboxes. We currently have no offsite data
replication or Exchange DR
strategy (though it’s not for lack of trying/nagging by our department to
upper management).

 

So, as a temporary solution, our
current plan is to move the second Ex server to one of our colo sites and add a
lower-priority MX record for it to our public DNS zone. The thinking is that
messages sent to our domain will be sent to the second server at the colo, and
this server will cache all the messages until the main server is back up and
mail can be delivered to it. And, since the mail was received, no senders
should receive NDRs. Then, on Monday, when the power is back, all messages will
be delivered to the main server.

 

Is this plan going to work? If so,
how long will the messages be cached by the second server? How many messages will
it cache (until it fills the drive)? Are these options configurable? Does
anyone see any gotchas or things to consider?

 

Thank you very much. I am a novice
when it comes to Exchange, but trying to change that by studying my MSPress
70-284 text. Besides, I usually do not like to make any major changes to our
mail/AD infrastructure without consulting you guys first.

 

_

 

Daniel DeStefano








[ActiveDir] Exchange Routing

2005-03-01 Thread Dan DeStefano








I have a question about Exchange routing.

 

We have 2 Exchange 2000 servers at our main site, one that
holds all the mailboxes and the other currently holds just a few mailboxes that
aren’t being used, but the server is up and working. Both servers are in
the same routing and administrative groups. Both servers are in the data center
of our main site.

 

The problem is that this weekend, the power will be turned
off in our building and our network will be unavailable as will users’
mailboxes. We currently have no offsite data replication or Exchange DR
strategy (though it’s not for lack of trying/nagging by our department to
upper management).

 

So, as a temporary solution, our current plan is to move the
second Ex server to one of our colo sites and add a lower-priority MX record
for it to our public DNS zone. The thinking is that messages sent to our domain
will be sent to the second server at the colo, and this server will cache all
the messages until the main server is back up and mail can be delivered to it. And,
since the mail was received, no senders should receive NDRs. Then, on Monday,
when the power is back, all messages will be delivered to the main server.

 

Is this plan going to work? If so, how long will the
messages be cached by the second server? How many messages will it cache (until
it fills the drive)? Are these options configurable? Does anyone see any
gotchas or things to consider?

 

Thank you very much. I am a novice when it comes to
Exchange, but trying to change that by studying my MSPress 70-284 text.
Besides, I usually do not like to make any major changes to our mail/AD
infrastructure without consulting you guys first.

 

_

 

Daniel DeStefano








[ActiveDir] Exchange 2000 and Disabled User Accounts

2005-02-25 Thread Dan DeStefano








Is there any way to prevent Exchange from sending NDRs when someone
sends a message to a disabled user? The problem is that I am usually given at
least a week’s notice to new users and would like to create the new user
account in advance so that the morning the user starts I just have to enable
the account. If I do this, though, anyone sending a message to any DG to which
the user belongs, the sender receives an NDR and subsequently makes a support
call.

 

If there is no way to suppress this behavior, then does
anyone have any suggestions? Do I just wait until the morning the user starts
before creating the user account? Create the account in advance with a strong,
random password?

 

Thanks in advance,

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 

The information contained in this
communication is confidential, may be privileged and is intended for the
exclusive use of the above named addressee(s). If you are not the intended
recipient(s), you are expressly prohibited from copying, distributing, disseminating,
or in any other way using any of the information contained within this
communication. If you have received this communication in error, please contact
the sender by telephone 212.871.5262 or by response via e-mail.



 



 








RE: [ActiveDir] GPO Software Deployment

2005-02-24 Thread Dan DeStefano








I have it set in SSC to retrieve product
updates using Live Update, so I assume this would patch all machines to the
latest version.

 

 

Dan

 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Wednesday, February 23, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment



 

Hello Dan,

 

 

Only one piece of advice
for you: Make sure you patch the .msi with the latest .msp provided by Symantec
(I think it's 9.00.1400). For some odd reason you can't update the clients
through a GPO using the provided .msp once the client has had the SAV .msi
package installed.

 

Good luck,

Francis Ouellet

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: 23 February 2005 10:16
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

I would like to deploy a package
(SAV 9.0) using GPO and use some of the switches with the msi package. However,
I cannot figure out how to do this. Is it even possible or do I have to create
a new package with all of the options embedded?

 

_

 

Daniel DeStefano




 



 








RE: [ActiveDir] GPO Software Deployment

2005-02-23 Thread Dan DeStefano








I never realized that the msi file in the
vphome share would properly configure the client in managed mode and to the proper
parent server. Now that I think about it, however, it makes perfect sense.

I piloted out the deployment using that
package and it worked flawlessly.

 

Thanks,

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, February 23, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment



 

I believe 9.0.0.338 is
the first version of SAV that supports GPO deployment.  I haven’t
seen a transform creator per se, but the Symantec System Center allows you to
configure most options.  These settings are stored in GRC.dat on
\\ParentServer\VPHOME\CLT-INST\WIN32
along with the MSI needed for GPO deployment.  Are there other settings
you’re hoping to tweak besides those configured in SSC?  If not, you
just create a new GPO with an assigned computer application with the source
being \\ParentServer\VPHOME\CLT-INST\WIN32\Symantec Antivirus.msi

 

One caveat, there will be
problems removing the application if a password is required to uninstall since
it will hang waiting for it, but since it will be invisible to the user, there
will be no way to enter it.  This results in a lengthy timeout.  Not
sure how this will affect clients that may have an earlier version installed,
but again you can remove the password requirement through SSC.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, February 23, 2005 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment



 

I would like to deploy a package
(SAV 9.0) using GPO and use some of the switches with the msi package. However,
I cannot figure out how to do this. Is it even possible or do I have to create
a new package with all of the options embedded?

 

_

 

Daniel DeStefano




 



 








[ActiveDir] GPO Software Deployment

2005-02-23 Thread Dan DeStefano








I would like to deploy a package (SAV 9.0) using GPO and use
some of the switches with the msi package. However, I cannot figure out how to do
this. Is it even possible or do I have to create a new package with all of the
options embedded?

 

_

 

Daniel DeStefano




 



 








RE: [ActiveDir] Using GPO to install an MSI package

2005-02-15 Thread Dan DeStefano



Are they willing to let you know what user rights are 
required? I have found that applications that "require" admin or pu privileges 
can usually be run if appropriate permissions are given to select registry 
entries, directories, system files, etc and user rights. I have even run across 
a program that claimed to need admin privileges, but all it needed was modify 
permissions to the %systemroot%\temp directory. Maybe you can speak to a 
high-level tech and ask exactly why these privileges are required and from there 
you can extrapolate what rights and permissions are required. Then there are 
some apps that simply won't work. This is one of my biggest pet peeves - lazy 
coding that does not properly adhere to the Windows security model. I can think 
of no reason why an Accounting application needs PU privileges and usually you 
cannot get any good reason from the company itself.
 
Anyway, good luck, and if you can figure it out, please 
post it or e-mail me directly at [EMAIL PROTECTED], as I also have a 
couple of users using Quickbooks and would like them not to have PU or admin 
privileges.
 
 
Dan
 
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
  Sent: Tuesday, February 15, 2005 10:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Using GPO to install an MSI package
  
  Okay, our environment is that all our clients are 
  running Windows XP SP2, and our servers are Windows 2003.  The situation 
  is that our Accounting department uses Quickbooks, and about 70 of our 
  employees need to use an application that comes with Quickbooks called "QB 
  Timer".  It's free for use for our employees and it integrates with 
  Quickbooks without requiring a Quickbooks install on each machine.  Now, 
  the quandary:  according to Intuit/Quickbooks, the program requires at 
  least Power User permissions to install and run.  Neither I, nor our CIO 
  are willing to give local Power User permissions for these users, as that 
  opens things up to too many potential problems, but our CFO and COO are 
  REQUIRING the use of this application, or a similar one that integrates with 
  Quickbooks.  Now, the QBTimer is free, which is good, so that's the 
  *preferred* app to use.  It comes as an exe with a few other files, so I 
  used WinInstall LE 2003 on a clean XP SP2 machine to package it into an MSI 
  file.  That worked well, and I can install it/assign it through GPO 
  - even if the user doesn't have local Power User privs.  However, true to 
  form with Intuit products, it won't run if the logged on user doesn't have 
  local admin or PU privs.  If I grant PU privs to the user, it runs 
  fine.  I feel like I am --> <-- this close to getting this done, 
  but I ran out of ideas to get this to work.  I tried looking at the reg 
  file that was made when I ran WinInstall and gave the users full rights to the 
  specific areas in the registry to see if that did anything; which it 
  didn't.
   
  Does anyone else have any suggestions, or am I 
  stuck with Intuit's "users must have >= Power User privs" to run that 
  app?
   
  ANY help or suggestions are GREATLY 
  appreciated!
   
  --Jason


RE: [ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Dan DeStefano








I would prefer not to use RIS as there are
a lot of customizations that I make to the OS, many of which cannot be done
with unattended installation via RIS (or, at least I do not know of any way).

 

Dan

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Monday, February 14, 2005 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes



 

Is it safe to assume that
RIS is not an option?

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, February 14, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Automate Computer Name Changes





Dan-





 





You can certainly script this with netdom. If you want to use
sysprep, you could set the company name to be that dny01pd, and then sysprep
will populate the rest with random crap.





 









--Brian Desmond
[EMAIL PROTECTED]
Payton on the web!
www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101







 







From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Mon 2/14/2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automate Computer Name Changes





I have not been able to find a way
to sufficiently solve the following problem: automatically changing computer
names after imaging. I would like to reassign computer names based on a company
naming convention plus variable. So a computer name would be something like
“dny01pd***”, with the asterisks representing an automatically
assigned number. As far as I know, Sysprep does not allow this; it will only
allow you to assign a random name, which is not acceptable. I am not using
unattended installations so I cannot use .udb files to assign computer names. I
have been using GhostWalker to rename and join the PCs to a domain after
imaging, but it just randomly-assigns numbers for the variables. This is a
little better, but GhostWalker doesn’t increment the numbers, nor does it
check the network for duplicate names (or so I’m told by Symantec
support).

 

Ideally, what I would like is some
program or script or whatever, that can be run after imaging that will assign
computer names consecutively or will consult a file for a list of names; then
go and check on the network for a duplicate name preferably by fqdn – and
ideally, be able to join the PC to a domain and assign it to a specific OU as
icing on the cake. Does anyone know of a tool that will do this? (Are you
working on something like this, Joe?)

 

I am also curious about how others
currently handle imaging and automatic computer naming.

 

 

 

Dan DeStefano
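
The allocation step asked for in the thread above (consecutive numbers under the "dny01pd***" convention, checked against names already in use), as an added example that is not from the thread or from any tool named in it. The list of existing names is constructed; in practice it would come from an AD or DNS query, and the rename and join would still be done by a tool such as netdom. Function names and the start-at-1 numbering are assumptions.

```python
import re

NETBIOS_MAX = 15  # a Windows computer (NetBIOS) name is limited to 15 characters


def short_name(host):
    """Reduce an FQDN or mixed-case name to its lower-case host label."""
    return host.split(".", 1)[0].lower()


def next_free_name(prefix, digits, taken):
    """Return the lowest unused name of the form prefix + zero-padded number.

    `taken` may hold short names or FQDNs in any case; names that do not
    follow the convention (other prefixes, other widths) are ignored.
    """
    if len(prefix) + digits > NETBIOS_MAX:
        raise ValueError("prefix plus counter exceeds the 15-character limit")
    pattern = re.compile(r"^%s(\d{%d})$" % (re.escape(prefix.lower()), digits))
    used = set()
    for host in taken:
        match = pattern.match(short_name(host))
        if match:
            used.add(int(match.group(1)))
    for number in range(1, 10 ** digits):  # numbering assumed to start at 1
        if number not in used:
            return "%s%0*d" % (prefix, digits, number)
    raise RuntimeError("no free names left for prefix %r" % prefix)


def assign_names(prefix, digits, taken, count):
    """Allocate `count` names in one pass, so a batch never collides with itself."""
    reserved = set(taken)
    allocated = []
    for _ in range(count):
        name = next_free_name(prefix, digits, reserved)
        allocated.append(name)
        reserved.add(name)
    return allocated


# Constructed sample: names already registered, as a directory or DNS export
# might list them (FQDNs, mixed case, and one unrelated server name).
EXISTING = [
    "dny01pd001.corp.example.com",
    "DNY01PD002",
    "dny01pd004.corp.example.com",
    "dny01sv001.corp.example.com",
]

if __name__ == "__main__":
    for new_name in assign_names("dny01pd", 3, EXISTING, 3):
        print(new_name)
```

Because the check only covers the list it is given, the list should be refreshed immediately before each imaging batch.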










[ActiveDir] Automate Computer Name Changes

2005-02-14 Thread Dan DeStefano








I have not been able to find a way to sufficiently solve the
following problem: automatically changing computer names after imaging. I would
like to reassign computer names based on a company naming convention plus
variable. So a computer name would be something like “dny01pd***”,
with the asterisks representing an automatically assigned number. As far as I know,
Sysprep does not allow this; it will only allow you to assign a random name,
which is not acceptable. I am not using unattended installations so I cannot
use .udb files to assign computer names. I have been using GhostWalker to
rename and join the PCs to a domain after imaging, but it just randomly-assigns
numbers for the variables. This is a little better, but GhostWalker doesn’t
increment the numbers, nor does it check the network for duplicate names (or so
I’m told by Symantec support).

 

Ideally, what I would like is some program or script or
whatever, that can be run after imaging that will assign computer names
consecutively or will consult a file for a list of names; then go and check on
the network for a duplicate name preferably by fqdn – and ideally, be
able to join the PC to a domain and assign it to a specific OU as icing on the
cake. Does anyone know of a tool that will do this? (Are you working on
something like this, Joe?)

 

I am also curious about how others currently handle imaging
and automatic computer naming.

 

 

 

Dan DeStefano








[ActiveDir] Very OT: Please Settle a Bet

2005-02-11 Thread Dan DeStefano








Could anyone settle a bet for me? I would like to know if
Windows 95 was a 16 or 32-bit OS. One of us is saying that it was natively
32-bit, but ran 16-bit apps in a VM, while the other one is saying the reverse:
it was a 16-bit OS that was capable of running 32-bit apps in a VM.

 

Also, one person is saying that W95 required DOS (like Win3.1.1)
and the other is saying that, while built on DOS, DOS was not required and the
OS went above and beyond its DOS roots.

 

If anyone can settle these issues and offer proof like links
to Web pages and such, we would be grateful.

 

_

 

Daniel DeStefano




 



 








RE: [ActiveDir] Built-in Defragger and Clustering

2005-02-09 Thread Dan DeStefano








That did sound like a silly superstition
to me. Anyway, do you use the built-in defragger to defragment your shared
cluster drives?

 

Dan

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built-in Defragger and Clustering



 

Dan,

 

Been working with
Clusters for a number of years, and I have never heard of this.  I can
ping a couple folks, but I can’t surmise what the problem would be. 
If data is re-ordered, the disk is going to work fine one way or another.

 

-rtk

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 08, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built-in Defragger and Clustering



 

It has been suggested to me that
W2k’s built-in defragger should not be used to defrag a shared disk in a
MSCS cluster. I am hesitant to believe this since the fact that the servers are
clustered does not change how the data is written to the disk, correct? So, is
there any foundation for this belief?

 

_

 

Daniel DeStefano




 



 








[ActiveDir] Built-in Defragger and Clustering

2005-02-08 Thread Dan DeStefano








It has been suggested to me that W2k’s built-in
defragger should not be used to defrag a shared disk in a MSCS cluster. I am
hesitant to believe this since the fact that the servers are clustered does not
change how the data is written to the disk, correct? So, is there any
foundation for this belief?

 

_

 

Daniel DeStefano




 



 








RE: [ActiveDir] Cloning and SIDs

2005-02-04 Thread Dan DeStefano








Thank you, I never knew that.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cloning and SIDs



 

The member machine
SID and the machine's objectSID from AD are different things. The objectSID
will be composed of the domain SID with a unique RID appended. The member
machine's SID will stay constant through a domain change.

 

If you clone machines,
changing the machine SIDS is highly desirable.

 

  joe

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, February 03, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cloning and SIDs

Does a machine’s SID change
when it is added to a domain, or is the domain SID just appended to the current
machine’s SID?

I ask because I am creating desktop
images and want to know if it is necessary to run Sysprep prior to imaging if
the PC is not going to be joined to the domain until after imaging. In other
words, I create the template installation and image it when the PC is still a
workgroup member.

 

_

 

Daniel DeStefano


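
The distinction drawn in the reply above (a computer's AD objectSID is the domain SID plus a unique RID, while the machine's own SID is a separate value that cloning copies), shown as an added example that is not code from the thread. All SIDs and host names are constructed; the function names are this example's own. It decodes the binary SID layout as stored in the objectSid attribute and flags hosts in an inventory that share one machine SID.

```python
import struct
from collections import defaultdict


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary layout used by objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # revision (1 byte), count (1 byte), authority (6 bytes, big-endian),
    # then each sub-authority as a 32-bit little-endian integer
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Decode a binary SID back to its string form, validating the length."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def split_rid(sid):
    """Split a SID into (issuing domain or machine SID, RID)."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def local_admin_sid(machine_sid):
    """SID of the built-in local Administrator: machine SID + well-known RID 500."""
    return machine_sid + "-500"


def cloned_machine_sids(inventory):
    """Return {machine SID: [hosts]} for every machine SID seen on more than one host."""
    by_sid = defaultdict(list)
    for host, machine_sid, _object_sid in inventory:
        by_sid[machine_sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in by_sid.items() if len(hosts) > 1}


# Constructed values: the SID baked into a disk image, and a domain SID.
IMAGE_MACHINE_SID = "S-1-5-21-1000000001-1000000002-1000000003"
DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"

# (host, local machine SID, objectSid bytes as AD would return them).
# PC-A and PC-B were cloned without a SID change; PC-C was not cloned.
INVENTORY = [
    ("PC-A", IMAGE_MACHINE_SID, sid_to_bytes(DOMAIN_SID + "-1105")),
    ("PC-B", IMAGE_MACHINE_SID, sid_to_bytes(DOMAIN_SID + "-1106")),
    ("PC-C", "S-1-5-21-3000000001-3000000002-3000000003",
     sid_to_bytes(DOMAIN_SID + "-1107")),
]

if __name__ == "__main__":
    for host, machine_sid, raw in INVENTORY:
        domain, rid = split_rid(bytes_to_sid(raw))
        print("%s objectSid = %s + RID %d, machine SID = %s"
              % (host, domain, rid, machine_sid))
    for sid, hosts in cloned_machine_sids(INVENTORY).items():
        print("shared machine SID %s on %s; local Administrator is %s on each"
              % (sid, ", ".join(hosts), local_admin_sid(sid)))
```

The objectSid values differ for every host because the domain issues the RID at join time, so duplicate machine SIDs cannot be spotted from AD alone; the machine SID has to be read from each host.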


 



 








[ActiveDir] Cloning and SIDs

2005-02-03 Thread Dan DeStefano








Does a machine’s SID change when it is added to a
domain, or is the domain SID just appended to the current machine’s SID?

I ask because I am creating desktop images and want to know
if it is necessary to run Sysprep prior to imaging if the PC is not going to be
joined to the domain until after imaging. In other words, I create the template
installation and image it when the PC is still a workgroup member.

 

_

 

Daniel DeStefano




 



 








RE: [ActiveDir] Outlook/Exchange Issue

2005-02-02 Thread Dan DeStefano
No, believe it or not, we currently have no network sniffer/tracer set
up at the remote site. We just asked the firewall admin if he changed
anything and he said that he would look into it... it worked 5 minutes
later. I guess we'll find out what the problem exactly was tomorrow, but
it's working now, so we and the user are happy.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 02, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

Did the network trace crack it for you?  :o)

  joe 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, February 02, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

This issue has been resolved.
We believe that there was an undocumented change made to the firewall at
the site. I will post more info when/if I receive it.

I greatly appreciate everyone's help.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Wednesday, February 02, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook/Exchange Issue

One more thing...we can try is..make a change in the DC @ HQ and then
try to replicate it across to the LA site.

if the replication is success then this might avoid any replication or
permissions issues.


Chandra


On Wed, 2 Feb 2005 09:50:03 -0500, Dan DeStefano <[EMAIL PROTECTED]>
wrote:
> 
> 
> Yes. The thing is that this is not a new user. This user has been with the
> company for a while and it worked fine before.
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: Tuesday, February 01, 2005 6:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> 
> Dan, did u check on local DC @ LA site?  can you check if the user account
> has replicated properly... think it could be the attribute changes may not
> have replicated properly to the DC in LA
> 
> 
>  
> 
> 
> Regards,
> Chandra
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano
> Sent: 01 February 2005 17:04
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> 
> 
> 
> When logging onto a machine at the HQ site, Outlook works fine for the user.
> But when logging on from any PC at the LA site, Outlook hangs. However,
> other users at the LA site are not having this problem. It is very weird
> that only this one user is having this problem when logging on from this one
> site.
> 
>  
> 
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, February 01, 2005 4:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> What happens if you log into a machine at the HQ site with the user's info?
> 
>  
> 
> As for account corruption. I have never actually ever seen account
> corruption. I know a lot of folks who said they had corruption and they
> proved it was corruption by deleting and recreating. That doesn't actually
> prove corruption, it just proves something wasn't right that the admin
> didn't understand. Mailbox corruption, well that is another matter. MAPI is
> a four letter word.
> 
> 
>  
> 
> 
>   joe
> 
> 
>  
> 
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Tuesday, February 01, 2005 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> The tech working on the problem has tried this, but to no avail.
> 
> Some more information:
> 
> If I logon to the PC with any other user account and open Outlook it works
> fine. I also had the user logon to PCs in other sites and the problem
> persists. This has led me to believe that the problem may be with the user's
> account itself. However the user can logon using OWA and has no problems
> logging onto the domain so I am at a loss.
> 
> Is it possible that there is some weird corruption with the user's domain
> account and/or mailbox? Would re-creating the mailbox/user account be worth
> a try? If so, what is the best way to go about doing this? Export the user&
RE: [ActiveDir] Outlook/Exchange Issue

2005-02-02 Thread Dan DeStefano
This issue has been resolved.
We believe that there was an undocumented change made to the firewall at
the site. I will post more info when/if I receive it.

I greatly appreciate everyone's help.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Wednesday, February 02, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Outlook/Exchange Issue

One more thing...we can try is..make a change in the DC @ HQ and then
try to replicate it across to the LA site.

if the replication is success then this might avoid any replication or
permissions issues.


Chandra


On Wed, 2 Feb 2005 09:50:03 -0500, Dan DeStefano <[EMAIL PROTECTED]>
wrote:
> 
> 
> Yes. The thing is that this is not a new user. This user has been with the
> company for a while and it worked fine before.
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: Tuesday, February 01, 2005 6:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> 
> Dan, did u check on local DC @ LA site?  can you check if the user account
> has replicated properly... think it could be the attribute changes may not
> have replicated properly to the DC in LA
> 
> 
>  
> 
> 
> Regards,
> Chandra
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dan DeStefano
> Sent: 01 February 2005 17:04
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> 
> 
> 
> When logging onto a machine at the HQ site, Outlook works fine for the user.
> But when logging on from any PC at the LA site, Outlook hangs. However,
> other users at the LA site are not having this problem. It is very weird
> that only this one user is having this problem when logging on from this one
> site.
> 
>  
> 
>  
> 
> Dan
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, February 01, 2005 4:57 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> What happens if you log into a machine at the HQ site with the user's info?
> 
>  
> 
> As for account corruption. I have never actually ever seen account
> corruption. I know a lot of folks who said they had corruption and they
> proved it was corruption by deleting and recreating. That doesn't actually
> prove corruption, it just proves something wasn't right that the admin
> didn't understand. Mailbox corruption, well that is another matter. MAPI is
> a four letter word.
> 
> 
>  
> 
> 
>   joe
> 
> 
>  
> 
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
> Sent: Tuesday, February 01, 2005 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
> The tech working on the problem has tried this, but to no avail.
> 
> Some more information:
> 
> If I logon to the PC with any other user account and open Outlook it works
> fine. I also had the user logon to PCs in other sites and the problem
> persists. This has led me to believe that the problem may be with the user's
> account itself. However the user can logon using OWA and has no problems
> logging onto the domain so I am at a loss.
>
> Is it possible that there is some weird corruption with the user's domain
> account and/or mailbox? Would re-creating the mailbox/user account be worth
> a try? If so, what is the best way to go about doing this? Export the user's
> mailbox to a .pst file and delete the account/mailbox, recreate it, then
> import the .pst file? If so, what preferences, appointments, tasks, etc.
> will the user lose?
> 
>  
> 
> I greatly appreciate everyone's help with this frustrating issue.
> 
>  
> 
>  
> 
> Dan
> 
>  
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Tuesday, February 01, 2005 2:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Outlook/Exchange Issue
> 
>  
> 
> 
> We have lots of kerberos authentication problems over VPN connections. The
> solution is to force kerberos to use TCP.
> 
> 
>  
> 
> 
>
[HKEY_LOCAL_MACHINE\SYSTEM\Cur

RE: [ActiveDir] Outlook/Exchange Issue

2005-02-02 Thread Dan DeStefano

Yes. The thing is that this is not a new user. This user has been with the
company for a while and it worked fine before.

Dan

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: Tuesday, February 01, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

Dan, did u check on local DC @ LA site?  can you check if the user account has
replicated properly... think it could be the attribute changes may not have
replicated properly to the DC in LA

Regards,
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: 01 February 2005 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

When logging onto a machine at the HQ site, Outlook works fine for the user.
But when logging on from any PC at the LA site, Outlook hangs. However, other
users at the LA site are not having this problem. It is very weird that only
this one user is having this problem when logging on from this one site.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 01, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

What happens if you log into a machine at the HQ site with the user's info?

As for account corruption. I have never actually ever seen account corruption.
I know a lot of folks who said they had corruption and they proved it was
corruption by deleting and recreating. That doesn't actually prove corruption,
it just proves something wasn't right that the admin didn't understand.
Mailbox corruption, well that is another matter. MAPI is a four letter word.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

The tech working on the problem has tried this, but to no avail.

Some more information:

If I logon to the PC with any other user account and open Outlook it works
fine. I also had the user logon to PCs in other sites and the problem
persists. This has led me to believe that the problem may be with the user’s
account itself. However the user can logon using OWA and has no problems
logging onto the domain so I am at a loss.

Is it possible that there is some weird corruption with the user’s domain
account and/or mailbox? Would re-creating the mailbox/user account be worth a
try? If so, what is the best way to go about doing this? Export the user’s
mailbox to a .pst file and delete the account/mailbox, recreate it, then
import the .pst file? If so, what preferences, appointments, tasks, etc. will
the user lose?

I greatly appreciate everyone’s help with this frustrating issue.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, February 01, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

We have lots of kerberos authentication problems over VPN connections. The
solution is to force kerberos to use TCP.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:0001

Not sure if that is your problem, but it's worth a shot.

BTW, does anyone know why kerberos was designed to use UDP in the first place?
Seems pretty silly to me.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook/Exchange Issue

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site
and one each bound to our other two sites. These sites are connected by
persistent VPN connections using our Nokia Checkpoint firewalls – two of our
sites have dedicated T3 connections and the other site has a dedicated T1.
Each site has a GC.

I recently configured a laptop here in our main site for a user in our LA
site. The laptop has a wired and wireless connection, however, our only site
with wireless access is our main site – but since the user travels between
sites periodically I configured the wireless connection as well. I installed
Office 2000 from an administrative installation point at this site and
configured Outlook to connect to our sole Exchange server here at our main
site. I also set up the user’s Outlook profile from this site, connected to
our Exchange server, synchronized the user’s mailbox (I set up Outlook in
cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I got a call from
the user. Outlook hangs after opening and gives me the “Not Responding”

RE: [ActiveDir] Outlook/Exchange Issue

2005-02-01 Thread Dan DeStefano

When logging onto a machine at the HQ site, Outlook works fine for the user.
But when logging on from any PC at the LA site, Outlook hangs. However, other
users at the LA site are not having this problem. It is very weird that only
this one user is having this problem when logging on from this one site.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 01, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

What happens if you log into a machine at the HQ site with the user's info?

As for account corruption. I have never actually ever seen account corruption.
I know a lot of folks who said they had corruption and they proved it was
corruption by deleting and recreating. That doesn't actually prove corruption,
it just proves something wasn't right that the admin didn't understand.
Mailbox corruption, well that is another matter. MAPI is a four letter word.

joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

The tech working on the problem has tried this, but to no avail.

Some more information:

If I logon to the PC with any other user account and open Outlook it works
fine. I also had the user logon to PCs in other sites and the problem
persists. This has led me to believe that the problem may be with the user’s
account itself. However the user can logon using OWA and has no problems
logging onto the domain so I am at a loss.

Is it possible that there is some weird corruption with the user’s domain
account and/or mailbox? Would re-creating the mailbox/user account be worth a
try? If so, what is the best way to go about doing this? Export the user’s
mailbox to a .pst file and delete the account/mailbox, recreate it, then
import the .pst file? If so, what preferences, appointments, tasks, etc. will
the user lose?

I greatly appreciate everyone’s help with this frustrating issue.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, February 01, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

We have lots of kerberos authentication problems over VPN connections. The
solution is to force kerberos to use TCP.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:0001

Not sure if that is your problem, but it's worth a shot.

BTW, does anyone know why kerberos was designed to use UDP in the first place?
Seems pretty silly to me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook/Exchange Issue

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site
and one each bound to our other two sites. These sites are connected by
persistent VPN connections using our Nokia Checkpoint firewalls – two of our
sites have dedicated T3 connections and the other site has a dedicated T1.
Each site has a GC.

I recently configured a laptop here in our main site for a user in our LA
site. The laptop has a wired and wireless connection, however, our only site
with wireless access is our main site – but since the user travels between
sites periodically I configured the wireless connection as well. I installed
Office 2000 from an administrative installation point at this site and
configured Outlook to connect to our sole Exchange server here at our main
site. I also set up the user’s Outlook profile from this site, connected to
our Exchange server, synchronized the user’s mailbox (I set up Outlook in
cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I got a call from
the user. Outlook hangs after opening and gives me the “Not Responding” even
after leaving it alone for 10+ minutes.

One of the other techs here is working on the problem and he tried repairing
the Office installation, disabling the wireless connection, reinstalling
Outlook, tried creating a new user profile, but nothing has been successful
so far.

Has anyone experienced this before? If I have left out any info, please let
me know and I will provide it.

Dan DeStefano
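
The registry setting quoted in this thread can be audited before or after anyone changes it. The following is an added example, not part of the original messages: a read-only PowerShell function (the name Get-KerberosTransport and its parameters are hypothetical) that reads MaxPacketSize from the key shown above and reports whether Kerberos is forced onto TCP. It assumes the documented meaning of the value, that Kerberos messages larger than MaxPacketSize bytes are sent over TCP.

```powershell
# Added example (not from the thread): report whether Kerberos is forced onto TCP.
# Reads the key and value quoted in the message above and changes nothing.
function Get-KerberosTransport {
    [CmdletBinding()]
    param(
        # Computers to audit; defaults to the local machine. Remote reads need
        # the Remote Registry service running and admin rights on the target.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $subKey    = 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $localName = @($env:COMPUTERNAME, 'localhost', '.')

    foreach ($computer in $ComputerName) {
        $value   = $null
        $state   = 'Unknown'
        $baseKey = $null
        $key     = $null
        try {
            # An empty machine name makes OpenRemoteBaseKey open the local registry.
            $target = $computer
            if ($localName -contains $computer) { $target = '' }

            $baseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            $key = $baseKey.OpenSubKey($subKey)          # read-only open
            if ($null -ne $key) {
                $value = $key.GetValue('MaxPacketSize', $null)
            }

            if ($null -eq $value) {
                # Key or value absent: the operating system default applies.
                $state = 'NotSet'
            }
            elseif ([int]$value -le 1) {
                # Every Kerberos message is larger than 1 byte, so all go over TCP.
                $state = 'ForcedTcp'
            }
            else {
                $state = "UdpUpTo${value}Bytes"
            }
        }
        catch {
            $state = "Error: $($_.Exception.Message)"
        }
        finally {
            if ($null -ne $key)     { $key.Close() }
            if ($null -ne $baseKey) { $baseKey.Close() }
        }

        [pscustomobject]@{
            ComputerName  = $computer
            MaxPacketSize = $value
            Transport     = $state
        }
    }
}

# Usage (computer names are placeholders):
#   Get-KerberosTransport -ComputerName 'LA-PC01', 'HQ-PC01' | Format-Table -AutoSize
```

Comparing the output for a machine at the affected site with one at the working site shows whether the two are configured differently before the registry change is rolled out.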

 



 










RE: [ActiveDir] Outlook/Exchange Issue

2005-02-01 Thread Dan DeStefano

The tech working on the problem has tried this, but to no avail.

Some more information:

If I logon to the PC with any other user account and open Outlook it works
fine. I also had the user logon to PCs in other sites and the problem
persists. This has led me to believe that the problem may be with the user’s
account itself. However the user can logon using OWA and has no problems
logging onto the domain so I am at a loss.

Is it possible that there is some weird corruption with the user’s domain
account and/or mailbox? Would re-creating the mailbox/user account be worth a
try? If so, what is the best way to go about doing this? Export the user’s
mailbox to a .pst file and delete the account/mailbox, recreate it, then
import the .pst file? If so, what preferences, appointments, tasks, etc. will
the user lose?

I greatly appreciate everyone’s help with this frustrating issue.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, February 01, 2005 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Outlook/Exchange Issue

We have lots of kerberos authentication problems over VPN connections. The
solution is to force kerberos to use TCP.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:0001

Not sure if that is your problem, but it's worth a shot.

BTW, does anyone know why kerberos was designed to use UDP in the first place?
Seems pretty silly to me.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Outlook/Exchange Issue

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site
and one each bound to our other two sites. These sites are connected by
persistent VPN connections using our Nokia Checkpoint firewalls – two of our
sites have dedicated T3 connections and the other site has a dedicated T1.
Each site has a GC.

I recently configured a laptop here in our main site for a user in our LA
site. The laptop has a wired and wireless connection, however, our only site
with wireless access is our main site – but since the user travels between
sites periodically I configured the wireless connection as well. I installed
Office 2000 from an administrative installation point at this site and
configured Outlook to connect to our sole Exchange server here at our main
site. I also set up the user’s Outlook profile from this site, connected to
our Exchange server, synchronized the user’s mailbox (I set up Outlook in
cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I got a call from
the user. Outlook hangs after opening and gives me the “Not Responding” even
after leaving it alone for 10+ minutes.

One of the other techs here is working on the problem and he tried repairing
the Office installation, disabling the wireless connection, reinstalling
Outlook, tried creating a new user profile, but nothing has been successful
so far.

Has anyone experienced this before? If I have left out any info, please let
me know and I will provide it.

Dan DeStefano

RE: [ActiveDir] OT: Exchange Mail Forwarding

2005-02-01 Thread Dan DeStefano
Thanks.
What about the rules still applying if the user's account is disabled?
What about if the account is deleted, but the mailbox kept?

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, February 01, 2005 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Mail Forwarding

I like to shoot the departing users, but my HR says that's not something I
should tell outsiders about.

Seriously, the way you're doing it is about the only way you can do it
because there is no easy way to get an auto-reply server side ( you could
write code, but..)  That's best done via the client.

If not for that, you *could* put the SMTP addr as a secondary on a DL that
included the two other mailboxes.  Or PF, or contact, or whatever
mailbox/mail-enabled object you wanted and remove the users mailbox.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Mail Forwarding

We have a W2k AD domain with Exchange 2000.

I am an Exchange novice.

I have a user who has recently left the company and need his e-mail
forwarded to 2 different users. The way I have done this is by setting up a
rule using the user's Outlook profile that forwards all messages to these
two users and also replies to the sender with a message that the user is no
longer with the company and who to send future e-mails to. I am not too
happy with this solution as I believe there may be a way to set this up on
the Exchange server itself. However, I have only found how to forward the
user's e-mail to another user's mailbox, but not to multiple mailboxes or to
a distribution group and no way to create the auto-reply.

My questions are:

Is it possible to set this up on the server without having to use the
client's Outlook? What about the auto-reply message?

I would like to disable the user's domain account for security reasons. If I
do, will the user's mailbox still receive messages and will the Outlook
rules still work?

What are the commonly-accepted procedures for dealing with departing users?

 

I would greatly appreciate any help that can be provided.

 

 

Dan DeStefano

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




[ActiveDir] Outlook/Exchange Issue

2005-02-01 Thread Dan DeStefano

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets – 3
bound to our HQ site and one each bound to our other two sites. These sites are
connected by persistent VPN connections using our Nokia Checkpoint firewalls
– two of our sites have dedicated T3 connections and the other site has a
dedicated T1. Each site has a GC.

I recently configured a laptop here in our main site for a
user in our LA site. The laptop has a wired and wireless connection, however,
our only site with wireless access is our main site – but since the user
travels between sites periodically I configured the wireless connection as
well. I installed Office 2000 from an administrative installation point at this
site and configured Outlook to connect to our sole Exchange server here at our
main site. I also set up the user’s Outlook profile from this site,
connected to our Exchange server, synchronized the user’s mailbox (I set
up Outlook in cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I
got a call from the user. Outlook hangs after opening and gives me the
“Not Responding” even after leaving it alone for 10+ minutes.

One of the other techs here is working on the problem and he
tried repairing the Office installation, disabling the wireless connection,
reinstalling Outlook, tried creating a new user profile, but nothing has been
successful so far.

 

Has anyone experienced this before? If I have left out any
info, please let me know and I will provide it.

 

 



Dan DeStefano

[ActiveDir] OT: Exchange Mail Forwarding

2005-02-01 Thread Dan DeStefano

We have a W2k AD domain with Exchange 2000.

I am an Exchange novice.

I have a user who has recently left the company and need his
e-mail forwarded to 2 different users. The way I have done this is by setting
up a rule using the user’s Outlook profile that forwards all messages to
these two users and also replies to the sender with a message that the user is
no longer with the company and who to send future e-mails to. I am not too
happy with this solution as I believe there may be a way to set this up on the
Exchange server itself. However, I have only found how to forward the user’s
e-mail to another user’s mailbox, but not to multiple mailboxes or to a
distribution group and no way to create the auto-reply. 

My questions are:

Is it possible to set this up on the server without having
to use the client’s Outlook? What about the auto-reply message?

I would like to disable the user’s domain account for
security reasons. If I do, will the user’s mailbox still receive messages
and will the Outlook rules still work?

What are the commonly-accepted procedures for dealing with
departing users?

 

I would greatly appreciate any help that can be provided.

 

 

Dan DeStefano

RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Dan DeStefano

You can probably do this using the “shutdown” utility from the W2k Resource
Kit (this utility is included with Server 2k3)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Monday, January 31, 2005 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart

Is there any way to schedule an unattended restart, warm or cold boot, of a
DC ?

RE: [ActiveDir] Office deployments via GPO

2005-01-25 Thread Dan DeStefano
I believe you can control this behavior via the Office 2003 Custom
Installation Wizard, which is part of the o2k3 resource kit toolbox:
http://download.microsoft.com/download/0/e/d/0eda9ae6-f5c9-44be-98c7-ccc3016a296a/ork.exe.

Dan DeStefano


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, January 24, 2005 7:38 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Office deployments via GPO


We have many desktops that we want to deploy Office 2003 to, and some of
them already have Office 2003.  Separating which ones do and don't would
be difficult, so we want to apply the GPO to a whole list of computers
and let it deploy.  The problem is, if they already have Office 2003 on
the workstations, it deploys over top of it anyway, and this could cause
Outlook or some other issues.  Is there any way to get the GPO to detect
if O2K3 is already installed and skip deployment if so?

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] OT how to change how explorer lists computers

2005-01-19 Thread Dan DeStefano
I have been looking for a way to change this myself and have not found
one. The only thing I have found is that supposedly this is a design
decision and unchangeable. The most annoying part of this is that not
only does it display the comment first, but the comments are not even
alphabetized, but the computer names are. This is really frustrating.

If you find a way to do this please let me know - [EMAIL PROTECTED]

Thanks,

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, January 18, 2005 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT how to change how explorer lists computers

Does anyone know how or if you can change how explorer lists the
computers when you go to network places and view the entire network.
Under 2000 it showed the computer name.  Under XP it is showing the
comment/description and then the computer name in parenthesis.  We would
like to only have the computer name. 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] DNS Setup

2005-01-18 Thread Dan DeStefano
Are you asking if Windows DNS needs to be used with AD? If so, then the
answer is no, you can use another DNS server such as BIND, the only
requirement being that it must support SRV records - dynamic updates are
optional, but preferred.

Dan


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 18, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Setup

Does DNS need to be setup with Active Directory?  My DNS isn't showing any
of the LDAP ports or standard stuff that shows when you have an AD
Integrated DNS.  I tried deleting all the Zones and re-creating them... but
it doesn't seem to help.

Thanks,
--
Matt Brown
[ SELECT * FROM users WHERE clue > 0 ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, January 18, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

Putting the web sites into the security zones did not work.  Still
unable to browse to the sites on the XP workstations. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, January 13, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

The firewall is disabled on the machines.  I will try the security zones.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 13, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies that effect secure websites

Are you sure it's the firewall and not some other setting?  For example,
some of the other security settings will prevent you from loading ActiveX
controls and won't even prompt you for that.  Firewall has nothing to do
with that.

Once you have connected to a web page via SSL, the conversation is encrypted
and the firewall either allows the TCP 443 connection or it doesn't.  Not
partially, etc.

Troubleshooting the firewall usually starts with logging.  Have you tried
logging the firewall to see what it's doing? Do you see it dropping
connections to that page?

You may also want to turn on script debugging to see if something is failing
before the page loads.  Finally, you may also want to put the web page into
a different security zone for testing purposes to see if some of the
security zone settings are too restrictive.


Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Thursday, January 13, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Policies that effect secure websites


I am having an issue on a windows XP SP2 where some of the secure web sites
will not come up.  I have SSL and TLS selected and we are able to connect to
our OWA server, but unable to connect a banking page for example.  Now I
checked on a windows 2000 machine and we are able to get to the page.  I
don't have anything in the policies that I see that tells IE how to handle
secure sites but then I could be missing something.  Any Ideas where to
look.

Jeff


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
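
The reply at the top of this post says Active Directory only needs a DNS server that supports SRV records. The following is an added example, not part of the original messages: a PowerShell function (the name Test-AdSrvRecord, the domain corp.example.com and the server address 192.0.2.53 are placeholders) that asks a chosen DNS server for the standard domain controller locator SRV records and reports which ones are missing. It assumes a current Windows admin workstation where the Resolve-DnsName cmdlet is available.

```powershell
# Added example (not from the thread): confirm that a DNS server, Windows or
# BIND, answers the SRV lookups clients use to locate domain controllers.
function Test-AdSrvRecord {
    [CmdletBinding()]
    param(
        # DNS name of the AD domain, e.g. corp.example.com (placeholder).
        [Parameter(Mandatory)][string]$DomainName,
        # Forest root domain; assumed equal to the domain in a single-domain forest.
        [string]$ForestName = $DomainName,
        # DNS server to query; omit to use the client's configured resolvers.
        [string]$DnsServer
    )

    # Locator records that domain controllers register in DNS.
    $names = @(
        "_ldap._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.pdc._msdcs.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_kpasswd._tcp.$DomainName",
        "_gc._tcp.$ForestName"
    )

    foreach ($name in $names) {
        $query = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $query.Server = $DnsServer }

        try {
            # Keep only SRV answers; the response can also carry A records
            # for the targets in its additional section.
            $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
            [pscustomobject]@{
                Name    = $name
                Found   = ($srv.Count -gt 0)
                Targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                Error   = $null
            }
        }
        catch {
            # NXDOMAIN, timeout or refusal: record the failure and keep going.
            [pscustomobject]@{
                Name    = $name
                Found   = $false
                Targets = ''
                Error   = $_.Exception.Message
            }
        }
    }
}

# Usage (domain and server are placeholders):
#   Test-AdSrvRecord -DomainName 'corp.example.com' -DnsServer '192.0.2.53' |
#       Format-Table -AutoSize
```

Rows with Found set to False point at records the DNS server is not serving, which is the symptom described in the question quoted above.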


RE: [ActiveDir] Domain name and server name don't match

2005-01-11 Thread Dan DeStefano
1) Yes, if you have a single DC, it will hold all FSMO roles as well as
be a Global Catalog.
2) If you add more DCs the FSMO roles do not automatically change, you
must manually transfer whichever role you want.
3) Those groups must be present and are default built-in groups. Maybe
someone has renamed them. Switching from Mixed mode to native mode has
no effect on groups. Switching to Native mode allows AD to operate in
true multi-master mode and once you switch, you can no longer have NT
BDCs in your AD domain.
You only have to be a member of the Schema Admins and Enterprise Admins
to run Forestprep. Running Domainprep only requires membership in the
Domain Admins group for the domain against which you are running the
utility

What do you mean your domain name and server name do not match? Could
you clarify this?


Dan DeStefano



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Monday, January 10, 2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain name and server name don't match

Apparently I'm now the new parent of an (misconfigured, I think) AD that
was unceremoniously dumped in my lap. Not having any 'real' experience
with AD I set off on a search. I've used my trusty O'Reilly Bookshelf to
grab some of the more recommended books (AD Cookbook, AD Forestry and
Inside Active Directory). Until I can make it through these books I have
a couple of questions.

1) If there is only one Win2k DC in a domain, does it take on all the
FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC
Emulator, Infrastructure Daemon)?

2) If you add more DC's, how/what decides who is going to be the Schema 
master, Domain Naming Master, etc?

3) To run the AdPrep /ForestPrep and AdPrep /DomainPrep commands you 
must be a member of the Schema Admins and Enterprise Admins groups. Are 
those groups created when you up the functional level from Mixed to 
Native mode? Because our AD is in mixed mode and those groups are not 
present.



Thanks in advance.

Alonzo



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Software Deployment From MSCS Share

2004-12-30 Thread Dan DeStefano
Duh, can't believe I didn't realize that. It works now, thank you. 

Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Wednesday, December 29, 2004 6:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Software Deployment From MSCS Share

You have to create a clustered resource for the file share and not grant
permissions inside windows explorer but inside mscs.

steve schofield


- Original Message -----
From: "Dan DeStefano" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, December 29, 2004 10:24 AM
Subject: [ActiveDir] Software Deployment From MSCS Share


I have an odd problem: When attempting to deploy a package stored on an
MS Cluster shared resource, I receive "source unavailable" errors. The
NTFS and share permissions on the share are set properly: the package is
assigned to computers in an OU and the "Domain Computers" group has
"Read" share/NTFS permissions to the package.

However, when I move the package to a non-clustered share using the same
settings and permissions, the application deploys fine. Is there a bug
or problem with deploying packages located on an MSCS shared resource?
If so, are there any workarounds?

Thanks in advance,


_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net <http://www.iagr.net/>
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, may be
privileged and is intended for the exclusive use of the above named
addressee(s). If you are not the intended recipient(s), you are
expressly prohibited from copying, distributing, disseminating, or in
any other way using any of the information contained within this
communication. If you have received this communication in error, please
contact the sender by telephone 212.871.5262 or by response via e-mail.




RE: [ActiveDir] GPO Processing

2004-12-30 Thread Dan DeStefano



I had this problem on a PC and I fixed it by simply updating the NIC
driver. Have you tried this?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 30, 2004 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Processing

I keep getting these errors on my Windows XP SP 1 Computer. I have
rebuilt the machine twice and have put on XP SP2 and XP SP1a and the
results are always the same, I have replaced the NIC and the Cable it
uses to connect to the network and can’t seem to figure out what is
going on. Any help is appreciated.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1054
Date: 12/30/2004
Time: 11:24:46 AM
User: NT AUTHORITY\SYSTEM
Computer: CHCSWS26
Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


[ActiveDir] Software Deployment From MSCS Share

2004-12-29 Thread Dan DeStefano




I have an odd problem: When attempting to deploy a package stored on an
MS Cluster shared resource, I receive "source unavailable" errors. The
NTFS and share permissions on the share are set properly: the package is
assigned to computers in an OU and the "Domain Computers" group has
"Read" share/NTFS permissions to the package.

However, when I move the package to a non-clustered share using the same
settings and permissions, the application deploys fine. Is there a bug
or problem with deploying packages located on an MSCS shared resource?
If so, are there any workarounds?

Thanks in advance,

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

 


[ActiveDir] Terminal Services Web Client ActiveX Control

2004-12-16 Thread Dan DeStefano



I am trying to deploy the TS Web Client ActiveX control to Windows XP
Pro desktops using group policy (I know that XP Pro has the RDC client
built-in, but the manager of the department wants the users using the
Web client for testing). Anyway, the users do not have Admin privileges
on their machines and cannot install ActiveX controls.

I have tried deploying the Full Terminal Services Client to a test
machine using group policy, but was still prompted to install the
ActiveX control when connecting to the TS Web page.

Is there any way to deploy this ActiveX control using group policy? If
so, how?

I noticed the file "mstsax.dll" installed in the system32 directory and
was wondering if this is the control? If so, can I simply copy this file
to the client machines and have the TS web page work?

Is there any way to simply authorize this ActiveX control to allow
installation by normal users?

Thanks in advance,

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television
 
 


RE: [ActiveDir] account lockout OT

2004-12-09 Thread Dan DeStefano



This is determined by the "Reset account lockout counter after" setting.

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 09, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] account lockout OT

Say I have my accounts set up to lock after 3 failed attempts and to
stay locked out for 30 minutes. I do 2 failed attempts, how long do I
have to wait before I can do 2 more attempts without the account getting
locked out? Is it based upon the lockout period? Or does it require a
successful login to reset the counter?

Thanks in advance for any responses.

Holland + Knight
Travis Abrams
Systems Engineer
Holland & Knight LLP
92 Lake Wire Dr
Lakeland, FL 33815
Direct 863 499 5705
Fax 863 499 5711
Email [EMAIL PROTECTED]
www.hklaw.com
  
  NOTICE:  This e-mail is from a law 
  firm, Holland & Knight LLP ("H&K"), and is intended solely for the use 
  of the individual(s) to whom it is addressed.  If you believe you 
  received this e-mail in error, please notify the sender immediately, delete 
  the e-mail from your computer and do not copy or disclose it to anyone 
  else.  If you are not an existing client of H&K, do not construe 
  anything in this e-mail to make you a client unless it contains a specific 
  statement to that effect and do not disclose anything to H&K in reply that 
  you expect it to hold in confidence.  If you properly received this 
  e-mail as a client, co-counsel or retained expert of H&K, you should 
  maintain its contents in confidence in order to preserve the attorney-client 
  or work product privilege that may be available to protect 
  confidentiality.
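
How the lockout threshold, the lockout duration and the "Reset account lockout counter after" setting from this thread interact, modelled as an added example (not code from any poster or from Microsoft). The threshold of 3 and the 30-minute duration come from the question; the 15-minute reset value, all class and function names, and the assumption that the reset window is measured from the most recent failed attempt are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int        # "Account lockout threshold" (failed attempts)
    duration_min: int     # "Account lockout duration" (minutes)
    reset_after_min: int  # "Reset account lockout counter after" (minutes)

class Account:
    """Simplified model of one account's failed-logon counter (times in minutes)."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad: Optional[int] = None
        self.locked_at: Optional[int] = None

    def logon(self, t: int, password_ok: bool) -> str:
        p = self.policy
        if self.locked_at is not None:
            if t - self.locked_at < p.duration_min:
                return "locked"      # rejected even with the correct password
            self.locked_at, self.bad_count = None, 0   # lockout has expired
        if password_ok:
            self.bad_count = 0       # a successful logon clears the counter
            return "success"
        # Assumption: the window runs from the most recent failed attempt.
        if self.last_bad is not None and t - self.last_bad >= p.reset_after_min:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = t
        if self.bad_count >= p.threshold:
            self.locked_at = t
            return "locked_out"
        return "failed"

def replay(policy, events):
    """Run (minute, password_ok) events against a fresh account."""
    acct = Account(policy)
    return [acct.logon(t, ok) for t, ok in events]

# Threshold and duration from the question; reset value is constructed.
POLICY = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=15)

if __name__ == "__main__":
    # Third failure inside the reset window locks the account for 30 minutes.
    print(replay(POLICY, [(0, False), (1, False), (10, False), (20, True), (41, True)]))
    # Third failure after the reset window starts a new count instead.
    print(replay(POLICY, [(0, False), (1, False), (20, False), (21, False)]))
    # A successful logon in between also clears the counter.
    print(replay(POLICY, [(0, False), (1, False), (5, True), (6, False), (7, False)]))
```
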

