Re: Printer brand recommendations

2008-01-30 Thread Kurt Buff
I'd price out the rental of a Savin or other networked color digital copier.

If the muckety-mucks are worried about privacy/confidentiality, units
like this offer management options like passcodes for print jobs (must
put in a passcode at the printer to print the document if it's
confidential, or put a passcode in when requesting the print job from
the PC if it's color or it goes into the bitbucket, etc.)

Might be able to make the economic case with something like that.

Kurt

On 1/29/08, Ben Scott <[EMAIL PROTECTED]> wrote:
> Howdy list,
>
>  So, after some truly abysmal tech support experiences with HP this
> month, I've decided it's time to look at other printer brands.  I've
> been buying HP's almost exclusively for over a decade, so I'm starting
> from scratch.  There are so many brands that even a product field
> survey is non-trivial: Dell, Samsung, Canon, Epson, IBM/Lexmark,
> Xerox, Ricoh, Sharp, Toshiba, Panasonic, just to name a few.
> Recommendations?  Opinions?  Horror stories?
>
>  Relatively small company, roughly 75 workstations.  Mostly
> monochrome laser printers serving workgroups of 5-10 people.  Typical
> volume might be 1K-3K pages/month.  A couple color laser printers
> serving supersets of same.
>
>  A few bigwigs have color inkjets in their office, because of course
> they're too important to have to walk out to the printer in the hall,
> but they also don't want to clutter up their fancy mahogany office
> furniture with a larger laser printer that might actually work.  For
> example, the Director of HR.  Since she works with personal/private
> stuff, she wanted one of those print/scan/copy/fax jobs (reasonable, I
> guess).  The supposedly high-end HP inkjet we bought has been a
> disaster, which is why I'm here.
>
>  Almost every printer we have is network-attached (easier to manage,
> they roam with the user profile if hardware is changed, enables the
> frequent requests to share printers).  As I recall from some
> experience a few years ago, that seems to be a common failing with
> many brands.  Even if they have a network jack, functionality/features
> are severely reduced over the network.
>
>  One thing I really dislike is printers which require special
> software installation to the tune of hundreds of megabytes, a few
> startup programs, a dozen desktop icons, and their own support,
> update, and maintenance hassles.  Windows has APIs for printing and
> scanning; if we stick to those, support and training are so much
> easier.
>
>  Thoughts?
>
> -- Ben
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
> ~   ~
>



Re: L2TP vs. SSTP

2008-01-30 Thread Kurt Buff
On 1/30/08, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 11:10 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> > But the cn value in the presented certificate will not
> > match the FQDN that the client initially connected to.
>
>  Why wouldn't it?  The proxy has the CA key and can make up new
> certificates all day long, each one with the right CN/DN to match what
> the client requested in the HTTP proxy CONNECT method.
>
> -- Ben

After thinking about this for a couple of hours (and without having
looked at documentation at all yet - we're just sitting down
today/tomorrow with the VAR to unbox things, and start the
implementation), I want to qualify my statement a bit.

The Sidewinder *does* show in its configuration an option to examine
SSL traffic. However, I don't know for what purpose, or under what
circumstances.

It's entirely possible that it's only meant as a proxy for a web
server sitting in a DMZ that it's protecting. This is a far less
onerous task, since the cert is under control of the site that runs
the firewall.

However, if someone wants to remind me next week, after I've had a
chance to breathe a moment, I'll be very happy to delve into the docs
and see what I can find.

Kurt



RE: VPN with Server 2003

2008-01-30 Thread Carl Houseman
Yes, Windows 2003 with single NIC can be a VPN server providing access to
the entire LAN.

http://www.google.com/search?q=single+nic+vpn+windows+2003

Carl 

-Original Message-
From: Jim Dandy [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 31, 2008 1:19 AM
To: NT System Admin Issues
Subject: VPN with Server 2003

The stuff I've read so far on setting up a Server 2003 box to do VPN has
you use a machine with two NICs in it and direct all traffic from the
internet through that box (in one NIC and out the other).  Only a very
small amount of traffic between my LAN and the internet will be VPN.  I
don't particularly want to route everything through that box.  It
creates another single point of failure that could take my network out.
Does it have to be configured that way?  I envisioned it working on a
box on my LAN with a single NIC and that packets coming into the NIC
would be stripped of encryption and redirected out the same NIC where
they came in.  Can it work that way or am I just stupid to think that
it's possible to do it that way?

Thanks for your help.

Curt



VPN with Server 2003

2008-01-30 Thread Jim Dandy
The stuff I've read so far on setting up a Server 2003 box to do VPN has
you use a machine with two NICs in it and direct all traffic from the
internet through that box (in one NIC and out the other).  Only a very
small amount of traffic between my LAN and the internet will be VPN.  I
don't particularly want to route everything through that box.  It
creates another single point of failure that could take my network out.
Does it have to be configured that way?  I envisioned it working on a
box on my LAN with a single NIC and that packets coming into the NIC
would be stripped of encryption and redirected out the same NIC where
they came in.  Can it work that way or am I just stupid to think that
it's possible to do it that way?

Thanks for your help.

Curt



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer
Ah - OK - I see how this works now.

I suppose I'm glad I have my 3G 5250 WWAN card built into my Dell laptop now :-)

Cheers
Ken

-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 3:23 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 11:10 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> But the cn value in the presented certificate will not
> match the FQDN that the client initially connected to.

  Why wouldn't it?  The proxy has the CA key and can make up new
certificates all day long, each one with the right CN/DN to match what
the client requested in the HTTP proxy CONNECT method.

-- Ben



Re: FW: Nokia VPN question-SOLVED

2008-01-30 Thread Micheal Espinola Jr
Well, it didn't make much sense otherwise.  ;-)

On Jan 30, 2008 6:52 PM, Andy Shook <[EMAIL PROTECTED]> wrote:
> Since no one responded, I'll ass-u-me none of you slacker-jacks care but
> I just want to let the collective know, that this is fixed; I fat
> fingered an isakmp command in my ASA config
>
> Hooray Shook!
>
> Shook
> -Original Message-
> From: Andy Shook
> Sent: Wednesday, January 30, 2008 3:53 PM
> To: 'NT System Admin Issues'
> Subject: Nokia VPN question
>
> Anyone out there using a Nokia VPN appliance in production?
>
> Here's the deal.  Just cutover to a Cisco ASA-5510 from a Sonicwall 2040
> (enhanced OS) and this one LAN-to-LAN tunnel will not establish phase 2.
> Settings did not change and everything else is groovy.  Is there any
> "feature" that is required for these two boxes to swap packets?
>
> Pullin' my hair out on this one.
>
> Shook



-- 
ME2



RE: L2TP vs. SSTP

2008-01-30 Thread Thomas W Shinder
Hi Ben,

You are correct. If you're using an ISA Firewall, you can use
ClearTunnel add on to do this. Who knows, it *might* be included in the
next version of the ISA Firewall.

Tom

-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:23 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 11:10 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> But the cn value in the presented certificate will not
> match the FQDN that the client initially connected to.

  Why wouldn't it?  The proxy has the CA key and can make up new
certificates all day long, each one with the right CN/DN to match what
the client requested in the HTTP proxy CONNECT method.

-- Ben



RE: L2TP vs. SSTP

2008-01-30 Thread Thomas W Shinder
My New Year's resolution is to be civil and only offer useful
information on the list. 

I'm a nice guy nice now :)

Thanks!
Tom

-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 8:57 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 9:17 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> The only cure is an application proxy that actually understands the
> protocols, and enforces them, and that's nearly unobtainable.

  It's not actually that rare.  It's a Simple Matter of Programming to
confirm that the traffic on TCP/443 actually is SSL.  (As I'm sure Tom
will point out, ISA Server can do this (I believe)).  The real problem
is that SSL, by design and intent, prevents you from looking inside
the secure tunnel.  (If it didn't, it wouldn't be very secure, now
would it?)  You don't know what the SSL tunnel is being used to carry.
 Could be HTTP.  Could be a backdoor to an attacker.

  Default deny with whitelisting of SSL sites is one approach, but
that's an obvious hassle.

  Approaches which explicitly open the payload to trusted inspection
have been proposed.  The idea is, have the client software create an
SSL tunnel to the proxy.  Using a special protocol over that
connection, the client requests an SSL tunnel to the real destination.
 The proxy creates that SSL tunnel.  The client then sends the payload
(without further encryption) over the tunnel to the proxy, which can
inspect it and (if it passes inspection) forward it over its own SSL
tunnel.

  The problem is there are no standards for this (that I'm aware of),
and there are cases which are non-trivial to handle.  (What if the
remote's CA is unknown?  What about client certificates?)  Even if we
get standards, adoption is going to take some time.  There are also
obvious security implications with deliberately defeating the
end-to-end security model.  Presumably one can manage that risk
internally, but it's still an issue.

-- Ben



Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 11:10 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> But the cn value in the presented certificate will not
> match the FQDN that the client initially connected to.

  Why wouldn't it?  The proxy has the CA key and can make up new
certificates all day long, each one with the right CN/DN to match what
the client requested in the HTTP proxy CONNECT method.

-- Ben



Re: Printer brand recommendations

2008-01-30 Thread Ben Scott
On Jan 30, 2008 10:24 PM, Jonathan Link <[EMAIL PROTECTED]> wrote:
> Get the bigwigs a personal laser printer, they'll be happier with improved
> availability, you'll have less support headaches.

  Color laser printers, especially the all-in-one units, are all
decidedly bigger than the inkjet alternatives.  Like I've said
multiple times now, the bigwigs want something physically small, so it
doesn't conflict with their feng shui or whatever.  Maybe this is just
a case of wanting something that doesn't exist, but you'd think there
would be a market for products which don't suck.

  And lately they're wanting to print photos, too.  Anyone seen a
color laser printer with good photo printing performance?  Most seem
to be only 600 DPI.

> I only ever install the driver for a printer, despite what comes with it.

  That's what I want to do.  The "driver only kit" for the HP
PhotoSmart C7280 is over 300 megabytes, and doesn't work if I try to
force it to install via the Add Hardware Wizard and INFs only.
Apparently you *need* to run HP's elaborate install utility, and let
it copy tons of crap to the system, for it to setup whatever magic HP
wants.  And then the scanner doesn't work anyway.  Did I mention I
don't like HP lately?

-- Ben



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer
-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 3:02 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 10:38 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>> I do know of at least one firewall that will decrypt SSL as it
>> passes through ...
>
> Really? How does this work?
>
>  I dunno about what Kurt's talking about, but here's one possible scenario:
>
>  Create your own, locally-hosted CA (Certificate Authority).  Add
> that CA certificate to the trusted certificate list for all your
> clients (web browsers, etc.).  Tell all the clients to use your
> special HTTP proxy server.  Clients connect to the HTTP proxy, issue
> the CONNECT method, and attempt to start SSL over the TCP pipe.  But
> special proxy server didn't really make the TCP connection that was
> asked for -- it instead just waits for the SSL startup and acts as an
> SSL server.  Proxy claims to be the server asked for in the CONNECT.
> Proxy uses its own SSL certificate, which is made-up, but signed by
> the local CA.  Client has been configured to trust that CA, so as far
> as client is concerned, it thinks it has the real destination site.

But the cn value in the presented certificate will not match the FQDN that the 
client initially connected to. So you'd get a name mismatch warning in the 
client browser.

Cheers
Ken



So it sends the HTTP request over the SSL tunnel like it normally
would.  Proxy then opens an SSL client connection to the real
destination, and passes the HTTP requests from the client on.

  I think that would work, at least for the common cases.  It won't
work if the real destination is using client certificates to
authenticate the client.  The proxy doesn't have the client's secret
key and thus can't impersonate the client.

-- Ben



Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 11:01 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> >  I don't know why any of that should be relevant.
>
> Because the content needs to be inspected, validated and accepted or
> rejected.

  That's if you can peek inside the SSL tunnel.  Just enforcing that
SSL is being used (and not someone shoving their stuff down TCP/443 in
the hopes of finding an open port) is the SMOP.

-- Ben



Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 10:38 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>> I do know of at least one firewall that will decrypt SSL as it
>> passes through ...
>
> Really? How does this work?

  I dunno about what Kurt's talking about, but here's one possible scenario:

  Create your own, locally-hosted CA (Certificate Authority).  Add
that CA certificate to the trusted certificate list for all your
clients (web browsers, etc.).  Tell all the clients to use your
special HTTP proxy server.  Clients connect to the HTTP proxy, issue
the CONNECT method, and attempt to start SSL over the TCP pipe.  But
special proxy server didn't really make the TCP connection that was
asked for -- it instead just waits for the SSL startup and acts as an
SSL server.  Proxy claims to be the server asked for in the CONNECT.
Proxy uses its own SSL certificate, which is made-up, but signed by
the local CA.  Client has been configured to trust that CA, so as far
as client is concerned, it thinks it has the real destination site.
So it sends the HTTP request over the SSL tunnel like it normally
would.  Proxy then opens an SSL client connection to the real
destination, and passes the HTTP requests from the client on.

  I think that would work, at least for the common cases.  It won't
work if the real destination is using client certificates to
authenticate the client.  The proxy doesn't have the client's secret
key and thus can't impersonate the client.

-- Ben



Re: L2TP vs. SSTP

2008-01-30 Thread Kurt Buff
On 1/30/08, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 10:16 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> > Not quite - I don't know of any application proxy that actually
> > does well with all of the verbs, etc., in the HTTP suite, especially
> > when you throw javascript, xml, activeX controls, etc., etc., etc. at
> > it.
>
>  I don't know why any of that should be relevant.

Because the content needs to be inspected, validated and accepted or
rejected. ActiveX controls are mostly just executables, but the rest
could, usually, be considered part of the HTTP protocol suite, in one
sense or another. Even if not part of the protocol suite, it's content
that needs the same scrutiny as anything else.



> > I do know of at least one firewall that will decrypt SSL as it
> > passes through, though, for inspection purposes - of course, that
> > means some tricky work with certs ...
>
>  Hmmm... I'm guessing it has you add a local CA certificate to the
> trusted CA list on all the clients, and then the proxy impersonates
> whatever SSL site the client is requesting?  Wouldn't that break
> client SSL certificates, though?
>
>  Even so, I'm kinda curious -- got a link or product name?

Sidewinder, by Secure Computing.

> > ... you have the underlying protocol that's
> > being tunneled, and if it's not HTTP, then it gets really tricky.
>
>  *Exactly*.  Although, if the goal is just to make sure TCP/443 is
> only being used for HTTP-over-SSL (and not some arbitrary protocol),
> it at least makes that much possible.  Of course, there's still the
> possible use of HTTP as a covert channel.  I think someone has created
> an "IP over HTML" proof-of-concept.
>
> >>   Default deny with whitelisting of SSL sites is one approach, but
> >> that's an obvious hassle.
> >
> > Yes, and I'm nearly ready to go there.
>
>  Wish I could.  Cost/benefit isn't there for us.

Isn't there for me, either, but there are days when I want to do it anyway!

> > I say, let's kill all the users - then we'll have good security, eh? :)
>
>  The DoD still says the best way to secure a classified system is
> with the Air Gap(TM) firewall -- don't connect it to a network and
> you've solved the network attack problem.

Yup, if you have two armed guards, no USB or other ports, etc. Heh.



Re: L2TP vs. SSTP

2008-01-30 Thread Kurt Buff
On 1/30/08, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> Kurt Buff wrote:
> > You don't know what the SSL tunnel is being used to carry.
> >  Could be HTTP.  Could be a backdoor to an attacker.
>
> SMOP? Not quite - I don't know of any application proxy that actually
> does well with all of the verbs, etc., in the HTTP suite,
>
> Who said that the traffic has to be HTTP? Over SSL/TLS you can send whatever
> you like, and the proxy would not know any different.
>
> And that is the problem - if someone wants to do something bad (either an inside
> job, or a malicious outside attacker that compromises your machines through
> malware), they can just use the universal firewall bypass port :-)

See my last comment, below. heh.

> > I do know of at least one firewall that will decrypt SSL as it
> > passes through, though, for inspection purposes - of course, that
> > means some tricky work with certs,
>
> Really? How does this work? SSL/TLS is designed to be resistant to exactly
> this form of "inspection", otherwise it would be possible to mount MitM
> attacks against SSL/TLS.

I don't know. I do know that it's one we're installing - cutting over
on Friday, but we didn't pay for that option, nor for the add-in board
that would be useful to go with it.

> > but even assuming that, you have
> > the underlying protocol that's being tunneled, and if it's not HTTP,
> > then it gets really tricky. For instance, how about RPC/HTTPS?
> > Basically, it's MAPI over SSL
>
> No - RPC over HTTPS can be any RPC traffic. You can tunnel ADO over HTTP if
> you want. Or almost any other type of RPC traffic. All that's required is
> that the client library support it.
>
> MAPI is just one client that supports such tunnelling.

I see - well, I suppose that makes it all better then, doesn't it? :)

Kurt



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer
-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 2:53 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

> The DoD still says the best way to secure a classified system is
> with the Air Gap(TM) firewall -- don't connect it to a network and
> you've solved the network attack problem.

I'm sure some enterprising malware writer is working on some kind of software 
that somehow manages to tunnel traffic over even this type of firewall...

Cheers
Ken



Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 10:16 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> Not quite - I don't know of any application proxy that actually
> does well with all of the verbs, etc., in the HTTP suite, especially
> when you throw javascript, xml, activeX controls, etc., etc., etc. at
> it.

  I don't know why any of that should be relevant.  When SSL is
tunneled over an HTTP proxy, the client makes the regular connection
to the proxy server, and then submits a CONNECT method.  The proxy
then opens the TCP connection to the specified destination, and gets
out of the way.  The client then starts SSL like it opened the TCP
connection that way from the start.  Everything else is part of the
SSL payload, and thus encrypted.  The proxy can't see any of it, so it
can't screw it up, either.

  The SSL verification just means the proxy watches what is sent over
the TCP connection to make sure it looks like an SSL session setup,
and drops the connection if it isn't.

> I do know of at least one firewall that will decrypt SSL as it
> passes through, though, for inspection purposes - of course, that
> means some tricky work with certs ...

  Hmmm... I'm guessing it has you add a local CA certificate to the
trusted CA list on all the clients, and then the proxy impersonates
whatever SSL site the client is requesting?  Wouldn't that break
client SSL certificates, though?

  Even so, I'm kinda curious -- got a link or product name?

> ... you have the underlying protocol that's
> being tunneled, and if it's not HTTP, then it gets really tricky.

  *Exactly*.  Although, if the goal is just to make sure TCP/443 is
only being used for HTTP-over-SSL (and not some arbitrary protocol),
it at least makes that much possible.  Of course, there's still the
possible use of HTTP as a covert channel.  I think someone has created
an "IP over HTML" proof-of-concept.

>>   Default deny with whitelisting of SSL sites is one approach, but
>> that's an obvious hassle.
>
> Yes, and I'm nearly ready to go there.

  Wish I could.  Cost/benefit isn't there for us.

> I say, let's kill all the users - then we'll have good security, eh? :)

  The DoD still says the best way to secure a classified system is
with the Air Gap(TM) firewall -- don't connect it to a network and
you've solved the network attack problem.

-- Ben
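
An added example, not part of the original post or thread: one way a proxy could do the check described above, confirming that the first bytes after CONNECT look like an SSL/TLS handshake and that the tunnel goes to an allowlisted host. The function names, the allowlist and the sample messages are constructed for illustration; it assumes the whole ClientHello arrives in the first record and does not recognise SSLv2-format hellos.

```python
ALLOWED_HOSTS = {"mail.example.com"}  # constructed allowlist for the demo


class _Buf:
    """Bounds-checked reader; raises ValueError instead of reading short."""

    def __init__(self, data):
        self.d, self.o = data, 0

    def take(self, n):
        if self.o + n > len(self.d):
            raise ValueError("truncated")
        chunk = self.d[self.o:self.o + n]
        self.o += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, n):
        """Read an n-byte length prefix, then that many bytes."""
        return self.take(self.uint(n))

    def more(self):
        return self.o < len(self.d)


def parse_connect(request):
    """Return (host, port) from an HTTP CONNECT request line, else None."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.lower(), int(port)


def parse_client_hello(data):
    """Return {'version', 'sni'} if data starts with a ClientHello, else None."""
    try:
        rec = _Buf(data)
        ctype, major, minor = rec.uint(1), rec.uint(1), rec.uint(1)
        if ctype != 0x16 or major != 3 or minor > 4:   # handshake record, SSLv3/TLS
            return None
        hs = _Buf(rec.vec(2))                          # record payload
        if hs.uint(1) != 1:                            # handshake type 1 = ClientHello
            return None
        body = _Buf(hs.vec(3))
        version = body.uint(2)
        body.take(32)                                  # client random
        body.vec(1)                                    # session id
        body.vec(2)                                    # cipher suites
        body.vec(1)                                    # compression methods
        sni = None
        if body.more():                                # extensions are optional
            exts = _Buf(body.vec(2))
            while exts.more():
                etype, edata = exts.uint(2), exts.vec(2)
                if etype == 0:                         # server_name extension
                    names = _Buf(_Buf(edata).vec(2))
                    if names.uint(1) == 0:             # name type 0 = host_name
                        sni = names.vec(2).decode("ascii").lower()
        return {"version": version, "sni": sni}
    except ValueError:                                 # truncated or non-ASCII name
        return None


def check_tunnel(connect_request, first_bytes, allowed=ALLOWED_HOSTS):
    """Decide whether to keep a CONNECT tunnel open, default deny."""
    target = parse_connect(connect_request)
    if target is None:
        return "deny: not a CONNECT request"
    host, port = target
    if port != 443:
        return "deny: port not permitted"
    if host not in allowed:
        return "deny: host not allowlisted"
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return "deny: not an SSL/TLS ClientHello"
    if hello["sni"] is not None and hello["sni"] != host:
        return "deny: SNI does not match CONNECT host"
    return "allow"


def build_client_hello(sni=None):
    """Construct a minimal sample ClientHello (test data only)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + b"\x01\x00" + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    req = b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n"
    print(check_tunnel(req, build_client_hello("mail.example.com")))
    print(check_tunnel(req, b"SSH-2.0-sample\r\n"))
```

As the thread notes, this only establishes that a handshake was started; it says nothing about what the tunnel carries afterwards.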



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer


-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 2:17 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

> You don't know what the SSL tunnel is being used to carry.
>  Could be HTTP.  Could be a backdoor to an attacker.

SMOP? Not quite - I don't know of any application proxy that actually
does well with all of the verbs, etc., in the HTTP suite,

Who said that the traffic has to be HTTP? Over SSL/TLS you can send whatever 
you like, and the proxy would not know any different.

And that is the problem - if someone wants to do something bad (either an inside
job, or a malicious outside attacker that compromises your machines through
malware), they can just use the universal firewall bypass port :-)


> I do know of at least one firewall that will decrypt SSL as it
> passes through, though, for inspection purposes - of course, that
> means some tricky work with certs,

Really? How does this work? SSL/TLS is designed to be resistant to exactly this
form of "inspection", otherwise it would be possible to mount MitM attacks against
SSL/TLS.

> but even assuming that, you have
> the underlying protocol that's being tunneled, and if it's not HTTP,
> then it gets really tricky. For instance, how about RPC/HTTPS?
> Basically, it's MAPI over SSL

No - RPC over HTTPS can be any RPC traffic. You can tunnel ADO over HTTP if you 
want. Or almost any other type of RPC traffic. All that's required is that the 
client library support it.

MAPI is just one client that supports such tunnelling.

Cheers
Ken



RE: Printer brand recommendations

2008-01-30 Thread Sam Cayze
Yeah, anywhere.
 
FYI Dell has a laser for around $130 right now.

Our Dell Printing costs are less than 1 cent a page FYI.  Not sure if
that is really good or not, I think it is.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 9:26 PM
To: NT System Admin Issues
Subject: RE: Printer brand recommendations




No you are able to get most cartridges now through Staples.   

 

From: Jonathan Link [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:24 PM
To: NT System Admin Issues
Subject: Re: Printer brand recommendations

 


I'll concur with what Don Ely said, but that being the case, you have to
mitigate the downside.

High end inkjets are oxymoronic.

From what you describe, in my opinion, you haven't sized your printers
appropriately to the job they are to perform.

Get the bigwigs a personal laser printer, they'll be happier with
improved availability, you'll have less support headaches.

I only ever install the driver for a printer, despite what comes with
it.  Depending on the end user, I'll leave it to them to install the
rest of the crap that comes with the printer.

 

IIRC Dell started making their cartridges proprietary and unavailable
anywhere but from Dell.  Is this still the case?

 

-Jonathan

On Jan 29, 2008 11:25 PM, Ben Scott <[EMAIL PROTECTED]> wrote:

Howdy list,

 So, after some truly abysmal tech support experiences with HP this
month, I've decided it's time to look at other printer brands.  I've
been buying HP's almost exclusively for over a decade, so I'm starting
from scratch.  There are so many brands that even a product field
survey is non-trivial: Dell, Samsung, Canon, Epson, IBM/Lexmark,
Xerox, Ricoh, Sharp, Toshiba, Panasonic, just to name a few.
Recommendations?  Opinions?  Horror stories?

 Relatively small company, roughly 75 workstations.  Mostly
monochrome laser printers serving workgroups of 5-10 people.  Typical
volume might be 1K-3K pages/month.  A couple color laser printers
serving supersets of same.

 A few bigwigs have color inkjets in their office, because of course
they're too important to have to walk out to the printer in the hall,
but they also don't want to clutter up their fancy mahogany office
furniture with a larger laser printer that might actually work.  For
example, the Director of HR.  Since she works with personal/private
stuff, she wanted one of those print/scan/copy/fax jobs (reasonable, I
guess).  The supposedly high-end HP inkjet we bought has been a
disaster, which is why I'm here.

 Almost every printer we have is network-attached (easier to manage,
they roam with the user profile if hardware is changed, enables the
frequent requests to share printers).  As I recall from some
experience a few years ago, that seems to be a common failing with
many brands.  Even if they have a network jack, functionality/features
are severely reduced over the network.

 One thing I really dislike is printers which require special
software installation to the tune of hundreds of megabytes, a few
startup programs, a dozen desktop icons, and their own support,
update, and maintenance hassles.  Windows has APIs for printing and
scanning; if we stick to those, support and training are so much
easier.

 Thoughts?

-- Ben


Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 10:02 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
>> > It's not actually that rare.
>
> ... everything that wants to tunnel over 443 will use SSL/TLS ...

  Yah, that's why I wrote "You don't know what the SSL tunnel is being
used to carry" immediately after that.  ;-)

-- Ben



RE: Printer brand recommendations

2008-01-30 Thread gsweers
No you are able to get most cartridges now through Staples.   

 

From: Jonathan Link [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:24 PM
To: NT System Admin Issues
Subject: Re: Printer brand recommendations

 


I'll concur with what Don Ely said, but that being the case, you have to
mitigate the downside.

High end inkjets are oxymoronic.

From what you describe, in my opinion, you haven't sized your printers
appropriately to the job they are to perform.

Get the bigwigs a personal laser printer, they'll be happier with
improved availability, you'll have less support headaches.

I only ever install the driver for a printer, despite what comes with
it.  Depending on the end user, I'll leave it to them to install the
rest of the crap that comes with the printer.

 

IIRC Dell started making their cartridges proprietary and unavailable
anywhere but from Dell.  Is this still the case?

 

-Jonathan

On Jan 29, 2008 11:25 PM, Ben Scott <[EMAIL PROTECTED]> wrote:

Howdy list,

 So, after some truly abysmal tech support experiences with HP this
month, I've decided it's time to look at other printer brands.  I've
been buying HP's almost exclusively for over a decade, so I'm starting
from scratch.  There are so many brands that even a product field
survey is non-trivial: Dell, Samsung, Canon, Epson, IBM/Lexmark,
Xerox, Ricoh, Sharp, Toshiba, Panasonic, just to name a few.
Recommendations?  Opinions?  Horror stories?

 Relatively small company, roughly 75 workstations.  Mostly
monochrome laser printers serving workgroups of 5-10 people.  Typical
volume might be 1K-3K pages/month.  A couple color laser printers
serving supersets of same.

 A few bigwigs have color inkjets in their office, because of course
they're too important to have to walk out to the printer in the hall,
but they also don't want to clutter up their fancy mahogany office
furniture with a larger laser printer that might actually work.  For
example, the Director of HR.  Since she works with personal/private
stuff, she wanted one of those print/scan/copy/fax jobs (reasonable, I
guess).  The supposedly high-end HP inkjet we bought has been a
disaster, which is why I'm here.

 Almost every printer we have is network-attached (easier to manage,
they roam with the user profile if hardware is changed, enables the
frequent requests to share printers).  As I recall from some
experience a few years ago, that seems to be a common failing with
many brands.  Even if they have a network jack, functionality/features
are severely reduced over the network.

 One thing I really dislike is printers which require special
software installation to the tune of hundreds of megabytes, a few
startup programs, a dozen desktop icons, and their own support,
update, and maintenance hassles.  Windows has APIs for printing and
scanning; if we stick to those, support and training are so much
easier.

 Thoughts?

-- Ben


Re: Printer brand recommendations

2008-01-30 Thread Jonathan Link
I'll concur with what Don Ely said, but that being the case, you have to
mitigate the downside.
High end inkjets are oxymoronic.
From what you describe, in my opinion, you haven't sized your printers
appropriately to the job they are to perform.
Get the bigwigs a personal laser printer, they'll be happier with improved
availability, you'll have less support headaches.

I only ever install the driver for a printer, despite what comes with it.
 Depending on the end user, I'll leave it to them to install the rest of the
crap that comes with the printer.

IIRC Dell started making their cartridges proprietary and unavailable
anywhere but from Dell.  Is this still the case?

-Jonathan
On Jan 29, 2008 11:25 PM, Ben Scott <[EMAIL PROTECTED]> wrote:

> Howdy list,
>
>  So, after some truly abysmal tech support experiences with HP this
> month, I've decided it's time to look at other printer brands.  I've
> been buying HP's almost exclusively for over a decade, so I'm starting
> from scratch.  There are so many brands that even a product field
> survey is non-trivial: Dell, Samsung, Canon, Epson, IBM/Lexmark,
> Xerox, Ricoh, Sharp, Toshiba, Panasonic, just to name a few.
> Recommendations?  Opinions?  Horror stories?
>
>  Relatively small company, roughly 75 workstations.  Mostly
> monochrome laser printers serving workgroups of 5-10 people.  Typical
> volume might be 1K-3K pages/month.  A couple color laser printers
> serving supersets of same.
>
>  A few bigwigs have color inkjets in their office, because of course
> they're too important to have to walk out to the printer in the hall,
> but they also don't want to clutter up their fancy mahogany office
> furniture with a larger laser printer that might actually work.  For
> example, the Director of HR.  Since she works with personal/private
> stuff, she wanted one of those print/scan/copy/fax jobs (reasonable, I
> guess).  The supposedly high-end HP inkjet we bought has been a
> disaster, which is why I'm here.
>
>  Almost every printer we have is network-attached (easier to manage,
> they roam with the user profile if hardware is changed, enables the
> frequent requests to share printers).  As I recall from some
> experience a few years ago, that seems to be a common failing with
> many brands.  Even if they have a network jack, functionality/features
> are severely reduced over the network.
>
>  One thing I really dislike is printers which require special
> software installation to the tune of hundreds of megabytes, a few
> startup programs, a dozen desktop icons, and their own support,
> update, and maintenance hassles.  Windows has APIs for printing and
> scanning; if we stick to those, support and training are so much
> easier.
>
>  Thoughts?
>
> -- Ben
>

Re: L2TP vs. SSTP

2008-01-30 Thread Kurt Buff
On Jan 30, 2008 6:56 PM, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 9:17 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> > The only cure is an application proxy that actually understands the
> > protocols, and enforces them, and that's nearly unobtainable.
>
>   It's not actually that rare.  It's a Simple Matter of Programming to
> confirm that the traffic on TCP/443 actually is SSL.  (As I'm sure Tom
> will point out, ISA Server can do this (I believe)).  The real problem
> is that SSL, by design and intent, prevents you from looking inside
> the secure tunnel.  (If it didn't, it wouldn't be very secure, now
> would it?)  You don't know what the SSL tunnel is being used to carry.
>  Could be HTTP.  Could be a backdoor to an attacker.

SMOP? Not quite - I don't know of any application proxy that actually
does well with all of the verbs, etc., in the HTTP suite, especially
when you throw javascript, xml, activeX controls, etc., etc., etc. at
it. I do know of at least one firewall that will decrypt SSL as it
passes through, though, for inspection purposes - of course, that
means some tricky work with certs, but even assuming that, you have
the underlying protocol that's being tunneled, and if it's not HTTP,
then it gets really tricky. For instance, how about RPC/HTTPS?
Basically, it's MAPI over SSL - know any good application layer
proxies for that, which will robustly interpret and enforce correct
semantics for that protocol? I'll bet even ISA won't do what we really
want it to do for enforcement of MAPI over SSL.

>   Default deny with whitelisting of SSL sites is one approach, but
> that's an obvious hassle.

Yes, and I'm nearly ready to go there.

>   Approaches which explicitly open the payload to trusted inspection
> have been proposed.  The idea is, have the client software create an
> SSL tunnel to the proxy.  Using a special protocol over that
> connection, the client requests an SSL tunnel to the real destination.
>  The proxy creates that SSL tunnel.  The client then sends the payload
> (without further encryption) over the tunnel to the proxy, which can
> inspect it and (if it passes inspection) forward it over its own SSL
> tunnel.

Special protocol - ye gods, another one? Will it have its BNF diagram
ready to go?

>   The problem is there are no standards for this (that I'm aware of),
> and there are cases which are non-trivial to handle.  (What if the
> remote's CA is unknown?  What about client certificates?)  Even if we
> get standards, adoption is going to take some time.  There are also
> obvious security implications with deliberately defeating the
> end-to-end security model.  Presumably one can manage that risk
> internally, but it's still an issue.
>
> -- Ben

I say, let's kill all the users - then we'll have good security, eh? :)

Or maybe just the programmers. Or protocol designers, or ...  :):)

It's terribly frustrating.

Kurt



Re: VMWARE ESX QUESTION

2008-01-30 Thread Kurt Buff
Youth passes - immaturity is forever...

On Jan 30, 2008 7:03 PM, Tom Strader <[EMAIL PROTECTED]> wrote:
>
> HA, I remember doing that as a kid, I thought you were through that stage
> Shook?
>
>
>
>  
>
>
> From: Andy Shook [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 5:34 PM
>
>  To: NT System Admin Issues
>  Subject: FW: VMWARE ESX QUESTION
>
>
>
>
>
>
>
>
> No it doesn't, I use that to burn ants on my lunch break. :-)
>
>
>
>
> Andy
>
>  
>
>
> From: Tim Vander Kooi [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 5:20 PM
>
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
>
> That explains the magnifying glass in his desk drawer.


RE: VMWARE ESX QUESTION

2008-01-30 Thread Tom Strader
HA, I remember doing that as a kid, I thought you were through that
stage Shook?

 



From: Andy Shook [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 5:34 PM
To: NT System Admin Issues
Subject: FW: VMWARE ESX QUESTION

 

 

 

No it doesn't, I use that to burn ants on my lunch break. :-) 

 

Andy



From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 5:20 PM
To: NT System Admin Issues
Subject: RE: VMWARE ESX QUESTION

 

 

That explains the magnifying glass in his desk drawer.

 

   

 

 





 



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer
-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 1:57 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 9:17 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
>> The only cure is an application proxy that actually understands the
>> protocols, and enforces them, and that's nearly unobtainable.
>
> It's not actually that rare.  It's a Simple Matter of Programming to
> confirm that the traffic on TCP/443 actually is SSL.

I'm pretty sure just about any decent proxy will do this.

But because it's so trivial to implement TLS/SSL support, just about everything 
that wants to tunnel over 443 will use SSL/TLS, and I think that's what Kurt 
was getting at.

Once the traffic is actually secured using SSL/TLS there really isn't any way, 
at the moment, to work out what is inside that channel. SSL/TLS is designed to 
be resistant to "man-in-the-middle" attacks, so unless the client co-operates, 
you can't look inside the traffic. And when you have 
outsiders/contractors/consultants/etc on your network, you need to find 
alternate ways of protecting your assets - separate networks, or Rights 
Management or whatever.

Cheers
Ken



Re: Printer brand recommendations

2008-01-30 Thread Ben Scott
  Apropos to this thread, I can *so* sympathize with this soldier:

http://www.youtube.com/watch?v=dodPR7h_ytI

  >:->

-- Ben



Re: L2TP vs. SSTP

2008-01-30 Thread Ben Scott
On Jan 30, 2008 9:17 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> The only cure is an application proxy that actually understands the
> protocols, and enforces them, and that's nearly unobtainable.

  It's not actually that rare.  It's a Simple Matter of Programming to
confirm that the traffic on TCP/443 actually is SSL.  (As I'm sure Tom
will point out, ISA Server can do this (I believe)).  The real problem
is that SSL, by design and intent, prevents you from looking inside
the secure tunnel.  (If it didn't, it wouldn't be very secure, now
would it?)  You don't know what the SSL tunnel is being used to carry.
 Could be HTTP.  Could be a backdoor to an attacker.

  Default deny with whitelisting of SSL sites is one approach, but
that's an obvious hassle.

  Approaches which explicitly open the payload to trusted inspection
have been proposed.  The idea is, have the client software create an
SSL tunnel to the proxy.  Using a special protocol over that
connection, the client requests an SSL tunnel to the real destination.
 The proxy creates that SSL tunnel.  The client then sends the payload
(without further encryption) over the tunnel to the proxy, which can
inspect it and (if it passes inspection) forward it over its own SSL
tunnel.

  The problem is there are no standards for this (that I'm aware of),
and there are cases which are non-trivial to handle.  (What if the
remote's CA is unknown?  What about client certificates?)  Even if we
get standards, adoption is going to take some time.  There are also
obvious security implications with deliberately defeating the
end-to-end security model.  Presumably one can manage that risk
internally, but it's still an issue.

-- Ben
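
The check Ben describes (confirming that what arrives on TCP/443 really is SSL), as an added example that is not part of the original post: Python that classifies the first client bytes of a connection as an SSLv3/TLS ClientHello, an SSLv2-compatible hello, or something else. The function names, the acceptance thresholds and the sample byte strings are constructed for illustration.

```python
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE"}
TLS_HANDSHAKE = 0x16   # record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
MAX_RECORD = 2 ** 14   # largest plaintext record the protocol allows


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a TCP/443 connection.

    Returns "tls", "sslv2", "http", "ssh", "incomplete" or "unknown".
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"  # cleartext HTTP on the SSL port
    if len(data) < 9:
        return "incomplete"  # caller should wait for more bytes

    # SSLv3/TLS record header: type(1) version(2) length(2),
    # followed by handshake type(1) and handshake length(3).
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype == TLS_HANDSHAKE and major == 3 and minor <= 4:
        hs_type = data[5]
        hs_len = int.from_bytes(data[6:9], "big")
        # A ClientHello body holds at least version(2) + random(32).
        if 0 < rec_len <= MAX_RECORD and hs_type == CLIENT_HELLO and hs_len >= 34:
            return "tls"
        return "unknown"

    # SSLv2-compatible hello: 2-byte header with the high bit set,
    # message type 1, then the highest version the client supports.
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        v2_len = ((data[0] & 0x7F) << 8) | data[1]
        version = (data[3], data[4])
        if v2_len >= 9 and version in {(0, 2), (3, 0), (3, 1), (3, 2), (3, 3)}:
            return "sslv2"
    return "unknown"


def allowed_on_443(data: bytes) -> bool:
    """Gate decision: only streams that open with an SSL/TLS hello pass."""
    return classify_first_bytes(data) in {"tls", "sslv2"}


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.0 ClientHello (all-zero random, one suite)."""
    body = (b"\x03\x01" + bytes(32)      # client version, random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00")               # null compression
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def build_sslv2_hello() -> bytes:
    """Constructed SSLv2-compatible hello offering TLS 1.0."""
    msg = (b"\x01" + b"\x03\x01"         # message type, version
           + b"\x00\x03" + b"\x00\x00" + b"\x00\x10"  # spec/session/challenge lengths
           + b"\x00\x00\x2f" + bytes(16))             # one cipher spec, challenge
    return bytes([0x80 | (len(msg) >> 8), len(msg) & 0xFF]) + msg


# Constructed sample inputs, one per outcome.
SAMPLES = {
    "tls_hello": build_client_hello(),
    "sslv2_hello": build_sslv2_hello(),
    "ssh_banner": b"SSH-2.0-OpenSSH_4.7\r\n",
    "plain_http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "wrong_handshake": b"\x16\x03\x01\x00\x2d\x02" + bytes(10),
    "short_read": b"\x16\x03",
}


def classify_samples() -> dict:
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16} {verdict:10} allowed={allowed_on_443(SAMPLES[name])}")
```

A "tls" verdict only says the stream opens with a well-formed handshake; as the post goes on to say, it tells you nothing about what the tunnel then carries.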



Re: L2TP vs. SSTP

2008-01-30 Thread Kurt Buff
This is not a new thought, you know.

If you have subscribed to the Firewall Wizards mailing list over the
past, oh, 8 or 10 years, you'll note that folks like Marcus Ranum, and
a whole host of others, have been bitching about this for a long time.

The only cure is an application proxy that actually understands the
protocols, and enforces them, and that's nearly unobtainable.

It's now down to defense in depth, and protecting every asset on the
network, if you can get away with it. Default deny and least privilege
rule. Wish I could actually implement that at $EMPLOYER as I would
prefer, though we *are* moving in that direction - just too slowly for
my taste.

Kurt

On Jan 30, 2008 5:30 PM, Carl Houseman <[EMAIL PROTECTED]> wrote:
> One starts to wonder, what's the point of outbound firewall security if
> everybody is bypassing it on port 80 or 443 to do whatever they want?
>
> Carl
>
> -Original Message-
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 8:26 PM
> To: NT System Admin Issues
>
> Subject: RE: L2TP vs. SSTP
>
> One operates at the IP layer
> One operates at the TCP layer
>
> Both use certificates for authentication and encryption.
>
> But I suppose that SSL VPN products are popular now because port 443 is seen
> as the "universal firewall bypass" port, and so setting up SSTP (or similar
> SSL VPN product) and having roaming clients be able to access your server
> may be the easiest to do.
>
> Cheers
> Ken
>
> -Original Message-
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 31 January 2008 12:22 PM
> To: NT System Admin Issues
> Subject: L2TP vs. SSTP
>
> Windows Server 2008 is supposed to come out with Secure Socket Tunneling
> Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
> this versus L2TP?  Thanks for your help.
>
> Curt
>


RE: MCP Welcome Kit - Cheap Looking

2008-01-30 Thread Mike Semon
I remember when we used to get beta software and all kinds of goodies. I got
a beta copy of terminal server. Should have saved it as a collector's item.

 

Mike

 


From: Phil Guevara [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 8:03 PM
To: NT System Admin Issues
Subject: MCP Welcome Kit - Cheap Looking

 

 

Anyone else think the MCP welcome kits got kinda cheap looking?

 

When I first got my mcp, I got a pin, a nice certificate and it came in a
secure box.

 

Now when I received my mcse recently, the certificate changed and looks soo
cheap.  The seal of approval looks cheesy and it came in a flimsy carton
that bends easily so the certificate arrives all bent up.

 

I worked really hard for this, despite the many paper mcse's out there, and
I just thought they should improve it instead of make it look worse.  Anyone
else feel the same way??

 

-Phil

 

 







 



MCP Welcome Kit - Cheap Looking

2008-01-30 Thread Phil Guevara
Anyone else think the MCP welcome kits got kinda cheap looking?
 
When I first got my mcp, I got a pin, a nice certificate and it came in
a secure box.
 
Now when I received my mcse recently, the certificate changed and looks
soo cheap.  The seal of approval looks cheesy and it came in a flimsy
carton that bends easily so the certificate arrives all bent up.
 
I worked really hard for this, despite the many paper mcse's out there,
and I just thought they should improve it instead of make it look worse.
Anyone else feel the same way??
 
-Phil


Re: L2TP & Certificate server

2008-01-30 Thread Ben Scott
On Jan 30, 2008 8:13 PM, Jim Dandy <[EMAIL PROTECTED]> wrote:
> Is there a problem with buying certificates instead of running
> a certificate server?

  "Problem"?  No, VeriSign or whoever will gladly take your money if
you insist on giving it to them.  But setting up a self-hosted CA is
pretty easy, so I'd say it's worth it.

> I'm guessing it would NOT be a good idea to have the VPN server double as
> the certificate server (although that's what I'd like to do).

  Well, like everything in security, it's a risk management decision.
Putting the CA on the VPN gateway means if someone compromises the VPN
gateway they can make new certificates that claim to be you.  On the
other hand, if you're only using certs for VPN access, maybe that
doesn't matter -- maybe compromising one would mean the other is
compromised, too.  (It would depend on the details of the compromise
-- it might be that a certain exposure lets someone steal the private
key but not tamper with the VPN itself).

  The other extreme would be to put the CA on a network-disconnected
machine and only exchange CSRs (certificate signing requests) and
certs via sneakernet.  If you're only doing a small number of certs,
that might even be practical.  Recycle an old computer, and there are
free CA software kits if you don't have the Windows license.

  Somewhere in-between would be putting the CA on another computer in
your organization.  That includes the Active Directory-based
"Enterprise CA" that Tom Shinder mentioned.  (And he didn't even
mention ISA Server.  Way to go Tom!  ;-)  )

  If it's a small, low-profile organization without anything of
particular interest, it's likely that they have much bigger problems
to worry about than the CA getting compromised.

-- Ben



RE: L2TP & Certificate server

2008-01-30 Thread Thomas W Shinder
Hi Jim,

Consider using an Enterprise CA, then you can use autoenrollment to
assign computer certificates to your domain members so that they can use
L2TP/IPSec. You can also use your CA to assign User Certificates if you
want to further increase your security by using EAP User Certificate
Authentication.

Also, you can use EAP User Certificate Authentication for your SSTP VPN
server, if you're planning on upgrading your VPN server to Windows
Server 2008.

As for securing your Certificate Server, if you're using Win2003, check
out the Security Configuration Wizard for some good suggestions (and
implement those suggestions for you too). If you're using Windows 2008
for your CA, then Server Manager's Role Installation Wizard will
automatically deploy security best practices and there's no need to run
the SCW.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -Original Message-
> From: Jim Dandy [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 7:14 PM
> To: NT System Admin Issues
> Subject: L2TP & Certificate server
> 
> From what I've read about Windows Server 2003, you have to have a
> certificate server to implement L2TP/IPSec.  I don't expect to have many
> VPN clients.  Is there a problem with buying certificates instead of
> running a certificate server?  If I was to run my own certificate
> server, what best practices should I follow to keep it secure?  I'm
> guessing it would NOT be a good idea to have the VPN server double as
> the certificate server (although that's what I'd like to do).  I'm
> looking at implementing L2TP instead of PPTP because of the extra
> security it provides but It wouldn't do much good to have the extra
> security if my certificate server wasn't secure.
> 
> Thanks for your help.
> 
> Curt
> 


Re: FYI (vLite)

2008-01-30 Thread Ben Scott
On Jan 30, 2008 7:37 PM, Ken Schaefer <[EMAIL PROTECTED]> wrote:
> Um - so what happens when you upgrade a Windows NT box to Windows 2000 to
> Windows 2003? It'll still be using winnt.

  Yah, which might make things interesting.  Indeed, I recall seeing
at least one MSKB article about just that.  Some
update/add-on/whatever assumed Windows 2003 meant C:\WINDOWS and so
looked in the wrong place on an upgraded system.  There was a fix,
though I don't recall the details.  Likely either a registry tweak or
reissued update.

> Personally I haven't seen anything major stop working because I didn't use 
> c:\windows.

  Well, for the record, I've never seen anything major (from
Microsoft) stop working because of it, either.  I expect smaller or
more esoteric stuff is more likely to not get well tested, or be given
to less savvy teams inside Microsoft.

  Now, third-party software, that's another thing entirely.
Especially back when original Windows (not the NT line) was more
common; a lot of crappy third party vendors assumed C:\WINDOWS for
everything.  But I'm sure we all know there's no limit to how *bad*
software can get.  :)

-- Ben



RE: L2TP vs. SSTP

2008-01-30 Thread Thomas W Shinder
Hi Carl,

You can control outbound access if you're using a proxy based or
integrated stateful packet inspection and proxy based firewall. That's a
nice thing about the ISA Firewall. The CONNECT request sent by the SSTP
client has a special HTTP header called SSTPVERSION. The value for this
header is 1.0. You can use your Web proxy configuration (like an ISA
Firewall's HTTP Security Filter) to block it. In contrast, if you're not
using a Web proxy enabled firewall, then you're right -- everyone can
bypass your security controls on the SSTP VPN outbound.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -Original Message-
> From: Carl Houseman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 7:30 PM
> To: NT System Admin Issues
> Subject: RE: L2TP vs. SSTP
> 
> One starts to wonder, what's the point of outbound firewall security if
> everybody is bypassing it on port 80 or 443 to do whatever they want?
> 
> Carl
> 
> -Original Message-
> From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 8:26 PM
> To: NT System Admin Issues
> Subject: RE: L2TP vs. SSTP
> 
> One operates at the IP layer
> One operates at the TCP layer
> 
> Both use certificates for authentication and encryption.
> 
> But I suppose that SSL VPN products are popular now because port 443 is seen
> as the "universal firewall bypass" port, and so setting up SSTP (or similar
> SSL VPN product) and having roaming clients be able to access your server
> may be the easiest to do.
> 
> Cheers
> Ken
> 
> -Original Message-
> From: Jim Dandy [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 31 January 2008 12:22 PM
> To: NT System Admin Issues
> Subject: L2TP vs. SSTP
> 
> Windows Server 2008 is supposed to come out with Secure Socket Tunneling
> Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
> this versus L2TP?  Thanks for your help.
> 
> Curt
> 
> 
> 
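
The header rule Tom describes above, as an added example that is not from the original post and is not ISA Server configuration: Python that parses a proxy request head and denies a CONNECT carrying the SSTPVERSION header. The host name vpn.example.com, the function names and the fail-closed handling of malformed heads are assumptions.

```python
# Header names are compared in lower case because HTTP header names are
# case-insensitive. SSTPVERSION is the header named in the post.
BLOCKED_CONNECT_HEADERS = {"sstpversion"}


def parse_request_head(raw: bytes):
    """Parse an HTTP request head into (method, target, [(name, value), ...]).

    Raises ValueError on anything that is not a cleanly formed head, so the
    caller can fail closed instead of guessing.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts

    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("folded header line")
        name, colon, value = line.partition(":")
        # Whitespace around the name is a classic way to slip a header
        # past a filter that the next hop still honours, so reject it.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, headers


def evaluate_request(raw: bytes):
    """Return (decision, reason) for one request head seen by the proxy."""
    try:
        method, target, headers = parse_request_head(raw)
    except ValueError as exc:
        return "deny", f"unparseable: {exc}"
    if method != "CONNECT":
        return "allow", "not a tunnel request"
    for name, value in headers:
        if name in BLOCKED_CONNECT_HEADERS:
            return "deny", f"{name}={value}"
    return "allow", f"CONNECT to {target} without blocked headers"


# Constructed request heads (vpn.example.com is a placeholder host).
SSTP_CONNECT = (b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
                b"Host: vpn.example.com:443\r\n"
                b"SSTPVERSION: 1.0\r\n\r\n")
MIXED_CASE = (b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
              b"sstpVersion:1.0\r\n\r\n")
PLAIN_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                 b"Host: www.example.com:443\r\n\r\n")
SPACED_NAME = (b"CONNECT vpn.example.com:443 HTTP/1.1\r\n"
               b"SSTPVERSION : 1.0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("sstp", SSTP_CONNECT), ("mixed case", MIXED_CASE),
                       ("plain", PLAIN_CONNECT), ("spaced name", SPACED_NAME)]:
        print(label, evaluate_request(raw))
```

The rule matches only clients that announce themselves with the header; other traffic tunneled through CONNECT is the gap the rest of the thread discusses.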



RE: L2TP vs. SSTP

2008-01-30 Thread Thomas W Shinder
Hi Jim,

Check out my article series on this topic:

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part2.html

The first article provides the rationale for using SSTP and provides
information about how the protocol works and packet structure.

The second article is the beginning of the step by step configuration
procedure.

SSTP's major advantage is that it works through firewalls that block
L2TP/IPSec and PPTP. Since SSTP is essentially PPP/SSL, there's
an HTTP header that encapsulates the payload. Why is this good? Because it
enables SSTP to work through both stateful packet inspection firewalls
AND Web Proxy devices.

I've been really impressed with the work that the RRAS group has done
with this protocol and if you want to find even more information on it,
check out the RRAS blog at http://blogs.technet.com/rrasblog/

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -Original Message-
> From: Jim Dandy [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 7:22 PM
> To: NT System Admin Issues
> Subject: L2TP vs. SSTP
> 
> Windows Server 2008 is supposed to come out with Secure Socket Tunneling
> Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
> this versus L2TP?  Thanks for your help.
> 
> Curt
> 


RE: L2TP vs. SSTP

2008-01-30 Thread Carl Houseman
One starts to wonder, what's the point of outbound firewall security if
everybody is bypassing it on port 80 or 443 to do whatever they want? 

Carl

-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 8:26 PM
To: NT System Admin Issues
Subject: RE: L2TP vs. SSTP

One operates at the IP layer
One operates at the TCP layer

Both use certificates for authentication and encryption.

But I suppose that SSL VPN products are popular now because port 443 is seen
as the "universal firewall bypass" port, and so setting up SSTP (or similar
SSL VPN product) and having roaming clients be able to access your server
may be the easiest to do.

Cheers
Ken

-Original Message-
From: Jim Dandy [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 12:22 PM
To: NT System Admin Issues
Subject: L2TP vs. SSTP

Windows Server 2008 is supposed to come out with Secure Socket Tunneling
Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
this versus L2TP?  Thanks for your help.

Curt



RE: L2TP vs. SSTP

2008-01-30 Thread Ken Schaefer
One operates at the IP layer
One operates at the TCP layer

Both use certificates for authentication and encryption.

But I suppose that SSL VPN products are popular now because port 443 is seen as
the "universal firewall bypass" port, and so setting up SSTP (or similar SSL
VPN product) and having roaming clients be able to access your server may be the
easiest to do.

Cheers
Ken

-Original Message-
From: Jim Dandy [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 12:22 PM
To: NT System Admin Issues
Subject: L2TP vs. SSTP

Windows Server 2008 is supposed to come out with Secure Socket Tunneling
Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
this versus L2TP?  Thanks for your help.

Curt



RE: L2TP & Certificate server

2008-01-30 Thread Carl Houseman
You do not need certificates nor certificate server.  You can do L2TP/IPSEC
with PSKs. 

That is not a recommendation for/against PSK-based IPSEC VPN, you'll have to
make that judgement based on your own needs.

Carl 

-Original Message-
From: Jim Dandy [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 8:14 PM
To: NT System Admin Issues
Subject: L2TP & Certificate server

From what I've read about Windows Server 2003, you have to have a
certificate server to implement L2TP/IPSec.  I don't expect to have many
VPN clients.  Is there a problem with buying certificates instead of
running a certificate server?  If I was to run my own certificate
server, what best practices should I follow to keep it secure?  I'm
guessing it would NOT be a good idea to have the VPN server double as
the certificate server (although that's what I'd like to do).  I'm
looking at implementing L2TP instead of PPTP because of the extra
security it provides but It wouldn't do much good to have the extra
security if my certificate server wasn't secure.

Thanks for your help.

Curt



RE: IUSR_SERVER

2008-01-30 Thread Ken Schaefer
-Original Message-
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 12:22 PM
To: NT System Admin Issues
Subject: Re: IUSR_SERVER

- Original Message -
From: "Ken Schaefer"
Subject: RE: IUSR_SERVER


> > b) You can manually create this account if you want, but you need to
> > manually assign the correct permissions, groups etc.
>
> Why not simply rename the account and maintain the permissions?

There's no reason why you can't do that.

But OP asked "is there any reason this account can't be manually created", to 
which the answer is "no, but..."

Cheers
Ken



L2TP vs. SSTP

2008-01-30 Thread Jim Dandy
Windows Server 2008 is supposed to come out with Secure Socket Tunneling
Protocol (SSTP).  Does anyone know the advantages/disadvantages of using
this versus L2TP?  Thanks for your help.

Curt



Re: IUSR_SERVER

2008-01-30 Thread Jim McAtee
- Original Message - 
From: "Ken Schaefer"

Subject: RE: IUSR_SERVER


> b) You can manually create this account if you want, but you need to
> manually assign the correct permissions, groups etc.


Why not simply rename the account and maintain the permissions? 





L2TP & Certificate server

2008-01-30 Thread Jim Dandy
From what I've read about Windows Server 2003, you have to have a
certificate server to implement L2TP/IPSec.  I don't expect to have many
VPN clients.  Is there a problem with buying certificates instead of
running a certificate server?  If I was to run my own certificate
server, what best practices should I follow to keep it secure?  I'm
guessing it would NOT be a good idea to have the VPN server double as
the certificate server (although that's what I'd like to do).  I'm
looking at implementing L2TP instead of PPTP because of the extra
security it provides but It wouldn't do much good to have the extra
security if my certificate server wasn't secure.

Thanks for your help.

Curt



RE: VMWARE ESX QUESTION

2008-01-30 Thread Joseph L. Casale
Damn!

-Original Message-
From: Steven Peck [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 5:02 PM
To: NT System Admin Issues
Subject: Re: VMWARE ESX QUESTION

We had 7 DL580's but replaced them a month ago with

Two 3 server clusters for production consisting of
HP Blade servers 680c G5.
.. 4 Intel 2.6Ghz quad core,
.. 56 GB ram
.. 12 GB Nic

Running VMWare 3.02 I think.

Our pre-production / various test environments are bigger.

Steven

On Jan 30, 2008 7:15 AM, Andy Shook <[EMAIL PROTECTED]> wrote:
>
>
> 3 Dell PE servers with 16GB of RAM and 8 GB NICs, Three Cisco 3750 PoE
> switches (stacked) in the core, Equallogic iSCSI SAN and ESX 3.5.
>
> ASA 5510 going in today and Cisco Wireless LAN controller with lightweight
> APs being installed in two weeks after we move to our new headquarters
> building.
>
> Andy
>
>  
>
>
> From: René de Haas [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:58 AM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> Joking aside, what is that setup?
>
>
>
>
>
> From: Tom Strader [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 3:27 PM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> I'd love to have the setup that Shook has at his work.
>
>
>
> How do you spell  SWEET? ESX!!
>
>
>  
>
>
> From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:25 AM
>  To: NT System Admin Issues
>  Subject: Re: VMWARE ESX QUESTION
>
>
>  Where do you think Shook got his information
>
>  I've only used MS virtual stuff in a classroom environment.  I'm not
> impressed.  VMWare is years ahead of MS in the virtualization field.
>
>
> On Jan 30, 2008 8:17 AM, Tom Strader <[EMAIL PROTECTED]> wrote:
>
>
>
>
> So Sherry
>
>
>
> Have you tried MS Virtual Server? If so, in your expert opinion, which do
> you prefer and why?
>
>
>
> Shook I know why you like it!!
>
>
>  
>
>
>
>
> From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:02 AM
>  To: NT System Admin Issues
>  Subject: Re: VMWARE ESX QUESTION
>
>
>
>
>  Not ever seen any issues with having a DC on a virtual machine.  I've had
> DC's on GSX/ESX for probably 4 years now.  In production environment, it
> doesn't replace a physical box in my domain, but for redundancy it's great.
> We had to keep an old NT 4 domain around for years because of a legacy app
> and it worked great until we were finally able to shut it down.  I've got an
> entire test domain in ESX VMWare (DC's, Exchange, ISA, SharePoint,
> workstations etc) and it really works great.
>
>  Z, what you're looking to do, is very doable, and a very good option for DR.
>
>  The only reason we don't have our DC's on VMWare is because the IT manager
> didn't want it.  I would run it all virtual with absolute confidence that it
> would work just fine.
>
>  I really, really like VMWare ;)
>
>
> On Jan 30, 2008 7:47 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>
>
>
>
>
> Was looking to do Virtual AD controllers and put ESX box at off-site for DR
> purposes.
>
>
>
> Z
>
>
>
>
> Edward E. Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP,Security+,Network+,CCA
>
> Phone: 401-639-3505
>
>
> -Original Message-
>  From: René de Haas [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 8:41 AM
>  To: NT System Admin Issues
>
>
>
>
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
>
>
> Our AD controller is virtual as well. No problem.
>
>
>
>
>
> From: Jeff Frantz [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 2:23 PM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> Joe,
>
>
>
> I P2V'd my entire environment two years ago including two DCs, DNS and DHCP
> servers with no issues.
>
>
>
> -Jeff
>
>
>
>
>  
>
>
> From: Haralson, Joe (GE Indust, ES Asset Intelligence, consultant)
> [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 8:09 AM
>  To: NT System Admin Issues
>  Subject: VMWARE ESX QUESTION
>
>
>
>
>
> I currently have my Domain controller running Microsoft 2003 Enterprise with
> DNS, and a second box running Microsoft 2003 Enterprise acting as a print
> server and running DHCP. However, I would like to VM those boxes. I've
> virtualized lots of boxes in the past, just not to a Domain controller
> running DNS or a box running DHCP. Since Domain controllers, DNS and DHCP
> apps are such a big part of Microsoft Infrastructure, I wanted to know if
> anyone has run into any issues or had success doing a VM on a Domain
> controller with DNS or DHCP? Thanks in advance for your responses.
>
>
>
> Thanks,
>  Joe Haralson
>  Network Infrastructure team
>  Phone - 847-598-6737

RE: FYI (vLite)

2008-01-30 Thread Ken Schaefer
Um - so what happens when you upgrade a Windows NT box to Windows 2000 to 
Windows 2003? It'll still be using winnt.

Personally I haven't seen anything major stop working because I didn't use 
c:\windows.

I suppose you could try a symlink or something if you really got stuck.

Cheers
Ken

-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 4:06 AM
To: NT System Admin Issues
Subject: Re: FYI (vLite)

On Jan 30, 2008 11:41 AM, Rod Trent <[EMAIL PROTECTED]> wrote:
>>   It's been possible all along, it's just a lot of things (including
>> Microsoft's own stuff) assume C:\WINDOWS or C: and won't work if you
>> change things.
>
> That's not true.

  It is true.  (I can make empty statements, too.)

> The OS uses a %windir% variable that points to where the OS files are
> no matter what directory it is in.

  I'm aware of %WINDIR% and %SystemDrive%, thanks.  But there's stuff
that wrongly assumes certain locations.  Obviously deficient software,
but there's a lot of that out there, and some of it comes from
Microsoft.

  To pick an example I just saw mention of recently, the docs for the
recent SYSPREP releases say it should be run from C: drive only.
Maybe it might work elsewhere, but Microsoft says C: is the only way
to do it.  So maybe you should tell the people maintaining SYSPREP
about %SystemDrive%, eh?

  I've encountered random cases like this plenty of times over the
years.  The MSKB may "confirm that this is a problem in the Microsoft
products listed", but that doesn't really help you if you're stuck.

-- Ben



RE: IUSR_SERVER

2008-01-30 Thread Ken Schaefer
a) You can just rename the server. The old IUSR account will remain, and will 
continue to be used

b) You can manually create this account if you want, but you need to manually 
assign the correct permissions, groups etc.

Cheers
Ken

-Original Message-
From: David Lum [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 4:52 AM
To: NT System Admin Issues
Subject: IUSR_SERVER

This account is created when IIS is installed, right (actually
IUSR_)? Is there any reason this account can't be manually
created? I have a server that some developers want me to rename to quite
literally SERVER, then reload IIS so the IUSR_SERVER account gets
created. Seems asinine to me



Re: VMWARE ESX QUESTION

2008-01-30 Thread Steven Peck
We had 7 DL580's but replaced them a month ago with

Two 3 server clusters for production consisting of
HP Blade servers 680c G5.
.. 4 Intel 2.6Ghz quad core,
.. 56 GB ram
.. 12 GB Nic

Running VMWare 3.02 I think.

Our pre-production / various test environments are bigger.

Steven

On Jan 30, 2008 7:15 AM, Andy Shook <[EMAIL PROTECTED]> wrote:
>
>
> 3 Dell PE servers with 16GB of RAM and 8 GB NICs, Three Cisco 3750 PoE
> switches (stacked) in the core, Equallogic iSCSI SAN and ESX 3.5.
>
> ASA 5510 going in today and Cisco Wireless LAN controller with lightweight
> APs being installed in two weeks after we move to our new headquarters
> building.
>
> Andy
>
>  
>
>
> From: René de Haas [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:58 AM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> Joking aside, what is that setup?
>
>
>
>
>
> From: Tom Strader [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 3:27 PM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> I'd love to have the setup that Shook has at his work.
>
>
>
> How do you spell  SWEET? ESX!!
>
>
>  
>
>
> From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:25 AM
>  To: NT System Admin Issues
>  Subject: Re: VMWARE ESX QUESTION
>
>
>  Where do you think Shook got his information
>
>  I've only used MS virtual stuff in a classroom environment.  I'm not
> impressed.  VMWare is years ahead of MS in the virtualization field.
>
>
> On Jan 30, 2008 8:17 AM, Tom Strader <[EMAIL PROTECTED]> wrote:
>
>
>
>
> So Sherry
>
>
>
> Have you tried MS Virtual Server? If so, in your expert opinion, which do
> you prefer and why?
>
>
>
> Shook I know why you like it!!
>
>
>  
>
>
>
>
> From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 9:02 AM
>  To: NT System Admin Issues
>  Subject: Re: VMWARE ESX QUESTION
>
>
>
>
>  Not ever seen any issues with having a DC on a virtual machine.  I've had
> DC's on GSX/ESX for probably 4 years now.  In production environment, it
> doesn't replace a physical box in my domain, but for redundancy it's great.
> We had to keep an old NT 4 domain around for years because of a legacy app
> and it worked great until we were finally able to shut it down.  I've got an
> entire test domain in ESX VMWare (DC's, Exchange, ISA, SharePoint,
> workstations etc) and it really works great.
>
>  Z, what you're looking to do, is very doable, and a very good option for DR.
>
>  The only reason we don't have our DC's on VMWare is because the IT manager
> didn't want it.  I would run it all virtual with absolute confidence that it
> would work just fine.
>
>  I really, really like VMWare ;)
>
>
> On Jan 30, 2008 7:47 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>
>
>
>
>
> Was looking to do Virtual AD controllers and put ESX box at off-site for DR
> purposes.
>
>
>
> Z
>
>
>
>
> Edward E. Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP,Security+,Network+,CCA
>
> Phone: 401-639-3505
>
>
> -Original Message-
>  From: René de Haas [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 8:41 AM
>  To: NT System Admin Issues
>
>
>
>
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
>
>
> Our AD controller is virtual as well. No problem.
>
>
>
>
>
> From: Jeff Frantz [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 2:23 PM
>  To: NT System Admin Issues
>  Subject: RE: VMWARE ESX QUESTION
>
>
>
>
>
> Joe,
>
>
>
> I P2V'd my entire environment two years ago including two DCs, DNS and DHCP
> servers with no issues.
>
>
>
> -Jeff
>
>
>
>
>  
>
>
> From: Haralson, Joe (GE Indust, ES Asset Intelligence, consultant)
> [mailto:[EMAIL PROTECTED]
>  Sent: Wednesday, January 30, 2008 8:09 AM
>  To: NT System Admin Issues
>  Subject: VMWARE ESX QUESTION
>
>
>
>
>
> I currently have my Domain controller running Microsoft 2003 Enterprise with
> DNS, and a second box running Microsoft 2003 Enterprise acting as a print
> server and running DHCP. However, I would like to VM those boxes. I've
> virtualized lots of boxes in the past, just not to a Domain controller
> running DNS or a box running DHCP. Since Domain controllers, DNS and DHCP
> apps are such a big part of Microsoft Infrastructure, I wanted to know if
> anyone has run into any issues or had success doing a VM on a Domain
> controller with DNS or DHCP? Thanks in advance for your responses.
>
>
>
> Thanks,
>  Joe Haralson
>  Network Infrastructure team
>  Phone - 847-598-6737

Re: OT: FYI - Patriots beat the Giants in the Superbowl (34-14)

2008-01-30 Thread Micheal Espinola Jr

   lalalalalalalalala...


*pop!*

I'm sorry, what was that?  ;-)

On 1/30/08, Kent, Larry CTR USA IMCOM <[EMAIL PROTECTED]> wrote:
> It will be even funnier when the Pat lose...
>
> 
>
> From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 4:10 PM
> To: NT System Admin Issues
> Subject: Re: OT: FYI - Patriots beat the Giants in the Superbowl (34-14)
>
>
>
> LOL, that's funny.
>
>
> On Jan 30, 2008 3:01 PM, Micheal Espinola Jr <[EMAIL PROTECTED]>
> wrote:
>
>
>   
> http://www.boston.com/sports/football/patriots/articles/2008/01/30/pats_win_super_bowl_xlii__in_madden_nfl_08/
>   
>   --
>   ME2
>   
>   
>
>
>
>
> --
> Sherry Abercrombie
>
> "Reality is merely an illusion, albeit a persistent one."
> -Albert Einstein
>
>
>
>
>
>


-- 
ME2



FW: Nokia VPN question-SOLVED

2008-01-30 Thread Andy Shook
Since no one responded, I'll ass-u-me none of you slacker-jacks care but
I just want to let the collective know, that this is fixed; I fat
fingered an isakmp command in my ASA config.

Hooray Shook!

Shook
-Original Message-
From: Andy Shook 
Sent: Wednesday, January 30, 2008 3:53 PM
To: 'NT System Admin Issues'
Subject: Nokia VPN question

Anyone out there using a Nokia VPN appliance in production? 

Here's the deal.  Just cutover to a Cisco ASA-5510 from a Sonicwall 2040
(enhanced OS) and this one LAN-to-LAN tunnel will not establish phase 2.
Settings did not change and everything else is groovy.  Is there any
"feature" that is required for these two boxes to swap packets?  

Pullin' my hair out on this one.

Shook



RE: Question about TCP/IP properties in Terminal Services

2008-01-30 Thread Joseph L. Casale
Ok, I held off mentioning this because I didn't want to state the obvious that 
you already know:), but your server likely has two Nics...
How are they _both_ setup?

jlc

From: Aaron T. Rohyans [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 12:39 PM
To: NT System Admin Issues
Subject: Question about TCP/IP properties in Terminal Services


Hey all,

Just installed a new DC and got it all setup.  I statically set the IP from the 
console, but now when I remote into the box, the IP reverts back to DHCP.

Ipconfig /all still shows the correct static address, but TCP/IP properties on 
the NIC shows that it should be using DHCP (i.e. doesn't show the address I 
entered from the console).  Am I missing something here?  Wouldn't want this 
guy to get a new address without me knowing it :)

Thanks for any help!

Aaron T. Rohyans
Director of Information Systems
IDC-USA
[EMAIL PROTECTED]















RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Ken Schaefer
This can take a couple of cycles /if/ the latest WU/MU client isn't installed 
on your Windows Server 2003 box.

You can always go to the WindowsUpdate site and update the WU client manually 
(or install the Microsoft Update client).

After that, all you should need to do is:

Wuauclt /detectnow

And then look in the Windows Update.log file (note the space) to see what is 
happening. As someone noted, the initial detection can take a while and you 
don't see any icon during the detection process.

For the updates you approved - I assume you approved them for a group or for 
"all computers". The client isn't in the unassigned computers group or similar 
is it?

Cheers
Ken

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 January 2008 8:28 AM
To: NT System Admin Issues
Cc: [EMAIL PROTECTED]
Subject: How to run WindowsUpdate on demand, with WSUS v3?



So I've set up a WSUS v3 server. Following the examples, I have a GPO linked to 
a test OU, and a test machine in the OU. The test machine has the GPO applied, 
and so it knows to get its updates from the WSUS server ("gpresult" shows my 
GPO being applied). I have the GPO configured for "Notify for download, and 
notify for install", which is how the boss wants it; he wants to pick and 
choose which updates to apply and download, even beyond whatever ones I've 
marked as "Approved".

I've approved a number of the critical updates, and want to have my test server 
go and get them *now*, rather than on the scheduled time of 3AM.

I've tried "wuauclt /resetauthorization /detectnow" on the client machine, to 
no (seeming) effect.

So how can I go and get these updates now? When I do the "normal" way of 
WindowsUpdate (i.e., open a browser and go to 
"http://www.update.microsoft.com/"), it seems to actually go to the real MS 
site, and not just show me my small approved list of updates (for example, that 
way, I see the "Malicious Software Removal Tool", which I explicitly DECLINED 
as an update). So it doesn't seem to be actually going to my WSUS server. Yet 
the WSUS server knows about the client, and I can run a report from the WSUS 
server, and see the client. 

Any clues and pointers gratefully appreciated

--
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180













RE: VMWARE ESX QUESTION

2008-01-30 Thread Tim Vander Kooi
Sadist. :-P

 

From: Andy Shook [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 4:34 PM
To: NT System Admin Issues
Subject: FW: VMWARE ESX QUESTION

 

 

 

No it doesn't, I use that to burn ants on my lunch break. :-) 

 

Andy



From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 5:20 PM
To: NT System Admin Issues
Subject: RE: VMWARE ESX QUESTION

 

 

That explains the magnifying glass in his desk drawer.

 

   

 

 





 



FW: VMWARE ESX QUESTION

2008-01-30 Thread Andy Shook
 

No it doesn't, I use that to burn ants on my lunch break. :-) 

 

Andy



From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 5:20 PM
To: NT System Admin Issues
Subject: RE: VMWARE ESX QUESTION

 

 

That explains the magnifying glass in his desk drawer.

 

   


RE: duplicate duplicate messages messages

2008-01-30 Thread Tim Vander Kooi
That's not what Tom said. :-)

 

From: Andy Shook [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:17 AM
To: NT System Admin Issues
Subject: RE: duplicate duplicate messages messages

 

 

It wasn't funny when ME2 did it the first time.

 

Shook

http://www.linkedin.com/in/andyshook  



From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 11:12 AM
To: NT System Admin Issues
Subject: Re: duplicate duplicate messages messages

 


no no duplicate messages here

no no duplicate messages here

On Jan 30, 2008 9:52 AM, Micheal Espinola Jr <[EMAIL PROTECTED]>
wrote:

I think so

I think so


On Jan 30, 2008 9:58 AM, Klint Price - ArizonaITPro

<[EMAIL PROTECTED]> wrote:
>
> Am I the only one getting them?
>



--
ME2





-- 
Sherry Abercrombie

"Reality is merely an illusion, albeit a persistent one."
-Albert Einstein 











 
 


 

 





 



RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Sam Cayze
Note that the first scan for what updates are needed can take some time
(The icon will not show during the scan).
 
If that doesn't work, try this one:
 
rem *** FIXWSUS.CMD ***
net stop wuauserv

rem Re-register the Windows Update client DLLs
regsvr32 /s wuapi.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wucltui.dll
regsvr32 /s msxml3.dll

rem Clear the local update cache; stop if the folder cannot be entered
cd /d "%windir%\SoftwareDistribution" || exit /b 1
rd /s/q DataStore
mkdir DataStore
rd /s/q Download
mkdir Download

net start wuauserv

rem Fixes problem with client machines not showing up on the server due to imaging method
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
cls
@echo Triggering detection after resetting WSUS client identity
net stop "Automatic Updates"
net start "Automatic Updates"
wuauclt /resetauthorization /detectnow
echo susid set to unique>c:\wsusfix.txt
 
 



From: Christopher Boggs [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:49 PM
To: NT System Admin Issues
Subject: RE: How to run WindowsUpdate on demand, with WSUS v3?




 

 

There should be way more in your log than that.

 

Is there a Windows Update.log file as well?  (note the space)  

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:45 PM
To: NT System Admin Issues
Subject: RE: How to run WindowsUpdate on demand, with WSUS v3?

 



"Christopher Boggs" <[EMAIL PROTECTED]> wrote on 01/30/2008 04:38:00
PM:

> If you're still having issues after that, post the WindowsUpdate.log
> file (from your %windir%) 

2008-01-30 10:47:47  15:47:47   Success   IUCTL  Starting 
2008-01-30 10:47:47  15:47:47   Success   IUCTL  Shutting down 

This is after running the script. 

> Is the test system showing up in WSUS 

Yes. 

>, and has it reported its status yet? 

Says "Updates needed 41" on the pie chart, when I click on the computer
name in the group, on the WSUS console. 

Client is Win2003 Standard, if that helps. 
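
Added example, not part of any post in this thread: the script above deletes SusClientId for machines that do not show up "due to imaging method", and the original question concerns a GPO set to "Notify for download, and notify for install". The Python below parses `reg query` output to check the Automatic Updates policy values (WUServer, WUStatusServer, UseWUServer, AUOptions) and to list hosts that share one SusClientId; the host names, the http://wsus01 URL and the GUIDs are constructed sample data.

```python
import re
from collections import defaultdict

POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
CLIENT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
AU_OPTIONS = {2: "notify for download, notify for install",
              3: "auto download, notify for install",
              4: "auto download, scheduled install"}
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed `reg query` output template (not captured from a real machine).
SAMPLE = """
{policy}
    WUServer\tREG_SZ\t{server}
    WUStatusServer\tREG_SZ\t{server}

{policy}\\AU
    AUOptions\tREG_DWORD\t0x{opt:x}
    UseWUServer\tREG_DWORD\t0x{use:x}

{client}
    SusClientId\tREG_SZ\t{cid}
"""


def parse_reg_query(text):
    """Parse `reg query` output into {lower-cased key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, kind, data = m.groups()
            data = data.strip()
            current[name] = int(data, 16) if kind == "REG_DWORD" and data else data
    return keys


def check_client(reg, expected_server, expected_option=2):
    """Return a list of findings; an empty list means the policy looks right."""
    policy = reg.get(POLICY.lower(), {})
    au = reg.get((POLICY + r"\AU").lower(), {})
    findings = []
    want = expected_server.rstrip("/").lower()
    for name in ("WUServer", "WUStatusServer"):
        got = policy.get(name)
        if got is None or got.rstrip("/").lower() != want:
            findings.append(f"{name} is {got!r}, expected {expected_server!r}")
    if au.get("UseWUServer") != 1:
        # Without UseWUServer=1 the client ignores WUServer and uses Microsoft's site.
        findings.append("UseWUServer is not 1, so WUServer is not honoured")
    option = au.get("AUOptions")
    if option != expected_option:
        findings.append(f"AUOptions is {option!r} ({AU_OPTIONS.get(option, 'unknown')}), "
                        f"expected {expected_option}")
    return findings


def duplicate_client_ids(inventory):
    """Map each SusClientId used by more than one host to those hosts."""
    by_id = defaultdict(list)
    for host, reg in inventory.items():
        cid = reg.get(CLIENT.lower(), {}).get("SusClientId")
        if cid:
            by_id[cid.lower()].append(host)
    return {cid: sorted(hosts) for cid, hosts in by_id.items() if len(hosts) > 1}


def _host(server, opt, use, cid):
    return parse_reg_query(SAMPLE.format(policy=POLICY, client=CLIENT,
                                         server=server, opt=opt, use=use, cid=cid))


# Hypothetical hosts: IMG-A and IMG-B were cloned from one image.
INVENTORY = {
    "TEST01": _host("http://wsus01", 2, 1, "0f1e2d3c-0000-4000-8000-000000000001"),
    "IMG-A": _host("http://wsus01", 2, 1, "0f1e2d3c-0000-4000-8000-0000000000aa"),
    "IMG-B": _host("http://wsus01/", 4, 0, "0F1E2D3C-0000-4000-8000-0000000000AA"),
}

if __name__ == "__main__":
    for host, reg in INVENTORY.items():
        print(host, check_client(reg, "http://wsus01") or "policy OK")
    print("shared SusClientId:", duplicate_client_ids(INVENTORY))
```

On a real client the input would come from `reg query` run against the two policy keys and the CurrentVersion\WindowsUpdate key.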






 












RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Christopher Boggs
 

 

There should be way more in your log than that.

 

Is there a Windows Update.log file as well?  (note the space)  

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:45 PM
To: NT System Admin Issues
Subject: RE: How to run WindowsUpdate on demand, with WSUS v3?

 



"Christopher Boggs" <[EMAIL PROTECTED]> wrote on 01/30/2008 04:38:00
PM:

> If you're still having issues after that, post the WindowsUpdate.log
> file (from your %windir%) 

2008-01-30 10:47:47  15:47:47   Success   IUCTL  Starting 
2008-01-30 10:47:47  15:47:47   Success   IUCTL  Shutting down 

This is after running the script. 

> Is the test system showing up in WSUS 

Yes. 

>, and has it reported its status yet? 

Says "Updates needed 41" on the pie chart, when I click on the computer
name in the group, on the WSUS console. 

Client is Win2003 Standard, if that helps. 






 



RE: Ghosting SATA Drives - Working!

2008-01-30 Thread Roger Wright
CloneZilla is doing the job - and fast!

Thanks for all suggestions.


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


I'd give my right arm to be ambidextrous.


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 2:54 PM
To: NT System Admin Issues
Subject: RE: Ghosting SATA Drives

Thanks... trying Clonezilla now.


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


"New":  Different color from previous model.


-Original Message-
From: Angus Scott-Fleming [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 2:18 PM
To: NT System Admin Issues
Subject: Re: Ghosting SATA Drives

On 30 Jan 2008 at 14:09, Roger Wright wrote:

> I have several boxes to image.  My old copy of Ghost (8.0 or 2003) 
> doesn't support SATA drives.
> 
> How can I manage to do this when the drives are all SATA drives?  

CloneZilla.sourceforge.net among others.

--
Angus Scott-Fleming
http://www.geoapps.com/



RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Michael . Leone
"Christopher Boggs" <[EMAIL PROTECTED]> wrote on 01/30/2008 04:38:00 PM:

> If you're still having issues after that, post the WindowsUpdate.log
> file (from your %windir%)

2008-01-30 10:47:47  15:47:47   Success   IUCTL  Starting
2008-01-30 10:47:47  15:47:47   Success   IUCTL  Shutting down

This is after running the script.

> Is the test system showing up in WSUS

Yes.

>, and has it reported its status yet?

Says "Updates needed 41" on the pie chart, when I click on the computer 
name in the group, on the WSUS console.

Client is Win2003 Standard, if that helps.


RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Michael . Leone
"Sam Cayze" <[EMAIL PROTECTED]> wrote on 01/30/2008 04:31:51 PM:

> try this:
> 
> @echo off
> Echo This batch file will Force the Update Detection from the AU client:
> Echo 1. Stops the Automatic Updates Service (wuauserv)
> Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
> Echo 3. Deletes the DetectionStartTime registry key (if it exists)
> Echo 4. Deletes the NextDetectionTime registry key (if it exists)
> Echo 5. Restart the Automatic Updates Service (wuauserv)
> Echo 6. Force the detection
> Pause
> @echo on
> net stop wuauserv
> REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
> REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
> Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
> net start wuauserv
> wuauclt /detectnow
> @echo off
> Echo This AU client will now check for the Updates on the Local WSUS Server.
> Pause

Thanks. I didn't have the first 2 keys. Otherwise, seems to be no change - 
I have no new icon in the system tray that says that updates are 
available.


> 
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 30, 2008 3:28 PM
> To: NT System Admin Issues
> Cc: [EMAIL PROTECTED]
> Subject: How to run WindowsUpdate on demand, with WSUS v3?

> 
> 
> So I've set up a WSUS v3 server. Following the examples, I have a 
> GPO linked to a test OU, and a test machine in the OU. The test 
> machine has the GPO applied, and so it knows to get its updates 
> from the WSUS server ("gpresult" shows my GPO being applied). I have
> the GPO configured for "Notify for download, and notify for 
> install", which is how the boss wants it; he wants to pick and 
> choose which updates to apply and download, even beyond whatever 
> ones I've marked as "Approved". 
> 
> I've approved a number of the critical updates, and want to have my 
> test server go and get them *now*, rather than on the scheduled time of 
> 3AM. 
> 
> I've tried "wuauclt /resetauthorization /detectnow" on the client 
> machine, to no (seeming) effect. 
> 
> So how can I go and get these updates now? When I do the "normal" 
> way of WindowsUpdate (i.e., open a browser and go to 
> "http://www.update.microsoft.com/"), it seems to actually go to the real MS 
> site, and not just show me my small approved list of updates (for 
> example, that way, I see the "Malicious Software Removal Tool", 
> which I explicitly DECLINED as an update). So it doesn't seem to be 
> actually going to my WSUS server. Yet the WSUS server knows about 
> the client, and I can run a report from the WSUS server, and see the 
> client. 
> 
> Any clues and pointers gratefully appreciated 
> 
> -- 
> Michael Leone
> Network Administrator, ISM
> Philadelphia Housing Authority
> 2500 Jackson St
> Philadelphia, PA 19145
> Tel: 215-684-4180

RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Christopher Boggs
If you're still having issues after that, post the WindowsUpdate.log
file (from your %windir%)

 

Is the test system showing up in WSUS, and has it reported its status
yet?

 

 



From: Sam Cayze [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:32 PM
To: NT System Admin Issues
Cc: [EMAIL PROTECTED]
Subject: RE: How to run WindowsUpdate on demand, with WSUS v3?

 

 

try this:

 

@echo off
Echo This batch file will Force the Update Detection from the AU client:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)
Echo 6. Force the detection
Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
wuauclt /detectnow
@echo off
Echo This AU client will now check for the Updates on the Local WSUS Server.
Pause

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:28 PM
To: NT System Admin Issues
Cc: [EMAIL PROTECTED]
Subject: How to run WindowsUpdate on demand, with WSUS v3?



So I've set up a WSUS v3 server. Following the examples, I have a GPO
linked to a test OU, and a test machine in the OU. The test machine has
the GPO applied, and so it knows to get its updates from the WSUS
server ("gpresult" shows my GPO being applied). I have the GPO
configured for "Notify for download, and notify for install", which is
how the boss wants it; he wants to pick and choose which updates to
apply and download, even beyond whatever ones I've marked as "Approved".


I've approved a number of the critical updates, and want to have my test
server go and get them *now*, rather than on the scheduled time of 3AM. 

I've tried "wuauclt /resetauthorization /detectnow" on the client
machine, to no (seeming) effect. 

So how can I go and get these updates now? When I do the "normal" way of
WindowsUpdate (i.e., open a browser and go to
"http://www.update.microsoft.com/"), it seems to actually go to the real
MS site, and not just show me my small approved list of updates (for
example, that way, I see the "Malicious Software Removal Tool", which I
explicitly DECLINED as an update). So it doesn't seem to be actually
going to my WSUS server. Yet the WSUS server knows about the client, and
I can run a report from the WSUS server, and see the client.
 

Any clues and pointers gratefully appreciated 

-- 
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180

 






 


 

 





 



RE: How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Sam Cayze
try this:
 
@echo off
Echo This batch file will Force the Update Detection from the AU client:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)
Echo 6. Force the detection
Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
wuauclt /detectnow
@echo off
Echo This AU client will now check for the Updates on the Local WSUS Server.
Pause



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 3:28 PM
To: NT System Admin Issues
Cc: [EMAIL PROTECTED]
Subject: How to run WindowsUpdate on demand, with WSUS v3?




So I've set up a WSUS v3 server. Following the examples, I have a GPO
linked to a test OU, and a test machine in the OU. The test machine has
the GPO applied, and so it knows to get its updates from the WSUS
server ("gpresult" shows my GPO being applied). I have the GPO
configured for "Notify for download, and notify for install", which is
how the boss wants it; he wants to pick and choose which updates to
apply and download, even beyond whatever ones I've marked as "Approved".


I've approved a number of the critical updates, and want to have my test
server go and get them *now*, rather than on the scheduled time of 3AM. 

I've tried "wuauclt /resetauthorization /detectnow" on the client
machine, to no (seeming) effect. 

So how can I go and get these updates now? When I do the "normal" way of
WindowsUpdate (i.e., open a browser and go to
"http://www.update.microsoft.com/"), it seems to actually go to the real
MS site, and not just show me my small approved list of updates (for
example, that way, I see the "Malicious Software Removal Tool", which I
explicitly DECLINED as an update). So it doesn't seem to be actually
going to my WSUS server. Yet the WSUS server knows about the client, and
I can run a report from the WSUS server, and see the client.
 

Any clues and pointers gratefully appreciated 

-- 
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180
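Before forcing detection it helps to confirm the client is actually policy-bound to the WSUS server, since "gpresult" only shows that the GPO applied. The batch file below is an added example, not part of the thread; it assumes the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, AUOptions) and the default %windir%\WindowsUpdate.log location.

```batch
@echo off
rem Added example (not from the thread): confirm which update source the
rem Automatic Updates client is bound to before forcing a detection cycle.
rem Assumes the standard Windows Update policy values written by a WSUS GPO.
setlocal
set "POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "WUSERVER="
set "WUSTATUS="
set "USEWU="
set "AUOPT="

rem "reg query" prints: name, type, data. The third token is the data.
for /f "tokens=1,2,*" %%A in ('reg query "%POL%" /v WUServer 2^>nul ^| find "REG_SZ"') do set "WUSERVER=%%C"
for /f "tokens=1,2,*" %%A in ('reg query "%POL%" /v WUStatusServer 2^>nul ^| find "REG_SZ"') do set "WUSTATUS=%%C"
for /f "tokens=1,2,*" %%A in ('reg query "%POL%\AU" /v UseWUServer 2^>nul ^| find "REG_DWORD"') do set "USEWU=%%C"
for /f "tokens=1,2,*" %%A in ('reg query "%POL%\AU" /v AUOptions 2^>nul ^| find "REG_DWORD"') do set "AUOPT=%%C"

rem Without WUServer the client has no WSUS to talk to.
if not defined WUSERVER (
    echo FAIL: no WUServer policy value. The client will scan against Microsoft, not WSUS.
    exit /b 1
)

rem WUServer is only honoured when UseWUServer is 1.
if /i not "%USEWU%"=="0x1" (
    echo FAIL: UseWUServer is "%USEWU%", so WUServer=%WUSERVER% is ignored.
    exit /b 2
)

echo WUServer       = %WUSERVER%
echo WUStatusServer = %WUSTATUS%
echo UseWUServer    = %USEWU%
echo AUOptions      = %AUOPT%
if /i "%AUOPT%"=="0x2" echo AUOptions 0x2: notify for download and notify for install.

rem Ask the client to detect now, then show which server the client logged.
wuauclt /detectnow
echo Waiting 60 seconds for the detection cycle to be logged...
ping -n 61 127.0.0.1 >nul
findstr /i /c:"WSUS server" "%windir%\WindowsUpdate.log"
endlocal
```

The newest entries are at the end of the findstr output; the server shown there should match the WUServer value printed above.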

How to run WindowsUpdate on demand, with WSUS v3?

2008-01-30 Thread Michael . Leone
So I've set up a WSUS v3 server. Following the examples, I have a GPO
linked to a test OU, and a test machine in the OU. The test machine has
the GPO applied, and so it knows to get its updates from the WSUS server
("gpresult" shows my GPO being applied). I have the GPO configured for
"Notify for download, and notify for install", which is how the boss wants
it; he wants to pick and choose which updates to apply and download, even
beyond whatever ones I've marked as "Approved".

I've approved a number of the critical updates, and want to have my test
server go and get them *now*, rather than on the scheduled time of 3AM.

I've tried "wuauclt /resetauthorization /detectnow" on the client machine,
to no (seeming) effect.

So how can I go and get these updates now? When I do the "normal" way of
WindowsUpdate (i.e., open a browser and go to
"http://www.update.microsoft.com/"), it seems to actually go to the real MS
site, and not just show me my small approved list of updates (for example,
that way, I see the "Malicious Software Removal Tool", which I explicitly
DECLINED as an update). So it doesn't seem to be actually going to my WSUS
server. Yet the WSUS server knows about the client, and I can run a report
from the WSUS server, and see the client.

Any clues and pointers gratefully appreciated

-- 
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180



RE: OT: FYI - Patriots beat the Giants in the Superbowl (34-14)

2008-01-30 Thread Kent, Larry CTR USA IMCOM
It will be even funnier when the Pats lose...



From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 4:10 PM
To: NT System Admin Issues
Subject: Re: OT: FYI - Patriots beat the Giants in the Superbowl (34-14)



LOL, that's funny.  


On Jan 30, 2008 3:01 PM, Micheal Espinola Jr <[EMAIL PROTECTED]>
wrote:



http://www.boston.com/sports/football/patriots/articles/2008/01/30/pats_win_super_bowl_xlii__in_madden_nfl_08/

--
ME2

-- 
Sherry Abercrombie

"Reality is merely an illusion, albeit a persistent one."
-Albert Einstein 







RE: VMWARE ESX QUESTION

2008-01-30 Thread Benjamin Zachary
I have a few entire infrastructures on esx, exchange, dc's, sql etc . Even
had one of the esx boxes die (no vmotion at the time) and was able to copy
it over and restart it all without error.

You don't need to push the vm's you could do realtime replication or
snapshot replication depending on your requirements. In house can be done
with some free apps, or inexpensively with datacore for those not faint of
heart :)

-Original Message-
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 2:11 PM
To: NT System Admin Issues
Subject: Re: VMWARE ESX QUESTION

On Jan 30, 2008 6:12 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>
> Yep,
>
> We are pushing that at our organization, it's easier to set 3+ ESX servers at
> a Hotsite, setup a B2B VPN and push the VM's down to the offsite, or have
> the hotsite as a Lag site for AD ( say 2-3 DC's about 12 hr replication
> apart, in case main site gets hit, we have DCs/DNS/WINS/ that can take over
> at offsite seize the roles and only be 12 hrs behind in changes from main
> site) ( Use ESX Ranger, etc etc)

Why the lag?

> I have done WINS/DNS/WEB/SQL/Apps on VM's without issues, but not DC's. I
> wouldn't P2V a DC but I would say it's probable that you can spin up a DC
> from VM via DCPromo without issues.

It's not merely probable - I've done it.

However, I was cautioned that the holder of the FSMO roles shouldn't
be virtualized. Can't remember why at the moment - something to do
with Exchange, IIRC - but that's why one of our DCs is not on ESX.

Kurt



Re: Printer brand recommendations

2008-01-30 Thread Ben Scott
On Jan 30, 2008 3:20 PM, Eric E Eskam <[EMAIL PROTECTED]> wrote:
> Dell printers are rebadged Lexmark's ...

  At least some of them are, for sure.  I suspect some of them might
be other OEMs, though.  For example, the Dell 1110 we got sent as a
freebie is a dead ringer for the Samsung ML-2510 I saw in Staples the
other day.  Same overall layout, lights, buttons, toner cartridge
design, port locations.  The only thing different is the labeling and
the color of the trim.

> I'm pretty happy with our Lexmarks.

  Thanks for the detailed report -- very useful.  That does sound
pretty good.  I will have to check them out, independently of Dell as
you say.

-- Ben



RE: Ghosting SATA Drives

2008-01-30 Thread Benjamin Zachary
Drop ghost 8.0 on BartPE with the drivers preinstalled (ubcd4win) or install
them on boot up and you will be good to go. I still use ghost8 in this
fashion with sas controllers, dell perc cards etc etc. 

-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 2:10 PM
To: NT System Admin Issues
Subject: Ghosting SATA Drives

I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




Re: OT: FYI - Patriots beat the Giants in the Superbowl (34-14)

2008-01-30 Thread Sherry Abercrombie
LOL, that's funny.

On Jan 30, 2008 3:01 PM, Micheal Espinola Jr <[EMAIL PROTECTED]>
wrote:

>
> http://www.boston.com/sports/football/patriots/articles/2008/01/30/pats_win_super_bowl_xlii__in_madden_nfl_08/
>
> --
> ME2
>
>



-- 
Sherry Abercrombie

"Reality is merely an illusion, albeit a persistent one."
-Albert Einstein


Re: Ghosting SATA Drives

2008-01-30 Thread Ben Scott
On Jan 30, 2008 2:09 PM, Roger Wright <[EMAIL PROTECTED]> wrote:
> I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
> doesn't support SATA drives.
> How can I manage to do this when the drives are all SATA drives?

  I guess newer versions of Ghost support SATA.  Myself, I've been
experimenting with the free, Linux-based "partimage" tool.  Seems to
work well so far, and is NTFS aware.

-- Ben



OT: FYI - Patriots beat the Giants in the Superbowl (34-14)

2008-01-30 Thread Micheal Espinola Jr
http://www.boston.com/sports/football/patriots/articles/2008/01/30/pats_win_super_bowl_xlii__in_madden_nfl_08/

-- 
ME2



Nokia VPN question

2008-01-30 Thread Andy Shook
Anyone out there using a Nokia VPN appliance in production? 

Here's the deal.  Just cutover to a Cisco ASA-5510 from a Sonicwall 2040
(enhanced OS) and this one LAN-to-LAN tunnel will not establish phase 2.
Settings did not change and everything else is groovy.  Is there any
"feature" that is required for these two boxes to swap packets?  

Pullin' my hair out on this one.

Shook



RE: Printer brand recommendations

2008-01-30 Thread Eric E Eskam
Dell printers are rebadged Lexmark's - I think it's been mentioned before, 
but thought I would mention it again.  Dunno if the Dell's have all of 
what I am going to talk about below - might be a disadvantage of getting 
them from Dell since Dell does ship different drivers.

Lexmark is very strong on security - all firmware updates are signed, they 
can utilize smart cards for authentication (i.e. have printer hold job 
until user authenticates to printer with smartcard or PIN and then print 
while user is standing there for sensitive documents), if a printer has a 
hard drive for caching of jobs it's encrypted, etc.  Lexmark has been, so 
far, the only vendor to also provide me a whitepaper explaining why having 
one of their multifunction machines with a fax modem on my network is not 
a risk.  It's quite detailed and specific.  I had been trying for years to 
get such a whitepaper from HP, Canon and other vendors and had come up 
with nothing.  One mention to our Lexmark rep and I had a whitepaper 
within 24 hours.  As an aside, if your vendor supports PS Fax, I wouldn't
have the printer plugged into my network and the phone at the same time...

Heck, it's a 260K PDF - if anyone is interested in it send me an email off 
list and I'll forward you a copy.

The only issues we have had with some Lexmark printers is they have been
fussy on paper, and most of that has been from users not paying attention
to the printer's specs and requirements.  A few we have had to have
replaced, but they have been pretty responsive in working with us.  In my
immediate office we ordered a scanner/printer combo and replaced our
photocopier.  I hesitate to call it an all-in-one since the scanner is
separate from the printer, although it comes with a stand that integrates
the two.  The entire cost of the scanner/printer setup was less than
maintenance for one year on the photocopier - and it even staples!  Bigger
printers also collate and bind, just like larger photocopiers.  The
scanner supports emailing a PDF - I use that feature all the time to
capture documents electronically and when duplex scanning, it scans both
sides of the paper at the same time.  Also, every one of their scanners is
color - even though I ordered it as a kit with a B&W printer.  If I need a
color copier, all I have to do is order a Lexmark color printer and now I
have a color copier and B&W copier from the same scanner (pretty slick!).
The scanner has a touchscreen interface - there is a complete SDK
available, so if I was so inclined (and actually had a developer) I could
integrate the scanner directly into a workflow with our Lotus Notes or
Sharepoint servers.  I'm pretty happy with our Lexmarks.

Oh, they have a true universal driver and it doesn't litter your system 
tray and hard drive with gobs of utilities either.  Much friendlier in a 
networked printing environment...

Eric Eskam
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The contents of this message are mine personally and do not reflect any 
position of the U.S. Government
"The human mind treats a new idea the same way the body treats a strange 
protein; it rejects it."
-  P. B. Medawar

Re: Printer brand recommendations

2008-01-30 Thread Ben Scott
On Jan 30, 2008 12:55 PM, Za Vue <[EMAIL PROTECTED]> wrote:
> I have never called HP for any support on printers. There is no more than 7-8
> major components with most LJ printers.

  If it's a mechanical breakdown, sure.  Not all problems are like
that.  This month it's been:

  1. Ghosting on a color laser printer.  It turned out to be a bad
toner cartridge, but HP was no help in figuring that out, and neither
was the local service shop.  (They recommended replacing the fuser,
for $250.)  And then HP wouldn't honor the supposed warranty on their
Genuine HP better-because-they-say-so printer cartridge.  Why am I
buying Genuine HP if HP won't stand behind it any more than they stand
by somebody's knock-off?

  2. Truncated pages.  Turned out to be Microsoft Word was not
honoring the printable area metric from the driver for page borders.
It only showed up on this one new printer model, so I thought it was
the printer at first.  So it ended up being more of an MS Word problem
than an HP problem, but I had to figure that out on my own.  The HP
support was just an exercise in frustration.  (This was the case where
they sent me a link to the same MSKB article I had already referred
them to, among other stupidities.)

  3. On that AIO I mentioned, the scanner software keeps insisting the
scanner cannot be found.  Ticket is still open from yesterday.  The
battery in the phone I was using went dead after 30 minutes on hold
waiting for a rep who knew what a network was.

  It's just chance that I had three issues like this in one month, but
each support case has been absolutely horrible.

-- Ben



RE: Ghosting SATA Drives

2008-01-30 Thread Roger Wright
Thanks... trying Clonezilla now.


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


"New":  Different color from previous model.


-Original Message-
From: Angus Scott-Fleming [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 2:18 PM
To: NT System Admin Issues
Subject: Re: Ghosting SATA Drives

On 30 Jan 2008 at 14:09, Roger Wright wrote:

> I have several boxes to image.  My old copy of Ghost (8.0 or 2003) 
> doesn't support SATA drives.
> 
> How can I manage to do this when the drives are all SATA drives?  

CloneZilla.sourceforge.net among others.

--
Angus Scott-Fleming
http://www.geoapps.com/



Re: Installing a Terminal Server

2008-01-30 Thread Micheal Espinola Jr
;-)  I couldn't resist.  This should have gone along with it:

http://whmfp.ytmnd.com/


On Jan 30, 2008 2:41 PM, Jim Majorowicz <[EMAIL PROTECTED]> wrote:
> LOL...
>
> -Original Message-
> From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 3:02 PM
> To: NT System Admin Issues
> Subject: Re: Installing a Terminal Server
>
> Bonjour monsieur haute pantalons!  :-)
>
>
> On Jan 29, 2008 5:36 PM, Jim Majorowicz <[EMAIL PROTECTED]> wrote:
> > I'm well aware of the licensing requirements, actually.  I don't overly
> > abuse my signature file with my certifications, one of which is Microsoft
> > Licensing Advisor.  I know my way around Gear Up pretty well, which is why
> > they have Professional Plus.
> >
> >
> > -Original Message-
> > From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 2:12 PM
> > To: NT System Admin Issues
> > Subject: RE: Installing a Terminal Server
> >
> > You just need a VL version as opposed to a retail version.
> >
> > Regards,
> >
> > Michael B. Smith
> > MCSE/Exchange MVP
> > http://TheEssentialExchange.com
> >
> >
> > -Original Message-
> > From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 5:06 PM
> > To: NT System Admin Issues
> > Subject: RE: Installing a Terminal Server
> >
> > Seems to be working just fine.  Office Ent is just Office Pro Plus with
> > Groove and OneNote.  There is nothing in the deployment notes that say that
> > only Enterprise can be installed on a Terminal Server.
> >
> > -Original Message-
> > From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
> > Sent: Tuesday, January 29, 2008 1:28 PM
> > To: NT System Admin Issues
> > Subject: RE: Installing a Terminal Server
> >
> > I may be wrong but I think Office 2007 Pro won't work... needs to be
> > Office 2007 Enterprise.
> >
> > S
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 2:55 PM
> > To: NT System Admin Issues
> > Subject: RE: Installing a Terminal Server
> >
> > I second the motion. Unless you know all drivers and apps work with x64.
> >
> > Mike
> >
> > Original Message:
> > -
> > From: Tom Strader [EMAIL PROTECTED]
> > Date: Tue, 29 Jan 2008 13:28:46 -0500
> > To: ntsysadmin@lyris.sunbelt-software.com
> > Subject: RE: Installing a Terminal Server
> >
> >
> > I would stay with x32 Jim.
> >
> > My 2 cents,
> > Tom
> >
> > 
> >
> > From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 29, 2008 1:26 PM
> > To: NT System Admin Issues
> > Subject: Installing a Terminal Server
> >
> >
> >
> >
> > I'm installing a new Terminal Server for a client and I'm wondering if
> > it would be better to install x32 or the x64 version of 2003 R2 as the
> > base operating system.  It will be hosting Office 2007 Pro and an
> > Accounting App that is currently only 32 bit.  (The database is still on
> > an SQL 2000 server, and won't be upgraded to SQL 2003 until June.)
>
> --
> ME2
>
>



-- 
ME2



RE: Installing a Terminal Server

2008-01-30 Thread Jim Majorowicz
It really only makes sense if you spend time on SBS forums...

-Original Message-
From: Joseph L. Casale [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 29, 2008 7:30 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

OK, I was busy, What'd I miss here?? :) ?? Where did that come from?

-Original Message-
From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 3:37 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

I'm well aware of the licensing requirements, actually.  I don't overly
abuse my signature file with my certifications, one of which is Microsoft
Licensing Advisor.  I know my way around Gear Up pretty well, which is why
they have Professional Plus.

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 2:12 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

You just need a VL version as opposed to a retail version.

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 5:06 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

Seems to be working just fine.  Office Ent is just Office Pro Plus with
Groove and OneNote.  There is nothing in the deployment notes that say that
only Enterprise can be installed on a Terminal Server.

-Original Message-
From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
Sent: Tuesday, January 29, 2008 1:28 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

I may be wrong but I think Office 2007 Pro won't work... needs to be Office
2007 Enterprise.

S


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 2:55 PM
To: NT System Admin Issues
Subject: RE: Installing a Terminal Server

I second the motion. Unless you know all drivers and apps work with x64.

Mike

Original Message:
-
From: Tom Strader [EMAIL PROTECTED]
Date: Tue, 29 Jan 2008 13:28:46 -0500
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Installing a Terminal Server


I would stay with x32 Jim.

My 2 cents,
Tom



From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 1:26 PM
To: NT System Admin Issues
Subject: Installing a Terminal Server




I'm installing a new Terminal Server for a client and I'm wondering if
it would be better to install x32 or the x64 version of 2003 R2 as the
base operating system.  It will be hosting Office 2007 Pro and an
Accounting App that is currently only 32 bit.  (The database is still on
an SQL 2000 server, and won't be upgraded to SQL 2003 until June.)
















RE: Installing a Terminal Server

2008-01-30 Thread Jim Majorowicz
LOL...

-Original Message-
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 29, 2008 3:02 PM
To: NT System Admin Issues
Subject: Re: Installing a Terminal Server

Bonjour monsieur haute pantalons!  :-)


On Jan 29, 2008 5:36 PM, Jim Majorowicz <[EMAIL PROTECTED]> wrote:
> I'm well aware of the licensing requirements, actually.  I don't overly
> abuse my signature file with my certifications, one of which is Microsoft
> Licensing Advisor.  I know my way around Gear Up pretty well, which is why
> they have Professional Plus.
>
>
> -Original Message-
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 2:12 PM
> To: NT System Admin Issues
> Subject: RE: Installing a Terminal Server
>
> You just need a VL version as opposed to a retail version.
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 5:06 PM
> To: NT System Admin Issues
> Subject: RE: Installing a Terminal Server
>
> Seems to be working just fine.  Office Ent is just Office Pro Plus with
> Groove and OneNote.  There is nothing in the deployment notes that say that
> only Enterprise can be installed on a Terminal Server.
>
> -Original Message-
> From: Steve Moffat [mailto:[EMAIL PROTECTED] On Behalf Of NTSysAdmin
> Sent: Tuesday, January 29, 2008 1:28 PM
> To: NT System Admin Issues
> Subject: RE: Installing a Terminal Server
>
> I may be wrong but I think Office 2007 Pro won't work... needs to be
> Office 2007 Enterprise.
>
> S
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 2:55 PM
> To: NT System Admin Issues
> Subject: RE: Installing a Terminal Server
>
> I second the motion. Unless you know all drivers and apps work with x64.
>
> Mike
>
> Original Message:
> -
> From: Tom Strader [EMAIL PROTECTED]
> Date: Tue, 29 Jan 2008 13:28:46 -0500
> To: ntsysadmin@lyris.sunbelt-software.com
> Subject: RE: Installing a Terminal Server
>
>
> I would stay with x32 Jim.
>
> My 2 cents,
> Tom
>
> 
>
> From: Jim Majorowicz [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 1:26 PM
> To: NT System Admin Issues
> Subject: Installing a Terminal Server
>
>
>
>
> I'm installing a new Terminal Server for a client and I'm wondering if
> it would be better to install x32 or the x64 version of 2003 R2 as the
> base operating system.  It will be hosting Office 2007 Pro and an
> Accounting App that is currently only 32 bit.  (The database is still on
> an SQL 2000 server, and won't be upgraded to SQL 2003 until June.)



-- 
ME2



Question about TCP/IP properties in Terminal Services

2008-01-30 Thread Aaron T. Rohyans
Hey all,

 

Just installed a new DC and got it all setup.  I statically set the IP
from the console, but now when I remote into the box, the IP reverts
back to DHCP.

 

Ipconfig /all still shows the correct static address, but TCP/IP
properties on the NIC shows that it should be using DHCP (i.e. doesn't
show the address I entered from the console).  Am I missing something
here?  Wouldn't want this guy to get a new address without me knowing it :)

 

Thanks for any help!

 

Aaron T. Rohyans

Director of Information Systems

IDC-USA

[EMAIL PROTECTED]

 



RE: Ghosting SATA Drives

2008-01-30 Thread Terry Dickson
Roger, I seem to remember that Ghost 7.5 started supporting SATA Drives,
I have a computer around with an old version of Ghost on it that I know
I have used in the past for SATA Drives and I think it was 8, it was
purchased in 2003 anyway.  

-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 1:10 PM
To: NT System Admin Issues
Subject: Ghosting SATA Drives

I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




RE: IUSR_SERVER

2008-01-30 Thread Christopher Boggs
Don't quote me on this, but I think as long as you specify it in IIS
Manager, then you're fine.  Same goes for renaming it - just rename the
account in Users and Groups and then update it in IIS Manager...

I noticed this: http://support.microsoft.com/?id=822165

If the accounts are not present, it will recreate them when you restart
the IIS Admin Service... it mentions making custom IUSR and IWAM
accounts, so I see no reason you can't do it - you just might have to
tweak things.

cb

-Original Message-
From: David Lum [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 11:52 AM
To: NT System Admin Issues
Subject: IUSR_SERVER

This account is created when IIS is installed, right (actually
IUSR_)? Is there any reason this account can't be manually
created? I have a server that some developers want me to rename to quite
literally SERVER, then reload IIS so the IUSR_SERVER account gets
created. Seems asinine to me

Dave Lum  - Systems Engineer 
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands" 






Re: Ghosting SATA Drives

2008-01-30 Thread Angus Scott-Fleming
On 30 Jan 2008 at 14:09, Roger Wright wrote:

> I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
> doesn't support SATA drives.  
> 
> How can I manage to do this when the drives are all SATA drives?  

CloneZilla.sourceforge.net among others.

--
Angus Scott-Fleming
http://www.geoapps.com/



RE: Ghosting SATA Drives

2008-01-30 Thread Joe Heaton
I googled "Ghosting SATA drives"  and the first link seemed to have some useful 
info, about halfway down the conversation.  There's also a link to another 
site, that supposedly has instructions on setting Ghost up to do SATA drives.

HTH,

Joe Heaton


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 11:10 AM
To: NT System Admin Issues
Subject: Ghosting SATA Drives

I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




RE: Ghosting SATA Drives

2008-01-30 Thread Sam Cayze
Does your Ghost have a GUI Install? (Actually installing the program,
not booting from the CD).
Then slave the drive and try to image.

-Original Message-
From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 1:11 PM
To: NT System Admin Issues
Subject: RE: Ghosting SATA Drives

Upgrade your Ghost?

Sorry, not useful, I know, but had to do it... ;)

Joe Heaton


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 11:10 AM
To: NT System Admin Issues
Subject: Ghosting SATA Drives

I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




Re: VMWARE ESX QUESTION

2008-01-30 Thread Kurt Buff
On Jan 30, 2008 6:12 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>
> Yep,
>
> We are pushing that at our organization, it's easier to set 3+ ESX servers at
> a Hotsite, setup a B2B VPN and push the VM's down to the offsite, or have
> the hotsite as a Lag site for AD ( say 2-3 DC's about 12 hr replication
> apart, in case main site gets hit, we have DCs/DNS/WINS/ that can take over
> at offsite cease the roles and only be 12 hrs behind in changes from main
> site) ( Use ESX Ranger, etc etc)

Why the lag?

> I have done WINS/DNS/WEB/SQL/Apps on VM's without issues, but not DC's. I
> wouldn't P2V a DC but I would say it's probable that you can spin up a DC
> from VM via DCPromo without issues.

It's not merely probable - I've done it.

However, I was cautioned that the holder of the FSMO roles shouldn't
be virtualized. Can't remember why at the moment - something to do
with Exchange, IIRC - but that's why one of our DCs is not on ESX.

Kurt



RE: Ghosting SATA Drives

2008-01-30 Thread Joe Heaton
Upgrade your Ghost?

Sorry, not useful, I know, but had to do it... ;)

Joe Heaton


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 11:10 AM
To: NT System Admin Issues
Subject: Ghosting SATA Drives

I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




Ghosting SATA Drives

2008-01-30 Thread Roger Wright
I have several boxes to image.  My old copy of Ghost (8.0 or 2003)
doesn't support SATA drives.  

How can I manage to do this when the drives are all SATA drives?  


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Man belongs wherever he wants to go.  --Wernher von Braun




Re: Terminal Services Warning - huh?

2008-01-30 Thread Greg Farber
I had this problem last month, googled the error message, found this fix
which worked for me.
It is the "registry fix" alluded to earlier here.
cheers!  greg

from microsoft tech net -
http://technet2.microsoft.com/windowsserver/en/library/449930f4-85ed-47b4-a159-760eebcc3e881033.mspx?mfr=true

Remove the MSLicensing Registry Key on the Client and Verify Permissions on
the Rebuilt Key

If all of the previous troubleshooting procedures fail, create a backup of
the *MSLicensing* registry key and its subkeys on the client, and then remove
the original key and subkeys.

Caution:

Incorrectly editing the registry may severely damage your system. Before
making changes to the registry, you should back up any valued data on the
computer.

*To remove the MSLicensing registry key on the client and verify permissions
on the rebuilt key*

1. On the client, open Registry Editor. To open Registry Editor, click *Start*,
   click *Run*, type *regedit*, and then click *OK*.

2. Locate, and then click, the following key in the registry:

   *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing*

3. On the *Registry* menu, click *Export Registry File*.

4. In the *File name* box, type *mslicensingbackup*, and then click *Save*.

5. If you need to restore this registry key in the future, double-click
   *mslicensingbackup.reg*.

6. On the *Edit* menu, click *Delete*, and then click *Yes* to confirm the
   deletion of the *MSLicensing* registry subkey.

7. Close Registry Editor, and then restart the computer (when the client is
   restarted, the missing registry key is rebuilt).

8. On the client, open Registry Editor.

9. Locate, and then click, the following key in the registry:

   *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing*

10. On the *Edit* menu, click *Permissions*. Users must have at least Read
    permissions.
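
The procedure above, scripted as an added example (not part of the original post or the TechNet article). It assumes an elevated PowerShell prompt on the client; the function names, the `-Phase` parameter and the default backup folder are hypothetical choices made for this example.

```powershell
# Added example: back up and remove the MSLicensing key, then, after the
# restart, confirm that the rebuilt key grants Users at least Read access.
param(
    [ValidateSet('BackupAndRemove', 'Verify')]
    [string]$Phase = 'Verify',                      # default is the non-destructive phase
    [string]$BackupDir = "$env:USERPROFILE\Desktop" # assumption: any admin-writable folder
)

$KeyReg   = 'HKLM\SOFTWARE\Microsoft\MSLicensing'   # reg.exe syntax
$KeyPs    = 'HKLM:\SOFTWARE\Microsoft\MSLicensing'  # PowerShell provider syntax
$UsersSid = 'S-1-5-32-545'                          # well-known SID of BUILTIN\Users

function Backup-AndRemoveMSLicensing {
    $backupFile = Join-Path $BackupDir 'mslicensingbackup.reg'
    if (-not (Test-Path $KeyPs)) { throw "$KeyReg does not exist; nothing to remove." }
    if (Test-Path $backupFile)   { throw "$backupFile already exists; move it away first." }

    # Steps 2-4: export the key and its subkeys before touching anything.
    & reg.exe export $KeyReg $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
        throw "Export failed (exit code $LASTEXITCODE); the key was NOT deleted."
    }
    if ((Get-Item $backupFile).Length -eq 0) {
        throw "Export produced an empty file; the key was NOT deleted."
    }

    # Step 6: delete the key and all subkeys only after the backup is confirmed.
    Remove-Item -Path $KeyPs -Recurse -Force
    "Backed up to $backupFile and removed $KeyReg. Restart, then run with -Phase Verify."
}

function Test-MSLicensingPermissions {
    # Steps 8-10: the key should have been rebuilt after the restart.
    if (-not (Test-Path $KeyPs)) {
        throw "$KeyReg has not been rebuilt yet."
    }
    $acl     = Get-Acl -Path $KeyPs
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Ask for SIDs instead of names so the check also works on localized Windows.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    $denied  = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $UsersSid) { continue }
        if ($rule.PropagationFlags -band $inheritOnly)  { continue }  # subkeys only
        $rights = [int]$rule.RegistryRights
        if ($rule.AccessControlType -eq 'Deny' -and ($rights -band $readKey)) {
            $denied = $true
        }
        if ($rule.AccessControlType -eq 'Allow' -and (($rights -band $readKey) -eq $readKey)) {
            $allowed = $true
        }
    }
    # Only ACEs naming BUILTIN\Users are inspected; access granted through other
    # groups and ACEs expressed as generic rights are not evaluated here.
    [pscustomobject]@{
        Key           = $KeyReg
        UsersHaveRead = ($allowed -and -not $denied)
        DenyAcePresent = $denied
    }
}

switch ($Phase) {
    'BackupAndRemove' { Backup-AndRemoveMSLicensing }
    'Verify'          { Test-MSLicensingPermissions }
}
```

If `UsersHaveRead` comes back `False`, inspect the key's permissions in Registry Editor as in step 10 before changing anything.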


RE: FYI (vLite)

2008-01-30 Thread Angus Scott-Fleming
On 29 Jan 2008 at 20:48, Sam Cayze wrote:

> Similar to nLite for XP and 2003. I use this along with an answer
> file cause it allows me to install a base OS in less than 10 minutes. 

Care to share your answer file?  


--
Angus Scott-Fleming
http://www.geoapps.com/




RE: Printer brand recommendations

2008-01-30 Thread Za Vue
I have never called HP for any support on printers. There is no more than 7-8
major components with most LJ printers. I always thought they would tell me
to take back to where I purchased it. Here is one site I rely on for a lot
of issues I have encountered with printers in my work place or at home. 

www.fixyourownprinter.com

-Z.V.

-Original Message-
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 12:47 PM
To: NT System Admin Issues
Subject: Re: Printer brand recommendations

Aggregate reply to multiple people.

On Jan 30, 2008 12:10 AM, Martin Blackstone <[EMAIL PROTECTED]> wrote:
> I still like HP cause it's easy to find local service and you can get parts
> and toner pretty much anywhere.

  HP's hardware quality is still good.  Local repair isn't the issue.
It's that technical support has been absolutely horrible.  And I mean
*horrible*.  By far the worst in recent memory.  And I spend a lot of
time on tech calls.  They can't communicate in English, they don't
listen to what I say, they tell me brand new products are
out-of-warranty, they put me on hold for an hour plus, they read
scripted answers that don't apply, they tell me the product can't do
what the manual says it can do, they need me to look up information on
their own web site for them, they send me copies of MSKB articles I
originally referred them to, I could go on and on.  I don't know
whether to laugh or cry.





IUSR_SERVER

2008-01-30 Thread David Lum
This account is created when IIS is installed, right (actually
IUSR_)? Is there any reason this account can't be manually
created? I have a server that some developers want me to rename to quite
literally SERVER, then reload IIS so the IUSR_SERVER account gets
created. Seems asinine to me

Dave Lum  - Systems Engineer 
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands" 






Re: Switch Purchase Question...

2008-01-30 Thread Micheal Espinola Jr
nonono, in proper "Yankee" it's, GO TAKE A BATH!

On Jan 30, 2008 12:35 PM, Andy Shook <[EMAIL PROTECTED]> wrote:
>
>
>
> You're such a Yankee; it's GIT-R-DONE
>
>
>
>
> Andy
> 
>
>
> From: Ziots, Edward [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 12:05 PM
>
> To: NT System Admin Issues
> Subject: RE: Switch Purchase Question...
>
> Shook,
>
> The Ever-Loving Spoonful, Distant Cousin of Larry the Cable Guy.
>
>
>
> GETTER DONE!
>
>
>
> Z
>
>
>
>
> Edward E. Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP,Security+,Network+,CCA
>
> Phone: 401-639-3505
>
> -Original Message-
> From: Andy Shook [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 10:52 AM
> To: NT System Admin Issues
> Subject: RE: Switch Purchase Question...
>
>
>
>
>
> Don't fight over me, there's plenty of Shook for all….
>
>
>
>
> Andy
>
> 
>
>
> From: Don Ely [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 10:51 AM
> To: NT System Admin Issues
> Subject: Re: Switch Purchase Question...
>
>
>
>
> Envious, are we?
>
>
> On Jan 30, 2008 7:47 AM, Tim Vander Kooi <[EMAIL PROTECTED]> wrote:
>
>
>
>
>
> Cisco = Shook
>
> Bread = bend
>
> Butter = over
>
>
>
>
>
>
> From: Don Ely [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 29, 2008 10:08 PM
>
>
>
> To: NT System Admin Issues
>
> Subject: Re: Switch Purchase Question...
>
>
>
>
>
> Yeah, I'm getting the company away from 3COM and since Cisco has been my
> bread and butter for the last 8 years, it's just simpler...  Don't get me
> wrong, HP does make some nice equipment, but it's just not for me...
>
>
> On Jan 29, 2008 7:42 PM, Ben Scott <[EMAIL PROTECTED]> wrote:
>
>
> On Jan 29, 2008 4:41 PM, Don Ely <[EMAIL PROTECTED]> wrote:
> > I'm getting a 4507 with dual Sup V 10GE engines, 48 port gig
> > blade and a 24 port fiber blade for 30k...
>
>  Wow.  Nice.  That's way bigger than anything I usually work with.
> But I was curious, so I did a little web browsing.  It looks like the
> roughly equivalent ProCurve model would be the 8108fl.  8 slots
> instead of 7 for the Cisco.
>
> http://www.hp.com/rnd/products/switches/ProCurve_Switch_8100fl_Series
>
>  Pricing in this space is hard to find and harder to compare (since
> you have to order all the modules separately), but it looks like the
> two are roughly comparable, price-wise.
>
>  Obviously, your experience is with Cisco, and I'm not trying to
> suggest you switch to HP.  It's very likely your existing investment
> (equipment, training, experience, etc.) in Cisco is far more valuable
> than anything HP could bring to the table.  This is more for my own
> curiosity.
>
>
>
> On Jan 29, 2008 9:25 PM, Don Ely <[EMAIL PROTECTED]> wrote:
> >  Redundant Sup Engines for one...  Full Netflow feature set...  Policy
> > based routing...
>
>  The 8108 does appear to have those sorts of features.  HP uses
> "management module" for what Cisco calls a "supervisor".  Policy
> routing is listed in the data sheet.  "NetFlow" is a Cisco brand name.
>  So of course the HP doesn't have that.  HP has various monitoring and
> management tools; dunno if they do what you need.
>
>  Given that the above is all based on about 20 minutes of work with
> Google, it's not worth very much, but maybe it's food for thought.
>
> -- Ben
>
>
>



-- 
ME2



Re: Printer brand recommendations

2008-01-30 Thread Ben Scott
Aggregate reply to multiple people.

On Jan 30, 2008 12:10 AM, Martin Blackstone <[EMAIL PROTECTED]> wrote:
> I still like HP cause it's easy to find local service and you can get parts
> and toner pretty much anywhere.

  HP's hardware quality is still good.  Local repair isn't the issue.
It's that technical support has been absolutely horrible.  And I mean
*horrible*.  By far the worst in recent memory.  And I spend a lot of
time on tech calls.  They can't communicate in English, they don't
listen to what I say, they tell me brand new products are
out-of-warranty, they put me on hold for an hour plus, they read
scripted answers that don't apply, they tell me the product can't do
what the manual says it can do, they need me to look up information on
their own web site for them, they send me copies of MSKB articles I
originally referred them to, I could go on and on.  I don't know
whether to laugh or cry.

On Jan 30, 2008 12:10 AM, Martin Blackstone <[EMAIL PROTECTED]> wrote:
> As for AIO and Ink Jets, I think they are all crap in the workplace. People
> overuse them way too much.

  I largely agree, but at the same time, there's a demand from the
bigwigs for such.  And ignoring the ego issues, it's not even all that
unreasonable.  So they want their own device.  It's going to be very
light use -- not an overuse situation.  Their priority is small size.
They don't care about price so much, they just don't want a giant
Konica copy machine in their office.  Or three different machines that
each get used twice a month.

On Jan 30, 2008 12:25 AM, Sam Cayze <[EMAIL PROTECTED]> wrote:
> Been using them [Dell printers] for 4+ years.
> Never had a software issue.

  I actually have evaluated a Dell 1720dn about six months ago.  We
had an issue where printing preference defaults would not propagate
properly from the server to the clients.  This was an issue since the
whole reason we bought that model was for multiple trays for different
media.  Dell tech support said the only fix was to manually tweak the
settings for every user on every workstation using the printer.  No
fix available or planned.  (Service tag BKDSTB1; tech support case
167931218.)   So we returned that model to Dell and bought an HP
P2015x.

  Still, at this point, I might be willing to give Dell another shot.

On Jan 30, 2008 10:07 AM, Za Vue <[EMAIL PROTECTED]> wrote:
> Dell printers may be cheaper but they will get you on toner prices and I do
> not know who will service them where we are.

  For the Dell 1720dn vs the HP P2015x, the cost-per-page was actually
cheaper for Dell vs the HP (assuming the yield specs are honest).

-- Ben



Re: Broadcom NIC problems?

2008-01-30 Thread Micheal Espinola Jr
Broadcom NICs - the 3Com of the 21st century.


-- 
ME2



Re: Nod32 2.7 vs 3.0

2008-01-30 Thread Micheal Espinola Jr
Smart Security is a different package that contains NOD32, but also
includes a firewall client.

Yes, there is a separate NOD32 3.0 client that is separate from Smart
Security.  Also with 3.0, there is a differentiation between Home and
Business NOD32.

Business NOD32 (for servers) requires a different installer - although
the licensing appears to be the same.  At least for updates it is.


On Jan 30, 2008 12:27 PM, Sam Cayze <[EMAIL PROTECTED]> wrote:
> Finally setting this up in my test lab.
>
> Does NOD32 3 = Smart Security?
>
> Are they the same?  Is there just an 3.0 AntiVirus client that does not
> have the Spam Filter and Personal Firewall?  (I don't want those
> installed, although I do know that I could just disable them...)
>
>
>
>
>
> -Original Message-
> From: Rod Trent [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 11:16 AM
> To: NT System Admin Issues
> Subject: RE: FYI (vLite)
>
> Uh, it's sysprep.  There are no environment variables available when
> preparing the system for imaging, unless you generate a boot device with
> the variables you define.
>
> -Original Message-
> From: Ben Scott [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 30, 2008 12:06 PM
> To: NT System Admin Issues
> Subject: Re: FYI (vLite)
>
> On Jan 30, 2008 11:41 AM, Rod Trent <[EMAIL PROTECTED]> wrote:
> >>   It's been possible all along, it's just a lot of things (including
> >> Microsoft's own stuff) assume C:\WINDOWS or C: and won't work if you
> >> change things.
> >
> > That's not true.
>
>  It is true.  (I can make empty statements, too.)
>
> > The OS uses a %windir% variable that points to where the OS files
> > are no matter what directory it is in.
>
>  I'm aware of %WINDIR% and %SystemDrive%, thanks.  But there's stuff
> that wrongly assumes certain locations.  Obviously deficient software,
> but there's a lot of that out there, and some of it comes from
> Microsoft.
>
>  To pick an example I just saw mention of recently, the docs for the
> recent SYSPREP releases say it should be run from C: drive only.
> Maybe it might work elsewhere, but Microsoft says C: is the only way to
> do it.  So maybe you should tell the people maintaining SYSPREP about
> %SystemDrive%, eh?
>
>  I've encountered random cases like this plenty of times over the
> years.  The MSKB may "confirm that this is a problem in the Microsoft
> products listed", but that doesn't really help you if you're stuck.
>
> -- Ben
>



-- 
ME2



RE: Switch Purchase Question...

2008-01-30 Thread Andy Shook
You're such a Yankee; it's GIT-R-DONE

 

Andy



From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 12:05 PM
To: NT System Admin Issues
Subject: RE: Switch Purchase Question...

 

 

Shook, 

The Ever-Loving Spoonful, Distant Cousin of Larry the Cable Guy. 

 

GETTER DONE!

 

Z

 

Edward E. Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP,Security+,Network+,CCA

Phone: 401-639-3505

-Original Message-
From: Andy Shook [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:52 AM
To: NT System Admin Issues
Subject: RE: Switch Purchase Question...

 

 

Don't fight over me, there's plenty of Shook for all

 

Andy



From: Don Ely [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 30, 2008 10:51 AM
To: NT System Admin Issues
Subject: Re: Switch Purchase Question...

 


Envious, are we?

On Jan 30, 2008 7:47 AM, Tim Vander Kooi <[EMAIL PROTECTED]> wrote:

 

Cisco = Shook

Bread = bend

Butter = over

 

 

From: Don Ely [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 29, 2008 10:08 PM 


To: NT System Admin Issues

Subject: Re: Switch Purchase Question... 

 


Yeah, I'm getting the company away from 3COM and since Cisco has been my
bread and butter for the last 8 years, it's just simpler...  Don't get
me wrong, HP does make some nice equipment, but it's just not for me...

On Jan 29, 2008 7:42 PM, Ben Scott <[EMAIL PROTECTED]> wrote:

On Jan 29, 2008 4:41 PM, Don Ely <[EMAIL PROTECTED]> wrote:
> I'm getting a 4507 with dual Sup V 10GE engines, 48 port gig
> blade and a 24 port fiber blade for 30k...

 Wow.  Nice.  That's way bigger than anything I usually work with.
But I was curious, so I did a little web browsing.  It looks like the
roughly equivalent ProCurve model would be the 8108fl.  8 slots
instead of 7 for the Cisco.

http://www.hp.com/rnd/products/switches/ProCurve_Switch_8100fl_Series

 Pricing in this space is hard to find and harder to compare (since
you have to order all the modules separately), but it looks like the
two are roughly comparable, price-wise.

 Obviously, your experience is with Cisco, and I'm not trying to
suggest you switch to HP.  It's very likely your existing investment
(equipment, training, experience, etc.) in Cisco is far more valuable
than anything HP could bring to the table.  This is more for my own
curiosity.


On Jan 29, 2008 9:25 PM, Don Ely <[EMAIL PROTECTED]> wrote:
>  Redundant Sup Engines for one...  Full Netflow feature set...  Policy
> based routing...

 The 8108 does appear to have those sorts of features.  HP uses
"management module" for what Cisco calls a "supervisor".  Policy
routing is listed in the data sheet.  "NetFlow" is a Cisco brand name.
 So of course the HP doesn't have that.  HP has various monitoring and
management tools; dunno if they do what you need.

 Given that the above is all based on about 20 minutes of work with
Google, it's not worth very much, but maybe it's food for thought.

-- Ben



Re: duplicate duplicate messages messages

2008-01-30 Thread Micheal Espinola Jr
Lyris is indeed a naughty step-child.

On Jan 30, 2008 12:30 PM, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 12:23 PM, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> > But, do you receive copies of your own posts on all those lists?  I'm
> > hazarding a guess: no - but on Sunbelt, yes.
>
>  Many of the other lists I'm on are configured to do so, and they
> send multiple copies to other addresses I have subscribed them on.
> I'm the listmaster on one of them, so if Gmail was bouncing them I'd
> get the bounces.  Gmail appears to have automatic duplicate
> suppression.
>
>  You made me look.  Yes, Sunbelt's list server is apparently
> stripping the original Message-ID header and replacing it with a new
> one.  That is likely foiling Gmail's duplicate suppression system.
> Most of the other lists I'm on are hosted by Mailman or Majordomo,
> which doesn't do that.  One more thing to dislike about Lyris, I
> guess.
>
>
> -- Ben
>



-- 
ME2



Re: FYI (vLite)

2008-01-30 Thread Ben Scott
On Jan 30, 2008 12:16 PM, Rod Trent <[EMAIL PROTECTED]> wrote:
> Uh, it's sysprep.  There are no environment variables available when
> preparing the system for imaging, unless you generate a boot device with the
> variables you define.

  I would argue that they *are* there when SYSPREP itself runs, so it
should be aware of them, but that's missing the real point: There
*are* things that care about the Windows directory or drive, including
things from Microsoft.

-- Ben



RE: IE7 coming through WSUS

2008-01-30 Thread Joe Heaton
ME2 did:
>But in the end, being forced to upgrade to IE7 is a good thing:  It's a current 
>product, and gets the security related attention that we all need.

But I do agree that they're not actually forcing the upgrade.  As you've said, 
and I said in another post, as long as you don't have Rollups auto-approved, 
you should be fine.  Or, as long as you don't have your personal updates being 
automatically installed... I always choose Custom Install on my home machines, 
so I can see exactly what they're trying to push.  And if IE7 is the only 
update, you can deselect it, and tell the system to not show it again.

Joe Heaton


-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 29, 2008 4:43 PM
To: NT System Admin Issues
Subject: RE: IE7 coming through WSUS

Who says anyone is being forced to install anything?

It'll just show up now, and you select the "I don't want this option"

It's only a problem if you have things set to auto-approve (or 
autodownload/install). In that case, the reg keys etc will no longer do the 
work for you.

Cheers
Ken

-Original Message-
From: Joe Heaton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 30 January 2008 2:38 AM
To: NT System Admin Issues
Subject: RE: IE7 coming through WSUS

Sorry, but I feel being forced to install anything is never a good
thing.  But that's just my personal opinion...

Joe Heaton

-Original Message-
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 29, 2008 7:36 AM
To: NT System Admin Issues
Subject: Re: IE7 coming through WSUS

IE7 is an improvement over IE6 in many regards, although it's still
light years away from standards compatibility you will get with other
browsers.

But, and this has always been the great thing about IE 6-7, they
ignore these compatibility errors and still give you a "good enough"
viewing experience.

IE8 promises to be able to pass the infamous Acid2 test, which its
predecessors have never been able to do.

   http://www.webstandards.org/action/acid2/

But in the end, being forced to upgrade to IE7 is a good thing:  It's a
current product, and gets the security related attention that we all
need.




Re: duplicate duplicate messages messages

2008-01-30 Thread Sherry Abercrombie
Actually, I've never really noticed whether or not I do... it's just not a
big deal to me.

On Jan 30, 2008 11:23 AM, Micheal Espinola Jr <[EMAIL PROTECTED]>
wrote:

> But, do you receive copies of your own posts on all those lists?  I'm
> hazarding a guess: no - but on Sunbelt, yes.
>
>
> On Jan 30, 2008 12:07 PM, Ben Scott <[EMAIL PROTECTED]> wrote:
> > On Jan 30, 2008 12:02 PM, Micheal Espinola Jr <[EMAIL PROTECTED]>
> wrote:
> > > You see two in Gmail because you see what you sent as well as what you
> > > received.  It's how Gmail displays "conversations".
> >
> >  Except that it only happens on these Sunbelt hosted lists, not any
> > of the other 20 or so lists I'm subscribed to.
> >
> >
> > -- Ben
> >
>
>
>
> --
> ME2
>



-- 
Sherry Abercrombie

"Reality is merely an illusion, albeit a persistent one."
-Albert Einstein


Re: duplicate duplicate messages messages

2008-01-30 Thread Ben Scott
On Jan 30, 2008 12:23 PM, Micheal Espinola Jr <[EMAIL PROTECTED]> wrote:
> But, do you receive copies of your own posts on all those lists?  I'm
> hazarding a guess: no - but on Sunbelt, yes.

  Many of the other lists I'm on are configured to do so, and they
send multiple copies to other addresses I have subscribed them on.
I'm the listmaster on one of them, so if Gmail was bouncing them I'd
get the bounces.  Gmail appears to have automatic duplicate
suppression.

  You made me look.  Yes, Sunbelt's list server is apparently
stripping the original Message-ID header and replacing it with a new
one.  That is likely foiling Gmail's duplicate suppression system.
Most of the other lists I'm on are hosted by Mailman or Majordomo,
which doesn't do that.  One more thing to dislike about Lyris, I
guess.

-- Ben
