RE: Remote Control PC Software

[Jason Gauthier]

Join.me crashes, reproducibly, in my environment with win7x64.

 

PASS.

 

From: Cameron [mailto:cameron.orl...@gmail.com] 
Sent: Tuesday, September 28, 2010 9:59 AM
To: NT System Admin Issues
Subject: Re: Remote Control PC Software

 

YES!! 

Thanks Richard! It was https://join.me https://join.me/  that I was
trying to remember!

 

Cheers!

Cameron



 

On Tue, Sep 28, 2010 at 9:42 AM, Richard Stovall rich...@gmail.com
wrote:

https://join.me https://join.me/ ?

 

On Tue, Sep 28, 2010 at 9:41 AM, Cameron cameron.orl...@gmail.com
wrote:

Good morning all!

 

I recall a while back that there was a discussion about remote control
software (free ones) and there was one that I tried and liked (for
accessing my sisters PC across the internet) and now I can't remember
what the heck it was called. I've checked ShowMyPC and LogMeIn but
neither of those are the one I'm thinking of.

 

Apparently I need more coffee!

 

TIA

 

Cameron

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: VNC for Windows 7?

[Jason Gauthier]

I use UltraVNC, but my biggest complaint is lack of IPv6 support. If
anyone knows of a truly free VNC type system that supports IPv6 that
wou;ld be great.

 

Someone mentioned Teamviewer.  Unless you pay for it, you cannot use it
for commercial use.  I recommend it for personal use, and it works
really well.

 

 

From: Todd Lemmiksoo [mailto:tlemmik...@all-mode.com] 
Sent: Monday, September 27, 2010 2:12 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

Still using UltraVNC on Win7 and XP.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, September 27, 2010 12:08 PM
To: NT System Admin Issues
Subject: VNC for Windows 7?

 

I am curious - what VNC (or other remote desktop utilities) do you guys
like for Win7 machines? 


.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: VNC for Windows 7?

[Jason Gauthier]

A suggestion by someone who doesn't do end user support all day.. =)

 

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Monday, September 27, 2010 3:00 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

What about plain ole' RDP? Unless you need it to be interactive while
the user is still logged on as themselves. GPO it and you're all set.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Monday, September 27, 2010 2:58 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

I use UltraVNC, but my biggest complaint is lack of IPv6 support. If
anyone knows of a truly free VNC type system that supports IPv6 that
wou;ld be great.

 

Someone mentioned Teamviewer.  Unless you pay for it, you cannot use it
for commercial use.  I recommend it for personal use, and it works
really well.

 

 

From: Todd Lemmiksoo [mailto:tlemmik...@all-mode.com] 
Sent: Monday, September 27, 2010 2:12 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

Still using UltraVNC on Win7 and XP.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, September 27, 2010 12:08 PM
To: NT System Admin Issues
Subject: VNC for Windows 7?

 

I am curious - what VNC (or other remote desktop utilities) do you guys
like for Win7 machines? 


.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: VNC for Windows 7?

[Jason Gauthier]

Doesn't RA require someone to initiate the assistance?

 

That doesn't work for working on someone's computer during their
scheduled lunch time, or when they're at a meeting.

 

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, September 27, 2010 4:01 PM
To: NT System Admin Issues
Subject: Re: VNC for Windows 7?

 

Isn't that what RemoteAssistance is for?

On Mon, Sep 27, 2010 at 3:46 PM, Jason Gauthier jgauth...@lastar.com
wrote:

A suggestion by someone who doesn't do end user support all day.. =)

 

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Monday, September 27, 2010 3:00 PM 


To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

What about plain ole' RDP? Unless you need it to be interactive while
the user is still logged on as themselves. GPO it and you're all set.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 

Sent: Monday, September 27, 2010 2:58 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

I use UltraVNC, but my biggest complaint is lack of IPv6 support. If
anyone knows of a truly free VNC type system that supports IPv6 that
wou;ld be great.

 

Someone mentioned Teamviewer.  Unless you pay for it, you cannot use it
for commercial use.  I recommend it for personal use, and it works
really well.

 

 

From: Todd Lemmiksoo [mailto:tlemmik...@all-mode.com] 
Sent: Monday, September 27, 2010 2:12 PM
To: NT System Admin Issues
Subject: RE: VNC for Windows 7?

 

Still using UltraVNC on Win7 and XP.

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Monday, September 27, 2010 12:08 PM
To: NT System Admin Issues
Subject: VNC for Windows 7?

 

I am curious - what VNC (or other remote desktop utilities) do you guys
like for Win7 machines? 


.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Cheap/Free POP3/SMTP Server?

[Jason Gauthier]

I love the sense of humor.

 

From: Doug Hampshire [mailto:dhampsh...@gmail.com] 
Sent: Tuesday, September 21, 2010 9:41 AM
To: NT System Admin Issues
Subject: Re: Cheap/Free POP3/SMTP Server?

 

Do any of these solutions have an option to insert excessively large
eMails signatures into them automatically? I'm still looking for a
solution that will attach a Flash based video to every eMail we send. 

On Mon, Sep 20, 2010 at 12:32 PM, John Aldrich 
jaldr...@blueridgecarpet.com wrote:

How about HotPop.com? Or Google? Google will host your domain emails for
you, I believe. Also, SpamCop.Net (webmail.spamcop.net) will host your
email for about $25/year/mailbox, I think... including spam / virus
filtering and spam reporting, if you like.

 

  

 

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, September 20, 2010 11:04 AM


To: NT System Admin Issues

Subject: Cheap/Free POP3/SMTP Server?

 

We have a few dozen domains that are non-critical that I don't want to
host on our internal Exchange system (mostly political some technical
reasons i.e. I don't want some of the users anywhere near my LAN).

 

Most of them only have the need for abuse@ and postmaster@ to be
configured, but a few of the domains have some aliases setup and a
couple of them have some POP3 mailboxes.

 

I've tried hmailserver and mailenable on one of our DMZ boxes and each
does the job whilst each has its quirks (I'm leaning towards hmailserver
right now).

 

Any suggestions on anything else that is cheap/free and easy to
configure?

 



MIRA Ltd

 

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England

Registered in England and Wales No. 402570

VAT Registration  GB 114 5409 96

 

The contents of this e-mail are confidential and are solely for the use
of the intended recipient.  If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax.  You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~


~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadminimage001.jpgimage002.jpg

RE: Cheap/Free POP3/SMTP Server?

[Jason Gauthier]

Xmail:

http://www.xmailserver.org/

hmailServer

http://www.hmailserver.com/



-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, September 20, 2010 12:13 PM
To: NT System Admin Issues
Subject: RE: Cheap/Free POP3/SMTP Server?

Thanks Ben and sorry, I should have been more detailed in my post -
right now we manage these on a CentOS/Postfix box, which works great but
we have little to no combination of linux/postfix/general smtp/pop3
knowledge in our company beyond me, so if I'm not about, whilst it
shouldn't need any messing with, we're kind of stuck if it does whereas
most people could probably fumble their way around hmail/mailenable once
logged into the server it's running on.

Paul

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: 20 September 2010 16:08
To: NT System Admin Issues
Subject: Re: Cheap/Free POP3/SMTP Server?

On Mon, Sep 20, 2010 at 11:03 AM, Paul Hutchings
paul.hutchi...@mira.co.uk wrote:
 Any suggestions on anything else that is cheap/free and easy to
configure?

  Linux?  :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England Registered in
England and Wales No. 402570 VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use
of the intended recipient.  If you receive this e-mail in error, please
delete it and notify us either by e-mail, telephone or fax.  You should
not copy, forward or otherwise disclose the content of the e-mail as
this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Trouble with Windows firewall

[Jason Gauthier]

All,

 

I'm troubleshooting a problem with Windows Firewall.  In short, a
client connected via DirectAccess is not able to ping a client on the
inside running Windows Firewall configured via GPO.   The GPO is
actually deployed on both clients.  I'll try to be brief, but specific.

The settings are wide open for domain and private.  Public blocks
unknown.  DA clients are considered public as far as I can tell, and
internal hosts are considered public to DA clients.

 

I've created an entry that allows ICMPv6 echo on all profiles for all
networks.  This is required for Teredo.

Additionally, I've created an anything is allowed on all profiles if
it comes from the following addresses:

*192.168.0.0/16

*10.0.0.0/8

*   2001::/32

*   2002::/16

*   internal IPv6 ranges

 

However, when my DA client pings an internal host, I receive this:

 

2010-08-30 09:31:08 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec
fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 80 - - - - 128 0 - RECEIVE

2010-08-30 09:31:08 ALLOW ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec
fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 0 - - - - 128 0 - RECEIVE

2010-08-30 09:31:13 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec
fdd2:b9ae:1ccf:feca:49b3:67d3:4726:2ad1 - - 80 - - - - 128 0 - RECEIVE

 

When my internal client pings the DA client I get responses.  However,
every 10 (or so) there are 1-2 packets drops.

2010-08-30 09:48:25 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 135 0 - SEND

2010-08-30 09:48:25 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:26 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:27 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:28 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:29 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:30 DROP ICMP 2001:0:4081:7510:84d:2fda:bf7e:8aec
2001:0:4081:7510:4a2:3d4f:bf7e:8a26 - - 80 - - - - 135 0 - RECEIVE

2010-08-30 09:48:30 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

2010-08-30 09:48:31 ALLOW ICMP 2001:0:4081:7510:4a2:3d4f:bf7e:8a26
2001:0:4081:7510:84d:2fda:bf7e:8aec - - 0 - - - - 128 0 - SEND

 

What is curious, is that it looks like it's using the Teredo interface
on my local machine when I ping the DA client.

 

Considering I've allowed these network addresses on all profiles, I'm
confused why there are any drops at all.  

 

Any suggestions on what is happening would be appreciated.

 

Thanks!

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
You are currently subscribed to ntsysadmin as: arch...@mail-archive.com.
To unsubscribe click here: 
http://lyris.sunbelt-software.com/u?id=8142875.a9cf90b99baa17cb4fcf8293a59eb3b1n=Tl=ntsysadmino=9079313
or send a blank email to 
leave-9079313-8142875.a9cf90b99baa17cb4fcf8293a59eb...@lyris.sunbelt-software.com

RE: Anyone Using Nagios?

[Jason Gauthier]

I use both Nagios and Cacti.  The only area about Nagios that I would
like more is trap management.  Currently, you need to implement that
process yourself and glue it together.

 

I like Nagois.  Over the years,  (I've used it for half a dozen years -
maybe more), I've looked at other software.  Nothing beats the
price/functionality/ease of use combination.

 

 

From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Sent: Thursday, August 05, 2010 2:00 AM
To: NT System Admin Issues
Subject: Anyone Using Nagios?

 

I'm looking at setting up a Solaris 10 (x86) Nagios server. The purpose
is to monitoring server, services and networking information. My problem
is I can't decide on a graphing solution that will allow me to view
trending information. Anyone have any ideas for the best graphing
solution for Nagios?

TIA.




The information in this internet E-mail is confidential and is intended
solely for the addressee. Access, copying or re-use of information in it
by anyone else is unauthorised. Any views or opinions presented are
solely those of the author and do not necessarily represent those of
Walker Martyn Ltd or any of its affiliates. If you are not the intended
recipient please contact administra...@walkermartyn.co.uk.

Walker Martyn Ltd, company number SC197533. Company is registered in
Scotland and has its registered office at 1 Park Circus Place, Glasgow
G3 6AH, UK.

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Anyone using Forefront UAG and Direct Access

[Jason Gauthier]

A few question on this topic:

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall in to this category as well.

Are you using ForeFront UAG?  My understanding what that the NAT64/DNS64 and 
Forefront UAG product complimented this so that you could access IPv4 only 
systems.

In reviewing my email with Tom Shinder, over at the DA team, he mentions that 
an IPv6 only network can be used with only DA.  However, IPv4 resources need 
the UAG to be reachable.   This doesn't specifically contradict  what you are 
saying, but I'd say it's doable.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes it routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com.

DNS works by IP.  How can you reach the DNS servers if what you are saying 
above is true?

Thanks!

Jason

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com] 
Sent: Monday, July 26, 2010 10:13 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

Smart cards are optional for DirectAccess, not required. What I was trying 
(poorly) to say was that Microsoft's internal implementation of DirectAccess is 
set up to require smart card authentication (e.g. MSFT employees must use smart 
cards). Our DirectAccess implementation currently does not require the users to 
have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor 
in the market) are a quite useful security tool, but they require a 
distribution/maintenance infrastructure that complicates their use.

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall in to this category as well.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes it routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can 
tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel 
to your corporate network, but you can't tell it to route all traffic to any 
10.x.x.x address across the tunnel. The only way around this is to force all 
communications across the tunnel (that is, disable split-tunneling). 
Unfortunately, this has performance implications, as it makes DirectAccess use 
a less-efficient protocol and increases the load on the DirectAccess servers, 
not to mention it sends all Internet-bound traffic from the client the long 
way through the corporate network and out the corporate Internet connection.

Hope that makes sense...

-Malcolm
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, July 23, 2010 17:43
To: NT System Admin Issues
Subject: Re: Anyone using Forefront UAG and Direct Access

O...

Actual field experience!

Did not know about the smart card requirement. That's good to know.
What smart card technology are you using, if you can say?

What kind of apps have you run into that don't play nice with it?

Kurt

On Fri, Jul 23, 2010 at 13:29, Malcolm Reitz malcolm.re...@live.com wrote:
 I won’t say DirectAccess is just another VPN, because it isn’t, but it 
 is a VPN technology with pretty robust security. It isn’t an easy 
 setup, as it requires working with IPv6 and certificates, however, 
 once it is running, it is really slick in operation. Just connecting 
 your laptop to the Internet and being instantly able to map corporate 
 file shares and open intranet web apps or RDP sessions is great.
 Downsides to it are that not everything works with it, as not 
 everything plays nice with IPv6, and the hardware requirements are 
 more significant than for a traditional IPsec VPN. It also only works with 
 Windows 7 clients.



 Microsoft has enhanced security on their DirectAccess implementation 
 by requiring their people to use smart cards for DirectAccess authentication.
 We may do that as well.



 I can say that everyone using my DirectAccess POC setup is liking it so far.
 Because of its “always on” nature, I think it will be a great boon to 
 our management of remote computers (they always be connected for 
 patching, AV updates, inventory, etc.).



 -Malcolm



 From: Brumbaugh, Luke [mailto:luke.brumba...@butlerschein.com]
 Sent: Friday, July 23, 2010 14:51
 To: NT System Admin Issues
 Subject: Anyone using Forefront UAG and Direct Access



 Thoughts?

 Is it a big security hole?





 Luke L. Brumbaugh

 Network Engineer

 Butler Animal Health Supply

 Ph:(614) 659-1736



 

RE: Anyone using Forefront UAG and Direct Access

[Jason Gauthier]

Awesome! Great information and thanks for the elaboration.

Are you using Forefront TMG?  I'm kind of irked right now about the fact I 
can't get IPv6 traffic to flow through it.
It doesn't even allow me to put IPv6 addresses on the Internal/Trusted 
network.



-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com] 
Sent: Tuesday, July 27, 2010 11:02 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

First - There's more to it than just translating IPv4 addresses to IPv6 and 
back. Let me rephrase my statement and see if this works any better: 
Applications that depend on protocols implementations (such as the version of 
SIP used in MS Communicator) which don't work over IPv6 will not work over 
DirectAccess.  In this case, you could have a completely IPv6-only local area 
network, with no DirectAccess involved, and Communicator will still not work.

Second - DirectAccess clients are supplied with a Name Resolution Policy Table. 
In the NRPT, you tell the client if you are looking to resolve an 
*.internal.mycorp.com name, use these (internal) DNS servers and, by extension, 
route the traffic to that address across the secure intranet tunnel. So, by 
supplying the client with an name, you've given DirectAccess the information it 
needs to determine if the destination desired is through the intranet tunnel or 
to the outside world. If you only supply your client with an IP address, the 
lack of a name to resolve means the NRPT isn't consulted and DirectAccess 
assumes the destination to be in the outside world.

The Cable Guy blog on TechNet has a lot of good discussion on these topics and 
DirectAccess in general.
http://technet.microsoft.com/en-us/library/ff576611.aspx 

-Malcolm

-Original Message-
From: Jason Gauthier [mailto:jgauth...@lastar.com]
Sent: Tuesday, July 27, 2010 07:58
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

A few question on this topic:

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall in to this category as well.

Are you using ForeFront UAG?  My understanding what that the NAT64/DNS64 and 
Forefront UAG product complimented this so that you could access IPv4 only 
systems.

In reviewing my email with Tom Shinder, over at the DA team, he mentions that 
an IPv6 only network can be used with only DA.  However, IPv4 resources need 
the UAG to be reachable.   This doesn't specifically contradict  what you are 
saying, but I'd say it's doable.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes it routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com.

DNS works by IP.  How can you reach the DNS servers if what you are saying 
above is true?

Thanks!

Jason

-Original Message-
From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, July 26, 2010 10:13 AM
To: NT System Admin Issues
Subject: RE: Anyone using Forefront UAG and Direct Access

Smart cards are optional for DirectAccess, not required. What I was trying 
(poorly) to say was that Microsoft's internal implementation of DirectAccess is 
set up to require smart card authentication (e.g. MSFT employees must use smart 
cards). Our DirectAccess implementation currently does not require the users to 
have a smart card. Smart cards (we use .NET cards - Gemalto is the major vendor 
in the market) are a quite useful security tool, but they require a 
distribution/maintenance infrastructure that complicates their use.

Applications that don't work across a DirectAccess link are those which won't 
work over IPv6. The first one I came across was the Communicator IM client. I 
think VoIP apps that rely on the SIP protocol fall in to this category as well.

Also, internal applications that you access by IP address only will be a 
problem. This is because DirectAccess makes it routing decisions based on name 
resolution, not IP destination. Say your corporate network is using the 
10.x.x.x IPv4 address space and a domain name of internal.mycorp.com. You can 
tell DirectAccess to send all traffic to *.internal.mycorp.com over the tunnel 
to your corporate network, but you can't tell it to route all traffic to any 
10.x.x.x address across the tunnel. The only way around this is to force all 
communications across the tunnel (that is, disable split-tunneling). 
Unfortunately, this has performance implications, as it makes DirectAccess use 
a less-efficient protocol and increases the load on the DirectAccess servers, 
not to mention it sends all Internet-bound traffic from the client the long 
way through the corporate network and out the corporate Internet connection.

Hope

RE: DHCPv6

[Jason Gauthier]

I need to assign a static address to the server.  As far as I can tell, that is 
against SLAAC, and everything else IPv6 is supposed to make easy.
There might be a reason.  I haven't uncovered it.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, July 12, 2010 10:29 PM
To: NT System Admin Issues
Subject: Re: DHCPv6

No familiarity with DHCPv6, so an ignorant question...

What needs the static address assigned? Is it the machine handing out 
addresses, or the machine receiving the assignment?

And, if the former, why would that be an issue? I would think it pretty much a 
requirement.

I *did* just go to a computer user group in Seattle that had a presentation on 
IPv6, but aside from the fact that it allows for more addresses than we can 
count, and a few other tidbits like getting started with tunneling, it wasn't 
all that informative.

For instance, he did not deal with issues like whether segmenting networks as 
we do now inside the enterprise at the layer2 and layer3 boundaries is still an 
issue in a pure IPv6 environment - I think that was beyond his experience.

Kurt

On Mon, Jul 12, 2010 at 19:18, Jason Gauthier jgauth...@lastar.com wrote:
 Well, after diligence and testing… I’ve solved this.  Windows 2008 
 DHPCv6 will not work reliably without having a static IPv6 address assigned 
 to it.

 I have not decided how I feel about that yet.



 From: Jason Gauthier
 Sent: Friday, July 09, 2010 3:12 PM
 To: NT System Admin Issues
 Subject: DHCPv6



 Greetings,



 I’m struggling with an issue with DHCPv6.   I’m using this, 
 effectively, as stateless.   I have a Cisco router set up to multicast 
 router advertisements.  It is doing so successfully, setting the options 
 “Managed”
 to false, and “Other” to true.



 I have confirmed through network traces and Windows 7 DHCPv6 event 
 logs that it is receiving the announcements, and setting the options 
 correctly.



 This is working good!



 Now, here comes the part that I’m struggling with.  Once the options 
 are set, the client machine should (and does) poll for DHCPv6 options only.

 Again, I’ve confirmed though network traces that this is happening 
 successfully.



 15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
 fe80::188b:8ff9:305c:71a3.546  ff02::1:2.547: [udp sum ok] dhcp6 
 solicit
 (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1 time 
 316484303
 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client FQDN) (vendor 
 class) (option request DNS name DNS vendor-specific info Client FQDN).



 My DHPCv6 server (running netmon) can definitely see the multicast 
 requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn’t respond, 
 acknowledge, or otherwise seem to care.



 Options 23 (DNS Recursive Name) and options 24 (Domain Search List) 
 are set.



 I have done this on two different networks, two different DHCPv6 servers.
 Neither of them responds. Even the statistics do not count up that 
 there was a solicit message.



 I am intending to open a ticket with MS, but sasupport seems to be 
 non-functional for me at the moment.



 So, I thought I would ask here.   All my clients are Windows 7/2008R2, 
 and my two servers are 2008 R2.



 Thanks for reading.



 Jason





~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: DHCPv6

[Jason Gauthier]

SLAAC can operate under two models.  1) It will generate based on the
hardware MAC address. 2) It will generate based on some other token.

Microsoft uses Some other token.  So, there shouldn't be a conflict
with MAC addresses under that platform.


-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, July 13, 2010 12:06 AM
To: NT System Admin Issues
Subject: RE: DHCPv6

So SLAAC will only work if you have unique MAC addresses?

If you use Hyper-V, then the pool of MAC addresses assigned to the
guests is based off a pool generated from the host's IP address. If you
build servers in a build factory, then you'll end up with duplicate MAC
addresses for your guests.

Cheers
Ken

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, 13 July 2010 11:00 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

On Mon, Jul 12, 2010 at 10:29 PM, Kurt Buff kurt.b...@gmail.com wrote:
 No familiarity with DHCPv6, so an ignorant question...

  This is currently the subject of holy wars on forums such as NANOG.

  An IPv6 node can discover the network number, network mask, and local
routers by using router solicitation.  This is part of the core IP
protocol, and in theory should be part of every implementation.
The IPv6 node can then use its MAC address to generate a unique address
on the local network (this is called SLAAC (StateLess Address
Auto-Configuration)).  So an IPv6 node can get a working network layer
on any network, without DHCPv6.

  However, you still need DHCPv6 to find out things like DNS servers.
So SLAAC is only good for layer 3, not for higher layer stuff.

  This has lead to a feud between those who think IPv6 address
assignment should work just like IPv4 -- via DHCP -- since that's what
everyone's infrastructure is built around, and thus SLAAC is just a
waste of resources, vs those who think addresses should come from SLAAC
and DHCPv6 should only be used to discover higher layer stuff.
Implementations behave according to which armed camp they align with.

  Things haven't shaken out yet.  Until they do, I expect IPv6
client-vs-network interoperability (i.e., How do I configure my pee sea
for your net work?) to be a clusterfsck.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: DHCPv6

[Jason Gauthier]

Yes, but DHCP doesn't auto assign itself a useable network address, so
it's not very comparative.

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Tuesday, July 13, 2010 12:50 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

 

DHCP v4 needed the same thing as well did it not???  Only issue I had
was getting former work place higher up the ladder to issue us IP v6
ranges.  They did not want to issue any due to security issues.

 

Jon

On Mon, Jul 12, 2010 at 10:18 PM, Jason Gauthier jgauth...@lastar.com
wrote:

Well, after diligence and testing... I've solved this.  Windows 2008
DHPCv6 will not work reliably without having a static IPv6 address
assigned to it.

I have not decided how I feel about that yet.  

 

From: Jason Gauthier 
Sent: Friday, July 09, 2010 3:12 PM 


To: NT System Admin Issues

Subject: DHCPv6 

 

Greetings,

 

I'm struggling with an issue with DHCPv6.   I'm using this, effectively,
as stateless.   I have a Cisco router set up to multicast router
advertisements.  It is doing so successfully, setting the options
Managed to false, and Other to true.

 

I have confirmed through network traces and Windows 7 DHCPv6 event logs
that it is receiving the announcements, and setting the options
correctly.

 

This is working good!

 

Now, here comes the part that I'm struggling with.  Once the options are
set, the client machine should (and does) poll for DHCPv6 options only.

Again, I've confirmed though network traces that this is happening
successfully.

 

15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
fe80::188b:8ff9:305c:71a3.546  ff02::1:2.547: [udp sum ok] dhcp6
solicit (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1
time 316484303 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client
FQDN) (vendor class) (option request DNS name DNS vendor-specific info
Client FQDN).

 

My DHPCv6 server (running netmon) can definitely see the multicast
requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn't respond,
acknowledge, or otherwise seem to care.

 

Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
set.  

 

I have done this on two different networks, two different DHCPv6
servers.  Neither of them responds. Even the statistics do not count up
that there was a solicit message.

 

I am intending to open a ticket with MS, but sasupport seems to be
non-functional for me at the moment.

 

So, I thought I would ask here.   All my clients are Windows 7/2008R2,
and my two servers are 2008 R2.

 

Thanks for reading.

 

Jason

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: DHCPv6

[Jason Gauthier]

It just seems counter intuitive that I do not need to assign static
addresses on my routers, but I do on a DHCP server.  It receives
multicast addresses, and it should respond to multicast addresses...
it's assigned address shouldn't matter (to me)

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Tuesday, July 13, 2010 1:51 AM
To: NT System Admin Issues
Subject: Re: DHCPv6

Why? It's not any different from the static IP requirements in IPv4
networks.

On 7/12/2010 9:18 PM, Jason Gauthier wrote:
 Well, after diligence and testing... I've solved this.  Windows 2008
 DHPCv6 will not work reliably without having a */_static_/* IPv6 
 address assigned to it.
 
 I have not decided how I feel about that yet. 

-- 

Phil Brutsche
p...@optimumdata.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: DHCPv6

[Jason Gauthier]

Well, after diligence and testing... I've solved this.  Windows 2008
DHPCv6 will not work reliably without having a static IPv6 address
assigned to it.

I have not decided how I feel about that yet.  

 

From: Jason Gauthier 
Sent: Friday, July 09, 2010 3:12 PM
To: NT System Admin Issues
Subject: DHCPv6

 

Greetings,

 

I'm struggling with an issue with DHCPv6.   I'm using this, effectively,
as stateless.   I have a Cisco router set up to multicast router
advertisements.  It is doing so successfully, setting the options
Managed to false, and Other to true.

 

I have confirmed through network traces and Windows 7 DHCPv6 event logs
that it is receiving the announcements, and setting the options
correctly.

 

This is working good!

 

Now, here comes the part that I'm struggling with.  Once the options are
set, the client machine should (and does) poll for DHCPv6 options only.

Again, I've confirmed though network traces that this is happening
successfully.

 

15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
fe80::188b:8ff9:305c:71a3.546  ff02::1:2.547: [udp sum ok] dhcp6
solicit (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1
time 316484303 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client
FQDN) (vendor class) (option request DNS name DNS vendor-specific info
Client FQDN).

 

My DHPCv6 server (running netmon) can definitely see the multicast
requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn't respond,
acknowledge, or otherwise seem to care.

 

Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
set.  

 

I have done this on two different networks, two different DHCPv6
servers.  Neither of them responds. Even the statistics do not count up
that there was a solicit message.

 

I am intending to open a ticket with MS, but sasupport seems to be
non-functional for me at the moment.

 

So, I thought I would ask here.   All my clients are Windows 7/2008R2,
and my two servers are 2008 R2.

 

Thanks for reading.

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

DHCPv6

[Jason Gauthier]

Greetings,

 

I'm struggling with an issue with DHCPv6.   I'm using this, effectively,
as stateless.   I have a Cisco router set up to multicast router
advertisements.  It is doing so successfully, setting the options
Managed to false, and Other to true.

 

I have confirmed through network traces and Windows 7 DHCPv6 event logs
that it is receiving the announcements, and setting the options
correctly.

 

This is working good!

 

Now, here comes the part that I'm struggling with.  Once the options are
set, the client machine should (and does) poll for DHCPv6 options only.

Again, I've confirmed though network traces that this is happening
successfully.

 

15:03:45.012474 IP6 (hlim 1, next-header UDP (17) payload length: 110)
fe80::188b:8ff9:305c:71a3.546  ff02::1:2.547: [udp sum ok] dhcp6
solicit (xid=fd9725 (elapsed time 3100) (client ID hwaddr/time type 1
time 316484303 00155d320606) (IA_NA IAID:369104221 T1:0 T2:0) (Client
FQDN) (vendor class) (option request DNS name DNS vendor-specific info
Client FQDN).

 

My DHPCv6 server (running netmon) can definitely see the multicast
requests sent to FF02:0:0:0:0:0:2:1.  However, it doesn't respond,
acknowledge, or otherwise seem to care.

 

Options 23 (DNS Recursive Name) and options 24 (Domain Search List) are
set.  

 

I have done this on two different networks, two different DHCPv6
servers.  Neither of them responds. Even the statistics do not count up
that there was a solicit message.

 

I am intending to open a ticket with MS, but sasupport seems to be
non-functional for me at the moment.

 

So, I thought I would ask here.   All my clients are Windows 7/2008R2,
and my two servers are 2008 R2.

 

Thanks for reading.

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Patch Management - again

[Jason Gauthier]

Except that doesn't upgrade the kernel or any other OS libraries.  It's not 
full patch management.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Saturday, June 12, 2010 8:58 PM
To: NT System Admin Issues
Subject: Re: Patch Management - again

'portupgrade -a'

FreeBSD is ridiculously easy to maintain.

And, for monitoring programs installed from ports, there's portaudit, which 
sends a daily email.

Kurt

On Fri, Jun 11, 2010 at 12:59, Alex Eckelberry al...@sunbelt-software.com 
wrote:
  WSUS.

 What do you do about non-Windows patching?

 Alex


 -Original Message-
 From: Ben Scott [mailto:mailvor...@gmail.com]
 Sent: Thursday, June 10, 2010 11:30 AM
 To: NT System Admin Issues
 Subject: Re: Patch Management - again

 On Thu, Jun 10, 2010 at 11:17 AM, Joseph Heaton jhea...@dfg.ca.gov wrote:
 What are you guys using for automating patch management for your servers?

  WSUS.

 -- Ben

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: OTish: Wireless network configuration

[Jason Gauthier]

You use NMAP to do network scans to determine what is accessible and what isn't.


-Original Message-
From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Wednesday, June 09, 2010 3:04 PM
To: NT System Admin Issues
Subject: RE: OTish: Wireless network configuration

I wasn't involved in the implementation, so I really couldn't say how it was 
done here. I know that I can't get to any of our 'protected' network segments 
but I haven't done any scientific pen testing.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, June 09, 2010 2:18 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

Understand that - how do you verify it that it works as designed?

On Wed, Jun 9, 2010 at 06:33, Joe Tinney jtin...@lastar.com wrote:
 Access control and routing is done by our core firewall and router for all of 
 our networks. This is the configuration that Phil is referring to.

 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Tuesday, June 08, 2010 10:34 PM
 To: NT System Admin Issues
 Subject: Re: OTish: Wireless network configuration

 I wonder how you verify the security of such an arrangement?

 On Tue, Jun 8, 2010 at 19:20, Joe Tinney jtin...@lastar.com wrote:
 While I'm not the one that configured them, our Cisco wireless access points 
 are configured with two SSID's: one on a VLAN that goes to our transparent 
 proxy and without access to our other networks and the other on a VLAN that 
 functions just like our client wired network segment. The first one is an 
 open Guest network and the latter is WPA2 secured.

 I'm not sure what your network devices would enable you to do but this has 
 been rock solid configuration for us.

 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Tuesday, June 08, 2010 7:29 PM
 To: NT System Admin Issues
 Subject: OTish: Wireless network configuration

 All,

 We've got a decent wireless network at $WORK, but I'm dissatisified with it, 
 because it lacks good guest access.

 We have 18 Cisco 1240ag WAPs talking with 3 HP POE switches, which currently 
 are in our HP 3400cl layer 3 switch on our production network. There's a 
 single SSID across all of them, and I've got them all configured on a single 
 VLAN. Works great, but as mentioned there is no guest access.

 I could just stick them all physically outside our firewall, and give the 
 wireless users an IPSec VPN client, but I really would prefer not to do that.

 I've been doing some reading, but don't have a good handle on how to move to 
 a configuration that would work well - without the VPN, that is.

 I'm casting about for ideas - anyone have a solution they like?
 Preferably without spending tons of money, of course.

 Kurt

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: OTish: Wireless network configuration

[Jason Gauthier]

You should provide specifics, instead of ambiguity.
Ambiguity helps no one, last I checked.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, June 09, 2010 4:50 PM
To: NT System Admin Issues
Subject: Re: OTish: Wireless network configuration

And more than that will be needed, as well.

On Wed, Jun 9, 2010 at 13:44, Phil Brutsche p...@optimumdata.com wrote:
 Or use Wireshark to make sure you don't see traffic you shouldn't.

 On 6/9/2010 3:41 PM, Jason Gauthier wrote:
 You use NMAP to do network scans to determine what is accessible and what 
 isn't.

 --

 Phil Brutsche
 p...@optimumdata.com

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
 http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 2008 - Page file

[Jason Gauthier]

To consolidate all questions:

 

How large is the volume? Is it Basic, Dynamic, or GPT?

34G, Basic.

Windows x64

 

Is this a physical machine or a Hyper-V VM?

It's a VM.

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

Nope, I cannot. I tried several volumes, even a 1G file does not create.

 

B -- What are the permissions on the root of D:\  ?

 

The Same as C: (without printing them here) - SYSTEM has full access.

 

Thanks!

 

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Wednesday, February 03, 2010 7:11 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

B -- What are the permissions on the root of D:\  ?


-ASB: http://XeeSM.com/AndrewBaker



On Tue, Feb 2, 2010 at 4:29 PM, Jason Gauthier jgauth...@lastar.com
wrote:

All,

 

I've hit a road block.  I'm trying to set Windows 2008 (x64) to use
a page file on the D: drive. However, it just does not seem to want to
comply.

 

First, I used the built in GUI tools.  I set the C: drive to 800-1024,
and the D: drive to 34000.  I committed my settings with Set and
rebooted.

After reboot, C: was set to 800, but nothing was changed on D:.

 

I verified in the registry, and the settings are accurate. (Also in the
GUI still)

I've check drive permissions, but they seem to be in order.

 

So, I removed the page file on D: and I attempted to set it with wmic:

 

wmic.exe pagefileset create name=D:\pagefile.sys 

wmic pagefileset where name=D:\\pagefile.sys set
InitialSize=17000,MaximumSize=17000

 

Both commands came back successful. I rebooted.   Nothing on D:, but the
GUI and registry setting complement each other.

 

I removed the page file from C: and tried to set it on D: only.  After
rebooting windows reports that a temporary page file was created.  Sure
enough. On my C: drive is a page file that is 16G (the equivalent of
physical memory)

 

I've tried other drives that I attached as well.  Same situation.  

 

What is going on here?  I appreciate the help.

 

Thanks,

 

Jason

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 2008 - Page file

[Jason Gauthier]

No, there isn't.. but it does not work on any volume other than C:!  I
have 4 other volumes attached.

But, what the heck. It's something to try!

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Wednesday, February 03, 2010 9:09 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

Is there anything else on D: ?  If not, you could always delete the
volume and start over.

On Wed, Feb 3, 2010 at 8:51 AM, Jason Gauthier jgauth...@lastar.com
wrote:

To consolidate all questions:

 

How large is the volume? Is it Basic, Dynamic, or GPT?

34G, Basic.

Windows x64

 

Is this a physical machine or a Hyper-V VM?

It's a VM.

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

Nope, I cannot. I tried several volumes, even a 1G file does not create.

 

B -- What are the permissions on the root of D:\  ?

 

The Same as C: (without printing them here) - SYSTEM has full access.

 

Thanks!

 

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Wednesday, February 03, 2010 7:11 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

B -- What are the permissions on the root of D:\  ?


-ASB: http://XeeSM.com/AndrewBaker

On Tue, Feb 2, 2010 at 4:29 PM, Jason Gauthier jgauth...@lastar.com
wrote:

All,

 

I've hit a road block.  I'm trying to set Windows 2008 (x64) to use
a page file on the D: drive. However, it just does not seem to want to
comply.

 

First, I used the built in GUI tools.  I set the C: drive to 800-1024,
and the D: drive to 34000.  I committed my settings with Set and
rebooted.

After reboot, C: was set to 800, but nothing was changed on D:.

 

I verified in the registry, and the settings are accurate. (Also in the
GUI still)

I've check drive permissions, but they seem to be in order.

 

So, I removed the page file on D: and I attempted to set it with wmic:

 

wmic.exe pagefileset create name=D:\pagefile.sys 

wmic pagefileset where name=D:\\pagefile.sys set
InitialSize=17000,MaximumSize=17000

 

Both commands came back successful. I rebooted.   Nothing on D:, but the
GUI and registry setting complement each other.

 

I removed the page file from C: and tried to set it on D: only.  After
rebooting windows reports that a temporary page file was created.  Sure
enough. On my C: drive is a page file that is 16G (the equivalent of
physical memory)

 

I've tried other drives that I attached as well.  Same situation.  

 

What is going on here?  I appreciate the help.

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 2008 - Page file

[Jason Gauthier]

Wow. That was it! Had to be IDE.  Amazing.

 

Thanks!

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Wednesday, February 03, 2010 9:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

Related?

 

http://social.technet.microsoft.com/Forums/en/windowsserver2008r2virtual
ization/thread/5f2e9099-907d-4d84-8736-ed99f66f8328

On Wed, Feb 3, 2010 at 9:25 AM, Jason Gauthier jgauth...@lastar.com
wrote:

No, there isn't.. but it does not work on any volume other than C:!  I
have 4 other volumes attached.

But, what the heck. It's something to try!

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Wednesday, February 03, 2010 9:09 AM


To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

Is there anything else on D: ?  If not, you could always delete the
volume and start over.

On Wed, Feb 3, 2010 at 8:51 AM, Jason Gauthier jgauth...@lastar.com
wrote:

To consolidate all questions:

 

How large is the volume? Is it Basic, Dynamic, or GPT?

34G, Basic.

Windows x64

 

Is this a physical machine or a Hyper-V VM?

It's a VM.

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

Nope, I cannot. I tried several volumes, even a 1G file does not create.

 

B -- What are the permissions on the root of D:\  ?

 

The Same as C: (without printing them here) - SYSTEM has full access.

 

Thanks!

 

 

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Wednesday, February 03, 2010 7:11 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 - Page file

 

A -- Can you make it a smaller number?  Say, 2GB or 4GB?

 

B -- What are the permissions on the root of D:\  ?


-ASB: http://XeeSM.com/AndrewBaker

On Tue, Feb 2, 2010 at 4:29 PM, Jason Gauthier jgauth...@lastar.com
wrote:

All,

 

I've hit a road block.  I'm trying to set Windows 2008 (x64) to use
a page file on the D: drive. However, it just does not seem to want to
comply.

 

First, I used the built in GUI tools.  I set the C: drive to 800-1024,
and the D: drive to 34000.  I committed my settings with Set and
rebooted.

After reboot, C: was set to 800, but nothing was changed on D:.

 

I verified in the registry, and the settings are accurate. (Also in the
GUI still)

I've check drive permissions, but they seem to be in order.

 

So, I removed the page file on D: and I attempted to set it with wmic:

 

wmic.exe pagefileset create name=D:\pagefile.sys 

wmic pagefileset where name=D:\\pagefile.sys set
InitialSize=17000,MaximumSize=17000

 

Both commands came back successful. I rebooted.   Nothing on D:, but the
GUI and registry setting complement each other.

 

I removed the page file from C: and tried to set it on D: only.  After
rebooting windows reports that a temporary page file was created.  Sure
enough. On my C: drive is a page file that is 16G (the equivalent of
physical memory)

 

I've tried other drives that I attached as well.  Same situation.  

 

What is going on here?  I appreciate the help.

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Windows 2008 - Page file

[Jason Gauthier]

All,

 

I've hit a road block.  I'm trying to set Windows 2008 (x64) to use
a page file on the D: drive. However, it just does not seem to want to
comply.

 

First, I used the built in GUI tools.  I set the C: drive to 800-1024,
and the D: drive to 34000.  I committed my settings with Set and
rebooted.

After reboot, C: was set to 800, but nothing was changed on D:.

 

I verified in the registry, and the settings are accurate. (Also in the
GUI still)

I've check drive permissions, but they seem to be in order.

 

So, I removed the page file on D: and I attempted to set it with wmic:

 

wmic.exe pagefileset create name=D:\pagefile.sys 

wmic pagefileset where name=D:\\pagefile.sys set
InitialSize=17000,MaximumSize=17000

 

Both commands came back successful. I rebooted.   Nothing on D:, but the
GUI and registry setting complement each other.

 

I removed the page file from C: and tried to set it on D: only.  After
rebooting windows reports that a temporary page file was created.  Sure
enough. On my C: drive is a page file that is 16G (the equivalent of
physical memory)

 

I've tried other drives that I attached as well.  Same situation.  

 

What is going on here?  I appreciate the help.

 

Thanks,

 

Jason

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 2008 - Page file

[Jason Gauthier]

Yes, NTFS.. and SQUAT in the event log!

 

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Tuesday, February 02, 2010 4:55 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 - Page file

 

Nothing in the Event Logs? 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: james.h...@superamart.com.au [mailto:james.h...@superamart.com.au]

Sent: Tuesday, February 02, 2010 4:39 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 - Page file

 

Haven't seen that one.  I know this isn't any help but I have changed
the page file to a different drive on and 08 box via the gui and it
worked.

 

So as you already know, it should work.

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, 3 February 2010 7:30 AM
To: NT System Admin Issues
Subject: Windows 2008 - Page file

 

All,

 

I've hit a road block.  I'm trying to set Windows 2008 (x64) to use
a page file on the D: drive. However, it just does not seem to want to
comply.

 

First, I used the built in GUI tools.  I set the C: drive to 800-1024,
and the D: drive to 34000.  I committed my settings with Set and
rebooted.

After reboot, C: was set to 800, but nothing was changed on D:.

 

I verified in the registry, and the settings are accurate. (Also in the
GUI still)

I've check drive permissions, but they seem to be in order.

 

So, I removed the page file on D: and I attempted to set it with wmic:

 

wmic.exe pagefileset create name=D:\pagefile.sys 

wmic pagefileset where name=D:\\pagefile.sys set
InitialSize=17000,MaximumSize=17000

 

Both commands came back successful. I rebooted.   Nothing on D:, but the
GUI and registry setting complement each other.

 

I removed the page file from C: and tried to set it on D: only.  After
rebooting windows reports that a temporary page file was created.  Sure
enough. On my C: drive is a page file that is 16G (the equivalent of
physical memory)

 

I've tried other drives that I attached as well.  Same situation.  

 

What is going on here?  I appreciate the help.

 

Thanks,

 

Jason

 

 

 

 

 

 

 



This message, and any attachments to it, may contain information that is
privileged, confidential, and exempt from disclosure under applicable
law. If the reader of this message is not the intended recipient, you
are notified that any use, dissemination, distribution, copying, or
communication of this message is strictly prohibited. If you have
received this message in error, please notify the sender immediately by
return e-mail and delete the message and any attachments. Thank you. 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Microsoft 24x7 Problem Resolution

[Jason Gauthier]

All,

 

  I am looking for a little help.  As many of you are aware MS changed
their Software Assurance site.   It just so happens, that I am a new EA
customer.  I wanted to use the unlimited web tickets resource.  In order
to do that, I need to activate my benefits.

 

However, due to a system failure on their end, I cannot.

 

Is there any way to use the web ticket functionality without going
through this process?

 

Thanks,

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Symlinks.. UNC... Possibilities

[Jason Gauthier]

All,

 

Using Windows 2008's ability to create symlinks I would like to
achieve the following goal:

 

  Using SCVMM's library features, create a symlink in the directory that
points to my storage of ISOs on another server.  (I do not want to
duplicate ISOs).

 

 

What I have done:

  * I have created symlinking ability with fsutil.  I've enabled all the
policies.

 * I have changed the system service accounts of VMM, and given the
paths the appropriate permissions

 * I have verified the user can browse locally.

 

What doesn't work, but I expect it should:

* Browsing to the library.  When I select the Symlink I get The
symbolic link cannot be followed because its type is disallowed

   I read this is solved by enabling the policies with
fsutil..  I did that (L2L, R2L, L2R, and R2R all set to 1)

* When refreshing the SCVMM library, I receive an error:

VMM could not find the specified path
\\VM-SysCen-01.ctg.com\MSSCVMMLibrary\VLK ISOs\Windows
2008\Windows_Svr_2008R2_64-bit.ISO on the VM-SysCen-01.ctg.com server.

 

Ensure that you have specified a valid file name parameter, and then try
the operation again.

 

ID: 2904

Details: The system cannot find the path specified (0x80070003)

 

This is not a specific file issue.  I've tried to put a different one
there.

Additionally, when refreshing, procmon gives a few interesting things:

 

 

5:13:18.9492881 PM   vmmAgent.exe  1924   CreateFile\\itnas\it\VLK
ISOs\Windows 2008  REPARSE   Desired Access: Read Data/List
Directory, Synchronize, Disposition: Open, Options: Directory,
Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
Delete, AllocationSize: n/a, OpenResult: unknown

5:13:18.9577624 PM   vmmAgent.exe  1924   CreateFile\\itnas\it\VLK
ISOs\Windows 2008  SUCCESS   Desired Access: Read Data/List
Directory, Synchronize, Disposition: Open, Options: Directory,
Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
Delete, AllocationSize: n/a, OpenResult: Opened

5:13:18.9600948 PM   vmmAgent.exe  1924   QueryDirectory
\\itnas\it\VLK ISOs\Windows 2008\* SUCCESS   Filter: *, 1: .

5:13:18.9615475 PM   vmmAgent.exe  1924   QueryDirectory
\\itnas\it\VLK ISOs\Windows 2008  SUCCESS   0: .., 1:
Windows_Svr_2008R2_64-bit.ISO, 2: VLK.txt

5:13:18.9652212 PM   vmmAgent.exe  1924   QueryDirectory
\\itnas\it\VLK ISOs\Windows 2008  NO MORE FILES  

5:13:18.9652664 PM   vmmAgent.exe  1924   CloseFile \\itnas\it\VLK
ISOs\Windows 2008  SUCCESS   

 

 

Any assistance in this would be greatly appreciated.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: RSAT For windows 7 RC

[Jason Gauthier]

Stephen,

 

I downloaded the file from there, but it tells me that it is not
applicable to my system!

 

Don, 

 

   x64!  I would appreciate it! And since my zip scanner is aggressive,
would you rename the file extension to something like .txt? ;)

 

Much appreciated!

 

Jason

 

From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Tuesday, October 06, 2009 9:34 AM
To: NT System Admin Issues
Subject: Re: RSAT For windows 7 RC

 

Try this:

http://www.microsoft.com/downloads/details.aspx?displaylang=enFamilyID=
7d2f6ad7-656b-4313-a005-4e344e43997d

I saved this from my windows 7 x64 install and it's working just fine!




On Tue, Oct 6, 2009 at 8:33 AM, Don Guyer don.gu...@prufoxroach.com
wrote:

Jason,

 

X86 or 64-bit? I'll Zip it and send offline.

 

Thx,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Monday, October 05, 2009 7:00 PM
To: NT System Admin Issues
Subject: RSAT For windows 7 RC

 

All,

 

  MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
link?   I had to reinstall my RC, and alas.. no tools!

 

Thanks,

 

Jason

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: RSAT For windows 7 RC

[Jason Gauthier]

I wonder if I am missing something?  I realized it was too large as
well.. just a moment too late.  It's like 220M!

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 12:02 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Too large to e-mail.

 

I got the file from that same website originally.

 

Sorry,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 11:50 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Will do.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 11:49 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Stephen,

 

I downloaded the file from there, but it tells me that it is not
applicable to my system!

 

Don, 

 

   x64!  I would appreciate it! And since my zip scanner is aggressive,
would you rename the file extension to something like .txt? ;)

 

Much appreciated!

 

Jason

 

From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Tuesday, October 06, 2009 9:34 AM
To: NT System Admin Issues
Subject: Re: RSAT For windows 7 RC

 

Try this:

http://www.microsoft.com/downloads/details.aspx?displaylang=enFamilyID=
7d2f6ad7-656b-4313-a005-4e344e43997d

I saved this from my windows 7 x64 install and it's working just fine!

On Tue, Oct 6, 2009 at 8:33 AM, Don Guyer don.gu...@prufoxroach.com
wrote:

Jason,

 

X86 or 64-bit? I'll Zip it and send offline.

 

Thx,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Monday, October 05, 2009 7:00 PM
To: NT System Admin Issues
Subject: RSAT For windows 7 RC

 

All,

 

  MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
link?   I had to reinstall my RC, and alas.. no tools!

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: RSAT For windows 7 RC

[Jason Gauthier]

I  have a 64 and 32 bit Win7 RC.

 

I've downloaded both, and both give the same results on both systems.
The actual file in those downloads must now be for the RTM.

They definitely do not work on the RC.

 

 

From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Tuesday, October 06, 2009 12:06 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Did you download the one for 64 bit systems?

 

amd64fre_GRMRSATX_MSU.msu

 

 

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 12:05 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

I wonder if I am missing something?  I realized it was too large as
well.. just a moment too late.  It's like 220M!

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 12:02 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Too large to e-mail.

 

I got the file from that same website originally.

 

Sorry,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 11:50 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Will do.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 11:49 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Stephen,

 

I downloaded the file from there, but it tells me that it is not
applicable to my system!

 

Don, 

 

   x64!  I would appreciate it! And since my zip scanner is aggressive,
would you rename the file extension to something like .txt? ;)

 

Much appreciated!

 

Jason

 

From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Tuesday, October 06, 2009 9:34 AM
To: NT System Admin Issues
Subject: Re: RSAT For windows 7 RC

 

Try this:

http://www.microsoft.com/downloads/details.aspx?displaylang=enFamilyID=
7d2f6ad7-656b-4313-a005-4e344e43997d

I saved this from my windows 7 x64 install and it's working just fine!

On Tue, Oct 6, 2009 at 8:33 AM, Don Guyer don.gu...@prufoxroach.com
wrote:

Jason,

 

X86 or 64-bit? I'll Zip it and send offline.

 

Thx,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Monday, October 05, 2009 7:00 PM
To: NT System Admin Issues
Subject: RSAT For windows 7 RC

 

All,

 

  MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
link?   I had to reinstall my RC, and alas.. no tools!

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: RSAT For windows 7 RC

[Jason Gauthier]

In the subject and the email body :P

 

From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Tuesday, October 06, 2009 12:13 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Ah.  Sorry.  I missed the part about it being installed on RC1.

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 12:11 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

I  have a 64 and 32 bit Win7 RC.

 

I've downloaded both, and both give the same results on both systems.
The actual file in those downloads must now be for the RTM.

They definitely do not work on the RC.

 

 

From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Tuesday, October 06, 2009 12:06 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Did you download the one for 64 bit systems?

 

amd64fre_GRMRSATX_MSU.msu

 

 

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 12:05 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

I wonder if I am missing something?  I realized it was too large as
well.. just a moment too late.  It's like 220M!

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 12:02 PM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Too large to e-mail.

 

I got the file from that same website originally.

 

Sorry,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Tuesday, October 06, 2009 11:50 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Will do.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Tuesday, October 06, 2009 11:49 AM
To: NT System Admin Issues
Subject: RE: RSAT For windows 7 RC

 

Stephen,

 

I downloaded the file from there, but it tells me that it is not
applicable to my system!

 

Don, 

 

   x64!  I would appreciate it! And since my zip scanner is aggressive,
would you rename the file extension to something like .txt? ;)

 

Much appreciated!

 

Jason

 

From: Stephen Wimberly [mailto:riverside...@gmail.com] 
Sent: Tuesday, October 06, 2009 9:34 AM
To: NT System Admin Issues
Subject: Re: RSAT For windows 7 RC

 

Try this:

http://www.microsoft.com/downloads/details.aspx?displaylang=enFamilyID=
7d2f6ad7-656b-4313-a005-4e344e43997d

I saved this from my windows 7 x64 install and it's working just fine!

On Tue, Oct 6, 2009 at 8:33 AM, Don Guyer don.gu...@prufoxroach.com
wrote:

Jason,

 

X86 or 64-bit? I'll Zip it and send offline.

 

Thx,

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Monday, October 05, 2009 7:00 PM
To: NT System Admin Issues
Subject: RSAT For windows 7 RC

 

All,

 

  MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
link?   I had to reinstall my RC, and alas.. no tools!

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RSAT For windows 7 RC

[Jason Gauthier]

All,

 

  MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
link?   I had to reinstall my RC, and alas.. no tools!

 

Thanks,

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Windows 7 RC

[Jason Gauthier]

All,

 

  I've been waiting to see if any one reported.  Will the beta keys work
with the RC?

 

Thanks!


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Error authenticating to exchange

[Jason Gauthier]

Hey all,

 

   I'm having a strange authentication problem.   I created a DC, and moved it 
into a lab. I removed all other DCs from it, and secluded it.  I did a system 
state restore of my exchange server and restored the exchange database.  This 
seemed to go well, except the exchange server did not quite negotiate the 
secure channel properly.   I'm not sure why, I do not usually have that problem 
with this process.  I used net to remove it and rejoin it to the domain.

 

It *appears* to work fine.  I can log in, and the services run.   I installed 
Office onto the DC so I can do some tests with outlook.

When my MAPI profile attempts to connect to exchange, I am prompted for a 
password.  I enter my credentials, my exchange service account credentials, and 
anything that will work.  however, none do :(

 

I see the event log below.   Things of interest to note.  The Logon Process 
text is high ascii.  The status code 0xC06D usually means bad 
username/password.  That is definitely not the case here.

 

Any suggestions?  Dcdiag, netdiag all pass basic tests.  All servers are win2k3 
with SP2.   Exchange is also 2003 with SP2.

 

Thanks for any help!

 

Logon Failure:

  Reason:   An error occurred during logon

  User Name:  jgauthier

  Domain:   CTG

  Logon Type: 3

  Logon Process:�0

  Authentication Package: NTLM

  Workstation Name: LABDC

  Status code:  0xC06D

  Substatus code:   0x0

  Caller User Name: -

  Caller Domain:-

  Caller Logon ID:  -

  Caller Process ID:  -

  Transited Services: -

  Source Network Address: 192.168.50.10

  Source Port:  4086

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Error authenticating to exchange

[Jason Gauthier]

Slap me silly and hand me a Barbi but I can never get netdom resetpwd to 
work. EVER.

 

The machine account password for the local machine could not be reset.

 

The specified domain either does not exist or could not be contacted.

 

The command failed to complete successfully.

 

How would you approach it?  This process is usually perfect for me to get a lab 
instance of my domain and exchange.

m open to alternatives.

 

From: Michael B. Smith [mailto:mich...@owa.smithcons.com] 
Sent: Tuesday, April 21, 2009 4:18 PM
To: NT System Admin Issues
Subject: RE: Error authenticating to exchange

 

There are SO many potential problems here, it isn't even funny.

 

Try a netdom resetpwd. If that doesn't work - I'd probably approach this 
problem differently.

 



From: Jason Gauthier [jgauth...@lastar.com]
Sent: Tuesday, April 21, 2009 4:15 PM
To: NT System Admin Issues
Subject: Error authenticating to exchange

Hey all,

 

 

It *appears* to work f  I can log in, and the services ru I installed Office 
onto the DC so I can do some tests with outlook.

When my MAPI profile attempts to connect to exchange, I am prompted for a passw 
 I enter my credentials, my exchange service account credentials, and anything 
that will work. however, none do :(

 

I see the event log below Things of interest to note The Logon Process text 
is high asc  The status code 0xC06D usually means bad username/passwor 
That is definitely not the case here.

 

Any suggestion Dcdiag, netdiag all pass basic tes  All servers are win2k3 with 
Exchange is also 2003 with SP2.

 

Thanks for any help!

 

Logon Failure:

  Workstation Name: LABDC

  Status c 0xC06D

  Transited Service -

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Error authenticating to exchange

[Jason Gauthier]

Huh.  I thought it was concerned with the GUID.  Alright. I will give that a 
try. Thanks.

 

From: Michael B. Smith [mailto:mich...@owa.smithcons.com] 
Sent: Tuesday, April 21, 2009 4:32 PM
To: NT System Admin Issues
Subject: RE: Error authenticating to exchange

 

Database portability works fine.

 

So...you are fine with your DC process (as long as you make it a GC first 
before disconnecting it from the domain).

 

Then delete the exchange server from the lab ad. build a new server, name it 
the same thing, join it to the lab ad, and then restore the database.

 

Exchange doesn't care about the server GUID. Only it's name.

 

 



From: Jason Gauthier [jgauth...@lastar.com]
Sent: Tuesday, April 21, 2009 4:25 PM
To: NT System Admin Issues
Subject: RE: Error authenticating to exchange

Slap me silly and hand me a Ba but I can never get netdom resetpwd to work. 
EVER.

 

The machine account password for the local machine could not be reset.

 

The specified domain either does not exist or could not be contacted.

 

The command failed to complete successfully.

 

How would you approach it This process is usually perfect for me to get a lab 
instance of my domain and exchange.

Im open to alternatives.

 

From: Michael B. Smith [mailto:mich...@owa.smithcons.com] 
Sent: Tuesday, April 21, 2009 4:18 PM
To: NT System Admin Issues
Subject: RE: Error authenticating to exchange

 

There are SO many potential problems here, it isn't even funny.

 

Try a netdom resetpwd. If that doesn't work - I'd probably approach this 
problem differently.

 



From: Jason Gauthier [jgauth...@lastar.com]
Sent: Tuesday, April 21, 2009 4:15 PM
To: NT System Admin Issues
Subject: Error authenticating to exchange

Hey all,

 

 

It *appears* to work f  I can log in, and the services ru I installed Office 
onto the DC so I can do some tests with outlook.

When my MAPI profile attempts to connect to exchange, I am prompted for a passw 
 I enter my credentials, my exchange service account credentials, and anything 
that will work. however, none do :(

 

I see the event log below Things of interest to note The Logon Process text 
is high asc  The status code 0xC06D usually means bad username/passwor 
That is definitely not the case here.

 

Any suggestion Dcdiag, netdiag all pass basic tes  All servers are win2k3 with 
Exchange is also 2003 with SP2.

 

Thanks for any help!

 

Logon Failure:

  Workstation Name: LABDC

  Status c 0xC06D

  Transited Service -

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Bind Errors

[Jason Gauthier]

Hey all,

 

  I have a system that stopped being able to bind to domain controllers
recently.I was thinking initially the problem was the domain
controllers. Both had gone through a few patches.  But even removing the
patches did not seem to resolve the problem.

 

Since the server itself was a simple IAS system (remote access - no
firewall), I went ahead and just reinstalled it on a different server.

I exported and imported the Remote Access and DHCP Server configs and
was up and running in no time.

 

Immediately, the same problem started to occur.  I believe now, it's a
specific problem with IAS.

 

Using ntdsutil for simple binding I am seeing this:

 

H:\ntdsutil

ntdsutil: meta clean

metadata cleanup: connect

server connections: connect to server serverx1

Binding to serverx1...

DsBindW error 0x6d9(There are no more endpoints available from the
endpoint mapp

er.)

server connections: connect to server serverx2

Binding to serverx2...

DsBindW error 0x6d9(There are no more endpoints available from the
endpoint mapp

er.)

server connections: connect to server serverx3

Binding to serverx3 ...

Connected to serverx3 using credentials of locally logged on user.

server connections:

 

 

As you can see, the third server worked!

Does anyone have any suggestions?  My x1 and x2 are the primaries at
this site.

 

Thanks,

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

SAML Tokens

[Jason Gauthier]

All,

 

  Any there any versions of Windows server that can issue SAML tokens?

 

Thanks!

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

OOO responsibility

[Jason Gauthier]

All,

 

 Wanted to take a poll.

 

  How many of you in IT positions are responsible for setting other
people's OOO when they forget?

This has been a recent point of irritation for me.

 

Thanks!

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: OOO responsibility

[Jason Gauthier]

My users can too.. but not when they go on vacation and forget.


 -Original Message-
 From: Cameron Cooper [mailto:ccoo...@aurico.com]
 Sent: Monday, February 23, 2009 9:57 AM
 To: NT System Admin Issues
 Subject: RE: OOO responsibility
 
 All our users can set this themselves.  Being a small company it
allows
 us to go around and teach everyone on new policies/technologies.
 
 ___
 Cameron Cooper
 IT Director - CompTIA A+ Certified
 Aurico Reports, Inc
 Phone: 847-890-4021Fax: 847-255-1896
 ccoo...@aurico.com
 
 
 
 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: And now for something completely different... Apple's Revolutionary New Product

[Jason Gauthier]

It's the onion.

-Original Message-
From: Brumbaugh, Luke [mailto:luke.brumba...@butlerahs.com] 
Sent: Tuesday, January 13, 2009 11:13 AM
To: NT System Admin Issues
Subject: RE: And now for something completely different... Apple's
Revolutionary New Product

Is this a joke, 'a few hundred turns of wheel', 'hummingbird lasts a
full 18 min before a recharge', 'for people who do work and not just
dicking around'

-Original Message-
From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Tuesday, January 13, 2009 10:46 AM
To: NT System Admin Issues
Subject: RE: And now for something completely different... Apple's
Revolutionary New Product

WAY back in the mid-50's (yeah, some of us truly ARE grouchy old men!),
a 
neighbor had a toy typewriter like this.  It was cased in lithographed 
tin, had a wheel with the letters on it, and a button which would move

the head between the ink pad and the paper.  (Sort-of like the old Dyno 
tape lable makers.)  Slow, messy, and we cut ourselves frequently on the

exposed tin edges, but hey, we were pre-schoolers and couldn't read 
anyway!

It'd be ironic if someone representing Hasboro or Marx went after Apple 
claiming intellectual property rights!
--
Richard McClary, Systems Administrator
ASPCA Knowledge Management
1717 S Philo Rd, Ste 36, Urbana, IL  61802
217-337-9761
http://www.aspca.org


Todd Lemmiksoo tlemmik...@all-mode.com wrote on 01/12/2009 04:27:10 
PM:

 45 minutes for one e-mail! Did write a book in the email?
 
 From: Michael B. Smith [mailto:mich...@theessentialexchange.com] 
 Sent: Monday, January 12, 2009 5:17 PM
 To: NT System Admin Issues
 Subject: And now for something completely different... Apple's 
 Revolutionary New Product

 http://www.theonion.com/content/video/apple_introduces_revolutionary
 
 Regards,
 
 Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
 My blog: http://TheEssentialExchange.com/blogs/michael
 I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
 
 
 
 
 
 
 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

**
CONFIDENTIALITY NOTICE:  The information transmitted in this message is
intended only for the person or entity to which it is addressed and may
contain confidential and/or privileged material.  Any review,
retransmission, dissemination or other use of this information by
persons or entities other than the intended recipient is prohibited.  If
you received this in error, please contact the sender and destroy all
copies of this document.  Thank you.  
Butler Animal Health Supply
**



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 7 On TechNet Now

[Jason Gauthier]

I've watched that stupid site all day.  I have the ISO.

Where/how do I get myself a key?  And so far, a lot of apps I've tested
work.
It seems to completely stop working on this Dimension 3000 when it goes
into standby.  I disabled powersave.

-Original Message-
From: Free, Bob [mailto:r...@pge.com] 
Sent: Friday, January 09, 2009 6:45 PM
To: NT System Admin Issues
Subject: RE: Windows 7 On TechNet Now

The workaround I've used for a long time is a little program called
UrlRunAddIn, it adds itself to the right-click menu in Outlook and works
like a champ. I'm sure I heard about it here years ago. 
Seems there are numerous utilities with the name  urlrun kicking around
that do variations on the theme involving the clipboard if you aren't
using Outlook.

http://www.cheztabor.com/UrlRunAddIn/




-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Friday, January 09, 2009 2:09 PM
To: NT System Admin Issues
Subject: Re: Windows 7 On TechNet Now

On Fri, Jan 9, 2009 at 4:59 PM, Murray Freeman mfree...@alanet.org
wrote:
 BTW, what is the trick to making wrap-around links work?

  Most versions of Outlook insert hard line breaks to wrap lines in
all plain text messages you send.  It tries to do this at spaces, but
if there aren't any spaces (like in a URL), it will just chop up the
line.  (Most other mail programs will leave long lines intact if there
aren't any spaces to wrap on.)

  Workarounds include:

* Use another mail program (always, or just for that message)
* Use HTML format in Outlook (always, or just for that message)
* Adjust Outlook's line wrap width (location of the setting varies)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: Windows 7 On TechNet Now

[Jason Gauthier]

What version is the beta? Is it 7000, or whatever was leaked a week or
two ago?

 

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] 
Sent: Friday, January 09, 2009 11:59 AM
To: NT System Admin Issues
Subject: RE: Windows 7 On TechNet Now

 

I haven't, nor have I heard of any. Because Win7 isn't fundamentally
different from Vista, I'd be surprised if it broke apps that were
Vista-compatible.

 

Which is why people who are skipping Vista to wait for Win7 aren't going
to see huge advantages to waiting, as far as I can tell. Although I
suppose that those who have avoided Vista this long might as well wait a
few more months.

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

318 North Clark Street

Perry, FL 32347

 

www.taylor.k12.fl.us

 

 

 

 

 

 

From: Tim Vander Kooi [mailto:tvanderk...@expl.com] 
Sent: Friday, January 09, 2009 11:45 AM
To: NT System Admin Issues
Subject: RE: Windows 7 On TechNet Now

 

Has anyone found any apps that don't run on Win7 yet? Everything I have
tried so far runs great as long as it was Vista-capable to begin with.

TVK

 
 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: WPAD Proxy Config

[Jason Gauthier]

I don't prefer the DHCP method.  Visitors also receive this setting, and
if you use any kind of authentication it just causes pain and additional
support.

We moved strictly to GPO configuration with some issues, that we've
pretty much worked out.
I will admit, I have a few system where IE just completely ignores the
settings even when entered manually.

Also, for those visitors, we implemented a transparent proxy using
squid, wccp, and a cisco ASA.
I'll be honest, it was actually a very tricky networking situation
(because it's used for ALL networks, not just visitors).
After ironing out issues with it, it seems pretty solid.  It's used
mostly to protect, not cache, though.

The ASA has several known WCCP issues, and it did not actually work
until I moved to 7.2.3 some time ago.

Jason

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Sent: Thursday, January 08, 2009 4:45 PM
To: NT System Admin Issues
Subject: RE: WPAD Proxy Config

Well, my firefox clients pick up the settings but not ie7.
I am using the dns (cname) / dhcp option 252 method.

How are you doing it, and do you have it working with ie7?

Thanks!
jlc

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, January 08, 2009 2:38 PM
To: NT System Admin Issues
Subject: Re: WPAD Proxy Config

On Thu, Jan 8, 2009 at 4:08 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
 Anyone here doing wpad in their org for configuring a proxy for
borwsers?

  Yes.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: WPAD Proxy Config

[Jason Gauthier]

jlc,

 A simple echo N | gpupdate /force /target:whatever will allow it to
process what it can and forces a N.
But, if you do a gpupdate /force  without a target you will get two
prompts, and the simple echo N | isn't going to cut it.

Doing the /force and then a single reboot seems to work every time.  
Sometimes people would complain the applying  process would take time,
but not always. Now it always seems to take some time.  Personally, I
feel that the trade off of a guaranteed applied policy is worth it.

Also, some settings *are* immediate. Some are 3 reboots away.. some are
a reboot after a /force.

I would *love* to see a detailed document of the policy settings and
under what circumstance it would decide to apply it.

Jason


-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Sent: Thursday, January 08, 2009 6:19 PM
To: NT System Admin Issues
Subject: RE: WPAD Proxy Config

Priceless,
I just got off the phone with someone regarding increased boot and
loading times with the computers displaying 'Applying Computer
Settings...' :)

I noticed the /force target:computer got the sttings in immediately but
never
waited a full 3 reboots to see.

Did you *only* notice the lengthy times once you applied the script
changes?
How does that work as a /force has an interactive prompt for a y/n? Is
that
the reason for the timeout? I don't have any of that in my login/startup
scripts.
Yet I still have these delays now...

jlc


-Original Message-
From: Joe Tinney [mailto:jtin...@lastar.com] 
Sent: Thursday, January 08, 2009 4:02 PM
To: NT System Admin Issues
Subject: RE: WPAD Proxy Config

We use WPAD, also. We've found that it takes at least 3 reboots for the
GPO to take over in IE7. See thread gpupdate/GPO from Jason Gauthier
(jgauth...@lastar.com) regarding the issues we were seeing with that.

We had found that when we manually changed our proxy settings that it
was not resetting itself in a timely fashion. After some testing it was
found that it was taking (for us) at least 3 reboots for them to kick
in. There were many possible reasons given as to why. 

We ended up putting a gpupdate /force /target:computer in an hourly
script that runs on all of our workstations and gpupdate /force
/target:user in the login script. The changes to the proxy settings
required a reboot to take effect, but only one this time and not 3.

The downside, we've discovered, is increased boot and loading times with
the computers displaying 'Applying Computer Settings...' for several
minutes on every boot now.

HTH.

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com] 
Sent: Thursday, January 08, 2009 5:51 PM
To: NT System Admin Issues
Subject: RE: WPAD Proxy Config

Ok,
Theoretically I have covered both since my dns has the cname wpad
redirecting to my webserver which dishes out wpad.dat from its root and
my dhcp server has option 252 referencing that complete url.:)
My wpad file looks similar to yours as well.

I see some issues searching the net on ie7 though, I just found that the
GPO setting for it is rather flaky, sigh...

Thanks!
jlc

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, January 08, 2009 3:37 PM
To: NT System Admin Issues
Subject: Re: WPAD Proxy Config

On Thu, Jan 8, 2009 at 4:45 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:
 Well, my firefox clients pick up the settings but not ie7.
 I am using the dns (cname) / dhcp option 252 method.

 How are you doing it, and do you have it working with ie7?

  We haven't deployed MSIE 7 here yet.  I'll see if I can get a
sandbox VM running with it to test.  MSIE 6 and Firefox 3.x on Win XP
Pro SP2 both work fine.

  Here's what we did:

  We implemented the DNS method of WPAD.  We didn't even bother with
DHCP; the DNS method has worked fine for us for everything.  I seem to
recall reading that the DHCP method isn't as widely implemented in
clients, but I could be wrong on that.

  We created a CNAME record named wpad.corp.example.com., where
corp.example.com. is our Active Directory domain name, and the
default DNS suffix for our LAN.  Thus, clients attempting to do WPAD
via DNS end up requesting http://wpad.corp.example.com/wpad.dat.
The right-hand-side of the CNAME record specifies
foo.corp.example.com., where foo is our proxy server.

  Our proxy server also runs an Apache web server, which is configured
with an alias such that /wpad.dat redirects to /proxy.pac.  That's
our proxy auto-config script.  Apache also knows that a *.pac file is
of MIME type application/x-ns-proxy-autoconfig.  To do that, the
following was added to the Apache config file:

AddType application/x-ns-proxy-autoconfig .pac
Redirect /wpad.dat http://foo/proxy.pac

  Our proxy auto-config script looks like this:

function FindProxyForURL(url, host) {
if (isPlainHostName(host)
|| dnsDomainIs(host

RE: gpupdate/GPO

[Jason Gauthier]

The GPO kicked in after 3 reboots.  Funny, this is NOT a new GPO at all.
it's at least a year old.   I guess that's the beat of the GPO drum.

I went ahead and put a gpupdate /target:user /force in my login
script.

I also have an hourly task that runs at the administrative level and
am executing gpupdate /target:computer /force in it.

This should help get it down  to the 'next' reboot, as I discovered in
my testing.

 

Thanks a lot, all.

 

Jason

 

From: MarvinC [mailto:marv...@gmail.com] 
Sent: Thursday, January 01, 2009 5:32 PM
To: NT System Admin Issues
Subject: Re: gpupdate/GPO

 

Test a workstation by running gpupdate /force /sync and continue with
the reboot. 

 

If the policy still doesn't apply then make sure that pc is
communicating with its local DC.

 

Run gpresult to see what policies, if any are being applied on a test
workstation.

 

Download the GPOTool and install it to perform a test to see where
policies are failing. 

 

Are the PC assigned to an OU and the policy being applied to that OU or
do you have a flat structure where all PC's sit in the same OU?

 

Open the GPMC and make sure the PC is sitting in the correct OU. 

 

and the beat goes on...

 

gl...

On Wed, Dec 31, 2008 at 4:20 PM, Ben Scott mailvor...@gmail.com wrote:

On Wed, Dec 31, 2008 at 3:07 PM, Jason Gauthier jgauth...@lastar.com
wrote:
 I have one, or many, GPOs that are not apparently being applied on
 workstations.   Through some testing, I have specifically found that
IE
 settings are not really taking effect.  That is, until, I manually run
a
 gpupdate /force, and the reboot or logoff.

 GPO application can be tricky.

 Some[1] computer settings can only get applied during startup
processing.If a GPO update comes in while the computer is running,
it won't take affect until the next boot, when startup processing runs
again.

 If you make a GPO modification, it will get posted to one DC by
{DSA,GPMC,GPEDIT,.MSC}.  You may then have to wait various amounts of
time for that change to get replicated to all your other DCs.  If a
workstation happens to pick one of those other DCs during its boot,
before replication is finished, the startup processing won't even see
the change until the next reboot.

 Normal startup processing frequently needs multiple passes for a GPO
to work, i.e., two (re)boots.  The first time, it sees the update GPO,
and gets the settings, but can't apply them until the next (re)boot
for some reason.  (Microsoft sure does love 'dem reboots.)

 You can help reduce the need for multiple reboots by setting the
various GPO startup options for synchronous and foreground
policy/script processing.  This serializes everything during the boot
process, instead of the fire-and-forget scenario Windows defaults to.
Makes debugging easier, too.  I suggest this as a best practice.

 There is some GPO stuff which only gets processed the first time a
GPO is applied on a computer.  You have to do a GPUPDATE /FORCE for it
to be re-processed.  For example, we get some service control
permissions in one of our GPOs.  If the service in question doesn't
exist when the GPO is first applied, too bad.  If the service later
gets installed, it won't get the custom control permissions until we
GPUPDATE /FORCE it.

== Footnotes ==
[1] Or maybe it's actually all computer settings.  I forget.  I've
been assuming all for years, since all you need is the one you care
about, and the details were not well-documented when AD came out.
Maybe things have become clearer since then.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

gpupdate/GPO

[Jason Gauthier]

All,

 

   I have one, or many, GPOs that are not apparently being applied on
workstations.   Through some testing, I have specifically found that IE
settings are not really taking effect.  That is, until, I manually run a
gpupdate /force, and the reboot or logoff.

 

Obviously, this is not really desired.  Does anyone know why this would
be happening, and how I can solve it?

A GPO should be applied appropriately, without me mandating a forced
update and reboot.

 

Thanks,

 

Jason


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: gpupdate/GPO

[Jason Gauthier]

Wouldn't that group policy not get applied under that theory though? Or
any new GP at all?

Furthermore, the GPO should be reset every 15 minutes, however some
settings are not actually applied until the force+reboot.

 

 

From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] 
Sent: Wednesday, December 31, 2008 3:16 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

On occasion it takes 2 reboot cycles for GPO's to be applied.  You can
help mitigate that by making the computer wait for network on startup
under the computer section, System/Group Policy ADM's.

 

Some computers do not get the NIC started before GP settings would be
applied hence requiring a 2nd reboot to get the gp settings to take
effect.

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 3:07 PM
To: NT System Admin Issues
Subject: gpupdate/GPO

 

All,

 

   I have one, or many, GPOs that are not apparently being applied on
workstations.   Through some testing, I have specifically found that IE
settings are not really taking effect.  That is, until, I manually run a
gpupdate /force, and the reboot or logoff.

 

Obviously, this is not really desired.  Does anyone know why this would
be happening, and how I can solve it?

A GPO should be applied appropriately, without me mandating a forced
update and reboot.

 

Thanks,

 

Jason

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: gpupdate/GPO

[Jason Gauthier]

When you say the NIC has not come active are you talking about the
PC/drivers, etc.. or are you talking about the time it might take the
switch to bring the link up?  I know some switches take longer than XP
to boot due to STP.

 

If it's the latter, it can be mitigated with switch config changes.  If
it's the prior, then you're right.   I will need to employ some other
trickiness.. which I should have ready to go anyway.

 

Thanks!

 

From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] 
Sent: Wednesday, December 31, 2008 3:26 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

Not all GPO's are applied in a background refresh.  Many do require a
reboot to take effect, Offline files being one for example.  

The GPO would not apply in the initial reboot because the computer does
not get the update since the NIC has not come active yet.  Then it pulls
down the update and it requires a 2nd reboot to actually make the
changes happen.

 

We pretty much now only require a reboot to make all our GPO's take
effect when enabling the Wait on Network option. 

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 3:19 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

Wouldn't that group policy not get applied under that theory though? Or
any new GP at all?

Furthermore, the GPO should be reset every 15 minutes, however some
settings are not actually applied until the force+reboot.

 

 

From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] 
Sent: Wednesday, December 31, 2008 3:16 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

On occasion it takes 2 reboot cycles for GPO's to be applied.  You can
help mitigate that by making the computer wait for network on startup
under the computer section, System/Group Policy ADM's.

 

Some computers do not get the NIC started before GP settings would be
applied hence requiring a 2nd reboot to get the gp settings to take
effect.

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 3:07 PM
To: NT System Admin Issues
Subject: gpupdate/GPO

 

All,

 

   I have one, or many, GPOs that are not apparently being applied on
workstations.   Through some testing, I have specifically found that IE
settings are not really taking effect.  That is, until, I manually run a
gpupdate /force, and the reboot or logoff.

 

Obviously, this is not really desired.  Does anyone know why this would
be happening, and how I can solve it?

A GPO should be applied appropriately, without me mandating a forced
update and reboot.

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: gpupdate/GPO

[Jason Gauthier]

I can't say no.. but I don't know what would.

I can open the registry editor, run a gpupdate /force and the changes
are not there.

So, I base it off that fact alone.

 

This is just proxy/autoconfig settings too.. nothing fancy at all.

 

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Wednesday, December 31, 2008 4:13 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

I would think IE settings wouldn't need a reboot...  Many programs can
try to adjust IE settings.  AV programs, Spybot, Desktop Search, etc...
could anything be overwriting the settings you are trying to adjust?

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 2:29 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

When you say the NIC has not come active are you talking about the
PC/drivers, etc.. or are you talking about the time it might take the
switch to bring the link up?  I know some switches take longer than XP
to boot due to STP.

 

If it's the latter, it can be mitigated with switch config changes.  If
it's the prior, then you're right.   I will need to employ some other
trickiness.. which I should have ready to go anyway.

 

Thanks!

 

From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] 
Sent: Wednesday, December 31, 2008 3:26 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

Not all GPO's are applied in a background refresh.  Many do require a
reboot to take effect, Offline files being one for example.  

The GPO would not apply in the initial reboot because the computer does
not get the update since the NIC has not come active yet.  Then it pulls
down the update and it requires a 2nd reboot to actually make the
changes happen.

 

We pretty much now only require a reboot to make all our GPO's take
effect when enabling the Wait on Network option. 

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 3:19 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

Wouldn't that group policy not get applied under that theory though? Or
any new GP at all?

Furthermore, the GPO should be reset every 15 minutes, however some
settings are not actually applied until the force+reboot.

 

 

From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] 
Sent: Wednesday, December 31, 2008 3:16 PM
To: NT System Admin Issues
Subject: RE: gpupdate/GPO

 

On occasion it takes 2 reboot cycles for GPO's to be applied.  You can
help mitigate that by making the computer wait for network on startup
under the computer section, System/Group Policy ADM's.

 

Some computers do not get the NIC started before GP settings would be
applied hence requiring a 2nd reboot to get the gp settings to take
effect.

 

From: Jason Gauthier [mailto:jgauth...@lastar.com] 
Sent: Wednesday, December 31, 2008 3:07 PM
To: NT System Admin Issues
Subject: gpupdate/GPO

 

All,

 

   I have one, or many, GPOs that are not apparently being applied on
workstations.   Through some testing, I have specifically found that IE
settings are not really taking effect.  That is, until, I manually run a
gpupdate /force, and the reboot or logoff.

 

Obviously, this is not really desired.  Does anyone know why this would
be happening, and how I can solve it?

A GPO should be applied appropriately, without me mandating a forced
update and reboot.

 

Thanks,

 

Jason

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

Replicating WINS

[Jason Gauthier]

Hey 
all-

 I'm trying to set up a secondary WINS 
server to ues as replication. The two databases will be replicating back 
and forth. Sounds Pretty easy so far. We've had one for quite 
awhile. So I installed WINS on a second server. Added the primary WINS server. I 
then selected each WINS servers and made it a push and pull partner to the other 
WINS server. I made the replication start time 1:00am with 15 minute 
intervals, and set the trigger count to 20. (The default) 


They 
are not replicating. I've forced replication, I've waited several hours, 
overnight. Nothing.
The 
second server still doesn't have the first ones database.

The 
eventlog, on either system, has no messages in it regarding 
WINS.

Any 
ideas?
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Replicating WINS

[Jason Gauthier]

After enabling it I forced replication of my primary 
WINS. I see this on the secondary:

The 
WINS got an update notification from WINS with address (192.168.1.23). The 
WINS accepted it. 

And 
then:
WINS 
has pulled records from a WINS while doing Pull replication. The partner's 
address and the address of the owner whose records were pulled are given 
below in the data section (2 and 3rd DWORD respectively). The number of 
records pulled is in the 4th DWORD below. 

However, selecting the Secondary and showing it's 
database... It's not there.. at all.

Thanks!


  -Original Message-From: Scott Erwin 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, September 28, 2001 9:59 
  AMTo: NT System Admin IssuesSubject: RE: Replicating 
  WINS
  Do 
  you have logging and detailed logging enabled under Server / Configuration / 
  Advanced?
  
  Scott
  
  -Original 
  Message-From: Jason Gauthier 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, September 28, 2001 8:34 
  AMTo: NT System Admin IssuesSubject: Replicating 
  WINS
  
Hey all-

 I'm trying to set up a secondary WINS 
server to ues as replication. The two databases will be replicating 
back and forth. Sounds Pretty easy so far. We've had one for 
quite awhile. So I installed WINS on a second server. Added the primary WINS 
server. I then selected each WINS servers and made it a push and pull 
partner to the other WINS server. I made the replication start time 
1:00am with 15 minute intervals, and set the trigger count to 20. (The 
default) 

They are not replicating. I've forced replication, I've waited 
several hours, overnight. Nothing.
The second server still doesn't have the first ones 
database.

The eventlog, on either system, has no messages in it regarding 
WINS.

Any ideas?Want to unsub? Do that 
here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a good FAQ? Try 
this one first:http://www.ultratech-llc.com/KB/Want to 
  unsub? Do that here:http://www.w2knews.com/rd/rd.cfm?id=unsubNeed a 
  good FAQ? Try this one 
first:http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Anyone know of a linux VPN server that will allow Windows cli nts to connect ?

[Jason Gauthier]

FreeS/wan

http://www.freeswan.org/

BTW, it's not the client that matters it's the protocol.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 28, 2001 9:34 AM
 To: NT System Admin Issues
 Subject: RE: Anyone know of a linux VPN server that will allow Windows
 cli nts to connect ?
 
 
 anyone know of an ipsec based vpn server package for linux 
 that will work
 with the ipsec client of win2k?
 
 -Original Message-
 From: Don Collier (Intermap Denver) [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, September 26, 2001 12:52 PM
 To: NT System Admin Issues
 Subject: RE: Anyone know of a linux VPN server that will allow Windows
 cli nts to connect ?
 
 
 Poptop.
 
 http://poptop.lineo.com/download_pptp.html
 
 
 _
 Don Collier
 Network Administrator
 Intermap Technologies Inc.
 Voice:  303-708-0955 x-207
 Fax:303-708-0952
 [EMAIL PROTECTED]
 www.intermaptechnologies.com
 
 -Original Message-
 From: Scott Wilson [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, September 26, 2001 10:14 AM
 To: NT System Admin Issues
 Subject: Anyone know of a linux VPN server that will allow Windows
 clints to connect ?
 
 
 Anyone know of a linux VPN server that will allow Windows clints to
 connect.?
 Thanks
 
 Want to unsub? Do that here:
 http://www.w2knews.com/rd/rd.cfm?id=unsub
 Need a good FAQ? Try this one first:
 http://www.ultratech-llc.com/KB/
 
 Want to unsub? Do that here:
 http://www.w2knews.com/rd/rd.cfm?id=unsub
 Need a good FAQ? Try this one first:
 http://www.ultratech-llc.com/KB/
 
 
 
 Want to unsub? Do that here:
 http://www.w2knews.com/rd/rd.cfm?id=unsub
 Need a good FAQ? Try this one first:
 http://www.ultratech-llc.com/KB/
 

Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

RE: Anyone know of a linux VPN server that will allow Windows cli nts to connect ?

[Jason Gauthier]

That sight is about IP masquerading with Linux. Not a VPN server solution.


 -Original Message-
 From: Kent Spencer [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 28, 2001 11:50 AM
 To: NT System Admin Issues
 Subject: RE: Anyone know of a linux VPN server that will allow Windows
 cli nts to connect ?
 
 
 I posted yesterday http://www.e-infomax.com/ipmasq/  It is supposed
 to work with PPTP and IPSEC.
 
 Kent
 
 --- [EMAIL PROTECTED] wrote:
  anyone know of an ipsec based vpn server package for linux that will
  work
  with the ipsec client of win2k?
  
  -Original Message-
  From: Don Collier (Intermap Denver) [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 26, 2001 12:52 PM
  To: NT System Admin Issues
  Subject: RE: Anyone know of a linux VPN server that will allow
  Windows
  cli nts to connect ?
  
  
  Poptop.
  
  http://poptop.lineo.com/download_pptp.html
  
  
  _
  Don Collier
  Network Administrator
  Intermap Technologies Inc.
  Voice:  303-708-0955 x-207
  Fax:303-708-0952
  [EMAIL PROTECTED]
  www.intermaptechnologies.com
  
  -Original Message-
  From: Scott Wilson [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 26, 2001 10:14 AM
  To: NT System Admin Issues
  Subject: Anyone know of a linux VPN server that will allow Windows
  clints to connect ?
  
  
  Anyone know of a linux VPN server that will allow Windows clints to
  connect.?
  Thanks
  
  Want to unsub? Do that here:
  http://www.w2knews.com/rd/rd.cfm?id=unsub
  Need a good FAQ? Try this one first:
  http://www.ultratech-llc.com/KB/
  
  Want to unsub? Do that here:
  http://www.w2knews.com/rd/rd.cfm?id=unsub
  Need a good FAQ? Try this one first:
  http://www.ultratech-llc.com/KB/
  
  
  
  Want to unsub? Do that here:
  http://www.w2knews.com/rd/rd.cfm?id=unsub
  Need a good FAQ? Try this one first:
  http://www.ultratech-llc.com/KB/
  
 
 
 __
 Do You Yahoo!?
 Listen to your Yahoo! Mail messages from any phone.
 http://phone.yahoo.com
 
 Want to unsub? Do that here:
 http://www.w2knews.com/rd/rd.cfm?id=unsub
 Need a good FAQ? Try this one first:
 http://www.ultratech-llc.com/KB/
 

Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/

VPN routing

[Jason Gauthier]

  This is a somewhat involved problem, so I'll try to give as much detail as
possible to help paint a picture.
  
We've got several internal subnets. (i.e., 192.168.1.x, 192.168.2.x,
192.168.3.x and so forth)
We have a firewall device terminating the VPN connections.  The pool of IP
addresses assigned for this are  in our primary subnet. (192.168.1.x).
By default, the W2k PPTP client adds a route to the network your VPN device
is assigned.  So, now all traffic destined for 192.168.1.x via the VPN
connection works great.

However, any communications to the other subnets will try and find their way
using my default route. My ISP.. and they won't get anywhere.

I can remedy this problem manually pretty easily:

ipconfig /all
get IP address of VPN interface
route add 192.168.0.0 MASK 255.255.0.0 [ip address of VPN interface]

However, This is not a sufficient task to ask my remote end users.
I'm looking for a way to automatically execute this command after the VPN
connection is established.
Even a batch file they can run manually would be acceptable. 
The problem I've run into, is that Windows does not have very advanced text
handling routines as commands. So stripping the IP address from ipconfig to
save into a variable is nearly impossible.

Thoughts, ideas, suggestions?

Jason





Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmintext_mode=0lang=english

RE: Attack and Gas Prices

[Jason Gauthier]

Title: RE: Attack and Gas Prices



What?

87: 
1.69
89: 
1.79
93: 
1.79

I 
got 93 this morning for the first time in a year.



  -Original Message-From: Laura Swartout 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, September 12, 
  2001 9:49 AMTo: NT System Admin IssuesSubject: RE: 
  Attack and Gas Prices
  
  Gas prices 
  in the Midwest rose 
  sharply before the Labor Day weekend. We were paying $1.96 for 87 unleaded 
  octane. All day yesterday it was down to 1.67. This morning it's back up to 
  almost 2 bucks. Lines were long at the pumps in 
  La 
  Crosse, 
  WI but 
  Winona, 
  MN hasn't 
  panicked yet. I think most people are taking a "wait and see" 
  attitude.
  
  -Original 
  Message-From: RAMSEY, 
  CAROLYN [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 12, 2001 8:26 
  AMTo: NT System Admin 
  IssuesSubject: RE: Attack 
  and Gas Prices
  
  Price gouching (raising prices for 
  pure greed) has been declared illegal in TX and OK, attorney generals have 
  sworn to prosecute as needed and reported.
  Lines were long yesterday, but 
  only heard about 10 cent increases. 
  Carolyn 
  Ramsey Texoma HealthCare 
  System Denison, Texas 75020 
  MIS Support 
  903-416-4175 
  
  
  -Original 
  Message- From: 
  Martin Blackstone [SMTP:[EMAIL PROTECTED]] 
  Sent: 
  Tuesday, September 11, 2001 3:46 
  PM To: 
  NT 
  System Admin Issues Subject: 
  RE: 
  Attack and Gas Prices 
  Exactly. It is pure greed. There 
  is no shortage. There is no reason to oil to be held up. 
  There is no reason to raise the price. It is pure 
  greed 
  -Original 
  Message- From: Senter, John M [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, September 11, 2001 
  1:44 PM To: NT System Admin 
  Issues Subject: RE: Attack and Gas 
  Prices 
  
  There is no reason for the gas 
  price to jump, except the greed of people to try and make money 
  off of other peoples loss. It makes me sick on how some 
  people try and make money. 
  js 
  -Original 
  Message- From: David James [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, September 11, 2001 
  3:40 PM To: NT System Admin 
  Issues Subject: RE: Attack and Gas 
  Prices 
  
  Oklahoma city 
  supposedly. Topeka KS, 5.00 a 
  gallon... 
  I'm not sure, I haven't been out 
  yet. Guess I'll run out and fill up in 
  case... 
  -Original 
  Message- From: David N. Precht [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, September 11, 2001 
  3:27 PM To: NT System Admin 
  Issues Subject: RE: Attack and Gas 
  Prices 
  Like where ... 
  
  -Original 
  Message- From: David James [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, September 11, 2001 
  16:11 To: NT System Admin 
  Issues Subject: Attack and Gas 
  Prices 
  
  Can anyone confirm that gas prices 
  are going up around the country? Supposedly it's 
  around $6.00 a gallon already in some places...   
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  
  _ 
  
  Do You Yahoo!? 
  
  Get your free @yahoo.com address 
  at http://mail.yahoo.com 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htmhttp://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: NewYork Terrorist Attack

[Jason Gauthier]

Woah there.

No one has said there are 20,000 people dead.
There were 20,000 poeple in the towers when the first plane hit.
 
I beleive Tower 1 was being evacuated when it was hit.


 -Original Message-
 From: Dennis Atherton [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 11, 2001 12:59 PM
 To: NT System Admin Issues
 Subject: RE: NewYork Terrorist Attack
 
 
 And you don't think, that with over 20,000 people dead, World 
 War 3 has not
 been started on our shores now
 
 -Original Message-
 From: Murray Binette [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 11, 2001 9:56 AM
 To: NT System Admin Issues
 Subject: RE: NewYork Terrorist Attack
 
 
 Well, I just hope that Bush (or the 'Puppet' as many 
 Canadians refer to
 him as) doesn't fly off the handle and start WWIII.
 
 -Original Message-
 From: Andrew Baker [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 11, 2001 10:08 AM
 To: NT System Admin Issues
 Subject: RE: NewYork Terrorist Attack
 
 
 I would say that the US already feels pretty alienated right now
 
  
 - ASB
  
 
 
 -Original Message-
 From: Richard McClary [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 11, 2001 11:51 AM
 To: NT System Admin Issues
 Subject: RE: NewYork Terrorist Attack
 
 
 Well, that's one of the reactions terrorism is trying to 
 provoke.  Most
 of 
 the world finds US policy to be obnoxious, and a violent large scale 
 reaction will effectively alienate the US from the rest of the world.
 
 I don't mean to promote war, but we as a country HAVE to retaliate to
 this...
 F00k the 3rd world countries that harbor terrorists...
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: telnet client

[Jason Gauthier]

I would forgo SSH in favor of OpenSSH.

http://www.openssh.org

 -Original Message-
 From: Michael L. Callahan [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 06, 2001 10:11 PM
 To: NT System Admin Issues
 Subject: RE: telnet client
 
 
 I would forgo telnet in favor of Secure Shell.
 
 http://www.ssh.com
 
 
 -Original Message-
 From: Jim Busick [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 06, 2001 5:46 PM
 To: NT System Admin Issues
 Subject: telnet client
 
 
 Any suggestions for an alternative telnet client for Win2k?
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Remote changing of password

[Jason Gauthier]

Can anyone explain, and offer a solution to why this situation occurs?

(Primarily concern with 2000)
Remote user connected with VPN password expires/is about to expire
User presses ctrl-alt-del, select change password
and proceeds to change their password.

A couple days later the same user calls me back and says his password isn't
working.
Upon troubleshooting, I've determined it was the first time the user has
rebooted his system. It's now at the login prompt.  He presses ctrl-alt-del,
uses his OLD password, logs in, and then needs to authenticate with our VPN
using his NEW password.

We've had this problem since we've installed NT/2000, really. With dial-up
users as well.
It seems changing the password remotely does not change the client machine's
cached profile.  This is really a burden. Advice welcome.

Jason





http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Remote changing of password

[Jason Gauthier]

Typically, remote users authenticate logging into the domain using cached
profile information on their machines. 


 -Original Message-
 From: Ryan McBride [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, September 04, 2001 9:34 AM
 To: NT System Admin Issues
 Subject: RE: Remote changing of password
 
 
 Is this a domian or are they logining into a local machine. 
 Can u give us a
 bit of a run down on your network lay out. It might help
 
 Ryan
 
 -Original Message-
 From: Jason Gauthier [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, 4 September 2001 11:28 PM
 To: NT System Admin Issues
 Subject: Remote changing of password
 
 
 Can anyone explain, and offer a solution to why this situation occurs?
 
 (Primarily concern with 2000)
 Remote user connected with VPN password expires/is about to expire
 User presses ctrl-alt-del, select change password
 and proceeds to change their password.
 
 A couple days later the same user calls me back and says his 
 password isn't
 working.
 Upon troubleshooting, I've determined it was the first time 
 the user has
 rebooted his system. It's now at the login prompt.  He 
 presses ctrl-alt-del,
 uses his OLD password, logs in, and then needs to 
 authenticate with our VPN
 using his NEW password.
 
 We've had this problem since we've installed NT/2000, really. 
 With dial-up
 users as well.
 It seems changing the password remotely does not change the 
 client machine's
 cached profile.  This is really a burden. Advice welcome.
 
 Jason
 
 
 
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Is it a bird... is it a worm??

[Jason Gauthier]

Yeah, this was has been around for a little while.. I *think* it's 
sircam.


  -Original Message-From: EALES, Jack / RSAIFS - IOM 
  [mailto:[EMAIL PROTECTED]]Sent: Friday, August 31, 2001 12:19 
  PMTo: NT System Admin IssuesSubject: Is it a bird... is 
  it a worm??
  One of our users has received a number of 
  identical messages from unrelated contacts that he (and I) is rather disturbed 
  by... it looks like some sort of worm / buffer overflow - maybe? I'm no 
  expert... but I sure there might be one or two of you out there 
  ;-)
  The attachment (which isn't attached) 
  name changes from message to message, but the bulk of the text of the message 
  is the same and is as follows:
  
  snip
  --1E6A12EB_Outlook_Express_message_boundary
  Content-Type: text/plain; 
  charset=ISO-8859-1
  Content-Transfer-Encoding: 
  quoted-printable
  Content-Disposition: message 
  text
  Hi! How are you=3F
  
  I send you this file in order to have 
  your advice
  
  See you later=2E Thanks
  --1E6A12EB_Outlook_Express_message_boundary
  /snip
  
  There then follows a stream ofseveral 
  hundred / thousand (no time to count - trust me it's lots!!) lines with 
  seemingly random characters.
  I've 
  hacked all this out as the list thinks I'm sending an 
  attachmentand refuses to 
  post it. Does this mean anything/ look familiar to anyone? If you want 
  the full text let me know and I'll send it off-list
  
  Jack
  Jack Eales
  Senior PC / Network 
  Project Analyst
  Tel: +44 1624 821236
  Mob: +44 7624 
  450125
  Fax: +44 1624 824405
  Royal  SunAlliance International Financial 
  Serviceshttp://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: NT 4 VPN and TCP/IP only

[Jason Gauthier]

Title: NT 4 VPN and TCP/IP only



Can 
you explain the setup of the network a little? 
Are 
the clients gettingIP addresses on the same subnet as the server? Or 
different?

can 
you ping the server from the clieht by name?
can 
you ping the client from the server by name?

  -Original Message-From: Blake R. Fowkes 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, August 29, 2001 8:56 
  AMTo: NT System Admin IssuesSubject: NT 4 VPN and TCP/IP 
  only
  I have just setup a VPN server in our office and am 
  having problems browsing. When a client connects he is not able to 
  browse the network and the logon script does not run. When he connects 
  everything appears to be fine. My server is NT 4 SP 6a and the clients 
  are W2K and Win 95/98. All of the clients are having this problem. 
  We are not running Wins and I do not want to load it. Does anyone know 
  what I am doing wrong or setting that I need to change to get the logon 
  scripts to run and the browsing to work properly?
  Thanks, Blake Fowkes Waid and Associates 
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: NT 4 VPN and TCP/IP only

[Jason Gauthier]

Title: NT 4 VPN and TCP/IP only




  Well, as much as you hate it, the best practice solutions I can think 
  of would be installing and configuring WINS.
  
  Or 
  else install LMHOSTS files on all remote computers. (A potential 
  administrative nightmare, especially adding/removing and changing servers' IP 
  addresses)
  
  Good luck,
  
   Jason

  -Original Message-From: Blake R. Fowkes 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, August 29, 2001 9:10 
  AMTo: NT System Admin IssuesSubject: RE: NT 4 VPN and 
  TCP/IP only
  Yes 
  the clients are getting an IP from the same subnet.
  No I 
  am not able to ping from the client to the server (or any other machine) by 
  name. Unless it if one of my entries in 
  hosts/lmhosts.
  Not 
  sure from server to client. I will try that one right 
  now.
  
  Thanks, Blake Fowkes Waid and Associates 
  
  
  
-Original Message-From: Jason Gauthier 
[mailto:[EMAIL PROTECTED]]Sent: Wednesday, August 29, 2001 
8:02 AMTo: NT System Admin IssuesSubject: RE: NT 4 VPN 
and TCP/IP only
Can you explain the setup of the network a little? 

Are the clients gettingIP addresses on the same subnet as the 
server? Or different?

can you ping the server from the clieht by name?
can you ping the client from the server by name?

  -Original Message-From: Blake R. Fowkes 
  [mailto:[EMAIL PROTECTED]]Sent: Wednesday, August 29, 2001 8:56 
  AMTo: NT System Admin IssuesSubject: NT 4 VPN and 
  TCP/IP only
  I have just setup a VPN server in our office 
  and am having problems browsing. When a client connects he is not 
  able to browse the network and the logon script does not run. When 
  he connects everything appears to be fine. My server is NT 4 SP 6a 
  and the clients are W2K and Win 95/98. All of the clients are having 
  this problem. We are not running Wins and I do not want to load 
  it. Does anyone know what I am doing wrong or setting that I need to 
  change to get the logon scripts to run and the browsing to work 
  properly?
  Thanks, Blake Fowkes Waid and 
  Associates 
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htmhttp://www.sunbelt-software.com/ntsysadmin_list_charter.htmhttp://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: SMTP Servers

[Jason Gauthier]

Are there any requirements other than cheap/free and users?
POP3, IMAP, contacts, calendar? As much info as possible...

If you are looking for a straight SMTP mail server...
I would just install one of those snazzy free unixes with sendmail on it.


 -Original Message-
 From: Paul Armstrong [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 28, 2001 10:36 PM
 To: NT System Admin Issues
 Subject: SMTP Servers
 
 
 Hello All,
  
 Does anybody know of any good alternatives to Exchange. I 
 have a client
 that has about 5 users and doesn't want to pay the price for 
 Exchange so
 i am searching for a cheaper, or better yet free, alternative. Any
 recommendations?
 i⠊0⡞˧mm㲇
 r홉2࠱fyb!j醻^f
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

Authenticating from a subnet without a BDC.

[Jason Gauthier]

A recent change in my network has caused some interesting issues, and I
wanted to get some advice.

We've recently added a 3rd interface to our PIX 520 firewall. We stuck our
web servers on it. (We only have one domain, and kept these part of it)

I've allowed traffic from the web servers to the domain controllers for
authentication purposes.  (There is no BDC on the subnet with the web
servers. The other subnets do have BDC's) 

Last week things appeared to be working correctly. I could log into the
servers (not using a cached profile) and from my inside subnet I could
browse the machines. (The PIX does some funky things with IP address
aliasing on a DMZ like this.)

Now, I come in monday morning, the machines are no longer getting
authentication information from the domain controllers. (This could have
occurred last week too, I suppose).  A user changed their password, and no
cannot log onto the web server.  I understand the web server broadcasts for
a domain controller to pick it up, but I also realize that they know the IP
addresses (somewhere) of the other domain controllers. I know this because
of the firewalling logging when it was closed off. The machine attempted
connections to every one of my domain controllers.   So, it doesn't seem to
be authenticating to the domain anymore...

I entered an entry in the lmhosts file pointing out the domain and PDC, but
alas, no go.

Anything that can be offered, I'd appreciate. One other small tidbit. The
web servers are 2000 systems, everything else is NT4.

Thanks,

Jason

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Authenticating from a subnet without a BDC.

[Jason Gauthier]

Theoretically.
I only allow echo-replies. But the PDC can ping the web servers.

 -Original Message-
 From: Correa, Andre [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 10:51 AM
 To: NT System Admin Issues
 Subject: RE: Authenticating from a subnet without a BDC.
 
 
 Can you ping the domain controllers from the web server subnet?
 
 
  -Original Message-
 From: Jason Gauthier [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, August 27, 2001 10:42 AM
 To:   NT System Admin Issues
 Subject:  Authenticating from a subnet without a BDC.
 
 A recent change in my network has caused some interesting 
 issues, and I
 wanted to get some advice.
 
 We've recently added a 3rd interface to our PIX 520 firewall. 
 We stuck our
 web servers on it. (We only have one domain, and kept these 
 part of it)
 
 I've allowed traffic from the web servers to the domain 
 controllers for
 authentication purposes.  (There is no BDC on the subnet with the web
 servers. The other subnets do have BDC's) 
 
 Last week things appeared to be working correctly. I could 
 log into the
 servers (not using a cached profile) and from my inside 
 subnet I could
 browse the machines. (The PIX does some funky things with IP address
 aliasing on a DMZ like this.)
 
 Now, I come in monday morning, the machines are no longer getting
 authentication information from the domain controllers. (This 
 could have
 occurred last week too, I suppose).  A user changed their 
 password, and no
 cannot log onto the web server.  I understand the web server 
 broadcasts for
 a domain controller to pick it up, but I also realize that 
 they know the IP
 addresses (somewhere) of the other domain controllers. I know 
 this because
 of the firewalling logging when it was closed off. The 
 machine attempted
 connections to every one of my domain controllers.   So, it 
 doesn't seem to
 be authenticating to the domain anymore...
 
 I entered an entry in the lmhosts file pointing out the 
 domain and PDC, but
 alas, no go.
 
 Anything that can be offered, I'd appreciate. One other small 
 tidbit. The
 web servers are 2000 systems, everything else is NT4.
 
 Thanks,
 
 Jason
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm

RE: Authenticating from a subnet without a BDC.

[Jason Gauthier]

I've not changed anything in my PIX configuration. I have been watching the
logs while attempted logins have been made.  I've not gotten a single denial
logged yet.  (I have fairly verbose logging)

I downloaded WS_Ping ProPack, and it can gather limited information, but
since it's on a DMZ, most ports are blocked. The methodology involved is
that all can get to the DMZ, and only initiated connections can be used,
unless I've created a conduit through the PIX.  Which I've done for my PDC,
TCP/UDP on ports 137-139.
I *thought* this was all that was needed.  Thanks for the advice, I'll
continue plugging away.


 -Original Message-
 From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 10:52 AM
 To: NT System Admin Issues
 Subject: Re: Authenticating from a subnet without a BDC.
 
 
 I've allowed traffic from the web servers to the domain 
 controllers for
 authentication purposes. 
 
 VERY dangerous. I suggest that you move authentication to a 
 database if 
 possible. If you can't, then you may want to add a new domain 
 in the DMZ 
 that will not have a trust to the domain in the inside network. 
 
 If you can't get hardare for a new domain, then I suggest 
 that you look at 
 your PIX config. Make sure your conduits are setup correctly. 
 Get a copy of 
 WS_Ping ProPack from www.ipswitch.com (or a similer tool) to 
 see if your 
 webservers can connect to the ports on the DC's. See if you 
 can even ping 
 the DC's. 
 
 hth, 
 
 ~Seth 
 
 Jason Gauthier writes: 
 
  A recent change in my network has caused some interesting 
 issues, and I
  wanted to get some advice. 
  
  We've recently added a 3rd interface to our PIX 520 
 firewall. We stuck our
  web servers on it. (We only have one domain, and kept these 
 part of it) 
  
  I've allowed traffic from the web servers to the domain 
 controllers for
  authentication purposes.  (There is no BDC on the subnet 
 with the web
  servers. The other subnets do have BDC's)  
  
  Last week things appeared to be working correctly. I 
 could log into the
  servers (not using a cached profile) and from my inside 
 subnet I could
  browse the machines. (The PIX does some funky things with IP address
  aliasing on a DMZ like this.) 
  
  Now, I come in monday morning, the machines are no longer getting
  authentication information from the domain controllers. 
 (This could have
  occurred last week too, I suppose).  A user changed their 
 password, and no
  cannot log onto the web server.  I understand the web 
 server broadcasts for
  a domain controller to pick it up, but I also realize that 
 they know the IP
  addresses (somewhere) of the other domain controllers. I 
 know this because
  of the firewalling logging when it was closed off. The 
 machine attempted
  connections to every one of my domain controllers.   So, it 
 doesn't seem to
  be authenticating to the domain anymore... 
  
  I entered an entry in the lmhosts file pointing out the 
 domain and PDC, but
  alas, no go. 
  
  Anything that can be offered, I'd appreciate. One other 
 small tidbit. The
  web servers are 2000 systems, everything else is NT4. 
  
  Thanks, 
  
  Jason 
  
  http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
  
  
 
 http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
 

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm