Wireless network and its domain context

2012-11-06 Thread Juned Shaikh
Trying to understand this phenomenon :

Background: 
Win2kr2 Domain environment with 
1 root domain root.local
1 child domain: ad.local 
Wireless network setup - with SSID - Martini - all working fine

Q. First: When a network is connected, the wireless connection display 
suggests the context as "root.local"; why is this so? I have no clear technical 
understanding of why the wireless network adapter flashes the "root" domain as 
context.

Q. Second: On some users the pop-up balloon label on the wireless network adapter 
suggests Martini (root.local) and some suggest "Martini(root.local)"; all 
configs are the same and pushed via GPO?

Thanks in advance, 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: DCs in separate OU

2012-08-13 Thread Juned Shaikh
Thanks for all the replies! This is my stance as well, but we have some rookie 
admins; they have called in the meeting pointing this as "design flaw" 

Best regards, 


RE: URL redirect behavior - IE vs Chrome

2012-05-07 Thread Juned Shaikh
so www record exist and 2) yet another A record which is point to the domain 
 both exist. 

NSLOOKUP of www record show correct IP address

however NSLOOKUP of domain  finds all AD DNS Servers.. (expected 
as all servers are AD integrated DNS server)

This proves that although the A record pointing to www exists and a separate www 
record exists, it is nullified since domainname is taken over by being AD 
integrated DNS.

What is the possible workaround? in this event?

Thanks,



Re: URL redirect behavior - IE vs Chrome

2012-05-07 Thread Juned Shaikh
Finished checking the DNS entry.. the entry exist.. 

The A record is pointing to , still for some reason it doesn't work 
with IE.. Any further advice?


Re: URL redirect behavior - IE vs Chrome

2012-05-07 Thread Juned Shaikh
Ben: What DNS needs to be created.. There already exist www record in DNS? Our 
DNS servers are AD integrated-  Win2k8R2. 


RE: URL redirect behavior - IE vs Chrome

2012-05-07 Thread Juned Shaikh
DNS change seems to be more viable option? Can you please help us in 
understanding how to train DNS to handle this? Thanks 


URL redirect behavior - IE vs Chrome

2012-05-07 Thread Juned Shaikh
I need understanding and help with this phenomenon:

Chrome : When I do http://.com ; it properly routes to my 
http://www..com

but 

Using IE : it takes me to Bing/Google and searches for the keyword. 

How do I get this fixed so that the URL http://<domainname>.com automatically 
gets redirected? 

Thanks in advance, 


re: Anyone Use Double-Take RecoverNow?

2012-03-04 Thread Juned Shaikh
We had double-take doing replication backup catalog between two servers; no 
problem then. Never exceeded beyond that stage until we moved to neverfail as 
comprehensive solution. We are currently in the implementation phase so not 
much experience to say good / bad about the product. The initial tests were 
very encouraging. 


re: Another new-ish angle on VDI

2012-03-04 Thread Juned Shaikh
Citrix licensing is getting crazier as competition is increasing. Last 
conversation with our sales rep, the CCU or concurrent licensing model is out.. 
Now you had to buy fixed licenses. There are so many twists and turns to 
licensing I don't understand if Citrix is serious about selling VDI solution. 

I believe some of their recent shrink wrapped offering have started trickling 
in the acquisition of Kaviza, whose motto was "VDI in a box"




re: Cloud-based servers and the like

2012-03-04 Thread Juned Shaikh
Pretty close to what you are thinking.. Amazon has "free tier" which allows you 
to rollout few micro-instances. You may need to explore that.. 


re: Employee Remote Access to Desktop

2012-03-04 Thread Juned Shaikh
Check out the mobikey solution from Route1; www.route1.com 

I have seen DHS folks using this technology. 

Thanks,


Windows 2K8 native upgrade

2011-10-15 Thread Juned Shaikh
Hi,

Has anyone on this list gone native with Win2k8R2 while having apps still 
hosted on Windows 2000 SP4 servers? Any issues identified during that upgrade? 

Appreciate the responses..

Thanks,



RE: Wireless / Wired bridging

2011-10-14 Thread Juned Shaikh
To Add to my initial questions:

- We have Wireless Cisco NAC implemented
- Wireless is based on EAP-TLS with cert-based authentication brokered by RADIUS

Dell software solution which can automatically turn off the NIC. What was that 
software? 

Thanks in advance,



Wireless / Wired bridging

2011-10-13 Thread Juned Shaikh
Hi,

Security folks are hounding on this and any help will be highly appreciated. 

Setup Cisco wireless network - Highly secure configuration. No issues there. 

When a laptop is docked, the Win7 workstation gets IPs from both networks: 
wired and wireless. 
- Route print command clearly suggests the wired network is getting preference; 
technically all works fine. 

User when undocks it - system automatically switches over to wireless network - 
no issues.
- Route print command suggests the traffic going through wireless network  

===
But security team is flipping over the issue that the system is simultaneously 
connected to both the networks. 

In counter argument, we suggested the following 3 Microsoft KB articles 

http://support.microsoft.com/kb/315088
http://support.microsoft.com/kb/299540
http://support.microsoft.com/kb/894564

Which suggest how Microsoft decides when the system sees two connections, but 
that's not sufficient. 

In Security language, controlling the network path through route metrics is not 
sufficient. As per them there is no control in place to avoid split tunneling. 

===
Question is: What is the technical solution to this problem? Hardware Profiles 
is one, but it is phased out and doesn't make sense in today's more mobile 
workforce. 

Is the security concern right?
If not, what should be the technical explanation?
What is the current method of 100% ensuring the traffic route ?

Any suggestions?

Thanks in advance,


RE: New Policy UPN vs samAccountname

2010-12-15 Thread Juned Shaikh
Fantastic! Thanks Michael.. 


New Policy UPN vs samAccountname

2010-12-15 Thread Juned Shaikh
Trying to draft new policy for user accounts? What is the most effective 
advice? samAccountname - which is generally a truncated, cryptic version of 
realname or nice and clean UPN which is i.e. first.lastn...@gmail.com. 

Certainly UPN seems scalable, cloud friendly and future proof?

Any thoughts or incompatibilities experienced?

Thanks in advance, 


RE: Network Load Balancing question ( Windows 2003 R2)

2010-11-29 Thread Juned Shaikh
Hold on..

"NLB is just dumb load balancing. No different than an F5, CoyotePoint, 
whatever. It's just dumber because it has no application awareness. "

When was the last time you tried F5?






Re: Blocking files from being downloaded

2010-11-29 Thread Juned Shaikh
How does taking admin rights away stop them from "downloading" software from, i.e., 
Softpedia?


re: Wireless Question

2010-11-29 Thread Juned Shaikh
Keep these guys in your shortlist..

http://www.ruckussecurity.com/




Blocking files from being downloaded

2010-11-29 Thread Juned Shaikh
Greetings:

How do I disable users from downloading any software from the internet other than 
Windows updates and files like .pdf, .xls, .doc, etc.? 

TIA,



re: SSL Intermediate Certs

2010-11-03 Thread Juned Shaikh
For the most part, SSL cert providers don't generate and provide access through 
their primary root servers. Most of the SSL vendors, i.e. Verisign, have different 
intermediary root servers, which they sometimes call by classes, i.e. class1, 
class2, class3 etc. Depending upon your business activity and rules governing, 
the certs are issued by respective intermediate authorities, i.e. .gov 
intermediates have special trust to .gov TLDs. 

Thus on the server side, when you plant a new cert, you have to apply the hostname 
SSL cert and its corresponding intermediate cert. 

If you deal with F5, NetScaler devices - they have a provision in the GUI to request 
each one before proceeding further. 

The root certs are automatically updated on client workstations periodically by 
Microsoft through the Windows update services. 

Hope this helps. 
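
The server-side requirement described in the post above (install the host certificate together with its intermediate), as an added example that is not part of the original thread: it builds a constructed root, intermediate and leaf with the openssl CLI and verifies the leaf the way a client that trusts only the root would. The function names, file names and the www.example.test hostname are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every key, certificate and name here is generated locally.

# Create root -> intermediate -> leaf in directory $1. Returns non-zero on failure.
build_chain() {
    local d="$1"
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1

    # Intermediate CA: request, then signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_ca -days 2 \
        -out "$d/int.crt" 2>/dev/null || return 1

    # Host (leaf) certificate: request, then signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/pki.cnf" -extensions v3_leaf -days 2 \
        -out "$d/leaf.crt" 2>/dev/null || return 1
}

# Succeeds only if the leaf chains to the trusted root.
# $2 says what the server sends: "leaf-only" or "with-intermediate".
client_accepts() {
    local d="$1" sent="$2"
    if [ "$sent" = "with-intermediate" ]; then
        # -untrusted: certificates supplied by the peer, usable for path building only.
        openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" \
            "$d/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$d/root.crt" "$d/leaf.crt" >/dev/null 2>&1
    fi
}

demo() {
    local d sent
    d=$(mktemp -d) || return 1
    build_chain "$d" || { rm -rf "$d"; return 1; }
    for sent in leaf-only with-intermediate; do
        if client_accepts "$d" "$sent"; then
            echo "$sent: chain verifies up to the root"
        else
            echo "$sent: verification fails, issuer of the leaf is unknown"
        fi
    done
    rm -rf "$d"
}

demo
```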


RE: Non AD integrated DNS

2010-05-21 Thread Juned Shaikh
No big about 300 workstations and approx few (@200) non windows sensors, badge 
readers and other devices. 


Non AD integrated DNS

2010-05-20 Thread Juned Shaikh

In one of the projects the ADDC (win2k3) is heavily used and to buy the time, 
thinking to offload the DNS to a standalone member server. This new server then 
holds DHCP/WINS and DNS, offloading exclusive authentications to DC. 

Is there any disadvantage of running standalone DNS (NON AD integrated); apart 
from security. 

Thanks in advance,



RE: enforcing preferred DC

2010-05-20 Thread Juned Shaikh
Thanks for the clarification. 

Since we need to decommission the legacy domain controller anyways, what are the 
ways I can prefer that they not be used? 

Best regards,


enforcing preferred DC

2010-05-20 Thread Juned Shaikh
Hello:

We have recently upgraded Windows 2003 to Windows 2008 DCs and it seems that 
most workstations (mostly Vista with a few W2k) are inadvertently connecting to 
legacy Win2k3 DCs and it seems that some of the GPOs with WMI filters are 
not working. 

Where are the options in the GPO where I can mention, i.e., DC1, DC2, DC3 and 
DC4 only? 

Thank you


Quest ActiveRoles

2010-05-06 Thread Juned Shaikh
Need few feedback on Quest ActiveRoles product. Just completed the Pilot and 
the team here is mesmerized. Pricing seems attractive as well..

Has anyone used it before? Any competitive product which has better feature set?

Thanks in advance, 


RE: SYSVOL and NETLOGON Def perms

2010-04-11 Thread Juned Shaikh
Thanks, 

The security team that I am working with is of the opinion that Everyone : READ 
permission should be deleted and only Authenticated users : FULL CONTROL should 
be applied.

Theoretically it seems that nothing will break.. because these shares will only 
be accessed after successful authentication is completed.. 

Anyone has faced similar argument and what should be the response. 

Thanks,



SYSVOL and NETLOGON Def perms

2010-04-11 Thread Juned Shaikh
Hi, 

I am trying to fix some security findings with file shares and permissions and 
am trying to understand what the default SHARE and NTFS permissions are on 
SYSVOL and NETLOGON. 

In environment here, I am in serious argument with Security team.

Thanks,



RE: Yet another DNS question - about reverse Lookup zone

2010-03-04 Thread Juned Shaikh
Thank you.. 


Yet another DNS question - about reverse Lookup zone

2010-03-04 Thread Juned Shaikh
Environment: Win2k8/3 Domains - AD integrated DNS zones

Question: It is critical to have a reverse lookup zone for every IP Subnet 
assigned in our environment visible under DNS ?

In our AD environment, I see few reverse lookup zones and many are missing - 
everything seems to be working smoothly - but our SMS team has always been 
complaining they don't see all the hosts correctly and package push fails.. 

thanks,



RE: Promoting the Domain functional level

2010-02-25 Thread Juned Shaikh
Thank you. That answers my question. 


Q: Promoting the Domain functional level

2010-02-25 Thread Juned Shaikh
Need input from your real-life experience here:

Environment:
- Windows 2000 mixed mode environment (Both forest and Domain)
- Domain Controllers are Windows 2000 SP4, Windows 2003 and Windows 2008 R2 with 
no issues. 

Requirement:
To start rolling out the RODCs for new smaller sites. 

As the prerequisite the domain has to be at Win2k3 functional level. 

NOW THE QUESTION: 
I am reading the below link and cannot truly grasp :

http://support.microsoft.com/kb/322692

- Can I upgrade the domain functional level to win2k3 without hurting Windows 
2000 Domain Controllers? 
- If I upgrade the domain functional level, will my Win2k DCs stop functioning? 

Thanks in advance,





firewall rule help

2010-02-15 Thread Juned Shaikh
Hello:

Can't seem to figure out the syntax for achieving the following firewall rule 
for Windows 2008 Server.

- Allow full inbound access (all Host IPs and profiles) 
- from two of my security scanner workstations i.e. 192.168.1.10 and 11

I am trying to script it using "netsh advfirewall firewall" but googling and 
trial is not helping much.

Appreciate any help.
Thanks,


re: Resizing C partition in Server 2003

2010-01-24 Thread Juned Shaikh
Another option: (Try only after taking a full bare metal backup)

If both C and D are of the same RAID group and are logically 
partitioned - convert the volumes to Dynamic. Shrink the D drive by let's say 
10GB and expand the C drive by 10GB. 

My wording may be slightly obtuse, but crux is converting disk to dynamic 
should work for you as well..


re: DCPROMO demotion and DNS

2010-01-14 Thread Juned Shaikh
If you want to have the server to be demoted continue to work as DNS Server, 
you can get the zone from AD integrated to file based. 

Other than that, if you demote a DC, it will definitely stop doing any 
function which was integrated as part of its former role.






re: DL185 fan speed

2009-12-15 Thread Juned Shaikh
Not sure about DL 185, but in blade environment - if ONBOARD Administrator is 
not functional all the FANS will spin at full Speed. 

Thanks,


RE: Exiting from a Start command

2009-08-07 Thread Juned Shaikh
I tried the following without any success :

Start /MIN

START /B /MIN 

Thanks,


Exiting from a Start command

2009-08-07 Thread Juned Shaikh
Need an URGENT help:

I am trying to launch the ePOP Alert client from WiredRed from my login script 
by using the following command :
 
Call "Program Files\WiredRed\Epop\EPOPCLIENT.EXE" 

the launch is fine but the DOS window after launch gets hung. What are the 
methods where I can launch the .EXE and quick leave the process and continue 
with the script.

Thanks in advance,




Modifying Local GPO on Workstation

2009-07-16 Thread Juned Shaikh
Need expert comments on the following situation:

A situation is arising by which the security team wants to run a Workstation 
Logoff and Login script to ensure system info is updated in some database. 

I can do GpEdit.msc on each machine and achieve that.. but how can I implement 
this change of login and logoff script on hundreds of computers?

Thanks in advance,




DHCP Scope

2009-06-19 Thread Juned Shaikh


Planning to fix an IP address conflict issue in a 2 DHCP Server environment - 
Win2k3R2 STD SP2. For some strange reason the old Admin
has configured both servers with identical ranges and, 
much to my surprise, apart from occasional IP address conflicts - it is running 
fine. Machine names are getting registered at both the DHCP Servers. 

I am trying this list's expertise in this matter with the following. 

Findings: 

+ Every subnet is /24

+ In-total there are 20 Scopes defined for a 10 floor building and scope per 
wing. Each wing has no more than 150 computers 

+ Current usage suggest no floor with more than 130 DHCP provided IPs.  

+ IP Addresses 1-10 and 240-254 must be excluded for printers, Projectors, 
security and other static mapping devices. 

+ Both servers i.e. ServerA and ServerB are configured with same information. 

Question: What is the most efficient and best-practice-way to define DHCP Scope 
splits ?

(since 1-10 and 240-254 are Excluded across all subnets)

ServerA : 11-160; approx 150 IP Addresses   (Highest floor 
utilization is 130)
Exclude (161-239)

ServerB :  161-239  : approx 70 IP addresses
Exclude (11-160)

Is above approach correct?


Question : Switches are configured with IP helpers for both the servers.. How 
does IP helper works in Cisco switch environment? Does it select on round-robin 
basis or can it be configured that way? 


Question: How do I ensure that the IPs are either requested from both the 
servers or when ServerA is exhausted automatically rollover to ServerB for 
further requests?


Perhaps asking too many questions.. Thanks in advance,









Re: GPO Security Context

2009-06-11 Thread Juned Shaikh
hmmm..

My understanding was if a script is run as 

\\domainname\netlogon\Logon.bat it will run under Logged-in user context

But the same script if run as part of GPO - It runs under LocalSystem Context.. 

If that's the case, any idea how do you run the registry keys directly as part 
of the GPO and not as script within a GPO.

Thanks in advance,


GPO Security Context

2009-06-11 Thread Juned Shaikh
Hi,

Please help to understand the security context..

My understanding is that scripts running as part of Domain based GPO run under 
LocalSystem security context right? If that's the case than why am I getting 
"access denied" when I try and delete the key using command ===> reg.exe delete 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "something" /f

Please help me to understand this and what the other alternative is to deleting a 
specific registry entry.

Thanks in advance,


RE: Kinda OT: ESX with only two nics

2009-06-08 Thread Juned Shaikh
That's right.. Creating a trunk of 2 NICs (effectively giving 2 Gbps speed), then 
- You tag your ILO to use a particular VLAN (to access blade or enclosure) - Let 
your COS be on a separate VLAN, iSCSI and production network respectively.

This is supported configuration by VMWare. Just make sure that you have sharp 
networking folks around. 

Hope this helps.


RE: NewSID

2009-06-05 Thread Juned Shaikh
Curious!! how did you find out the duplicate SIDs? 

One more observation about NEWSID. Once you have run NEWSID and the process is 
completed, if you do a regedit and find the old hostname you will most often find 
at least a couple of places which are not changed and you will have to do a manual 
change. 

That being said, NEWSID is our de facto tool and is part of server rollout 
process and never had any issues. But again this can only be confirmed once we 
are sure that there are no duplicates..

So how do you find duplicates?






Federal Server Core Configuration (FSCC)

2009-06-05 Thread Juned Shaikh

Hi:

Anyone has seen Federal Server Core Configuration (FSCC) Guidelines??

Below link talks about the FSCC but hasn't had any downloaded guidelines

http://www.microsoft.com/industry/government/solutions/fscc/default.aspx

Thanks in advance,


RE: Log On as a Service question

2009-05-28 Thread Juned Shaikh
I am trying to see why would you even try and place this account through domain 
GPO, why not place the said account in appropriate built-in groups 
(Administrator etc.) and get over with it. 

FYI, Citrix PS 4.5 and above has eliminated all accounts other than 
"ctx_cpsvcuser", that's the only account require for functioning and that 
handles everything. You can simply give appropriate rights to this account and 
everything works fine. 

Hope this helps. 


re: Cisco NAC and Login Script

2009-05-06 Thread Juned Shaikh
Thanks found the solution here:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a70c18.shtml


Cisco NAC and Login Script

2009-05-06 Thread Juned Shaikh
Hi: Getting some expert help here. We are implementing Cisco NAC solution - and 
facing a very popular issue. 

While NAC client is doing its magic in the background - How do you delay the 
login scripts and GPO to run?

Thanks,


Win2k8-Gold Build Question

2009-04-22 Thread Juned Shaikh
Am sure many on these must have gone to similar exercise..

Finally got an approval to build a gold win2k8std-image for generic server 
rollout, but had to review and advise on all available guidelines and best 
practices. And I would like to tap into the vast knowledge pool of this list:

Considering, I am building a gold VM - Win2k8 Std..

1) What should be the standard C drive.. (base install itself gobbles over 
10GB) 
2) What are the current published and credible hardening guidelines?
3) What security template tweaks everyone on this list has done on their builds 
?
4) What Roles and features should be part of standard build.. i.e. Powershell, 
Telnet client?
5) Firewall rules: Apart from allowing ICMP response and RDP.. what else should 
be allowed?

I know it has many variations, but any pointers will be much appreciated.

Thanks in advance,


Q: Sharepoint Services

2009-04-17 Thread Juned Shaikh
Hello:

What is the advantage of installing Windows SharePoint Services 3.0 of file 
servers? 

http://technet.microsoft.com/en-us/windowsserver/sharepoint/bb400747.aspx


I understand the Windows Sharepoint Server and its features, but I am unable to 
understand the advantage of installing Sharepoint Services alone on a Windows 
2003 file server, and after installing what extra features are available? Web 
enabled file shares?

Thanks,



RE: WIN2K8-64Bit: Two C:\Program Files ??

2009-04-13 Thread Juned Shaikh
You are right, I am running 32 Bit vista that's why I only see one "Program 
Files".. Thanks - I am getting there it seems. 


RE: WIN2K8-64Bit: Two C:\Program Files ??

2009-04-13 Thread Juned Shaikh
hmm. I am running vista on my laptop and it has only one 'program files'

So this is only on VMware installation that Vista, Windows 7 and Win2k8 creates 
C:\Program Files x86.. Have you researched of disabling this behaviour?

Thanks in advance,


WIN2K8-64Bit: Two C:\Program Files ??

2009-04-13 Thread Juned Shaikh
Hi,

Wanted to confirm. I am installing Win2k8-64Bit standard as VM (on ESX) and 
after installation I am seeing two C:\Program files ie.

C:\Program Files
C:\Program Files x86

Is this a normal behaviour? It seems obvious that something which is non-64 bit 
compliant may be going to the x86 folder.. But in this case other than VMWare tools 
nothing is installed.

Is this a normal behaviour of Windows to create two 'program files' folders and 
be prepared in advance for future x86 apps?


Thanks,



RE: Win2k8 - 64Bit on ESX

2009-04-10 Thread Juned Shaikh
Thanks, I think I got the correct answer. 

IT does need VT enabled processor apart from being simply 64Bit binary 
compatible for it to work with VMWare ESX and XenServer. 

Direct installation of Windows 2008 on this hardware with Intel Xeon 3.0Ghz 
processor does work. VMWare ESX is displaying Intel Xeon CPU 3.60 GHz ; 
Processor Speed 3.6 GHz and Hyperthreading enabled. 

So.. thanks everybody pointing me to the right direction. 

Best regards,



Re: Win2k8 - 64Bit on ESX

2009-04-09 Thread Juned Shaikh
I looked everywhere in the BIOS settings and found no reference to enabling or 
disabling the 64Bit. 

However the BIOS possibility is ruled out because I am able to install it 
directly. It is only on VMware ESX 3.5 as virtual machine its not working..!!


RE: Win2k8 - 64Bit on ESX

2009-04-09 Thread Juned Shaikh
Where would I enable the "DEP" in the HP Server Bios? or Virtual Machine BIOS? 
because Windows OS is not yet installed!!!


Win2k8 - 64Bit on ESX

2009-04-09 Thread Juned Shaikh
Hi:

I am trying to understand this phenomenon. HP DL380G4 with Intel Xeon3.0 GHz 
processor. Using Smartstart - I can install Windows 2008 - 64 Bit edition. No 
problem. 

Then I installed VMWare ESX 3.5 with latest updates. Trying to install the same 
Windows 2008 - 64 Bit; no go. It gives me the message 

"Info: Attempting to load a 64-bit application, however this CPU is not 
compatible with 64-bit mode."

I am sure that the CPU does support 64 Bit because I was able to install it 
directly on the hardware.
Googling pointed to various directions including 

1) checking the "Virtualization option" in BIOS - there is no option like that

2) Modifying the line in .VMX file on HP servers
   SMBIOS.reflectHost=TRUE
   No effect.

3) Upgrading the firmware on the server - done - no change. 

From what I understand - VMWare ESX 3.5 doesn't have a 32 bit and 64-Bit 
editions. 

Any help idea to check further will be appreciated.

Thanks,








re: View PAE setting on W2K8

2009-04-03 Thread Juned Shaikh
Thanks for the info.. 

but I am wondering why you would need to have PAE in win2k8? Because you 
have a 32 bit installation, or do you need this on Win2k8-64 Bit for 32 bit enabled 
applications?




Re: RE: What's the easiest way to migrate printer from one server to another?

2009-04-03 Thread Juned Shaikh
Check this link out:

http://technet.microsoft.com/en-us/library/cc722360.aspx




RE: Win 2003 R2 quotas

2009-04-03 Thread Juned Shaikh
You should be using the MMC for doing FSRM (File Server Resource management);

Ideally this is what you do:

With a faint idea about your environment, but since you said it is school - I 
would think in those lines.

You select entire volume (ie. D:\) and enable soft quota (Monitoring ONLY) - 
create standard alerts at 85% and 100% watermarks - point it to an email 
address for email alert.

Then, you create an autoquota and set it to a hard limit of let's say 5 GB each. That 
way 1) existing folders and 2) ANY NEW folder(s) created will automatically 
inherit the 5 GB quota. 

Thereafter you selectively assign bigger quota(s) to individual folders - 
depending upon the folder usage or user request. 

dirquota is the commandline tool which can do this trick fairly easily. 

http://technet.microsoft.com/en-us/library/cc730873.aspx

HTH
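The layered quota layout described in the post above, as an added example that is not part of the original message. It assumes the FileServerResourceManager PowerShell module of Windows Server 2012 and later (not the Win2003 R2 MMC or dirquota the post refers to); the volume quota size, template name, folder path and mail address are constructed placeholders.

```powershell
# Added example: needs the FSRM role and the FileServerResourceManager module
# (Windows Server 2012 or later). Names, paths and addresses are placeholders.
Import-Module FileServerResourceManager

$Volume      = 'D:\'                  # volume to monitor (from the post)
$AlertMailTo = 'fsadmin@example.org'  # constructed address
$VolumeSize  = 500GB                  # assumed size for the monitor-only quota
$FolderLimit = 5GB                    # hard limit per folder (from the post)

# E-mail actions need an SMTP relay set once with Set-FsrmSetting -SmtpServer.
function New-AlertThreshold([int]$Percent) {
    $mail = New-FsrmAction -Type Email -MailTo $AlertMailTo `
        -Subject "Quota at $Percent% on [Server]" `
        -Body 'Quota on [Quota Path] has reached [Quota Used Percent]% of its limit.'
    New-FsrmQuotaThreshold -Percentage $Percent -Action $mail
}

# 1. Soft quota on the whole volume: monitoring only, alerts at 85% and 100%.
New-FsrmQuota -Path $Volume -Size $VolumeSize -SoftLimit `
    -Threshold (New-AlertThreshold 85), (New-AlertThreshold 100)

# 2. Hard 5 GB template, auto-applied to every existing and new subfolder.
New-FsrmQuotaTemplate -Name 'Folder 5GB hard' -Size $FolderLimit `
    -Threshold (New-AlertThreshold 85), (New-AlertThreshold 100)
New-FsrmAutoQuota -Path $Volume -Template 'Folder 5GB hard'

# 3. Selectively raise the limit on an individual folder on request.
Set-FsrmQuota -Path 'D:\Projects\Yearbook' -Size 20GB

# Review: list quotas that are at or above 85% of their limit.
Get-FsrmQuota |
    Where-Object { $_.Size -gt 0 -and ($_.Usage / $_.Size) -ge 0.85 } |
    Select-Object Path, SoftLimit,
        @{ n = 'UsedPct'; e = { [math]::Round(100 * $_.Usage / $_.Size) } }
```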


RE: Win2k3R2 Event forwarding to another Win2k3R2 server

2009-02-06 Thread Juned Shaikh
I believe R2 added this functionality of forwarding events.. I am basically 
trying to "Forward" the events to, say, a Win2k8 collector.. 

I already see the Forwarded Events view under event viewer of Win2k3R2 std 
server.




Win2k3R2 Event forwarding to another Win2k3R2 server

2009-02-06 Thread Juned Shaikh
Hello,

I am trying to set up event forwarding to be collected on another Win2k3R2 (both 
standard) server.. Googling isn't helping much. Has anyone on this list 
achieved this before? Please share the steps, please.. thanks.


Building a new infrastructure

2008-11-30 Thread Juned Shaikh
Hi,

I am sure many of you have been through this before. How do you deal with the 
licensing part (CALs purchase) if one has to start the following 
infrastructure:

2600 users
10 servers - mostly file and print
2600 workstations

I was thinking in the following line - help me add / deduce some of the items:

Order 2600 workstations with WinXP Pro licenses 
Order 10 server bare with no OS
Get 10 licenses for Win2k3 STD server. 
How many CALs do I need to procure? and what type? 

I understand the WinXP Pro already contains Device CALs? So does that mean only 
User CALs need to be procured? How much is the street price for user CALs? 
Any idea?

Thanks

 




re: AD: how to add a subnet

2008-11-20 Thread Juned Shaikh
I got it. I had to have Enterprise Admin rights to see that option.

Thanks,



AD: how to add a subnet

2008-11-20 Thread Juned Shaikh
Please help in defining how to add a new IP subnet under AD Sites and Services. 
We are creating a few new IP subnets all in 1 site and would like to tie them in to that 
site. How can I add those IP subnets?

When I right click on 'subnets' under AD Sites and Services, I don't see any 
option to add.

Any help will be highly appreciated.

Thanks



Win2k8 Clustering

2008-11-19 Thread Juned Shaikh
Hello: Wondering if anyone on this list is at prod / test level of testing 
Win2k8 clustering options. I am reading tonnes of material where each 
clustering option has its pros and cons and would like to understand your 
findings and what prompted you to reach that clustering model. 


Thanks,


RE: Domain Controllers time sync software

2008-11-19 Thread Juned Shaikh
Thanks for very informative string of suggestions! 

Greatly appreciated. 


re: Printer Management

2008-11-19 Thread Juned Shaikh
We bought Print Manager Plus 2008 but haven't installed it yet. We bought this 
basically to satisfy the requirement for the System refresh group; they wanted to 
know how many pages are printed out and decide when to discontinue a printer 
from service. 

http://www.softwareshelf.com/products/print_manager_plus_enterprise.htm




Domain Controllers time sync software

2008-11-18 Thread Juned Shaikh
What is the time-sync software / hardware that the list uses? In our environment 
- for FW reasons the sync with default time sync is not working and we are in 
the process of buying some hardware appliance which can provide time services. 

In the meantime, has anyone used some software option which can be 
installed (safely) on Active Directory DCs?

Thanks,



RE: File Server Migration Question

2008-05-14 Thread Juned Shaikh


Did the shares carry over too! In my tests when the LUNs are detached from one 
host and re-attached to another host (even with the same name), the shares 
go completely out of whack. 

Please share your experience. 

Thanks,
~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~


RE: File Server Migration Question

2008-04-29 Thread Juned Shaikh
Initialize means, Device Manager --> Storage Management --> Rescan Disks --> 
Initialize disk. Which basically registers the disks on the hosts. 


File Server Migration Question

2008-04-29 Thread Juned Shaikh
Guys: help me out with this: 

I have a Win2k3 Server connected to SAN with two LUNs of 250 GB each hosting 
some shares. Now, I need to migrate it over to newer, better faster servers.

My understanding is that I should proceed the following:

1. e current WWNs of server Shutdown file server
2. Ask my SAN administrator to assign new WWNs of new server to same storage as 
old server.
3. restart new server (which already has OS etc. etc. installed)
4. Scan for disks if none is shown, Once disks are visible simply initialize 
them, data will not be destroyed, assign the drive letter
5. Now if I go by \\newservername\sharenames, I should be able to browse all 
the previous shares... 

Is my understanding correct? Have you done this sort of migration in the past? 
Please advise me what the likely issues are because after this tiny move, I 
will have to move a lot more file servers. 

TIA,





How to identify DC roles?

2008-04-24 Thread Juned Shaikh
Hi,

Need help in identifying Domain Controllers role?

We have about 12 DCs (Mix of win2k and win2k3) and we would like to decommission 
or upgrade some of them. Since they were created during various stages, I am 
wondering what are the ways to see what roles are scattered across. 

I mean, I need to identify which server is hosting Global Catalog, which is 
acting as Schema Master etc. 

Any help will be highly appreciated.

Thanks,
 


RE: Heat and Power calculations

2008-04-09 Thread Juned Shaikh
Perfect. Thank you.


Heat and Power calculations

2008-04-09 Thread Juned Shaikh
hi,

Has anyone on this list done a calculation or analysis of how much BTU and 
power 1U, 2U, and 4U servers consume! HP servers in particular?

Thanks in advance,



NTFS take ownership question

2008-03-17 Thread Juned Shaikh
Hi,

Need help in resolving this issue on our Common/Public drive. A directory is 
showing as NO permission even for Administrator. the NTFS permission security 
tab is absolutely blank. 

Current owner of this shows "Unable to display current owner."
If I tried to take ownership - it displays access denied and nothing happens.

Help please..

Thanks,


Win2k TS - Registry size expansion

2008-03-07 Thread Juned Shaikh
Hi,

ENV: Win2k SP4 Server running Citrix MetaFrame XP 1.8

I am continuously getting an error message about registry size too low. Microsoft 
documents only point to increasing it under System Properties, and changing it 
under System Properties doesn't seem to take effect.

Can someone please help me to get over this message. 

Thanks,
 


newSID question

2008-02-07 Thread Juned Shaikh
Hi,

Question related to newSID:

I am trying to back up the SID and need to understand whether my take on this 
utility is correct. 

NewSID from Microsoft has the capability to generate a SID or pull a SID from another 
server and apply it to a new server, but it cannot back up the SID. 

So, when I launch the NewSID utility, it displays current SID: as 
S-1-5-21-whatever..

Q1 Am I right in assuming that I can simply copy that "Current SID" from the 
source server i.e. S-1-5-21-xxx string; in a txt file and that will be my SID 
Backup??

Q2...And when it comes to applying it back I can simply cut and paste that string 
under the "Specify SID" option when the NewSID utility prompts??

Thanks,




re: OS upgrade

2008-02-07 Thread Juned Shaikh
Hasn't worked for me. I had a Win2k3STDSP2 server; followed the link somewhere 
on the Microsoft website, which basically said pop in the R2CD2 and launch setup.. It 
kept flashing the message cannot upgrade. Didn't have much time to downgrade the SP 
level or do any further tinkering. Finally went with the full install route. 

Basically whatever defaults were mentioned didn't work for me. 

Thanks,
 


Jetdirect substitute

2001-09-07 Thread Juned Shaikh
Hi guys,
 
I heard that HP is discontinuing Jetdirect and is going to roll out something 
else? Has anybody heard about this.. How are you guys gearing up for that. We 
had some unresolved issues with Jetdirect on MCluster servers. 

Thanks,
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm





Re: Exchange 2000

2001-09-07 Thread Juned Shaikh
I agree w/ exploring alternate solution esp. Notes. 
Initially we thought it to be a bad decision to launch Notes but it turns out a 
choice of many in org. It provides inbuilt archiving, offline/online email 
support, since it works seamlessly with any kind of IP network you can make it 
independently with any kind of dial-up service provider - Delegations etc is 
cakewalk.. so more and so forth. 

It won't hurt if you do a beta test with an evaluation 
copy of Notes in your environment. 
 
 
 

Subject: FW: Exchange 2000

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 07, 2001 8:19 AM
To: NT System Admin Issues
Subject: Re: Exchange 2000

Before you implement anything Exchange, I think it is in your best interest, 
(as in that of your company, users, and IT staff) to look into alternative 
E-mail platforms.  My first suggestion would be Lotus Domino. Their server 
software is more stable, easier to administer, and MORE SECURE than any of the 
competition I have seen.  Also, the functionality of the client software is 
far superior to anything e-mail coming out of Redmond, WA.

If your server that you mentioned is now idle and will be performing ONLY 
email functionality, that is perfect for 100 users, and I would bet you could 
squeeze in another 100.  My suggestion for hard-disk space is a mirrored 
system volume (2 disks).  For the data, I would suggest allocating 100 meg for 
each user.  Disk space is cheap, eat it up.  Running 4 10 gig drives RAID5 
would be a beautiful thing.  Buy 2 extra, just in case.

I would also recommend, if you want to upgrade desktops, to go with Windows 
2000.  Upgrading, loading, installing, whatever you want to call it, WinXP 
could turn out to be a nightmare.  Especially with Microsoft's new Product 
Activation "feature".  In a business environment, there is no reason, as far 
as I have seen, to put WinXP on the desktop.  Windows 2000 has proven itself 
to me to be an adequate choice for end use.

I must stress again the importance of exploring your options.  Just because 
your OS says Microsoft on it doesn't mean your Backend product has to.

Nathan W.

Jim Mediger <[EMAIL PROTECTED]> on 09/07/2001 09:03:02 AM
Please respond to "NT System Admin Issues" <[EMAIL PROTECTED]>
To:   "NT System Admin Issues" <[EMAIL PROTECTED]>
cc:
Subject:  Exchange 2000

We are looking at implementing Exchange 2000 and I have a few questions, and 
wanted advice from people who have had real world experience. We are 
currently running NT 4.0 Svr and Wkstn. I have setup a Windows 2000 Domain 
(still in testing phase). We have about 100 users.

My Questions:

1. I have a PII with 2 300mhz processors and 384mb ram. Will this be ample 
enough to handle Exchange 2000 and future growth? How much Hard Drive space 
would you recommend?

2. We plan on Going from NT 4.0 to Windows XP. Can we connect to Exchange 2000 
with the NT 4.0 Clients during the interim? Any issues I should be aware of? 
Any issues with WXP?

3. We have 50-60 users on Outlook 2002 with internet access etc., and 40-50 
users on other clients (internal e-mail and intranet only). Does Exchange play 
well with other e-mail clients?

4. Any other Gotchas, Do's, Don'ts? All advice will be greatly appreciated.

Thanks,
Jim





RE: Win2000 Write delay cache

2001-08-13 Thread Juned Shaikh

Our issue with one of the machine got fixed by applying updates from
windowsupdate.microsoft.com.


