Re: ALERT : NTSYSADMIN LIST MIGRATION

2013-05-04 Thread Stephen Wimberly
I never got the separate message as well, so I assumed this was spam.  Is
the list actually being shut down?


On Fri, May 3, 2013 at 11:40 AM, Phil Hershey phers...@agia.com wrote:

 Stu,

 Never got a thing. I did just see your message about problems with Google
 Groups, so now I don’t have a clue where we’re going.  What’s the link for
 the correct list/host?


 Thanks. Can’t do without the list.

 -Philip Hershey

 *From:* s...@knowbe4.com [mailto:s...@knowbe4.com]
 *Sent:* Thursday, April 25, 2013 11:45 AM
 *To:* lyris.sunbelt-software.com
 *Subject:* ALERT : NTSYSADMIN LIST MIGRATION

 Hi All,

 You are invited to the new NTSYSADMIN list hosted by KnowBe4.
 This replaces the Lyris list hosted by Sunbelt Software / GFI,
 which will shut down at the end of this month.

 GFI will confirm this with a separate message.

 I will continue to moderate the NTSYSADMIN list from KnowBe4.

 Warm regards,

 Stu

 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~

 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

 ---
 To manage subscriptions click here:
 http://lyris.sunbelt-software.com/read/my_forums/
 or send an email to listmana...@lyris.sunbeltsoftware.com
 with the body: unsubscribe ntsysadmin




PKI big picture?

2012-08-23 Thread Stephen Wimberly
I want to use PKI for SCCM 2012, and it's a nice to have for other servers.

QUESTION:  If I were to purchase a certificate from an outside trusted
vendor like Verisign, could I skip the internal Enterprise server CA
and import the purchased certificate directly to my SCCM server?

From what I have read so far it looks best to purchase a cert, import
it to your Enterprise CA and then create certificates from the
Enterprise CA but it just sounds redundant.  Am I really seeing this
'right'?



Re: PC power management

2012-04-12 Thread Stephen Wimberly
I use SCCM, but I've done all of this with free products, it just
depends on how automated you'd like to get with it.

shut down PCs after inactivity,
   Shutdown Screensaver (configure local or delivery via almost any
management product)

starting at a certain time of the day,
   BIOS settings to wake (Most Enterprise desktops, like Dell
Optiplex, can be managed remotely or via management products)

can put the monitor to sleep,
   Sleep settings on the monitor can be configured locally or via most
any desktop management product.

can power on PC
   wol.exe (Executed from a machine running on the same subnet where
the machine is configured in BIOS and Network card to respond to a
wake on lan broadcast.  If the WMI layer is healthy and the drivers
are correct this is almost 95% accurate.  Since it's a broadcast it
should not matter what the machine's last IP address was.  Some
software attempts an IP specific address, which can usually get
through a router, but I've had much better luck with broadcast as long
as you have a machine on in the same subnet and can use something like
psexec.)

and power off.
   Shutdown.exe (Execute local or from a remote machine with admin
rights using shutdown.exe /s /m \\remote
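
An added example, not part of the original post: the broadcast wake-up described above works because the magic packet names its target by MAC address and is sent to the subnet broadcast address, so the sleeping machine's last IP address never enters into it. The function names, the sample MAC and IP values, and UDP port 9 are assumptions for illustration.

```python
import ipaddress
import re
import socket
import sys

WOL_PORT = 9  # assumption: UDP "discard" port, a common choice for Wake-on-LAN


def parse_mac(mac: str) -> bytes:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455."""
    compact = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", compact):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(compact)


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def subnet_broadcast(any_ip_in_subnet: str, netmask: str) -> str:
    """Broadcast address of the subnet, derived from any host address in it.

    The sender only needs to know which subnet the sleeping machine is on,
    not the address the machine last held.
    """
    net = ipaddress.IPv4Network(f"{any_ip_in_subnet}/{netmask}", strict=False)
    return str(net.broadcast_address)


def contains_magic_packet(payload: bytes, mac: str) -> bool:
    """Check a captured UDP payload for a wake-up aimed at a given MAC.

    NICs scan the whole frame for the pattern, so it may sit at any offset.
    """
    return build_magic_packet(mac) in payload


def send_wol(mac: str, broadcast: str, port: int = WOL_PORT) -> int:
    """Send the magic packet to the subnet broadcast address; returns bytes sent.

    Routers do not normally forward this broadcast, which is why the sender
    has to sit in the same subnet as the target.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    sample_mac = "00-11-22-33-44-55"
    bcast = subnet_broadcast("192.168.10.37", "255.255.255.0")
    print(f"target MAC {sample_mac}, subnet broadcast {bcast}")
    print(f"magic packet is {len(build_magic_packet(sample_mac))} bytes")
    if "--send" in sys.argv:
        print(f"sent {send_wol(sample_mac, bcast)} bytes")
```
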



Re: Training for Unix Support?

2012-01-30 Thread Stephen Wimberly
Thank you for all the comments.  I have started playing with CentOS in
our virtual environment.

I feel badly continuing this in an NT support list, is there a good
list for *nix support?



Re: Training for Unix Support?

2012-01-27 Thread Stephen Wimberly
Flavor?  Our web developer wants to host a web site in house rather
than with shared Unix hosting.

When I asked what flavor he wants to use, he asked me!  He even
suggested that I download and learn a free one like CentOS and then we
purchase an Enterprise one like Red Hat or SUSE Linux Enterprise.  I
don't mind learning something new, and I've actually always wanted a
reason to learn some flavor of Unix, but it seems we are both starting
from scratch!

I think it's a classic case of the blind leading the blind!




Training for Unix Support?

2012-01-26 Thread Stephen Wimberly
I have supported Microsoft products since 1992.  I am now being asked
to support our first Unix box.  Aside from the occasional install to
play around, I have ZERO Unix exposure.  What training would you
request from an employer that wants me to branch out into Unix
support?

Thank you



Re: Need a free ping monitor with email notification for a handful of devices

2011-08-17 Thread Stephen Wimberly
Servers Alive used to monitor 10 for free

http://www.woodstone.nu/salive/features.php



Re: RAID1 moved to new System Board

2011-06-12 Thread Stephen Wimberly
Thanks for all the feedback, I eventually found my way to TestDisk
(http://www.cgsecurity.org/wiki/TestDisk) which was able to open the
'invalid' drive and modify the metadata!  Applying the new values
allowed the drive to show up as a standard basic disk after restart.



RAID1 moved to new System Board

2011-06-11 Thread Stephen Wimberly
I had an old computer with a hardware RAID1 data disk.  My system
board died and I am moving the two physical disks to a new system
board.  The RAID setup on the new board is different and does not
recognize the two disks.  So my new system (Windows 7 Home Premium
Edition) has two physical disks listed as Dynamic / Invalid.  Since
Home Edition doesn't support Dynamic I moved one of them to my Windows
7 Ultimate system and it also displays Dynamic / Invalid.

I am back at my Home Premium system and looking at the Dynamic /
Invalid drive that holds my data.  (Yes I have a backup, but due to
the failing system board the backup has not completed in two weeks, so
I'd rather get my live data rather than my Memorex data.)

Is there a way to take a RAID1 disk to a new system and read the data
without recreating a RAID setup?  I've read all about converting
dynamic disks to basic disks, but this really wasn't dynamic before.
 This new system just displays 'dynamic'.



www.DomainName.com

2011-05-05 Thread Stephen Wimberly
I have a Windows domain that someone named company.com.  Now they
have a web site called company.com which no one in the company can
get to!  Aside from the fact that the windows domain should never have
been set up this way, is there a way to keep the existing DNS entries
for Active Directory AND allow users to get to the offsite web site?
I know a web hosting company can make a distinction between
example.com and www.example.com but is there a way to do this
within Active Directory?  Can I just set up a static entry being
www.company.com in the Active Directory DNS server without killing
the Active Directory managed workstations?  (The external web site at
company.com DOES use a static IP address!)

TIA (Thanks In Advance)



Re: DFS for private folders?

2011-02-14 Thread Stephen Wimberly
That's a _huge_ it depends.  For example I have users in two domains, for
one domain when I type \\server\share\%username% in ADUC and hit OK, then
it creates the user's home directory 'automatically' with all appropriate
permissions when the user logs in for the first time.  I'm sure part of this
is the Group Policy Object in my case that specifies grant rights to user
home path which is in the user's ADUC object.  Although on the other domain
they don't let us edit the Profile tab of the user's object, so we have a
custom web form where we type in \\server\share\username, notice this is
NOT a variable we have to actually specify the user's user name.  Here since
I'm not typing it into ADUC I must create the folder manually and set
permissions.

If you're in a standard Microsoft environment and have admin access to the
ADUC user object, you should be able to just type it into ADUC, let the user
log in and presto it's done.  Try it on a test user and verify.



On Mon, Feb 14, 2011 at 6:59 AM, Tom Miller tmil...@hnncsb.org wrote:

 Thanks, folks.  So do you set the perms individually in the users'
 profiles,  \\server\share\%username% for all your DFS servers then change
 the path to the DFS path?




Re: DFS for private folders?

2011-02-11 Thread Stephen Wimberly
I have been using %username% in the path of DFS shares since Windows Server
2000 came out.  Back then each volume could only have one DFS root share so
it was a lengthy  \\domain\share\userhome\%username%.  In short the
environment variable is resolved at the workstation and then sent to the
server, so the server would get \\domain\share\userhome\stephen and not ever
be aware that it was a variable in the original script or group policy.


Re: SEP Symantec Endpoint Protection

2011-02-11 Thread Stephen Wimberly
We saw seriously slow installs when we had not removed the previous
antivirus.  We upgraded the servers from SAV 10 to SEP 11 and our
expectation was that the install would upgrade the existing, which it did,
but at a time cost.  It was much faster to uninstall SAV10, restart and then
install SEP 11.

Hope that helps you!

Oh, and we DID NOT turn on the NTP (SEP firewall) on the servers, only the
workstations.


Re: DNS latency

2011-01-31 Thread Stephen Wimberly
Thanks gang!  A couple of those tools were _exactly_ what I needed!


DNS latency

2011-01-29 Thread Stephen Wimberly
I have an Active Directory domain, which means I have my own DNS
environment.  For any name resolution that is not in my domain, my DNS
server must pass the request up to our ISP for resolution.  Is there a way
to measure how long the added delay might be to gain a reply?  In other
words how much faster would it be if I were pointing directly at the ISP DNS
servers, not my own that forward?

Thanks In Advance!


Re: AD Migration from 2003 to 2008

2011-01-27 Thread Stephen Wimberly
Make sure you have DVD drives!  We did an in place upgrade of all our domain
controllers to get the fine grained password policies; recently one of the
domain controllers hosed up and the repair from the DVD would have been a
very helpful utility, but without a DVD ROM in the server we were left to
rebuild the server from scratch and then a restore from backup, a much
longer process than it should have been.

If you're planning on using Server 2008 for file services, keep in mind that
Microsoft has changed the basic default NTFS security rights over the file
sharing services.  Read up on that before you start messing with the
defaults to force what they used to be, don't skip it because it's just
file sharing.

-My 2 cents worth-


Re: Installing SC OM2007 - SQL Server question

2011-01-04 Thread Stephen Wimberly
Going from memory I believe when you install SCOM with a SQL 2008 you need
to create the database first, then install SCOM.

I need to do this, but I've been putting it off!  The migration we have to
SQL 2008 has been pushed off several months so I'm not actively keeping up,
but that might point you in the right direction to search.


Re: RE: Redirect folders to network

2011-01-01 Thread Stephen Wimberly
With Windows 2000 yes. Although with Windows 2003 R2 the quota system is set
by File Server Resource Manager (FSRM) on a folder rather than per file
owner on a volume.  This alone is a great reason to upgrade a file server.

I forget when FSRM was introduced, I know it is in 2003R2 but may have been
in 2003 as well.

With Windows 2000, you'd have to use a different volume for your roaming
profiles.

 On Dec 31, 2010 10:44 PM, VIPCS vi...@stny.rr.com wrote:
 It was Jeffrey's understanding that a server file quota applies to ALL files
 owned by a user on that server, not whether they are in a home folder or a
 roaming profile folder.

 Sincerely,

 Jeffrey and Mary Jane Harris
 VIPCS

 From: Stephen Wimberly [mailto:riverside...@gmail.com]
 Sent: Friday, December 31, 2010 1:31 PM
 To: NT System Admin Issues
 Subject: Re: Redirect folders to network

 I love both roaming profiles and folder redirection, but have been burned by
 offline files in the past (Windows 2000 server and pro) and just don't want
 to go there again even though improvements have been made!

 We like the Keep It Simple principle, we redirect the My Documents folder to
 the user's mapped home directory found on the profiles tab within their
 Active Directory object. (This way we can offer server space for normal
 employees, but not contractors). Our users can always look to see if their
 My Documents match the contents of their mapped drive, this way it
 instills in them that these files are not on the local computer.

 We suggest that our Laptop users create a Local Folder for files that they
 need to travel with. It is up to them to keep these in sync with server
 copies so there is a backed up version.

 If you do roaming profiles without redirecting the My Documents folder, you
 may find yourself 'roaming' a good many files at login or logoff which could
 slow things down considerably. Plus you can put a quota on the user's
 shared drive, but not on a roaming profile share!

 Food for thought.

 My next goal is to understand and implement Microsoft Direct Access so our
 laptop users aren't really far from a server copy at any time, of course
 this means I'll be able to get to them for support as well. ;)


Re: Redirect folders to network

2010-12-31 Thread Stephen Wimberly
I love both roaming profiles and folder redirection, but have been burned by
offline files in the past (Windows 2000 server and pro) and just don't want
to go there again even though improvements have been made!

We like the Keep It Simple principle, we redirect the My Documents folder to
the user's mapped home directory found on the profiles tab within their
Active Directory object.  (This way we can offer server space for normal
employees, but not contractors).  Our users can always look to see if their
My Documents match the contents of their mapped drive, this way it
instills in them that these files are not on the local computer.

We suggest that our Laptop users create a Local Folder for files that they
need to travel with.  It is up to them to keep these in sync with server
copies so there is a backed up version.

If you do roaming profiles without redirecting the My Documents folder, you
may find yourself 'roaming' a good many files at login or logoff which could
slow things down considerably.  Plus you can put a quota on the user's
shared drive, but not on a roaming profile share!

Food for thought.

My next goal is to understand and implement Microsoft Direct Access so our
laptop users aren't really far from a server copy at any time, of course
this means I'll be able to get to them for support as well. ;)


Re: document sprawl

2010-12-03 Thread Stephen Wimberly
I have attempted to tackle this issue before, I like to call it
encourage spring cleaning! but my words always seem to fall on deaf
ears.

Lately every time I bring it up we end up buying more hard drives for
the server!  I give up.  Maybe I'm just too cheap?



On Fri, Dec 3, 2010 at 11:50 AM, Jeff Brown 2jbr...@gmail.com wrote:
 In regards to email, we were able to establish a retention policy that
 messages in the Inbox, Sent Items, and Deleted Items folders are all deleted
 after 90 days.  Exchange mailbox manager allowed to do that weekly.  Don't
 manage other folders.  Not perfect, but it helped.

 On Fri, Dec 3, 2010 at 10:25 AM, Don Guyer don.gu...@prufoxroach.com
 wrote:

 I’d be interested in a solution to this. Been fighting it for years to no
 avail, other than running a “data inventory” program (such as TreeSize) and
 doing a manual compare.



 Don’t forget all of the email attachments saved along with the original
 email…



 J



 Don Guyer

 Systems Engineer - Information Services

 Prudential, Fox  Roach/Trident Group

 431 W. Lancaster Avenue

 Devon, PA 19333

 Direct: (610) 993-3299

 Fax: (610) 650-5306

 don.gu...@prufoxroach.com



 From: S Powell [mailto:powe...@gmail.com]
 Sent: Friday, December 03, 2010 11:17 AM
 To: NT System Admin Issues
 Subject: document sprawl



 Hello Everybody /Dr. Nick



 I'd like to pick your brains about how you deal with document sprawl, I
 was reading in another thread about how users would use their Recycle
 Bin as their archive. shudder

 we have users that will keep tens of copies of the same document in
 various locations around their My Documents; as well as in tens of
 locations within  our shared folders on the network ...



 User education only goes so far when it comes to please don't do that as
 they nod and then keep doing it.

  I think we've moved beyond being nice and we've found ourselves

 mired in needing a sledgehammer.  I'd just like to wrap it in a bit of
 velvet.



 Thoughts, Policies, procedures etc, would be helpful in this.



 TIA



 ./s
 Google.com  Learn it. Live it. Love it.




Re: document sprawl

2010-12-03 Thread Stephen Wimberly
Ten years ago we operated all file shares from a single 100 GB drive
array, but used only about 30% of that.  (Almost exact!)

Now we have three file servers and a total of about 9 TB available and
are using about 3 TB of actual user data, although some shares are
replicated via DFS Replication so that's a guess without even looking.
 (so you and I are running neck and neck here!)  Of course we also had
only one web server, now we have four.  Same with SQL Servers, used to
be one and now that is five.

They just sprout like weeds!


On Fri, Dec 3, 2010 at 12:19 PM, Holstrom, Don dholst...@nbm.org wrote:
 Me too. When I arrived here eight years ago, we had 32 gigs of data. Now we 
 have over 2 TBs...

 Just buy larger servers...

 -Original Message-
 From: Stephen Wimberly [mailto:swimbe...@gmail.com]
 Sent: Friday, December 03, 2010 12:17 PM
 To: NT System Admin Issues
 Subject: Re: document sprawl

 I have attempted to tackle this issue before, I like to call it encourage 
 spring cleaning! but my words always seem to fall on deaf ears.

 Lately every time I bring it up we end up buying more hard drives for the 
 server!  I give up.  Maybe I'm just too cheap?



 On Fri, Dec 3, 2010 at 11:50 AM, Jeff Brown 2jbr...@gmail.com wrote:
 In regards to email, we were able to establish a retention policy that
 messages in the Inbox, Sent Items, and Deleted Items folders are all
 deleted after 90 days.  Exchange mailbox manager allowed to do that
 weekly.  Don't manage other folders.  Not perfect, but it helped.

 On Fri, Dec 3, 2010 at 10:25 AM, Don Guyer don.gu...@prufoxroach.com
 wrote:

 I'd be interested in a solution to this. Been fighting it for years
 to no avail, other than running a data inventory program (such as
 TreeSize) and doing a manual compare.



 Don't forget all of the email attachments saved along with the
 original email.



 J



 Don Guyer

 Systems Engineer - Information Services

 Prudential, Fox  Roach/Trident Group

 431 W. Lancaster Avenue

 Devon, PA 19333

 Direct: (610) 993-3299

 Fax: (610) 650-5306

 don.gu...@prufoxroach.com



 From: S Powell [mailto:powe...@gmail.com]
 Sent: Friday, December 03, 2010 11:17 AM
 To: NT System Admin Issues
 Subject: document sprawl



 Hello Everybody /Dr. Nick



 I'd like to pick your brains about how you deal with document sprawl,
 I was reading in another thread about how users would use their
 Recycle Bin as their archive. shudder

 we have users that will keep tens of copies of the same document in
 various locations around their My Documents; as well as in tens of
 locations within  our shared folders on the network ...



 User education only goes so far when it comes to please don't do
 that as they nod and then keep doing it.

  I think we've moved beyond being nice and we've found ourselves

 mired in needing a sledgehammer.  I'd just like to wrap it in a bit
 of velvet.



 Thoughts, Policies, procedures etc, would be helpful in this.



 TIA



 ./s
 Google.com  Learn it. Live it. Love it.




Re: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN

2010-12-02 Thread Stephen Wimberly
I have servers and workstations in three areas separated by firewalls.
 Instead of making swiss cheese of the firewall I have always used
IPSEC for any Domain Controller connection, this way all the
authentication between the box in the DMZ and the domain controller is
over port 500 rather than 1024 through 6.  (If memory serves it
requires three ports, 50 500 and one other, but it seems it almost
always uses 500/TCP.)

From a security point of view if your DMZ box is compromised they can
still get to the Domain Controller, but this would prevent them from
getting to the entire LAN.

Just another view point.


On Thu, Dec 2, 2010 at 8:13 AM, Ziots, Edward ezi...@lifespan.org wrote:
 Honestly, to your network-guy: Security by obscurity is not a security
 framework I would be subscribing to.



 If no servers in the DMZ was allowed to talk through a  perimeter firewall (
 separate the DMZ from Internal NET), then they aren’t going to be able to
 touch the internal LAN.



 Depending on how the network is setup, and if there are any internal
 firewalls, or access-lists on the routers, the LAN to LAN “island-hopping”
 as we call it may or may not be available.



 Z







 Edward E. Ziots

 CISSP, Network +, Security +

 Network Engineer

 Lifespan Organization

 Email:ezi...@lifespan.org

 Cell:401-639-3505



 From: David Lum [mailto:david@nwea.org]
 Sent: Wednesday, December 01, 2010 5:49 PM
 To: NT System Admin Issues
 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 From my network guy: “If someone were to gain access to a machine in the DMZ
 they will only have direct network access to other machines in the DMZ.
 However, if someone were to gain access to a machine on the LAN, they would
 have direct access to any other machine on the LAN. Limiting the ports and
 servers a machine in the DMZ can connect to further limits the access
 someone would have should they gain access.”



 I understand what he’s saying, but what the practical difference is I don’t
 know. Might be worthy to note this guy also believes in “security by
 obscurity”, one area we don’t see eye to eye…

 David Lum // SYSTEMS ENGINEER
 NORTHWEST EVALUATION ASSOCIATION
 (Desk) 971.222.1025 // (Cell) 503.267.9764

 From: Michael B. Smith [mailto:mich...@smithcons.com]
 Sent: Wednesday, December 01, 2010 2:35 PM
 To: NT System Admin Issues
 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 I agree with James. I can’t see any realistic reason why you shouldn’t do
 that.



 Regards,



 Michael B. Smith

 Consultant and Exchange MVP

 http://TheEssentialExchange.com



 From: David Lum [mailto:david@nwea.org]
 Sent: Wednesday, December 01, 2010 5:30 PM
 To: NT System Admin Issues
 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 From your suggestion I have actually asked my network guy about exactly
 this. There’s likely some reason not to do this, but I don’t fear looking
 like an idiot so I asked.



 Anyone here want to educate me on why we shouldn’t do this? Probably get
 replies faster here than my network guy who is slammed…

 David Lum // SYSTEMS ENGINEER
 NORTHWEST EVALUATION ASSOCIATION
 (Desk) 971.222.1025 // (Cell) 503.267.9764

 From: James Hill [mailto:james.h...@superamart.com.au]
 Sent: Wednesday, December 01, 2010 2:06 PM
 To: NT System Admin Issues
 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 Just stick the thing on the inside, open up 443 to it and the rest of this
 pain will go away.





 From: David Lum [mailto:david@nwea.org]
 Sent: Thursday, 2 December 2010 8:06 AM
 To: NT System Admin Issues
 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 I’m talking about the RDS server finding (not being) a DNS server - the RDS
 (formerly Terminal Server) gateway has to resolve machine names and find a
 DC somehow doesn’t it? I guess an alternate would be to maintain a HOSTS
 file right?



 Dave



 From: -sc likes it when we configure our display name
 [mailto:don@gmail.com]
 Sent: Wednesday, December 01, 2010 2:01 PM
 To: NT System Admin Issues
 Subject: Re: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 Ok, so let me ask you this, what specifically is TCP 53 used for? I'm
 probably missing the boat here since I'm not sure if we are talking about
 running DNS on a terminal server...

 Sent from my Verizon Wireless BlackBerry

 

 From: David Lum david@nwea.org

 Date: Wed, 1 Dec 2010 13:54:02 -0800

 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com

 ReplyTo: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com

 Subject: RE: 2008 R2 RDS (was Terminal Server)in DMZ to 2K3 DC in LAN



 Because DNS uses port 53?



 From: -sc likes it when we configure our display name
 [mailto:don@gmail.com]
 Sent: Wednesday, December 01, 2010 1:49 PM
 To: NT System Admin Issues
 Subject: Re: 2008 R2 RDS (was Terminal 

Re: Carpet

2010-12-02 Thread Stephen Wimberly
I suddenly find that my job sounds dull and boring!  (Education, but
then again there is eye candy here at times ;) I should mention it's
College Education before anyone starts to call me names!)


On Thu, Dec 2, 2010 at 7:22 AM, James Kerr cluster...@gmail.com wrote:
 No, nothing that exciting, I work for a health clinic that happens to
 specialize in HIV/AIDS, both treatment and prevention.

 James.

 On 12/1/2010 7:32 PM, James Hill wrote:

 Without knowing where you work exactly I can only assume you get to use a
 lot of the latest tech.  Considering that it's often the Adult industry that
 uses it first.

 -Original Message-
 From: James Kerr [mailto:cluster...@gmail.com]
 Sent: Thursday, 2 December 2010 10:21 AM
 To: NT System Admin Issues
 Subject: Re: Carpet

 I was once able to make a nice adult themed pinata from stuff I got around
 the office.

 On 12/1/2010 7:06 PM, Maglinger, Paul wrote:

 Wow, I wonder what they hand out for Halloween!  :-)

 -Original Message-
 From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
 Sent: Wednesday, December 01, 2010 6:04 PM
 To: NT System Admin Issues
 Subject: RE: Carpet

 Gotta be real careful which you grab from.

 Hmm, this bubble gum is kinda strange.

 That ain't bubble gum

 Jacobja...@excaliburfilms.com   12/1/2010 3:55 PM

 Yea.  next to the candy bowl in the lobby.



 From: Webster [mailto:carlwebs...@gmail.com]
 Sent: Wednesday, December 01, 2010 2:22 PM
 To: NT System Admin Issues
 Subject: RE: Carpet



 I thought Jacob's company gave out the free condoms?





 Webster



 From: James Kerr [mailto:cluster...@gmail.com]
 Subject: Re: Carpet



 In that spirit, if anyone needs a free HIV test in South Florida or
 free condoms for that matter, email me offlist as I can hook you up.
 ;-)



 James

 - Original Message -

 From: John Aldrich mailto:jaldr...@blueridgecarpet.com

 Subject: Carpet



 I'll throw this out since I've had a couple questions about our carpet.
 We sell carpet world-wide. :) If any of you are interested in our carpet,
 you can email me **off-list**  and I can put you in touch with a sales
 rep or just go to our website and fill out the form and we'll have
 someone get back with you. :)




Re: Random poll: GPO count

2010-11-05 Thread Stephen Wimberly
We did the same kind of thing a while back, but a different point of
view.  We wanted to limit the number of objects that a particular
computer would run, we did combine some policies but we also used
security filtering to limit the number of objects that a particular
computer would run.

For example when we looked at login times a couple of years ago one
computer ran an average of 35 Policy Objects.

Now each computer runs about 10 Policy Objects.

The idea came from a Microsoft Rep that came to speak to our company
about Active Directory organization tactics.  The basic idea is that
it takes about 5,000 lines of code to parse through a single GPO even
if it's just to get to the item level targeting within the GPP and
find that it just doesn't apply, but only a moment to attempt to open
one that it doesn't have access to, record the Access Denied and
move on to the next one.  In essence taking 5,000 lines of code down
to one line.

Just another viewpoint.



Re: User last login info

2010-11-05 Thread Stephen Wimberly
I thought the last login date was sent to the domain controller
running the role PDC?

I have always used the csvde.exe from the resource kit as:
csvde.exe -r "(&(objectCategory=Person)(objectClass=User))" -p Subtree -f C:\path\to\file.csv

Then open the csv in Excel and use a formula to convert to an actual date:
=IF(A2>0,A2/(8.64*10^11) - 109205,"")


(I cannot take credit for these formulas, I found them online.)
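
The conversion that the Excel formula in the post above performs, as an added example that is not part of the original post: it reads a csvde export, turns the Integer8 logon values into UTC dates and flags accounts with no recent logon. The column names (sAMAccountName, lastLogon, lastLogonTimestamp), the 90-day threshold, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# AD stores lastLogon / lastLogonTimestamp as 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 and 2^63-1 both mean "no value recorded", not a real date.
NEVER = {0, 0x7FFFFFFFFFFFFFFF}

# Constructed sample in csvde layout: header row of attribute names, quoted DNs.
SAMPLE_CSV = '''DN,sAMAccountName,lastLogon,lastLogonTimestamp
"CN=Alice Example,OU=Staff,DC=example,DC=test",alice,129330432000000000,129171456000000000
"CN=Bob Example,OU=Staff,DC=example,DC=test",bob,0,129171456000000000
"CN=Carol Example,OU=Staff,DC=example,DC=test",carol,,9223372036854775807
"CN=Dave Example,OU=Staff,DC=example,DC=test",dave,,
'''


def filetime_to_datetime(raw):
    """Return a UTC datetime for an Integer8 value, or None if it is unset or invalid."""
    raw = (raw or "").strip()
    if not raw:
        return None
    try:
        ticks = int(raw)
    except ValueError:
        return None
    if ticks in NEVER or ticks < 0:
        return None
    try:
        # 10 ticks of 100 ns make one microsecond.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def excel_serial(ticks):
    """Same arithmetic as the spreadsheet formula: ticks per day, then shift
    the 1601 epoch to Excel's day 0 (109205 days later)."""
    return ticks / (8.64 * 10**11) - 109205


def logon_report(csv_text, now, stale_days=90):
    """Return (account, newest_logon_or_None, status) for each exported user.

    lastLogon is kept per domain controller and is not replicated, while
    lastLogonTimestamp is replicated but only refreshed periodically, so the
    newer of the two columns in this one export is used.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        seen = [
            t
            for t in (
                filetime_to_datetime(rec.get(col))
                for col in ("lastLogon", "lastLogonTimestamp")
            )
            if t is not None
        ]
        newest = max(seen) if seen else None
        if newest is None:
            status = "never"
        elif now - newest > timedelta(days=stale_days):
            status = "stale"
        else:
            status = "active"
        rows.append((rec.get("sAMAccountName", ""), newest, status))
    return rows


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    as_of = datetime(2010, 11, 5, tzinfo=timezone.utc)
    for account, newest, status in logon_report(SAMPLE_CSV, as_of):
        when = newest.strftime("%Y-%m-%d %H:%M UTC") if newest else "-"
        print(f"{account:8} {when:22} {status}")
```

Dates come out in UTC, as they do from the spreadsheet formula; an export taken from a single domain controller only reflects the lastLogon values that controller recorded.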



Re: Random poll: GPO count

2010-11-05 Thread Stephen Wimberly
James, that would have been a good question, but no, he did indicate
that a policy is about 5,000 lines which does take time to parse, but
he did not indicate whether it would take longer if there were more
values modified in a single policy.


On Fri, Nov 5, 2010 at 9:20 AM, James Rankin kz2...@googlemail.com wrote:
 Did your MS rep happen to tell you whether it takes longer or not to parse
 through a GPO with lots of settings, compared to a GPO with just a few?

 I was always an advocate of keeping GPOs as simple as possible, so that
 finding an errant setting was more straightforward. However some people
 prefer to just create something like Workstations Policy and then chock it
 full of every setting they can think of. Certainly from a support
 perspective the more GPOs, less settings works better - but I was just
 wondering whether there might be any performance hit from this.

 On 5 November 2010 12:22, Stephen Wimberly swimbe...@gmail.com wrote:

 We did the same kind of thing a while back, but a different point of
 view.  We wanted to limit the number of objects that a particular
 computer would run, we did combine some policies but we also used
 security filtering to limit the number of objects that a particular
 computer would run.

 For example when we looked at login times a couple of years ago one
 computer ran an average of 35 Policy Objects.

 Now each computer runs about 10 Policy Objects.

 The idea came from a Microsoft Rep that came to speak to our company
 about Active Directory organization tactics.  The basic idea is that
 it takes about 5,000 lines of code to parse through a single GPO even
 if it's just to get to the item level targeting within the GPP and
 find that it just doesn't apply, but only a moment to attempt to open
 one that it doesn't have access to, record the Access Denied and
 move on to the next one.  In essence taking 5,000 lines of code down
 to one line.

 Just another viewpoint.




 --
 On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
 the machine wrong figures, will the right answers come out?' I am not able
 rightly to apprehend the kind of confusion of ideas that could provoke such
 a question.




Re: Patch Management

2010-11-01 Thread Stephen Wimberly
WSUS and SCCM 2007.  We can't beat the license agreement our company has!


On Thu, Oct 28, 2010 at 1:54 PM, Brumbaugh, Luke
luke.brumba...@butlerschein.com wrote:
 Now that I have figured out how to update adobe.

 My next question is what do you guys use for patch management.



 What do you think of EminentWare for wsus?

 Is there something better?





 Luke L. Brumbaugh

 Network Engineer

 Butler Animal Health Supply

 Ph:(614) 659-1736



 **

 CONFIDENTIALITY NOTICE - The information transmitted in this message is
 intended only for the person or entity to which it is addressed and may
 contain confidential and/or privileged material. Any review, retransmission,
 dissemination or other use of this information by persons or entities other
 than the intended recipient is prohibited. If you received this in error,
 please contact the sender and destroy all copies of this document. Thank
 you.

 Butler Schein Animal Health

 **




Map drive across domains forests via Windows XP

2010-10-27 Thread Stephen Wimberly
I have never seen much stability when I map a network drive from a
Windows XP box in one Active Directory domain to a file share in
another Active Directory domain when the two domains are in different
forests and there is no trust relationship between the two domains.
At some point the drive shows disconnected and usually a double
click will reconnect, but sometimes a reconnect attempt will show
Access Denied as though the workstation has forgotten the alternate
credentials for the other domain and the user will have to run the
mapping command over again, specifying the alternate credentials.  We
have tried setting the idle time-out value, mapping drives in the GUI,
CMD net use, and vbs.  We've tried other techniques in the past but
really just found the drive mapping would fail over time.

In the past my suggestion has always been that the workstation should
be in the same domain as the file share.  Is there a 'magic cure' to
this problem that I am not aware of?

Thank you!



Re: Map drive across domains forests via Windows XP

2010-10-27 Thread Stephen Wimberly
Thanks, GPP wasn't around the last time we tried this, although in our
case the user has credentials in the other domain which are forced to
change periodically.  Would there be a fairly easy way for the user to
manage the credentials in the GPP?  They would need to change the
password within the GPP each time their password expired.  Of course
with credentials within the policy this would mean a new policy for
EACH user!  There must be a better way.


On Wed, Oct 27, 2010 at 8:42 AM, James Rankin kz2...@googlemail.com wrote:
 Group Policy Preferences drive map with an alternative user id specified?

 On 27 October 2010 13:40, Stephen Wimberly swimbe...@gmail.com wrote:

 I have never seen much stability when I map a network drive from a
 Windows XP box in one Active Directory domain to a file share in
 another Active Directory domain when the two domains are in different
 forests and there is no trust relationship between the two domains.
 At some point the drive shows disconnected and usually a double
 click will reconnect, but sometimes a reconnect attempt will show
 Access Denied as though the workstation has forgotten the alternate
 credentials for the other domain and the user will have to run the
 mapping command over again, specifying the alternate credentials.  We
 have tried setting the idle time-out value, mapping drives in the GUI,
 CMD net use, and vbs.  We've tried other techniques in the past but
 really just found the drive mapping would fail over time.

 In the past my suggestion has always been that the workstation should
 be in the same domain as the file share.  Is there a 'magic cure' to
 this problem that I am not aware of?

 Thank you!




 --
 On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
 the machine wrong figures, will the right answers come out?' I am not able
 rightly to apprehend the kind of confusion of ideas that could provoke such
 a question.




Re: Map drive across domains forests via Windows XP

2010-10-27 Thread Stephen Wimberly
I'm sure I've left out other very important details, but in short each
user has an active account in both domains, the local divisional
domain and the enterprise domain.  User accounts are utilized for
different applications.  At times it would be nice to have drives
mapped to shares in each domain, but we've never found it stable.

I wanted to throw out a hook and see if I catch anything before I
provide my longstanding recommendation yet again!

Thanks James for trying, it might be an option in limited scenarios,
but not my current one.



Re: WSUS and non public patches

2010-10-26 Thread Stephen Wimberly
Apparently either System Center Configuration Manager 2007 or System
Center Essentials 2007 are required.  I found one page that talks
about the API requirement (it's not just licensing, there are SCCM or
SCE files used by SCUP) and I have found a good many pages that talk
about deploying with SCCM.

I don't find where it is possible to deploy updates WITHOUT SCCM or SCE.

We have SCCM, but I don't use it for MS updates.  At present our WSUS
server can update laptops taken off site, but our SCCM server is not
(and will not) be available off site.  (Although we are looking into
MS Direct Access, that is another whole can of worms.)

Is it possible to use SCUP with the built in API from SCCM to build an
update, publish it to WSUS and deploy it directly from WSUS without
using the deployment mechanism within SCCM itself?

THANKS!



Re: Deploying Printers via GPO

2010-09-17 Thread Stephen Wimberly
I moved all our network printers to GPP with security groups as
described above and love it!  although now that we have started to
deploy Windows 7 I find that it doesn't work on Windows 7.  I don't
have the article handy that explains why, but a word of caution to
test your newly created GPP on some Windows 7 boxes before you go hog
wild!



On Fri, Sep 17, 2010 at 10:16 AM, Miller Bonnie L.
mille...@mukilteo.wednet.edu wrote:
 Interesting—I don’t think I’ve heard of any hangs like that, but I will go
 check that setting as we don’t have a widespread deployment yet (but it’s
 coming soon!).  Thanks!



 -B



 From: James Rankin [mailto:kz2...@googlemail.com]
 Sent: Friday, September 17, 2010 5:40 AM

 To: NT System Admin Issues
 Subject: Re: Deploying Printers via GPO



 it's in User Configuration | Admin Templates | Control Panel | Printers |
 Point and Print Restrictions | Security Prompts

 On 17 September 2010 08:01, James Rankin kz2...@googlemail.com wrote:

 It's the GPO that allows Vista and above to automatically install the
 drivers when they are not present. Otherwise it hangs at the GPO
 application.

 I've just changed jobs so can't dig out the exact GPO setting, sorry!



 On 16 September 2010 16:01, Miller Bonnie L. mille...@mukilteo.wednet.edu
 wrote:

 +1, works well for us here too, but we target the computer ou + the user
 group in combo.  James—can you clarify what you mean on the Point and print
 restrictions?  I don’t think we have that set and I’m wondering what the
 issue is/was.



 For XP machines, make sure you have the latest GPP preferences update
 applied for this all to work.



 From: James Rankin [mailto:kz2...@googlemail.com]
 Sent: Thursday, September 16, 2010 2:15 AM

 To: NT System Admin Issues

 Subject: Re: Deploying Printers via GPO



 Use loopback policy processing on your computers OU, deploy the Group Policy
 Preferences printers list as a user config applied to the computers OU, set
 the default printer through that, and target it to the required users.

 Make sure you set the GPO with the point-and-print restrictions as well, so
 it doesn't hang when popping up the box to install the driver if there isn't
 a suitable one installed.

 On 15 September 2010 18:02, Kelsey, John jckel...@drmc.org wrote:

 Good afternoon all,

     Currently in a 08 domain with all XP workstations SP3 and
 GPO extensions installed.  I need to deploy printers based on the machine
 and not the user.  I see I can deploy printers to computers through a GPO,
 BUT you can’t set the default printer that way.  It looks like I can deploy
 the printers to the user, then use ‘item-level targeting’ so it applies only
 when users logon to computers in certain OU’s.   Is there a better way to
 skin this cat?



 Should I make a printer policy per OU, or make 1 global one with all the
 printers and assign them with the item-level targeting?



 Thanks all!!



 *
 John C. Kelsey
 DuBois Regional Medical Center
 (:  814.375.3073
 2  :   814.375.4005
 *:   jckel...@drmc.org
 *





 This email and any files transmitted with it are confidential and intended
 solely for the use of the individual or entity to whom they are addressed.
 If you have received this email in error please notify the system manager.
 This message contains confidential information and is intended only for the
 individual named. If you are not the named addressee you should not
 disseminate, distribute or copy this e-mail.



 --
 On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
 the machine wrong figures, will the right answers come out?' I am not able
 rightly to apprehend the kind of confusion of ideas that could provoke such
 a question.



 --
 On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
 the machine wrong figures, will the right answers come out?' I am not able
 rightly to apprehend the kind of confusion of ideas that could provoke 

Re: Deploying Printers via GPO

2010-09-17 Thread Stephen Wimberly
Bonnie, I think you're right, going from memory I think the problem I
came to was the fact that we still have Windows 2003 print server with
no plans to upgrade it in the near future.

Some of the links I had for this project are below.  I was hoping one
of these would solve my problem, but what I am seeing is that when a
new user logs into a Windows 7 computer the GPP printers just don't
show up.  Although in every case if an admin were to install them
prior to the user login then when the user logs in they do show up
immediately.  There is no error in the log file, and no error to the
screen.  GPResult shows that the GPP had applied successfully.  Since
the problem only affects new users to new machines and is quickly
solved by an admin login it's been difficult to really trace.  I'm
just holding off on Windows 7 in departments where I push printers.
Not the best solution but we are understaffed!  ;)



http://www.edugeek.net/forums/windows-vista/22950-solution-mapping-printers-logon-scripts-vista-7-without-uac-interupting.html#post223322

http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/adebbc69-4623-4a96-a84a-d4c324e326c0

http://blogs.technet.com/b/askperf/archive/2008/09/19/installing-windows-vista-print-drivers-on-windows-server-2003.aspx



On Fri, Sep 17, 2010 at 12:55 PM, Miller Bonnie L.
mille...@mukilteo.wednet.edu wrote:
 And to possibly answer my own post, I did a quick google and am mostly seeing 
 stuff about driver compatibility being the problem.  For example, adding Win7 
 boxen when your print server is still WS03, then it can't load drivers so the 
 GPP appears to not work.

 We just painfully completed our print server migration to 2008 R2 last 
 spring, and have both XP and 7 machines loading drivers from there, both x86 
 and x64.  I only have one application that is still having a major issue, 
 which is Filemaker Pro combined with the latest HP universal drivers.

 -Original Message-
 From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu]
 Sent: Friday, September 17, 2010 9:38 AM
 To: NT System Admin Issues
 Subject: RE: Deploying Printers via GPO

 If you come up with the article, please post.  This could be a huge problem 
 for us implementing W7 for student labs.  Don't think we've tried it yet.

 -Original Message-
 From: Stephen Wimberly [mailto:swimbe...@gmail.com]
 Sent: Friday, September 17, 2010 8:45 AM
 To: NT System Admin Issues
 Subject: Re: Deploying Printers via GPO

 I moved all our network printers to GPP with security groups as
 described above and love it!  although now that we have started to
 deploy Windows 7 I find that it doesn't work on Windows 7.  I don't
 have the article handy that explains why, but a word of caution to
 test your newly created GPP on some Windows 7 boxes before you go hog
 wild!



 On Fri, Sep 17, 2010 at 10:16 AM, Miller Bonnie L.
 mille...@mukilteo.wednet.edu wrote:
 Interesting-I don't think I've heard of any hangs like that, but I will go
 check that setting as we don't have a widespread deployment yet (but it's
 coming soon!).  Thanks!



 -B



 From: James Rankin [mailto:kz2...@googlemail.com]
 Sent: Friday, September 17, 2010 5:40 AM

 To: NT System Admin Issues
 Subject: Re: Deploying Printers via GPO



 it's in User Configuration | Admin Templates | Control Panel | Printers |
 Point and Print Restrictions | Security Prompts

 On 17 September 2010 08:01, James Rankin kz2...@googlemail.com wrote:

 It's the GPO that allows Vista and above to automatically install the
 drivers when they are not present. Otherwise it hangs at the GPO
 application.

 I've just changed jobs so can't dig out the exact GPO setting, sorry!



 On 16 September 2010 16:01, Miller Bonnie L. mille...@mukilteo.wednet.edu
 wrote:

 +1, works well for us here too, but we target the computer ou + the user
 group in combo.  James-can you clarify what you mean on the Point and print
 restrictions?  I don't think we have that set and I'm wondering what the
 issue is/was.



 For XP machines, make sure you have the latest GPP preferences update
 applied for this all to work.



 From: James Rankin [mailto:kz2...@googlemail.com]
 Sent: Thursday, September 16, 2010 2:15 AM

 To: NT System Admin Issues

 Subject: Re: Deploying Printers via GPO



 Use loopback policy processing on your computers OU, deploy the Group Policy
 Preferences printers list as a user config applied to the computers OU, set
 the default printer through that, and target it to the required users.

 Make sure you set the GPO with the point-and-print restrictions as well, so
 it doesn't hang when popping up the box to install the driver if there isn't
 a suitable one installed.

 On 15 September 2010 18:02, Kelsey, John jckel...@drmc.org wrote:

 Good afternoon all,

     Currently in a 08 domain with all XP workstations SP3 and
 GPO extensions installed.  I need to deploy printers based on the machine
 and not the user.  I see I can deploy

Re: File Renaming Utility

2010-09-15 Thread Stephen Wimberly
I like http://www.fauland.com/af5.htm.  It isn't aimed at audio, just
files.  I use it for vacation pictures, to change the pictures to the
nickname of the vacation.


On Tue, Sep 14, 2010 at 12:29 PM, Manuel Santos nel...@gmail.com wrote:
 It's not that you *must* use powershell for everything, but sometimes, it
 helps to use those old utilities.

 2010/9/14 HELP_PC g...@enter.it

 If for every thing I have to do I must learn a language (maybe powershell
 or C++)...
 Now you can tell me that for creating a new user in AD I may use
 powershell. I still prefer the GUI option

 GuidoElia
 HELPPC

 
 Da: Anders Blomgren [mailto:chanks...@gmail.com]
 Inviato: martedì 14 settembre 2010 18.06
 A: NT System Admin Issues
 Oggetto: Re: File Renaming Utility

 Tools like that are great for people that do not have the time to learn
 powershell but it's probably one of the first things you do learn...

 -Anders

 On Tue, Sep 14, 2010 at 6:01 PM, Bob Hartung bhart...@wiscoind.com
 wrote:

 I recently needed to rename a bunch of files. I didn't want to rename
 each one individually so I started looking for a utility, free or otherwise,
 that would help.

 I came across the aptly named Bulk Rename Utility (
 www.bulkrenameutility.co.uk ). If you need to rename files, this free
 utility is great.

 You can do things like replace underscores with dashes, append date/time
 to file names, append serialized numbers to file names (ex -0001, 0002
 etc.). You can also use it to change file attributes like archive bits and
 date stamps.

 The main screen is like looking at the dashboard of a 747 but like the
 help file says, Don't Panic. Generally you are only going to use a 1/4 of
 the options. What I like is that it gives you a preview of what your setting
 will do to the files you have selected. When you're satisfied with the
 results, then you commit the changes.

 It's primarily aimed at people who work with audio files but I'm sure you
 network admins out there from time to time run into things like this.

 I'm not affiliated in any way with the developers. I just wanted to let
 others know about the utility because it did a great job for me and saved a
 load of time.

 --

 Bob Hartung
 Wisco Industries, Inc.
 736 Janesville St.
 Oregon, WI 53575
 Tel: (608) 835-3106 x215
 Fax: (608) 835-7399
 e-mail: bhartung(at)wiscoind.com




Re: Hyper-V and 'Default Gateway'

2010-08-03 Thread Stephen Wimberly
The box has four NICs in it.  Although we currently only have two
connected, one is the Host NIC and the other is used for the
different virtual machines.  We have two others we can grow into as
need arises.  Our Network department charges us per network
connection, so we are trying to limit our connections until need
arises.  The free alternative would be to request multiple IP
Addresses in the same range and grow into them as needed.



On Sun, Aug 1, 2010 at 10:33 AM, Ken Schaefer k...@adopenstatic.com wrote:
 If you have multiple NICs on your machine, then there is no need for them to 
 be all in the same subnet. Obviously they would connect to different 
 interfaces of a router, or to ports on a switch that are on different VLANs.

 My guess is that you only have a single NIC. In that case, the virtual NIC on 
 the guest, and the physical NIC on the host are both connected *at the other 
 end* to a single switch port that needs to be connected to a single VLAN or 
 router interface. In that case, they need to be on the same subnet.

 Cheers
 Ken

 -Original Message-
 From: Stephen Wimberly [mailto:swimbe...@gmail.com]
 Sent: Saturday, 31 July 2010 5:41 AM
 To: NT System Admin Issues
 Subject: Re: Hyper-V and 'Default Gateway'

 Thanks for the replies!  Now I just need to beg our network team for 
 addresses in the same subnet!!!




Hyper-V and 'Default Gateway'

2010-07-30 Thread Stephen Wimberly
Is it possible to use a different default gateway on one Hyper-V guest
than the Hyper-V host is using?

What I have is a situation where we have multiple IP ranges within the
same network meaning there is no router nor firewall between the
different IP segments, but each IP subnet is different so I have
multiple default gateways.  Let's say the first is 192.168.0.1 with a
mask of 255.255.255.192 and the second would be 192.168.0.70 / mask of
255.255.255.192.

In short I have tried all kinds of configurations but I can't seem to
get a connection using any other gateway address, and it would make
sense that it should agree with the host, but I can't find anywhere to
'verify' that!

I have found many documents telling me that all the virtual servers on
a Hyper-V host must be in the same network but nowhere does it
define the parameters of the network!

(Each of my Hyper-V guests are pointed directly at a physical network
card on the host, they are _not_ NATed)



Re: Hyper-V and 'Default Gateway'

2010-07-30 Thread Stephen Wimberly
Thanks for the replies!  Now I just need to beg our network team for
addresses in the same subnet!!!



DPM, SCCM AND SCOM on same box???

2010-05-17 Thread Stephen Wimberly
I am pricing out a DPM box which we are likely to purchase.

Dell R510
16 GB RAM
2 146GB RAID1 for OS
12 2TB RAID5 for database  storage pool

The question is: Would you put SCCM and SCOM on the same box???

SCCM and SCOM would use a remote SQL server rather than the same
internal storage.  We have fewer than 500 workstations, and DPM would
not be used for workstation backup, only backing up data from 17
servers.

Design thoughts?



Re: DPM, SCCM AND SCOM on same box???

2010-05-17 Thread Stephen Wimberly
I've read a good bit in recent weeks and maybe I misread something or
read something about an older version, but I am under the impression
that DPM cannot be installed in a virtual environment, if that is
possible then yeah, I'm good to go with this!!!

Currently we run SCCM and SCOM on the same box, so in a way it makes
sense to add DPM, but I share Malcom's concern with regards to mixing
SCCM with much of anything.


On Mon, May 17, 2010 at 12:08 PM, Brian Desmond br...@briandesmond.com wrote:
 Why don't you put HyperV on it and break up the roles? I wouldn't mix all 
 those three together.

 Thanks,
 Brian Desmond
 br...@briandesmond.com

 c   - 312.731.3132


 -Original Message-
 From: Stephen Wimberly [mailto:swimbe...@gmail.com]
 Sent: Monday, May 17, 2010 10:13 AM
 To: NT System Admin Issues
 Subject: DPM, SCCM AND SCOM on same box???

 I am pricing out a DPM box which we are likely to purchase.

 Dell R510
 16 GB RAM
 2 146GB RAID1 for OS
 12 2TB RAID5 for database  storage pool

 The question is: Would you put SCCM and SCOM on the same box???

 SCCM and SCOM would use a remote SQL server rather than the same internal 
 storage.  We have fewer than 500 workstations, and DPM would not be used for 
 workstation backup, only backing up data from 17 servers.

 Design thoughts?




Virtual Server Training?

2010-03-10 Thread Stephen Wimberly
What training would you consider 'recommended' for a server admin
going into virtual servers for the first time?  We have used Microsoft
Virtual Server 2005 before, but did not care for the setup.  We are
currently looking at a recommendation from Dell which covers two
server host boxes, one storage box and one management switch.  I
currently manage about 20 physical servers, so what I would need would
be specific to the differences to virtual servers rather than physical
servers.  All I need to do is add a line item for training costs and
go for funding options!  How much do you think training for virtual
environments could be worth?



Re: Virtual Server Training?

2010-03-10 Thread Stephen Wimberly
We will be going with Hyper-V.

Since I work at a University, I can't really discount the classroom
setting, but I can ask to keep the media (CBT versus classroom). ;)

Thanks for the links and the advice!  I'm off to read those and see
where they take me!



On Wed, Mar 10, 2010 at 1:13 PM, Erik Goldoff egold...@gmail.com wrote:
 So you thinking Hyper-V or vmWare ?


 Erik Goldoff
 IT  Consultant
 Systems, Networks,  Security

 '  Security is an ongoing process, not a one time event ! '



 -Original Message-
 From: Stephen Wimberly [mailto:swimbe...@gmail.com]
 Sent: Wednesday, March 10, 2010 11:56 AM
 To: NT System Admin Issues
 Subject: Virtual Server Training?

 What training would you consider 'recommended' for a server admin
 going into virtual servers for the first time?  We have used Microsoft
 Virtual Server 2005 before, but did not care for the setup.  We are
 currently looking at a recommendation from Dell which covers two
 server host boxes, one storage box and one management switch.  I
 currently manage about 20 physical servers, so what I would need would
 be specific to the differences to virtual servers rather than physical
 servers.  All I need to do is add a line item for training costs and
 go for funding options!  How much do you think training for virtual
 environments could be worth?




Re: KB974417 Patch Failures

2010-03-10 Thread Stephen Wimberly
On one workstation I did the complete set of instructions, uninstalled
.Net, stopped the wuauclt service, removed the software distribution
files, etc etc etc.  Reinstalled .Net from the microsoft download site
and then it wanted to install kb974417 again, and again failed.  (I
was working from a kb article but don't have it handy.)

It's only failing on newly installed workstations.



On Wed, Mar 10, 2010 at 1:51 PM, Sam Cayze sam.ca...@rollouts.com wrote:
 Yep, got it here too.

 Seen this back in the day with another .Net Patch too :(
 
 From: Sean Rector [mailto:sean.rec...@vaopera.org]
 Sent: Wednesday, March 10, 2010 12:44 PM
 To: NT System Admin Issues
 Subject: RE: KB974417 Patch Failures

 I just went through fixing this on one of my workstations yesterday with
 PSS.  I had to uninstall all .NET and re-install it.



 Sean Rector, MCSE



 From: Ken Schaefer [mailto:k...@adopenstatic.com]
 Sent: Wednesday, March 10, 2010 7:33 AM
 To: NT System Admin Issues
 Subject: RE: KB974417 Patch Failures



 # for decimal 1642 / hex 0x66a :

   ERROR_PATCH_TARGET_NOT_FOUND  winerror.h

 # The upgrade patch cannot be installed by the Windows

 # Installer service because the program to be upgraded may be

 # missing, or the upgrade patch may update a different

 # version of the program. Verify that the program to be

 # upgraded exists on your computer an

 # d that you have the correct upgrade patch.



 Do you get the same error if you run the installer manually?



 Cheers

 Ken



 From: Martin Blackstone [mailto:mblackst...@gmail.com]
 Sent: Wednesday, 10 March 2010 8:20 PM
 To: NT System Admin Issues
 Subject: KB974417 Patch Failures



 I’m seeing multiple failures installing this via WSUS in my lab. I’ve got
 about a 10% failure rate at this point. It just fails to install.

 This is the .NET Framework 2.0 SP2 Security Update patch.



 Event Type:    Error

 Event Source:    HotFixInstaller

 Event Category:    None

 Event ID:  5000

 Date: 3/10/2010

 Time: 4:16:37 AM

 User: N/A

 Computer:  BLAH

 Description:

 EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb974417, P2
 1033, P3 1642, P4 msi, P5 f, P6 9.0.40302.0, P7 install, P8 x86, P9 w2k3,
 P10 0.



 Anyone else seeing this?









 Information Technology Manager
 Virginia Opera Association

 E-Mail: sean.rec...@vaopera.org
 Phone:    (757) 213-4548 (direct line)












Re: NET SEND?

2010-01-20 Thread Stephen Wimberly
I had a similar situation; all our workstations involved are still Windows
XP and the service is still there, but is disabled by a service pack or
security patch or something, I forget the details.

In order to allow the old fashioned and insecure net send command I
created a Group Policy Object similar to the one here:

http://www.eggheadcafe.com/software/aspnet/31323861/create-policy-for-allowre.aspx

Microsoft has an article here that describes the Net Send command and
search on AllowRemoteRPC to learn more!

http://msdn.microsoft.com/en-us/library/aa383842%28VS.85%29.aspx



On Mon, Jan 18, 2010 at 2:16 PM, Evan Brastow
ebras...@automatedemblem.com wrote:

  Hi all,



 I have a legacy application I wrote in PowerBuilder about 10 years ago that
 uses the syntax NET SEND (username) (message) to send messages to users
 (they pick the messages from a drop-down box for speed). However, since a
 certain service pack in XP as well as in Vista, this functionality is no
 longer available and the service itself is gone.



 What I’m wondering is, is there anything out there that will essentially
 install a replica of the Windows Messenger service so that the same API can
 be used to send/receive popup messages? I don’t need a full-fledged
 messaging app as the messages must come from my legacy app, not be
 user-typed.



 I found something called LanTalk XP which seems like it could have worked,
 but not quite.



 Anyone have any ideas?



 Thanks so much..



 Evan










Re: GPO Best Practices

2010-01-20 Thread Stephen Wimberly
Servers and workstations should be in different OU's for a variety of
reasons, GPO is one of the best reasons.

We used to use restrictive groups for the local Administrators group, but
yes this does delete all contents and replace with the contents of the GPO.
 If you have Server 2003 Domain controllers running at the 2003 functional
level you should be able to use GPP rather than GPO.  This will allow you to
fine tune the local groups on the workstations and servers as you would like
without destroying your existing contents.  It can do the same thing in the
end result, but the thought of emptying before replacing bothered me.  ;)


2010/1/20 John Bowles john.bow...@wlkmmas.org

   I have a customer who is looking to implement a GPO to add Domain Admins
 to all the workstations and servers.  I was looking into using Restricted
 Groups to tackle this task, but it seems if you use Restricted Groups you
 will lose anything outside of the groups you have listed in the restricted
 groups, that reside in local admin group of workstations or servers.

 My question is, if I recall a finely tuned AD the concept was to have your
 workstations and servers in separate OU's right?  This way you can have
 separate sets of GPO's for each class, either workstations or servers?

 Or, is there just a flat out easier way to push certain accounts to the
 servers and workstations?

 Thanks,


 John Bowles








Re: FSRM Quota Email Notifications user is NT Authority/System???

2009-10-13 Thread Stephen Wimberly
We restarted the server and still have the same issue:  FSRM user quota
determines the owner of a file is NT Authority\System yet NTFS shows the
owner of the file is the original user.  This causes the notification email
to go to a blank 'TO:' field because NT Authority\System has no email
address.  ALL our user accounts have email addresses though.  We have
verified many of these instances and found that in every randomly chosen
case the NTFS security differs from the Event log, which shows Event 12324;
User NT AUTHORITY\SYSTEM has exceeded the limit for the quota on
D:\DFSRoots\user\userhome\%username% on server FILE1.  Yet the NTFS owner
is %username%.

The truly odd part is that the 'error' arises in _most_ cases, but in some
cases the Event log and FSRM shows the correct username and the email goes
out just fine!  It seems though that if it's working for a single user, it
works every time; where if it's broken for a user it's broken every time a
file is saved.

What can cause the Event log to capture the wrong file owner???

TIA (Thanks In Advance!)



On Sat, Sep 19, 2009 at 9:03 AM, Stephen Wimberly riverside...@gmail.com wrote:

 We have been using the Quota system in Windows Server 2003 R2 FSRM and it's
 been working perfectly up until Thursday of this past week when we applied
 two updates via our WSUS server, update Microsoft Silverlight 3.0.40723.0
 and update Microsoft .NET Framework 3.5 SP1 update KB963707 and restarted.

 During the restart though the closest domain controller was in the process
 of restarting as well and was not responding 'correctly' and needed a hard
 reset.  The file server displayed the following error:

 File Server Resource Manager failed to enumerate share paths or DFS
 paths.  Mappings from local file paths to share and DFS paths may be
 incomplete or temporarily unavailable.  FSRM will retry the operation at a
 later time.

 Now each time a user saves a file that they have ownership of, FSRM
 captures the 'owner' as NT AUTHORITY/SYSTEM rather than the user.  The email
 goes out, but the TO line is blank!  (NT AUTHORITY/SYSTEM has no email
 address.)  It might be helpful to know that we have configured the
 Additional Email Headers to include a few emails within the BCC line, this
 is how we were 'notified' that the emails are going out without a TO listed.

 NTFS Security: Looking at the files that are causing these notifications;
 the user is saving files to their home directory in most cases, the user is
 listed as the owner and the user has a valid email address in the Active
 Directory.  In most cases these are users that used to receive quota
 notifications!

 I am tempted to just restart the server again, but it's a production server
 that hosts some 7x24 applications and the notification period for a restart
 is 'complicated.'  If I was sure a restart would fix the issue I'd be all
 for it.

 I've done some searching, but I haven't found anything helpful yet.  Anyone
 seen this before???

 Thanks!








Re: RSAT For windows 7 RC

2009-10-06 Thread Stephen Wimberly
Try this:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d

I saved this from my windows 7 x64 install and it's working just fine!



On Tue, Oct 6, 2009 at 8:33 AM, Don Guyer don.gu...@prufoxroach.com wrote:

  Jason,



 X86 or 64-bit? I’ll Zip it and send offline.



 Thx,



 Don Guyer

 Systems Engineer - Information Services

 Prudential, Fox  Roach/Trident Group

 431 W. Lancaster Avenue

 Devon, PA 19333

 Direct: (610) 993-3299

 Fax: (610) 650-5306

 don.gu...@prufoxroach.com



 *From:* Jason Gauthier [mailto:jgauth...@lastar.com]
 *Sent:* Monday, October 05, 2009 7:00 PM
 *To:* NT System Admin Issues
 *Subject:* RSAT For windows 7 RC



 All,



   MS has pulled the RC RSAT tools since the RTM.   Anyone have it or a
 link?   I had to reinstall my RC, and alas.. no tools!



 Thanks,



 Jason












FSRM Quota Email Notifications user is NT Authority/System???

2009-09-19 Thread Stephen Wimberly
We have been using the Quota system in Windows Server 2003 R2 FSRM and it's
been working perfectly up until Thursday of this past week when we applied
two updates via our WSUS server, update Microsoft Silverlight 3.0.40723.0
and update Microsoft .NET Framework 3.5 SP1 update KB963707 and restarted.

During the restart though the closest domain controller was in the process
of restarting as well and was not responding 'correctly' and needed a hard
reset.  The file server displayed the following error:

File Server Resource Manager failed to enumerate share paths or DFS paths.
Mappings from local file paths to share and DFS paths may be incomplete or
temporarily unavailable.  FSRM will retry the operation at a later time.

Now each time a user saves a file that they have ownership of, FSRM captures
the 'owner' as NT AUTHORITY/SYSTEM rather than the user.  The email goes
out, but the TO line is blank!  (NT AUTHORITY/SYSTEM has no email address.)
It might be helpful to know that we have configured the Additional Email
Headers to include a few emails within the BCC line, this is how we were
'notified' that the emails are going out without a TO listed.

NTFS Security: Looking at the files that are causing these notifications;
the user is saving files to their home directory in most cases, the user is
listed as the owner and the user has a valid email address in the Active
Directory.  In most cases these are users that used to receive quota
notifications!

I am tempted to just restart the server again, but it's a production server
that hosts some 7x24 applications and the notification period for a restart
is 'complicated.'  If I was sure a restart would fix the issue I'd be all
for it.

I've done some searching, but I haven't found anything helpful yet.  Anyone
seen this before???

Thanks!


Re: Windows 7

2009-08-21 Thread Stephen Wimberly
I am currently testing an interesting method based on this same thought
process.

Create a vb script on a file server; shared to the machine accounts only and
named %computername%.vbs, which does nothing but import these registry
entries.  Assign the GPO to the machine account so that it runs at startup,
before user login that does nothing but run %computername%.vbs, yes the
variable, there are several machines in the OU where the GPO is applied.
Once the startup scripts are complete the auto-login is performed.  After
login another GPO is assigned to the user account which is another vb script
that deletes the DefaultPassword value.

No users ever have read access to the vb files; the Default Password is
stored on the client workstation for a very short time period.

This isn't considered _secure_ but for a kiosk location it seems to be
working and is about as secure as I can figure it out.  ;)  This also means
that all passwords are kept within easy reach of administrators for
maintenance.



On Thu, Aug 20, 2009 at 5:53 PM, Dennis Hoefer dhoe...@ufcoop.com wrote:

  John, just to confirm spelling etc., here are the entries from the one I
 have working.

 AutoAdminLogon  REG_SZ  1
 DefaultDomainName REG_SZ   XXX
 DefaultPassword  REG_SZ   XXX
 DefaultUserName REG_SZ   XXX
 ForceAutoLogon   REG_SZ   1

 Beyond that, your second solution is fairly foolproof also.

  --
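
A check for the exposure this message describes, as an added example that is not part of the original post: it reports whether a plaintext DefaultPassword is sitting in a Winlogon-style key, before and after the logon-script cleanup. The value names are the ones quoted in the thread; the HKLM Winlogon path is the standard Windows location, and the HKCU scratch key, account names and password are constructed so the demo runs without touching real settings.

```powershell
# Added example, not code from the thread.
# Standard location of the autologon values on Windows:
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Return a named registry value as a string, or $null when it is absent.
function Get-RegValue {
    param($Props, [string]$Name)
    $p = $Props.PSObject.Properties[$Name]
    if ($p) { [string]$p.Value } else { $null }
}

# Report the autologon state of a key without ever echoing the password.
function Get-AutoLogonExposure {
    param([string]$KeyPath = $WinlogonKey)

    $props       = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $autoLogon   = (Get-RegValue $props 'AutoAdminLogon') -eq '1'
    $forceLogon  = (Get-RegValue $props 'ForceAutoLogon') -eq '1'
    $hasPassword = -not [string]::IsNullOrEmpty((Get-RegValue $props 'DefaultPassword'))

    if ($hasPassword -and $autoLogon) {
        $finding = 'Autologon armed: clear-text DefaultPassword is stored in the key'
    } elseif ($hasPassword) {
        $finding = 'Stale clear-text DefaultPassword left behind (autologon is off)'
    } else {
        $finding = 'No DefaultPassword value stored'
    }

    [pscustomobject]@{
        KeyPath                  = $KeyPath
        Account                  = '{0}\{1}' -f (Get-RegValue $props 'DefaultDomainName'),
                                                (Get-RegValue $props 'DefaultUserName')
        AutoAdminLogon           = $autoLogon
        ForceAutoLogon           = $forceLogon
        PlaintextPasswordPresent = $hasPassword
        Finding                  = $finding
    }
}

# --- Demo on a constructed scratch key (no admin rights needed) ---
$demoKey = 'HKCU:\Software\AutoLogonDemo-Constructed'
New-Item -Path $demoKey -Force | Out-Null

# Constructed sample values, mirroring the five entries listed in the thread.
$sample = @{
    AutoAdminLogon    = '1'
    DefaultDomainName = 'EXAMPLE'
    DefaultUserName   = 'kiosk01'
    DefaultPassword   = 'not-a-real-password'
    ForceAutoLogon    = '1'
}
foreach ($name in $sample.Keys) {
    New-ItemProperty -Path $demoKey -Name $name -Value $sample[$name] `
        -PropertyType String -Force | Out-Null
}

# State right after the startup script has imported the values.
$afterStartup = Get-AutoLogonExposure -KeyPath $demoKey

# What the user logon script in the thread does: delete DefaultPassword.
Remove-ItemProperty -Path $demoKey -Name 'DefaultPassword'
$afterLogon = Get-AutoLogonExposure -KeyPath $demoKey

$afterStartup, $afterLogon | Format-List

# Clean up the scratch key.
Remove-Item -Path $demoKey -Recurse
```

Run without -KeyPath, the function reads the real Winlogon key, which makes it usable from a monitoring job to catch machines where the cleanup script did not run.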




Re: Firefox 3.5 Silent Install.

2009-07-08 Thread Stephen Wimberly
Actually to install FireFox, you just need to be a power user.  Full Admin
rights are _not_ required.  Power User rights provide full control over the
Program Files folder, but not full rights to the System32 folder.

Most of our users are power users, but VERY few are admins.

To get the security patches (updates) out there I download the installer and
push it to computers that have older versions of FireFox through SCCM (SMS)
as a silent install (FireFoxSetup3.5 -ms).  SCCM can install with system
rights.

I just haven't found time to push out updates to all the various Add-Ons.



On Tue, Jul 7, 2009 at 4:06 PM, Angus Scott-Fleming angu...@geoapps.com wrote:

 On 5 Jul 2009 at 11:57, Stephen Wimberly  wrote:

  The NTT sounds great, but can a non-admin run it and upgrade any
  update???

 No, you have to be admin to update any program except Chrome, which
 installs in
 %APPDATA% and is completely writeable by the user who install it.

 Now if you had installed Firefox in %APPDATA%, each user would have a
 separate
 installation but they could update their own --- and when Chrome or FF gets
 0-
 day-holed, so would their browsers.

 There are reasons why users can't update applications.

 I think Frontmotion makes an MSI installer for corporate deployments of
 Firefox.

 --
 Angus Scott-Fleming
 GeoApps, Tucson, Arizona
 1-520-290-5038
 +---+





Re: Firefox 3.5 Silent Install.

2009-07-05 Thread Stephen Wimberly
The NTT sounds great, but can a non-admin run it and upgrade any update???



On Sun, Jul 5, 2009 at 3:07 AM, Angus Scott-Fleming angu...@geoapps.com wrote:

 On 1 Jul 2009 at 11:04, Sam Cayze  wrote:

  Force Firefox extensions to work in the latest version
 
  When Firefox updates to a new version, some extensions are disabled.
  However, you can easily edit the extensions to make Firefox re-enable
 them
  -- no particular expertise required.

 Or you can download the Nightly Tester Tools extension, which allows you
 to
 force the installation of extensions which haven't made the version-number
 adjustment you describe.

Nightly Tester Tools :: Add-ons for Firefox
https://addons.mozilla.org/en-US/firefox/addon/6543

 Once NTT is installed, you can right-click on any disabled extension in the
 Add-Ons window and choose Override Compatibility.  Works like a champ.

 HTH

 Angus

 --
 Angus Scott-Fleming
 GeoApps, Tucson, Arizona
 1-520-290-5038
 +---+





Firefox 3.5 Silent Install.

2009-06-30 Thread Stephen Wimberly
Mozilla changed the Silent install for FireFox 3.5.  Now the switch is -ms
rather than the old /S.

Just thought I'd pass that along; if you're like me, you've been doing /S
all morning!  Now on to create my SMS package!


Re: Firefox 3.5 Silent Install.

2009-06-30 Thread Stephen Wimberly
Well, I've started _testing_ the deployment, but I expect that we'll deploy
in the coming weeks.

My first three test deployments went without incident.  ;)  It's one of few
applications that can upgrade silently while the customer is using the
application!  Makes my job easy!



On Tue, Jun 30, 2009 at 2:09 PM, Sam Cayze sam.ca...@rollouts.com wrote:

  Thanks!

 (A little fast on the deployment, aren't we?   :)

 I'm liking it so far.  Most all my extensions worked too.

  --
 *From:* Stephen Wimberly [mailto:riverside...@gmail.com]
 *Sent:* Tuesday, June 30, 2009 11:56 AM
 *To:* NT System Admin Issues
 *Subject:* Firefox 3.5 Silent Install.

 Mozilla changed the Silent install for FireFox 3.5.  Now the switch is
 -ms rather than the old /S.

 Just thought I'd pass that along; if you're like me, you've been doing /S
 all morning!  Now on to create my SMS package!












Re: Clone an OS/2 Disk

2009-06-10 Thread Stephen Wimberly
I have used Ghost to clone O/S 2 WARP HPFS drives MANY times, but this was
over ten years ago... my current employer doesn't have much use for OS2, but
my last employer was almost entirely os2!

I can't imagine they would have done anything to kill the HPFS library
within Ghost, but if it doesn't work right off, you should be able to use an
older version of Ghost.

-Stephen



On Wed, Jun 10, 2009 at 4:41 PM, Roger Wright rwri...@evatone.com wrote:

  We have a large press controlled by an aging (and failing) OS/2 system.
 I’d like to at least clone the drive before it dies completely.



 Will Symantec Ghost handle this task?  Perhaps Clonezilla?







 Roger Wright

 Network Administrator

 Evatone, Inc.

 727.572.7076  x388







 Creativity is no substitute for knowing what you are doing.








NET SEND alternatives for Vista XP environment.

2009-05-13 Thread Stephen Wimberly
Are there free alternatives to the old NET SEND command that could be sent
from a Vista workstation to multiple Windows XP workstations such that a
free form message could be displayed to the end user at the remote XP or
Vista workstation?

So far our only thought was a vbs script that could echo a statement sent to
it via psexec from the Vista machine.  Is there a 'better way?'

Thanks!


Re: NET SEND alternatives for Vista XP environment.

2009-05-13 Thread Stephen Wimberly
Nice idea, and if these were actual users that would work... although in
this case we are sending messages to sales cashiers to a Point of Sale
station.  Yes, they are 'real people', but the level of expertise is not
there to handle something as sophisticated as an instant messenger window.

What I really need is to drop the existing custom application to the
background via a transparency and place a rather opaque message across the
screen for all to see, but allowing the cashier to continue to function.
This way the cashier and the manager would easily see that something needs
to be done.  That would be best, but I'm not holding my breath.

We really just need to get them to restart the POS application after a
network outage or server outage.



On Wed, May 13, 2009 at 8:24 AM, Christopher Bodnar 
christopher_bod...@glic.com wrote:

  Have you looked into adding instant messaging to your environment? MOCS
 is great, but you could go Open Source and set up a Jabber server and use a
 free client like Pidgin.



 Chris Bodnar, MCSE
 Sr. Systems Engineer
 Distributed Systems Service Delivery - Intel Services
 Guardian Life Insurance Company of America
 Email: christopher_bod...@glic.com
 Phone: 610-807-6459
 Fax: 610-807-6003
   --

 *From:* riverside...@gmail.com [mailto:riverside...@gmail.com]
 *Sent:* Wednesday, May 13, 2009 7:43 AM
 *To:* NT System Admin Issues
 *Subject:* NET SEND alternatives for Vista XP environment.



 Are there free alternatives to the old NET SEND command that could be
 sent from a Vista workstation to multiple Windows XP workstations such that
 a free form message could be displayed to the end user at the remote XP or
 Vista workstation?

 So far our only thought was a vbs script that could echo a statement sent
 to it via psexec from the Vista machine.  Is there a 'better way?'

 Thanks!










Re: Adding users as Admins

2009-04-11 Thread Stephen Wimberly
I have done this in two ways:

1. GPO: There is a policy that will wipe out all current members of the
Administrators Group and replace it with what you have in the GPO.  Just be
sure to include EVERYONE you would like listed, the local Administrators
group even.  I find this handy for machines that may have been played with
too much and you really need to clean up!

2. CSE: The relatively new client side extensions through Preferences I have
started using and it will ADD an individual group or user to whatever is
currently there.  This is handy if you don't want to totally stir the
existing.

Have fun!


On Tue, Apr 7, 2009 at 8:13 PM, Joseph L. Casale
jcas...@activenetwerx.com wrote:

  I have a GPO that adds a group into the local admin group on every wkst.

 Problem is that it overwrites any manual additions. Is there a way to
 control this behavior or a better way to do this so that if a user for
 whatever reason has to be added, it can be done at the wkst without risk of
 losing this?



 Thanks!
 jlc








File Server Security; Best Practice.

2009-04-01 Thread Stephen Wimberly
I have two file servers, each Windows 2003 R2, and use DFS replication to
keep the DFS shares in sync... I have a Windows Server 2003 R2 domain in a
single domain forest.  if that matters.

I have always shared folders to a group and maintained the members of those
groups to allow specific access.  I have considered this best practice.  I
now have two coworkers that insist on adding user objects rather than
security groups directly to the file shares as well as specific folders
under the file share.

Other than a maintenance nightmare, is there really any reason for using
security groups over user objects?  Does it create more CPU overhead for
example?

Thanks in Advance!


Re: File Server Security; Best Practice.

2009-04-01 Thread Stephen Wimberly
This sounds like what I needed, I'm like you, I don't keep up with the small
stuff and keep things as simple as possible.

Here it sounds like it's not only wasted CPU, but it stores more in RAM
(more SIDs).  On a server that is already experiencing some resource issues,
we need to cut corners everywhere we can!

That on top of the other reply, which results in the horrid SID issue when a
user object is deleted, which is the more obvious problem but can easily be
dismissed in circumstances where there is little turnover.

Thanks again!



On Wed, Apr 1, 2009 at 8:50 AM, Michael B. Smith
mich...@owa.smithcons.com wrote:

   I agree with you - use groups.

 Your security token is built when you log on to a workstation and once each
 10 hours after that (with a bit of randomness thrown in - I'm sure Ken can
 tell us how Kerberos does that - I don't keep up with those details). :-)

 That includes the groups of which you are a member (their SIDs) and your
 account SID.

 Using groups allows you to actually reduce the processing overhead by
 reducing the number of SIDs which must be compared to determine whether a
 particular process/user/etc. can gain access.

 Regards,

 Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
 My blog: http://TheEssentialExchange.com/blogs/michael
 Monitoring Exchange w/OpsMgr now available http://snurl.com/45ppf

  --
 *From:* Stephen Wimberly [riverside...@gmail.com]
 *Sent:* Wednesday, April 01, 2009 7:32 AM
 *To:* NT System Admin Issues
 *Subject:* File Server Security; Best Practice.

  I have two file servers, each Windows 2003 R2, and use DFS replication to
 keep the DFS shares in sync... I have a Windows Server 2003 R2 domain in a
 single domain forest.  if that matters.

 I have always shared folders to a group and maintained the members of those
 groups to allow specific access.  I have considered this best practice.  I
 now have two coworkers that insist on adding user objects rather than
 security groups directly to the file shares as well as specific folders
 under the file share.

 Other than a maintenance nightmare, is there really any reason for using
 security groups over user objects?  Does it create more CPU overhead for
 example?

 Thanks in Advance!
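
The two problems raised in this thread (ACEs granted straight to user objects, and the SIDs left behind when such a user is deleted) can be found with an ACL audit. The script below is an added example, not code from any poster; it covers NTFS ACLs only (not share permissions), assumes a single-domain forest and a domain-joined file server, and `D:\Shares` is a placeholder path.

```powershell
# Added example: list explicit ACEs on a folder tree and flag those granted
# to user accounts or to SIDs that no longer resolve to a name.
param(
    [string]$Root  = 'D:\Shares',   # placeholder: top of the shared folder tree
    [int]   $Depth = 2              # folder levels below $Root to inspect
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$idType  = [System.DirectoryServices.AccountManagement.IdentityType]::Sid
$domain  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
$cache   = @{}   # trustee name -> classification, so each trustee is looked up once

function Get-TrusteeKind {
    param([System.Security.Principal.IdentityReference]$Identity)

    $name = $Identity.Value
    if ($cache.ContainsKey($name)) { return $cache[$name] }

    if ($name -match '^S-1-5-21-') {
        # The SID could not be translated to a name: usually a deleted account,
        # occasionally a domain that cannot be reached at the moment.
        $kind = 'UnresolvedSid'
    }
    else {
        try {
            $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
            if ($null -eq $sid.AccountDomainSid) {
                $kind = 'WellKnown'      # BUILTIN\..., NT AUTHORITY\..., Everyone
            }
            else {
                $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity(
                        $domain, $idType, $sid.Value)
                if ($null -eq $p) {
                    $kind = 'LocalOrUnknown'   # e.g. an account local to this server
                }
                elseif ($p -is [System.DirectoryServices.AccountManagement.GroupPrincipal]) {
                    $kind = 'Group'
                }
                elseif ($p -is [System.DirectoryServices.AccountManagement.ComputerPrincipal]) {
                    $kind = 'Computer'
                }
                else {
                    $kind = 'User'
                }
            }
        }
        catch { $kind = 'LocalOrUnknown' }
    }
    $cache[$name] = $kind
    return $kind
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth `
                 -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # report each ACE once, where it was set
        $kind = Get-TrusteeKind $ace.IdentityReference
        if ($kind -in 'User', 'UnresolvedSid') {
            [pscustomobject]@{
                Path    = $folder.FullName
                Trustee = $ace.IdentityReference.Value
                Kind    = $kind
                Type    = $ace.AccessControlType
                Rights  = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Kind, Path | Format-Table -AutoSize
```

Rows with Kind `User` are candidates for replacement by a security group; rows with Kind `UnresolvedSid` should be checked against the list of deleted accounts before the ACE is removed.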













Scripting: How to tell if login was cached or domain?

2009-02-05 Thread Stephen Wimberly
I have a script that I want to run, but only when the user login was cached.
Is there a way to tell whether the current user login was cached or verified
by a domain controller?

I _thought_ I'd use the %logonserver% variable, but apparently it shows the
domain controller that last authenticated the user even when the current
login was cached.

Most scripts I've seen ping a server that is only available on the LAN and
look for the reply.  In this case though I don't care if they are on LAN or
not, I care if they are cached or not.


I found a script that looks through the event log for Last cache login and
displays the date/time, but it doesn't effectively tell me what my current
login is.

Anyone know a way to tell?  I know the XP firewall has settings for a domain
profile, is it using a domain profile for all cached logins?

Thanks In Advance for pointers!





RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

2008-12-03 Thread Stephen Wimberly
I have figured out how to get the auto-enroll working!  YEAH!

Although; when it comes to SCCM the site server seems to require the same
client certificate as the actual 'clients'.  What I am finding is that the
certificates I create (duplicate) are Windows Server Enterprise
certificates, the domain controller on the other side of the firewall that
is a subordinate CA Authority is a Windows Server Standard, not Enterprise.
Each time I attempt to manually enroll or auto-enroll one of the
certificates I build through the Enterprise templates (which is the reason
we are using Enterprise!) the client wants to get a reply from the
Enterprise server.  This is not going to happen over the firewall!!!

I may just have to RTFM.


-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 02, 2008 11:29 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I'm glad to hear that you got it figured out.


...Tim

 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 01, 2008 10:47 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 It's always the simple stuff...
 
 I had forgotten to open the Windows Firewall to certsrv.exe on the sub 
 CA.
 
 I now have auto enrollment working like a charm
 
 
 
 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 01, 2008 8:57 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 What I'm trying to do:  We are attempting to use certificates for SCCM.
 In
 the future we would like to extend the certificate structure for IPSEC 
 authentication and we are considering the use of certificates for file 
 encryption.
 
 We are utilizing the Enterprise level Windows Server in order to take 
 advantage of the Certificate Templates.
 
 The Enterprise Server is generating the root CA and the SCCM 
 certificates outlined in the 'step by step' sccm documentation and 
 publishing those to AD.
 
 The problem comes in when the workstation attempts to AutoEnroll the
 certificates.   Via network trace I can see that the workstation is
 requesting something from the Enterprise Server, which is behind a 
 firewall.
 The firewall blocks the traffic and the Auto Enrollment fails.
 
 Since the firewall was the problem, I thought that MAYBE another CA on 
 the same side of the firewall might be in order.  So, back to my 
 original question; do I need a CA Server on the same side of the 
 firewall as the workstations?  I only have two servers on the same 
 network as the workstations, both are domain controllers.  Or MAYBE 
 the problem is elsewhere?
 
 The actual error I get is Event ID 13; Automatic certificate 
 enrollment for local system failed to enroll for one Computer 
 certificate (0x800706ba). The RPC server is unavailable.  When I 
 attempt to gain the certificate manually I get the same error.
 
 I assume the RPC server is that of the root CA server, which is the 
 Enterprise level server on the other side of the firewall.  It's not 
 going to reply.  _SHOULD_ the workstation gain everything it needs 
 from the Domain Controller rather than any CA Server???
 
 
 
 -Original Message-
 From: Tim Evans [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2008 1:43 PM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 Yes, an intermediate CA is the same thing as a subordinate CA. I think 
 subordinate CA is the correct terminology. Sorry about that.
 
 From your description, it's not clear to me what you are trying to do.
 Why
 do you have 2 CAs? For my experience, the reason why you have two is 
 so that the root CA can be kept off line for added security. The root 
 CA is used to generate the certificate for the subordinate CA, and 
 isn't used again except for CRL updates and to renew the cert on the 
 subordinate CA. The subordinate CA is the one that is used day to day 
 in issuing certificates.
 
 From your description below, you say that you have an enterprise CA 
 server publishing to AD. Is that your root CA? What does the 
 subordinate CA do? You don't need windows enterprise to issue 
 certificates - you only need it if you want to make changes to the 
 templates of the certs that are issued.
 
 ...Tim
 
 
  -Original Message-
  From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
  Sent: Thursday, November 27, 2008 3:34 AM
  To: NT System Admin Issues
  Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall
 fails.
 
  Is the 'intermediate CA' the same thing as a 'subordinate CA.'  I 
  installed the CA services on the DC as a subordinate CA server, 
  maybe it needs to be an Enterprise CA server?
 
  Overview:
  Windows Enterprise running Enterprise CA Server publishing to AD Two 
  windows standard running DC == Firewall

RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

2008-12-03 Thread Stephen Wimberly
That's exactly where the FM comes into play; I've got to take recommended
methods and Microsoft's examples and _attempt_ to put them into place in an
infrastructure that looks nothing like a test environment.

The firewall is in place because our environment is fairly open.  The only
port to our Enterprise server that is open is for SQL, as it's our SQL
Server that I'm using for the root CA.  The thought was that we _should_ be
able to implement certificate services without opening any more firewall
ports.

So it would appear I either need to ask the security team if I'm in trouble
by opening another port, or ask for more money to gain another Enterprise
server.



-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 03, 2008 10:50 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I agree. While I don't understand the reason for the firewall, you
definitely need the enterprise server issuing the certs. As was previously
suggested, you could set up a root CA behind the firewall (or an off line
root CA) and put the subordinate CA on the other side of the firewall.

 

 

.Tim

 

From: Jon Harris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2008 7:38 AM
To: NT System Admin Issues
Subject: Re: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

 

I think you may need to put an Enterprise server in your mix that is not
behind the firewall.

 

Jon

On Wed, Dec 3, 2008 at 10:34 AM, Stephen Wimberly [EMAIL PROTECTED]
wrote:

I have figured out how to get the auto-enroll working!  YEAH!

Although; when it comes to SCCM the site server seems to require the same
client certificate as the actual 'clients'.  What I am finding is that the
certificates I create (duplicate) are Windows Server Enterprise
certificates, the domain controller on the other side of the firewall that
is a subordinate CA Authority is a Windows Server Standard, not Enterprise.
Each time I attempt to manually enroll or auto-enroll one of the
certificates I build through the Enterprise templates (which is the reason
we are using Enterprise!) the client wants to get a reply from the
Enterprise server.  This is not going to happen over the firewall!!!

I may just have to RTFM.



-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED]

Sent: Tuesday, December 02, 2008 11:29 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

I'm glad to hear that you got it figured out.


...Tim

 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 01, 2008 10:47 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

 It's always the simple stuff...

 I had forgotten to open the Windows Firewall to certsrv.exe on the sub 
 CA.

 I now have auto enrollment working like a charm



 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 01, 2008 8:57 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

 What I'm trying to do:  We are attempting to use certificates for SCCM.
 In
 the future we would like to extend the certificate structure for IPSEC 
 authentication and we are considering the use of certificates for file 
 encryption.

 We are utilizing the Enterprise level Windows Server in order to take 
 advantage of the Certificate Templates.

 The Enterprise Server is generating the root CA and the SCCM 
 certificates outlined in the 'step by step' sccm documentation and 
 publishing those to AD.

 The problem comes in when the workstation attempts to AutoEnroll the
 certificates.   Via network trace I can see that the workstation is
 requesting something from the Enterprise Server, which is behind a 
 firewall.
 The firewall blocks the traffic and the Auto Enrollment fails.

 Since the firewall was the problem, I thought that MAYBE another CA on 
 the same side of the firewall might be in order.  So, back to my 
 original question; do I need a CA Server on the same side of the 
 firewall as the workstations?  I only have two servers on the same 
 network as the workstations, both are domain controllers.  Or MAYBE 
 the problem is elsewhere?

 The actual error I get is Event ID 13; Automatic certificate 
 enrollment for local system failed to enroll for one Computer 
 certificate (0x800706ba). The RPC server is unavailable.  When I 
 attempt to gain the certificate manually I get the same error.

 I assume the RPC server is that of the root CA server, which is the 
 Enterprise level server on the other side of the firewall.  It's not 
 going to reply.  _SHOULD_ the workstation gain everything it needs 
 from the Domain Controller rather than any CA Server???



 -Original Message-
 From: Tim Evans [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2008 1:43 PM
 To: NT System Admin

RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

2008-12-01 Thread Stephen Wimberly
What I'm trying to do:  We are attempting to use certificates for SCCM.  In
the future we would like to extend the certificate structure for IPSEC
authentication and we are considering the use of certificates for file
encryption.

We are utilizing the Enterprise level Windows Server in order to take
advantage of the Certificate Templates.

The Enterprise Server is generating the root CA and the SCCM certificates
outlined in the 'step by step' sccm documentation and publishing those to
AD.

The problem comes in when the workstation attempts to AutoEnroll the
certificates.   Via network trace I can see that the workstation is
requesting something from the Enterprise Server, which is behind a firewall.
The firewall blocks the traffic and the Auto Enrollment fails.

Since the firewall was the problem, I thought that MAYBE another CA on the
same side of the firewall might be in order.  So, back to my original
question; do I need a CA Server on the same side of the firewall as the
workstations?  I only have two servers on the same network as the
workstations, both are domain controllers.  Or MAYBE the problem is
elsewhere?

The actual error I get is Event ID 13; Automatic certificate enrollment for
local system failed to enroll for one Computer certificate (0x800706ba). The
RPC server is unavailable.  When I attempt to gain the certificate manually
I get the same error.

I assume the RPC server is that of the root CA server, which is the
Enterprise level server on the other side of the firewall.  It's not going
to reply.  _SHOULD_ the workstation gain everything it needs from the Domain
Controller rather than any CA Server???



-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 27, 2008 1:43 PM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

Yes, an intermediate CA is the same thing as a subordinate CA. I think
subordinate CA is the correct terminology. Sorry about that.

From your description, it's not clear to me what you are trying to do. Why
do you have 2 CAs? For my experience, the reason why you have two is so that
the root CA can be kept off line for added security. The root CA is used to
generate the certificate for the subordinate CA, and isn't used again except
for CRL updates and to renew the cert on the subordinate CA. The subordinate
CA is the one that is used day to day in issuing certificates. 

From your description below, you say that you have an enterprise CA server
publishing to AD. Is that your root CA? What does the subordinate CA do? You
don't need windows enterprise to issue certificates - you only need it if
you want to make changes to the templates of the certs that are issued.

...Tim


 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2008 3:34 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 Is the 'intermediate CA' the same thing as a 'subordinate CA.'  I
 installed
 the CA services on the DC as a subordinate CA server, maybe it needs to
 be
 an Enterprise CA server?
 
 Overview:
 Windows Enterprise running Enterprise CA Server publishing to AD
 Two windows standard running DC
 == Firewall == (DCs replicate via IPSEC)
 Two windows standard running DC; one running Enterprise subordinate CA
 server
 Workstations.
 
 
 -Original Message-
 From: Tim Evans [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 26, 2008 4:22 PM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 Our root CA is off line. I only fire it up every couple of months to
 keep it
 patched and update the CRL's. You will need an intermediate CA online
 somewhere to issue certificates. The problem is that, if you want to
 use
 certificate templates and modify the defaults, you need windows
 enterprise
 for the intermediate CA that actually issues the certs. Our root CA is
 standard, but the intermediate CA is enterprise.
 
 
 ...Tim
 
  -Original Message-
  From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, November 26, 2008 1:06 PM
  To: NT System Admin Issues
  Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
  The plan was to use our SQL Server (the only Enterprise level server
  we
  have) to issue the root CA, publish it to Active Directory and use
 GPO
  to push the computer certificate to the workstations.
 
  The plan _almost_ works
 
  The workstation fails on auto enrollment because it is sending out a
  request directly to the SQL server (root CA server) to register the
  certificate.  (I see this via WireShark) The SQL server is behind a
  firewall and we really don't want to open any more ports.
 
  Is there a way (that I'm obviously missing) to push the certificates
  directly from AD (Server 2003 R2 STANDARD) so there is no required
  communication back to the root CA Server
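
Event ID 13 with 0x800706ba, as reported in this message, means the workstation could not reach a CA over RPC/DCOM: Active Directory only publishes the templates and the list of enrollment CAs, and the certificate request itself goes to one of those CA hosts. The script below is an added example, not code from the thread, that lists the CAs published in AD and tests from the workstation whether each one answers; it assumes a domain-joined machine and PowerShell 4 or later for `Test-NetConnection`.

```powershell
# Added example: enumerate the enrollment CAs that AD advertises to clients
# and check that this machine can reach each of them.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'
$searcher.SearchScope = 'OneLevel'
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'certificateTemplates'))

$report = foreach ($result in $searcher.FindAll()) {
    # Property names come back lower-cased in the result collection.
    $caName    = [string]$result.Properties['cn'][0]
    $caHost    = [string]$result.Properties['dnshostname'][0]
    $templates = @($result.Properties['certificatetemplates'])

    # Step 1: the RPC endpoint mapper. If TCP 135 is blocked nothing else works.
    $rpc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

    # Step 2: certutil -ping calls the CA's certificate request interface over
    # DCOM, which uses a dynamic port behind the endpoint mapper. This is the
    # step that fails when 135 is open but certsrv.exe is not allowed through
    # the host firewall on the CA.
    $null   = & certutil.exe -config "$caHost\$caName" -ping 2>&1
    $dcomOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        CAName        = $caName
        CAHost        = $caHost
        Templates     = ($templates -join ', ')
        Tcp135Open    = $rpc.TcpTestSucceeded
        CertutilPing  = $dcomOk
    }
}

$report | Format-List
```

A CA that shows `Tcp135Open = True` but `CertutilPing = False` is reachable at the endpoint mapper while its certificate service port is still filtered.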

RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

2008-12-01 Thread Stephen Wimberly
It's always the simple stuff...

I had forgotten to open the Windows Firewall to certsrv.exe on the sub CA.

I now have auto enrollment working like a charm



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 8:57 AM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

What I'm trying to do:  We are attempting to use certificates for SCCM.  In
the future we would like to extend the certificate structure for IPSEC
authentication and we are considering the use of certificates for file
encryption.

We are utilizing the Enterprise level Windows Server in order to take
advantage of the Certificate Templates.

The Enterprise Server is generating the root CA and the SCCM certificates
outlined in the 'step by step' sccm documentation and publishing those to
AD.

The problem comes in when the workstation attempts to AutoEnroll the
certificates.   Via network trace I can see that the workstation is
requesting something from the Enterprise Server, which is behind a firewall.
The firewall blocks the traffic and the Auto Enrollment fails.

Since the firewall was the problem, I thought that MAYBE another CA on the
same side of the firewall might be in order.  So, back to my original
question; do I need a CA Server on the same side of the firewall as the
workstations?  I only have two servers on the same network as the
workstations, both are domain controllers.  Or MAYBE the problem is
elsewhere?

The actual error I get is Event ID 13; Automatic certificate enrollment for
local system failed to enroll for one Computer certificate (0x800706ba). The
RPC server is unavailable.  When I attempt to gain the certificate manually
I get the same error.

I assume the RPC server is that of the root CA server, which is the
Enterprise level server on the other side of the firewall.  It's not going
to reply.  _SHOULD_ the workstation gain everything it needs from the Domain
Controller rather than any CA Server???



-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 27, 2008 1:43 PM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

Yes, an intermediate CA is the same thing as a subordinate CA. I think
subordinate CA is the correct terminology. Sorry about that.

From your description, it's not clear to me what you are trying to do. Why
do you have 2 CAs? For my experience, the reason why you have two is so that
the root CA can be kept off line for added security. The root CA is used to
generate the certificate for the subordinate CA, and isn't used again except
for CRL updates and to renew the cert on the subordinate CA. The subordinate
CA is the one that is used day to day in issuing certificates. 

From your description below, you say that you have an enterprise CA server
publishing to AD. Is that your root CA? What does the subordinate CA do? You
don't need windows enterprise to issue certificates - you only need it if
you want to make changes to the templates of the certs that are issued.

...Tim


 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Thursday, November 27, 2008 3:34 AM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 Is the 'intermediate CA' the same thing as a 'subordinate CA.'  I 
 installed the CA services on the DC as a subordinate CA server, maybe 
 it needs to be an Enterprise CA server?
 
 Overview:
 Windows Enterprise running Enterprise CA Server publishing to AD Two 
 windows standard running DC == Firewall == (DCs replicate 
 via IPSEC) Two windows standard running DC; one running Enterprise 
 subordinate CA server Workstations.
 
 
 -Original Message-
 From: Tim Evans [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 26, 2008 4:22 PM
 To: NT System Admin Issues
 Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 Our root CA is off line. I only fire it up every couple of months to 
 keep it patched and update the CRL's. You will need an intermediate CA 
 online somewhere to issue certificates. The problem is that, if you 
 want to use certificate templates and modify the defaults, you need 
 windows enterprise for the intermediate CA that actually issues the 
 certs. Our root CA is standard, but the intermediate CA is enterprise.
 
 
 ...Tim
 
  -Original Message-
  From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, November 26, 2008 1:06 PM
  To: NT System Admin Issues
  Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
  The plan was to use our SQL Server (the only Enterprise level 
  server we
  have) to issue the root CA, publish it to Active Directory and use
 GPO
  to push the computer certificate to the workstations.
 
  The plan _almost_ works
 
  The workstation fails on auto enrollment because it is sending out

RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

2008-11-27 Thread Stephen Wimberly
Is the 'intermediate CA' the same thing as a 'subordinate CA.'  I installed
the CA services on the DC as a subordinate CA server, maybe it needs to be
an Enterprise CA server?

Overview:
Windows Enterprise running Enterprise CA Server publishing to AD
Two windows standard running DC
== Firewall == (DCs replicate via IPSEC)
Two windows standard running DC; one running Enterprise subordinate CA
server
Workstations.


-Original Message-
From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2008 4:22 PM
To: NT System Admin Issues
Subject: RE: PKI Infrastructure / GPO Auto Enroll over Firewall fails.

Our root CA is off line. I only fire it up every couple of months to keep it
patched and update the CRL's. You will need an intermediate CA online
somewhere to issue certificates. The problem is that, if you want to use
certificate templates and modify the defaults, you need windows enterprise
for the intermediate CA that actually issues the certs. Our root CA is
standard, but the intermediate CA is enterprise.


...Tim

 -Original Message-
 From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 26, 2008 1:06 PM
 To: NT System Admin Issues
 Subject: PKI Infrastructure / GPO Auto Enroll over Firewall fails.
 
 The plan was to use our SQL Server (the only Enterprise level server 
 we
 have) to issue the root CA, publish it to Active Directory and use GPO 
 to push the computer certificate to the workstations.
 
 The plan _almost_ works
 
 The workstation fails on auto enrollment because it is sending out a 
 request directly to the SQL server (root CA server) to register the 
 certificate.  (I see this via WireShark) The SQL server is behind a 
 firewall and we really don't want to open any more ports.
 
 Is there a way (that I'm obviously missing) to push the certificates 
 directly from AD (Server 2003 R2 STANDARD) so there is no required 
 communication back to the root CA Server???  I'm wanting all the 
 communication to come directly from the domain controller that is in 
 the same network.
 
 Do I need to set up the DC as a subordinate CA?
 
 
 


Computer GPO at startup over wireless?

2008-09-18 Thread Stephen Wimberly
I have some laptop and wireless workstations that are not on the network at
the time the user logs on, but later once they get a desktop they can create
a vpn which will give them full server access.

 

At the time they boot up, they get a 'guest wireless' connection which does
not allow them to our servers and does not provide them with our DNS
settings.  I can deal with the DNS settings via script to point them to our
domain, at that point they could run gpupdate even if it is manual.

 

The problem is that some updates, specifically the Computer Configuration
Policies must run at startup, before the user has logged in.  (I am not
trying to install software, just apply computer policies.)

 

Is there a way to instruct Windows XP to cache the computer policies and
startup scripts and process them once the computer has a vpn with the right
DNS settings?

 

I've looked at the Wireless Policy that came out with Server 2003, but
since the DHCP server does not provide our DNS settings, I don't see that
ever working, unless I'm missing something.  At one point I attempted to use
GPO to set the DNS settings, but that threw them into the registry where
laptop users who attempted to take the machines home could not change them,
I need to leave the DNS settings DHCP by default, or at least leave them
visible to the user.

 



RE: GPO settings for power management?

2008-09-18 Thread Stephen Wimberly
I have been using EZ GPO for years, just for turning off the monitor on
Windows 2000 and Windows XP machines.

Recently we have been using it to be a bit more aggressive, put the computer
to sleep... my challenge was _not_ to turn off those computers that are used
by users off campus for remote desktop, so I created a WMI filter that
bypasses machines on Static IP Addresses.  (we only use static IP for remote
access.)


-Original Message-
From: Matt Cross [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 11:45 AM
To: NT System Admin Issues
Subject: Re: GPO settings for power management?

I just implemented the EZ GPO and it works like a champ for XP.

Ralph Smith wrote:

 Here is a link I saved a while ago but never followed up on. It is EZ 
 GPO which if I remember correctly is a template for Group Policy created 
 by Energy Star that is supposed to work with Windows 2003 server for 
 2000 and XP clients.

 Now I'll have to go check this out myself.

 http://www.energystar.gov/index.cfm?c=power_mgt.pr_power_mgt_ez_gpo

 Ralph Smith
 Gateway Community Industries
 845-331-1261 x234

 --
 --

 *From:* David Mazzaccaro [mailto:[EMAIL PROTECTED]
 *Sent:* Thursday, September 18, 2008 10:52 AM
 *To:* NT System Admin Issues
 *Subject:* GPO settings for power management?

 In Win2003 server, you cannot use GPOs to configure Windows XP power 
 settings (turn off monitor, turn off hard disk, standby, etc.), correct?

 How about Win2008 server?

  




  

--
Matt Cross, MCSE: Messaging
mailto:[EMAIL PROTECTED]




RE: AV on *all* servers...or no?

2008-08-28 Thread Stephen Wimberly
I used to say no, not all servers, but I have been hit with virus/worms that
infect via open ports rather than email or web browsing so now I'm more
inclined to install AV on all servers.  Yes it has to be configured a bit
different on a server than a workstation, but that is more 'a cost of doing
business'.


-Original Message-
From: David Lum [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 28, 2008 11:53 AM
To: NT System Admin Issues
Subject: AV on *all* servers...or no?

[Cross posted here and on the Vipre Enterprise list]

 

There is some debate among my fellow IS staff here whether AV should be on
all 200+ of our servers. From my standpoint my question would be "Why not?"
- put it on all servers and exclude what's necessary. We are SQL heavy and
I'm sure performance is the primary concern, but is there any compelling
reason to completely leave it off of some servers?

 

Dave Lum - Systems Engineer

971-222-1025

Northwest Evaluation Association - www.nwea.org

 


 

 





RE: Disconnected on a schedule???

2008-08-14 Thread Stephen Wimberly
Signing up for a free trial on experts-exchange did nothing since 1. The
original question was actually how to replicate the data since they were not
replicating prior to the problem, and 2. The answers posted really didn't
address the question that was even asked but since no one spoke up, it auto
closed with a positively corrected answer!

This sounds MUCH more like the problem I'm having:
http://support.microsoft.com/kb/822219

I had totally disabled the Symantec Antivirus on the server, but never
thought to disable the VERITAS (err Symantec) Backup Exec Remote Agent
(RANT) on the server.

By now all the data is on the other file server and all replication is
turned off but the problem is still happening!  So I'm going to disable the
RANT and see if that 'solves' the problem.  Maybe this is what I 'need' to
get enough funds to upgrade our Backup Exec 10D.


-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 06, 2008 2:44 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

You might want to sign up an account to read the comments (not sure if they
are really helpful), but in the problem description, the person mentions
stopping the DFS Service to stabilize the box.

 Over the last couple of months our Poweredge server would hang the only
response we would get from it was a ping we would have to give it a cold
start. We disabled the replication to the second dfs server but this didnt
help. We have now stopped the dfs service and disabled it on the box (dfs1)
for the last two days and it has been stable.

It could still be unrelated to what you're seeing though.  If stopping
replication or DFS solves the problem, I'd be on the horn to PSS (and maybe
sooner if there are still no leads).

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 11:10 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Sorry I didn't make that clear, when this started we were really thinking it
was a firewall problem and it morphed over to a server problem rather
slowly.

The DFS Replication logs show an error every few weeks about a file that
cannot be replicated due to consistent sharing violations, but normally all
I see are the informational 'a file was changed on multiple servers and a
conflict resolution algorithm was used to determine the winning file.'

The date/time on the sharing violations do not match anywhere close to the
date/time of the current outages we are seeing.  We have gone over each
documented outage time and looked through all the log files for anything
close to the outages and found nothing recorded within five minutes of any
outage.

I am going to have DFS Replication turned off by Monday.  Bonnie, certainly
you're saying 'DFS Replication' had to be turned off, not 'DFS Namespace'
entirely???



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 11:42 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Although you mentioned DFS, this is the first mention I've seen of
replication--that could be causing an obscure problem, and it does usually
happen on a schedule like what you're seeing.

This sounds a lot like what you are talking about:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22791394.html
Looks like s/he had to disable the DFS Service altogether to get the problem
to quit.

Are you seeing anything in the DFS Replication event logs?  I wonder if
there's a way to turn up the logging on the service...

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 4:59 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks for playing, yes we upgraded the SATA HD firmware as well, in all we
had two updates that required an external boot and a manual install process
at a DOS prompt, they each went smooth.

If you've been playing along, thanks Bonnie,  you may remember I've got two
PE2950 that are both file servers, nothing else, they each are Windows 2003
Server R2 running sharing files via MS DFS and using DFS Replication (the
new R2 version, not the older File Replication Service) to keep the files in
sync as well as file Quotas using File Server Resource Manager (FSRM).
Virtually nothing else is running on these, except of course Symantec
Antivirus Corporate Edition 10.1.5.5010 with tamper protection turned off as
we have seen problems with tamper protection in prior versions.  As part of
our diagnostics we did disable Symantec Antivirus for several days and that
did not help the problem at all.

So, even though the DFS Replication diagnostic reports have been telling us
that there are no errors nor warnings we are finding that replication is not
actually happening a good bit of the time!  As we attempt to migrate users
to the failover file server we

RE: Disconnected on a schedule???

2008-08-06 Thread Stephen Wimberly
Thanks for playing, yes we upgraded the SATA HD firmware as well, in all we
had two updates that required an external boot and a manual install process
at a DOS prompt, they each went smooth.

If you've been playing along, thanks Bonnie,  you may remember I've got two
PE2950 that are both file servers, nothing else, they each are Windows 2003
Server R2 running sharing files via MS DFS and using DFS Replication (the
new R2 version, not the older File Replication Service) to keep the files in
sync as well as file Quotas using File Server Resource Manager (FSRM).
Virtually nothing else is running on these, except of course Symantec
Antivirus Corporate Edition 10.1.5.5010 with tamper protection turned off as
we have seen problems with tamper protection in prior versions.  As part of
our diagnostics we did disable Symantec Antivirus for several days and that
did not help the problem at all.

So, even though the DFS Replication diagnostic reports have been telling us
that there are no errors nor warnings we are finding that replication is not
actually happening a good bit of the time!  As we attempt to migrate users
to the failover file server we find via tools like Microsoft SyncToy and
2BrightSparks SyncBack that files are not actually replicated 100%.  Out of
about one million files spread across 10 different Replication groups that
two of the replication groups have missed about 1000 files, so replication
normally works, but at times it's having a bit of difficulty.

Once I can get all the users pointed to a single file server I plan to
disable the DFS Replication to see if the outage times stop.

Right now, I'm seeing that both file servers are actually having problems;
as we have a diagnostic application running on the system partition of each
file server appending a text file on the data partitions every five seconds.
At a variety of times on no apparent time table the application cannot
append the text file on the data partition, although at a time table that is
a bit predictable, about every six hours it seems to get real bad only on
one file server though, the older of the two PE2950's that has a slower
processor.  The Performance Monitor tells us that the CPU is spiking to over
100% for 4.5 minutes every six hours.  Most outages are roughly 10 to 20
seconds.

I should know more next week after we migrate the rest of the data off the
problematic server this weekend.  Hopefully we won't be migrating the
_problem_ with it!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2008 10:55 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

It sounds like you are all updated firmware/driver-wise with the RAID
controller, bios, etc--have you or they tried installing the latest SAS (or
SATA) HD Firmware yet?  You have to get the utility to make an ISO or cd and
boot from that to update the drives.  I've only updated one SAS 2950 server
so far, which was in the process of being built/installed from
scratch--haven't done any live systems--but the one I did went fine.

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2008 9:41 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

After extended discussions with Dell, I'm really starting to wonder if this
is a hardware issue at all.  If you're familiar with Dell's DSET utility
you'll know that it is able to capture logs from many areas of both hardware
and software related items.  They have gone over the log files several times
and seen periods where the log files do not capture any information during
the outage but in no place does any log file capture a problem.

While logged into the console of the problematic server Windows Explorer
seems to go into a Non Responding period of approximately four minutes.  The
task manager, running prior to the outage is 'frozen' during the outage so
no new tasks nor updates on existing tasks is visible.  Running Performance
Monitor on the server during the outage freezes while the outage is
happening, so it is not possible to see anything on screen while the problem
happens.

I was able to capture a log file of the Performance Monitor and send it to
Dell for analysis, but they could not see any problems and have asked for
another Performance Monitor capture.


What else could cause Windows Explorer to lock up 'every so often.'  It is
usually Approximately 1 AM, 7 AM, 1 PM and 7 PM, or up to 40 minutes after
each of those time frames.  Twice now I have seen explorer windows lock up
on ONE VOLUME only, and twice I've seen Windows Explorer lock up entirely,
on both volumes.

This server is relatively new, was purchased as a file server, no other
roles are active, nothing unnecessary was installed, not Web server,
nothing.  The only ports open to the file server via an external hardware
firewall are those ports required for File/Print sharing. (139/TCP, 445/TCP,
137/UDP and 138/UDP
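
The heartbeat diagnostic described in this thread (a script appending to a text file on the file server at a fixed interval, with outages reported around 1 AM, 7 AM, 1 PM and 7 PM or up to 40 minutes later) can be analysed offline as below. This is an added example, not code from any poster; the log format, function names and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def build_sample_log():
    """Constructed sample: one line per successful append, every 15 s for 24 h,
    with three silent windows standing in for the outages."""
    start = datetime(2008, 7, 16, 0, 0, 0)
    silent = [  # (first missed write, last missed write), constructed values
        (datetime(2008, 7, 16, 1, 20, 0), datetime(2008, 7, 16, 1, 23, 45)),
        (datetime(2008, 7, 16, 7, 5, 0), datetime(2008, 7, 16, 7, 5, 15)),
        (datetime(2008, 7, 16, 13, 15, 0), datetime(2008, 7, 16, 13, 19, 45)),
    ]
    lines = []
    t = start
    while t < start + timedelta(hours=24):
        if not any(a <= t <= b for a, b in silent):
            lines.append(t.strftime(FMT) + " append ok")
        t += timedelta(seconds=15)
    return "\n".join(lines)


def parse_heartbeats(text):
    """Return sorted timestamps of successful appends; skip unparsable lines."""
    times = []
    for line in text.splitlines():
        line = line.strip()
        try:
            times.append(datetime.strptime(line[:19], FMT))
        except ValueError:
            continue  # header, blank or truncated line
    return sorted(times)


def find_outages(times, interval_s=15, missed=2):
    """A gap is an outage when at least `missed` consecutive writes are absent.
    Returns (first missed write, first write after recovery, outage length)."""
    step = timedelta(seconds=interval_s)
    threshold = step * (missed + 1)
    outages = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        if gap >= threshold:
            outages.append((prev + step, cur, gap - step))
    return outages


def minutes_after_slot(start, first_slot_hour=1, period_hours=6):
    """Minutes between the nearest preceding slot (1 AM, 7 AM, 1 PM, 7 PM by
    default) and the start of the outage."""
    minutes = start.hour * 60 + start.minute + start.second / 60
    return (minutes - first_slot_hour * 60) % (period_hours * 60)


def analyze(text, window_min=40):
    """Summarise each outage and flag whether it fits the six-hour pattern."""
    report = []
    for start, end, duration in find_outages(parse_heartbeats(text)):
        offset = minutes_after_slot(start)
        report.append({
            "start": start,
            "end": end,
            "seconds": int(duration.total_seconds()),
            "offset_min": round(offset, 1),
            "on_schedule": offset <= window_min,
        })
    return report


if __name__ == "__main__":
    for row in analyze(build_sample_log()):
        print(row["start"], row["seconds"], "s,",
              row["offset_min"], "min after slot,",
              "on schedule" if row["on_schedule"] else "off schedule")
```

Outages flagged off schedule are the ones worth correlating separately, since they do not fit the recurring six-hour job hypothesis.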

RE: Disconnected on a schedule???

2008-08-06 Thread Stephen Wimberly
Sorry I didn't make that clear, when this started we were really thinking it
was a firewall problem and it morphed over to a server problem rather
slowly.

The DFS Replication logs show an error every few weeks about a file that
cannot be replicated due to consistent sharing violations, but normally all
I see are the informational 'a file was changed on multiple servers and a
conflict resolution algorithm was used to determine the winning file.'

The date/time on the sharing violations do not match anywhere close to the
date/time of the current outages we are seeing.  We have gone over each
documented outage time and looked through all the log files for anything
close to the outages and found nothing recorded within five minutes of any
outage.

I am going to have DFS Replication turned off by Monday.  Bonnie, certainly
you're saying 'DFS Replication' had to be turned off, not 'DFS Namespace'
entirely???



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 06, 2008 11:42 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Although you mentioned DFS, this is the first mention I've seen of
replication--that could be causing an obscure problem, and it does usually
happen on a schedule like what you're seeing.

This sounds a lot like what you are talking about:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22791394.html
Looks like s/he had to disable the DFS Service altogether to get the problem
to quit.

Are you seeing anything in the DFS Replication event logs?  I wonder if
there's a way to turn up the logging on the service...

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 4:59 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks for playing, yes we upgraded the SATA HD firmware as well, in all we
had two updates that required an external boot and a manual install process
at a DOS prompt, they each went smooth.

If you've been playing along, thanks Bonnie,  you may remember I've got two
PE2950 that are both file servers, nothing else, they each are Windows 2003
Server R2 running sharing files via MS DFS and using DFS Replication (the
new R2 version, not the older File Replication Service) to keep the files in
sync as well as file Quotas using File Server Resource Manager (FSRM).
Virtually nothing else is running on these, except of course Symantec
Antivirus Corporate Edition 10.1.5.5010 with tamper protection turned off as
we have seen problems with tamper protection in prior versions.  As part of
our diagnostics we did disable Symantec Antivirus for several days and that
did not help the problem at all.

So, even though the DFS Replication diagnostic reports have been telling us
that there are no errors nor warnings we are finding that replication is not
actually happening a good bit of the time!  As we attempt to migrate users
to the failover file server we find via tools like Microsoft SyncToy and
2BrightSparks SyncBack that files are not actually replicated 100%.  Out of
about one million files spread across 10 different Replication groups that
two of the replication groups have missed about 1000 files, so replication
normally works, but at times it's having a bit of difficulty.

Once I can get all the users pointed to a single file server I plan to
disable the DFS Replication to see if the outage times stop.

Right now, I'm seeing that both file servers are actually having problems;
as we have a diagnostic application running on the system partition of each
file server appending a text file on the data partitions every five seconds.
At a variety of times on no apparent time table the application cannot
append the text file on the data partition, although at a time table that is
a bit predictable, about every six hours it seems to get real bad only on
one file server though, the older of the two PE2950's that has a slower
processor.  The Performance Monitor tells us that the CPU is spiking to over
100% for 4.5 minutes every six hours.  Most outages are roughly 10 to 20
seconds.

I should know more next week after we migrate the rest of the data off the
problematic server this weekend.  Hopefully we won't be migrating the
_problem_ with it!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2008 10:55 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

It sounds like you are all updated firmware/driver-wise with the RAID
controller, bios, etc--have you or they tried installing the latest SAS (or
SATA) HD Firmware yet?  You have to get the utility to make an ISO or cd and
boot from that to update the drives.  I've only updated one SAS 2950 server
so far, which was in the process of being built/installed from
scratch--haven't done any live systems--but the one I did went fine.

-Original Message-
From: Stephen

RE: Disconnected on a schedule???

2008-07-29 Thread Stephen Wimberly
After extended discussions with Dell, I'm really starting to wonder if this
is a hardware issue at all.  If you're familiar with Dell's DSET utility
you'll know that it is able to capture logs from many areas of both hardware
and software related items.  They have gone over the log files several times
and seen periods where the log files do not capture any information during
the outage but in no place does any log file capture a problem.

While logged into the console of the problematic server Windows Explorer
seems to go into a Non Responding period of approximately four minutes.  The
task manager, running prior to the outage is 'frozen' during the outage so
no new tasks nor updates on existing tasks is visible.  Running Performance
Monitor on the server during the outage freezes while the outage is
happening, so it is not possible to see anything on screen while the problem
happens.

I was able to capture a log file of the Performance Monitor and send it to
Dell for analysis, but they could not see any problems and have asked for
another Performance Monitor capture.


What else could cause Windows Explorer to lock up 'every so often.'  It is
usually Approximately 1 AM, 7 AM, 1 PM and 7 PM, or up to 40 minutes after
each of those time frames.  Twice now I have seen explorer windows lock up
on ONE VOLUME only, and twice I've seen Windows Explorer lock up entirely,
on both volumes.

This server is relatively new, was purchased as a file server, no other
roles are active, nothing unnecessary was installed, not Web server,
nothing.  The only ports open to the file server via an external hardware
firewall are those ports required for File/Print sharing. (139/TCP, 445/TCP,
137/UDP and 138/UDP.)



-Original Message-
From: Tom Miller [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 24, 2008 12:21 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Weird.  I had a similar problem a month ago on a 2950.  The PERC went
unresponsive.  When I finally got the server back I had lost all my data.
That was not a fun day.  I was current with patches (Netware) and
firmware/bios updates.  

 Stephen Wimberly [EMAIL PROTECTED] 7/24/2008 12:06 PM 
Here is a twist!  Today I was connected to the console of the file server at
the very moment the problem occurred.  The problem seems to be the drive
array, as the System volume responded just fine during the outage, but the
internal RAID 5 drive array went to a non-responding state for FOUR MINUTES!

I have opened a ticket with Dell, as it's a Dell PowerEdge 2950 server which
is fully under warranty.  The tech that answered did not see anything wrong
in the DSET report, and has escalated the issue to a supervisor.

So I think our Network guys are right, it's not a network issue, it's inside
the box.

This is a fairly new server, which runs as a file server only, no other
roles are installed, so it 'should' be fairly easy to diagnose.  At the time
of the problem, all windows explorer windows showing anything on the RAID5
array go dormant with Not Responding at the top.  Any windows explorer
window displaying something on the system volume responds as normal, where I
am able to open and close files, modify and save modified files, etc.  The
taskbar also goes dormant where it does not respond to any clicking.  When
the server returned to normal it very quickly processed all the clicks I had
done to switch windows, just flashing on the screen rather quickly as though
it had been storing my mouse clicks.  The event logs don't record anything
during nor after the problem.  The next entries in the App, Security, system
logs are well after it started to respond and have nothing to do with
'anything'.

So now I await a return call from Dell.
Thought I'd provide a follow up since several of you have sent me messages
on what to look for!  Thanks again!


-Original Message-
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 3:49 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Have the network guys look at the flow-control settings on your switches.
If flow-control is on (as it should be in most cases), ports may be getting
overwhelmed with traffic, resulting in pause frames.
Flow-control pausing a connection will not result in tcp retransmits.
Also, some switches may run out of buffer for the paused frames, although
that condition would cause you to start seeing tcp retransmits.

Some switches allow broadcast and unicast throttling.  If they're turned on,
they may be shutting down connections until the traffic goes below the
thresholds again.

An obvious thing is the speed/duplex settings.  If there's a mismatch, the
resulting degradation may only become noticeable under heavy traffic loads.

Can you identify the source and destination for the SMB traffic?  If so, you
could try to find what's causing it.


-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22

RE: Disconnected on a schedule???

2008-07-24 Thread Stephen Wimberly
Here is a twist!  Today I was connected to the console of the file server at
the very moment the problem occurred.  The problem seems to be the drive
array, as the System volume responded just fine during the outage, but the
internal RAID 5 drive array went to a non-responding state for FOUR MINUTES!

I have opened a ticket with Dell, as it's a Dell PowerEdge 2950 server which
is fully under warranty.  The tech that answered did not see anything wrong
in the DSET report, and has escalated the issue to a supervisor.

So I think our Network guys are right, it's not a network issue, it's inside
the box.

This is a fairly new server, which runs as a file server only, no other
roles are installed, so it 'should' be fairly easy to diagnose.  At the time
of the problem, all windows explorer windows showing anything on the RAID5
array go dormant with Not Responding at the top.  Any windows explorer
window displaying something on the system volume responds as normal, where I
am able to open and close files, modify and save modified files, etc.  The
taskbar also goes dormant where it does not respond to any clicking.  When
the server returned to normal it very quickly processed all the clicks I had
done to switch windows, just flashing on the screen rather quickly as though
it had been storing my mouse clicks.  The event logs don't record anything
during nor after the problem.  The next entries in the App, Security, system
logs are well after it started to respond and have nothing to do with
'anything'.

So now I await a return call from Dell.
Thought I'd provide a follow up since several of you have sent me messages
on what to look for!  Thanks again!


-Original Message-
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 3:49 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Have the network guys look at the flow-control settings on your switches.
If flow-control is on (as it should be in most cases), ports may be getting
overwhelmed with traffic, resulting in pause frames.
Flow-control pausing a connection will not result in tcp retransmits.
Also, some switches may run out of buffer for the paused frames, although
that condition would cause you to start seeing tcp retransmits.

Some switches allow broadcast and unicast throttling.  If they're turned on,
they may be shutting down connections until the traffic goes below the
thresholds again.

An obvious thing is the speed/duplex settings.  If there's a mismatch, the
resulting degradation may only become noticeable under heavy traffic loads.

Can you identify the source and destination for the SMB traffic?  If so, you
could try to find what's causing it.


-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 2:16 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???


This just gets more fun...

Our network team came out to our building to perform an on-site network
sniff.  There are no TCP retries, so there are no lost packets.  Follow that
with the statement There is a lot of SMB traffic, and SMB wouldn't attempt a
resend, so there might be some network lost packets.

He has taken the network traffic to research SMB traffic.

In the meantime, we find that some machines drop connection at the same time
that other machines don't.  We have a test script running on several
machines which append a text file every fifteen seconds and records
failures.  



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 8:24 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

When we ping the file server and any server in the same network a 'normal'
reply would be either =1 ms or =2 ms.  At the time of these problems we are
getting well over 100 ms for approximately two minutes!

Our network department has looked at wireshark traces from both workstation
and server and has merely pointed out that there is SMB traffic happening at
the time of the problem.  (I would think that to be rather 'normal' when you
run an application from a file share.)  I asked why they brought it up,
whether it is unusual, they said that they did not know and would need to do
more research.  So now we are waiting on them to review more log files.



-Original Message-
From: Terry Dickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 2:45 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

So have you tried something simple like a Ping to that server to see if the
Pings timeout, or are slower at the time of the slowdowns?  Just might help
to figure out if it is network related or not.



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:34 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

We will un-team in the next couple of days as a test; but keep in mind the
SQL Server

RE: Disconnected on a schedule???

2008-07-22 Thread Stephen Wimberly
This just gets more fun...

Our network team came out to our building to perform an on-site network
sniff.  There are no TCP retries, so there are no lost packets.  Follow that
with the statement There is a lot of SMB traffic, and SMB wouldn't attempt a
resend, so there might be some network lost packets.

He has taken the network traffic to research SMB traffic.

In the meantime, we find that some machines drop connection at the same time
that other machines don't.  We have a test script running on several
machines which append a text file every fifteen seconds and records
failures.  



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2008 8:24 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

When we ping the file server and any server in the same network a 'normal'
reply would be either =1 ms or =2 ms.  At the time of these problems we are
getting well over 100 ms for approximately two minutes!

Our network department has looked at wireshark traces from both workstation
and server and has merely pointed out that there is SMB traffic happening at
the time of the problem.  (I would think that to be rather 'normal' when you
run an application from a file share.)  I asked why they brought it up,
whether it is unusual, they said that they did not know and would need to do
more research.  So now we are waiting on them to review more log files.



-Original Message-
From: Terry Dickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 2:45 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

So have you tried something simple like a Ping to that server to see if the
Pings timeout, or are slower at the time of the slowdowns?  Just might help
to figure out if it is network related or not.



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:34 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

We will un-team in the next couple of days as a test; but keep in mind the
SQL Server is teamed using the same NICs as well with no issues, that's why
it hasn't been suspect yet.

I'm going to look into the firmware tomorrow morning when we have scheduled
downtime, thanks for mentioning.

As for Software firewall; we normally run the Windows firewall, but turned
that off for testing with no change.

The problem occurred again today at 1:15 PM.  It seems that Windows Explorer
'freezes' on almost all domain computers and no one can access their file
shares for a few seconds, until a reconnect can be established.  One
diagnostic script we have running appends a text file on the server every 15
seconds and during the outage could not append for a full five minutes!

Network ports are not ours to swap, but our network team.  Once they give
the word we could try that.

There are hardware firewalls at play as well; the firewall team is looking
into those to determine possible issues with load balancing, etc.

Thanks for your suggestions!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:42 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Hmm.. sounds like it's already been set then, but I don't know as I've
always done both the reg entry and the RSS on the Bcom NIC itself.  We also
are not using teaming at the moment, so I don't know if that might have a
separate issue.

Just re-read your post.  I see you mentioned all drivers updated, but how
about firmware?

Are you able to swap a network port the file server is using with the SQL
server that works?  What else is running on your file servers that is the
same across both--any software firewalls?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

All the registry entries are as you have them, although my Broadcom
BCM5708C NetXtreme II GigE cards were set to ENABLE 'Receive Side Scaling'.
I changed them to 'Disable'.  Each card disabled for a moment, then auto
re-enabled; so I assume this does not need a restart.

These servers have teamed NICs; all our servers do.  The BACS (BroadCom
Advanced Control Suite) is set up for switch failover as each NIC is
physically plugged to a different switch for failover.

-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 10:29 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

They're in the same area of the registry--My .reg file that I import looks
like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPA=dword:
EnableRSS=dword:
EnableTCPChimney=dword:

Also, on the Broadcom NIC(s) properties, look at the advanced tab.  Make
sure Receive Side Scaling

RE: Disconnected on a schedule???

2008-07-17 Thread Stephen Wimberly
Scheduled tasks was our first thought, once we identified the pattern.  All
servers have been checked repeatedly by different admins and the only
scheduled tasks are 1. Backup at midnight and 2. Antivirus updates at 2 AM
and 6 PM. And 3. Symantec antivirus corp ed ver 10.1.0.5010 scans at 4 AM. 

None of these represent anything to do with the outage times we have.


-Original Message-
From: Walker, Clay [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 3:20 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Getting back to basics, you might look in the task scheduler to see if there
are any re-occurring tasks.  In addition, you might run the at
command at the command prompt to see if there are any tasks.   You might
also check the task scheduler's logs.  Something with this consistency
almost screams scheduled task. 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:34 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

We will un-team in the next couple of days as a test; but keep in mind the
SQL Server is teamed using the same NICs as well with no issues, that's why
it hasn't been suspect yet.

I'm going to look into the firmware tomorrow morning when we have scheduled
downtime, thanks for mentioning.

As for Software firewall; we normally run the Windows firewall, but turned
that off for testing with no change.

The problem occurred again today at 1:15 PM.  It seems that Windows Explorer
'freezes' on almost all domain computers and no one can access their file
shares for a few seconds, until a reconnect can be established.  One
diagnostic script we have running appends a text file on the server every 15
seconds and during the outage could not append for a full five minutes!

Network ports are not ours to swap, but our network team.  Once they give
the word we could try that.

There are hardware firewalls at play as well; the firewall team is looking
into those to determine possible issues with load balancing, etc.

Thanks for your suggestions!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:42 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Hmm.. sounds like it's already been set then, but I don't know as I've
always done both the reg entry and the RSS on the Bcom NIC itself.  We also
are not using teaming at the moment, so I don't know if that might have a
separate issue.

Just re-read your post.  I see you mentioned all drivers updated, but how
about firmware?

Are you able to swap a network port the file server is using with the SQL
server that works?  What else is running on your file servers that is the
same across both--any software firewalls?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

All the registry entries are as you have them, although my Broadcom
BCM5708C NetXtreme II GigE cards were set to ENABLE 'Receive Side Scaling'.
I changed them to 'Disable'.  Each card disabled for a moment, then auto
re-enabled; so I assume this does not need a restart.

These servers have teamed NICs; all our servers do.  The BACS (BroadCom
Advanced Control Suite) is set up for switch failover as each NIC is
physically plugged to a different switch for failover.

-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 10:29 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

They're in the same area of the registry--My .reg file that I import looks
like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPA=dword:
EnableRSS=dword:
EnableTCPChimney=dword:

Also, on the Broadcom NIC(s) properties, look at the advanced tab.  Make
sure Receive Side Scaling is set to Disable.

I haven't done the netsh method, but I understand that can change it w/out
needing a server reboot.

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 7:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks Bonnie!

The TCP Chimney options are off!
(I had to look, @
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney=0
I've never configured them either way!)

The SNP I don't know how to check.  I see where I can use a netsh to set it
to disabled, but how would I see its current state?




-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:56 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Any kind of backup or snapshot taking place at those times?  Although I
can't say this would happen like clockwork, have you already disabled

RE: Disconnected on a schedule???

2008-07-17 Thread Stephen Wimberly
When we ping the file server and any server in the same network a 'normal'
reply would be either =1 ms or =2 ms.  At the time of these problems we are
getting well over 100 ms for approximately two minutes!

Our network department has looked at wireshark traces from both workstation
and server and has merely pointed out that there is SMB traffic happening at
the time of the problem.  (I would think that to be rather 'normal' when you
run an application from a file share.)  I asked why they brought it up,
whether it is unusual, they said that they did not know and would need to do
more research.  So now we are waiting on them to review more log files.



-Original Message-
From: Terry Dickson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 2:45 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

So have you tried something simple like a Ping to that server to see if the
Pings timeout, or are slower at the time of the slowdowns?  Just might help
to figure out if it is network related or not.



-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:34 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

We will un-team in the next couple of days as a test; but keep in mind the
SQL Server is teamed using the same NICs as well with no issues, that's why
it hasn't been suspect yet.

I'm going to look into the firmware tomorrow morning when we have scheduled
downtime, thanks for mentioning.

As for Software firewall; we normally run the Windows firewall, but turned
that off for testing with no change.

The problem occurred again today at 1:15 PM.  It seems that Windows Explorer
'freezes' on almost all domain computers and no one can access their file
shares for a few seconds, until a reconnect can be established.  One
diagnostic script we have running appends a text file on the server every 15
seconds and during the outage could not append for a full five minutes!

Network ports are not ours to swap, but our network team.  Once they give
the word we could try that.

There are hardware firewalls at play as well; the firewall team is looking
into those to determine possible issues with load balancing, etc.

Thanks for your suggestions!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 1:42 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Hmm.. sounds like it's already been set then, but I don't know as I've
always done both the reg entry and the RSS on the Bcom NIC itself.  We also
are not using teaming at the moment, so I don't know if that might have a
separate issue.

Just re-read your post.  I see you mentioned all drivers updated, but how
about firmware?

Are you able to swap a network port the file server is using with the SQL
server that works?  What else is running on your file servers that is the
same across both--any software firewalls?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

All the registry entries are as you have them, although my Broadcom
BCM5708C NetXtreme II GigE cards were set to ENABLE 'Receive Side Scaling'.
I changed them to 'Disable'.  Each card disabled for a moment, then auto
re-enabled; so I assume this does not need a restart.

These servers have teamed NICs; all our servers do.  The BACS (BroadCom
Advanced Control Suite) is set up for switch failover as each NIC is
physically plugged to a different switch for failover.

-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 10:29 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

They're in the same area of the registry--My .reg file that I import looks
like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPA=dword:
EnableRSS=dword:
EnableTCPChimney=dword:

Also, on the Broadcom NIC(s) properties, look at the advanced tab.  Make
sure Receive Side Scaling is set to Disable.

I haven't done the netsh method, but I understand that can change it w/out
needing a server reboot.

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 7:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks Bonnie!

The TCP Chimney options are off!
(I had to look, @
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney=0
I've never configured them either way!)

The SNP I don't know how to check.  I see where I can use a netsh to set it
to disabled, but how would I see its current state?




-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:56 AM
To: NT System Admin Issues
Subject

Disconnected on a schedule???

2008-07-16 Thread Stephen Wimberly
We have workstations that appear to be losing connection to the file share
on the server at almost precise times, every six hours.  7 AM, 1 PM, 7 PM, 1
AM; Repeat.

 

The event logs on the workstation and servers are clean, Domain controllers
and file share server.  So I assume the loss is not long enough for the OS
to recognize it.  Although we have a custom application running on many
machines that can't seem to handle the brief outage and fails like
clockwork.  The application vendor tells us it has a sixty second timeout
before it will fail; certainly long enough to handle any brief disconnect.

 

Network traces (using wireshark) from the server to workstation and
workstation to server do not show any sign of failure.

 

A script that updates a text file on the server every fifteen seconds does
show the failure, it fails to update the text file on the server for up to
four _minutes_ at a time!  Although during the four minute failure period
it's able to update once or twice during the outage, so it's not a total
blackout.

 

Workstations map a drive to the file share using a DFS path; ie:
\\domain\share.  So we tested a direct mapping using \\server\share, and we
get the same result.

 

We mapped drives to two different file servers, each file server is in a
different building on different ends of campus.  The workstations used four
test drive mappings, two for each server, one DFS on each server and one
direct for each server.  All four drive mappings failed at the same time.

 

The connection to the SQL server is never lost.  The SQL server is plugged
into the same network switch as the file server.

 

The Windows Domain has no trusts; it's a single domain forest.  There are no
services on any server with a six hour schedule that we know of.  Backup
runs daily at midnight and completes prior to 7 AM.  Virus scan is still
running at the 7 AM hour, but is long since complete by the 1 PM hour.

 

Both file servers are Dell PE 2950 running Windows Server 2003 R2; All
drivers seem up to date with Dell's support site.

 

Workstations are a variety of makes, running either Windows XP Pro SP2,
Windows XP Pro SP3 and Windows Vista SP1 and are scattered all over campus
on different network subnets.

 

Our network department is telling us that the network is fine, it's either a
workstation or a server issue.

 

Anyone seen this type of thing before???

 

Thanks!

 


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm  ~
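
The fifteen-second append test described in the post above becomes evidence once the holes in the file are turned into outage windows and checked against the six-hour pattern. The following is an added example, not part of the original post and not the poster's script; the log format (one timestamp per line), the function names and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(seconds=15)   # heartbeat period stated in the thread
FMT = "%Y-%m-%d %H:%M:%S"          # assumed log format: one timestamp per line


def parse_log(text):
    """Turn the heartbeat file into a sorted list of datetimes."""
    return sorted(datetime.strptime(line.strip(), FMT)
                  for line in text.splitlines() if line.strip())


def find_gaps(stamps, interval=INTERVAL, slack=timedelta(seconds=5)):
    """Return (last_ok, next_ok, missed_appends) for every hole in the log."""
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta > interval + slack:
            gaps.append((prev, cur, round(delta / interval) - 1))
    return gaps


def merge_outages(gaps, rejoin=timedelta(minutes=2)):
    """Merge gaps split only by a short run of successes into one outage.

    The thread notes that one or two appends get through mid-outage, so a
    single incident appears in the log as several adjacent gaps.
    """
    outages = []
    for start, end, missed in gaps:
        if outages and start - outages[-1]["end"] <= rejoin:
            outages[-1]["end"] = end
            outages[-1]["missed"] += missed
        else:
            outages.append({"start": start, "end": end, "missed": missed})
    return outages


def phase_spread(outages, period=timedelta(hours=6)):
    """Smallest and largest offset of the outage starts within the period.

    A narrow spread means the outages are locked to a schedule. Offsets are
    measured from midnight of the first outage's day; wrap-around at the
    period boundary is not handled.
    """
    day0 = outages[0]["start"].replace(hour=0, minute=0, second=0, microsecond=0)
    offsets = [(o["start"] - day0) % period for o in outages]
    return min(offsets), max(offsets)


def build_sample():
    """Constructed data: 30 hours of heartbeats with four-minute outages near
    01:00, 07:00, 13:15 and 19:00, each letting one append through."""
    t0 = datetime(2008, 7, 16, 0, 0, 0)
    starts = [t0 + timedelta(hours=h, minutes=m)
              for h, m in ((1, 0), (7, 0), (13, 15), (19, 0), (25, 0))]
    lines, t = [], t0
    while t < t0 + timedelta(hours=30):
        blocked = any(timedelta(0) < t - s < timedelta(minutes=4)
                      and t - s != timedelta(minutes=2) for s in starts)
        if not blocked:
            lines.append(t.strftime(FMT))
        t += INTERVAL
    return "\n".join(lines)


if __name__ == "__main__":
    outages = merge_outages(find_gaps(parse_log(build_sample())))
    for o in outages:
        print(o["start"], "->", o["end"], "missed", o["missed"])
    print("phase within 6 h period:", *phase_spread(outages))
```

Running the same analysis on logs from several workstations and comparing the outage start times shows whether the clients fail together or independently.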

RE: Disconnected on a schedule???

2008-07-16 Thread Stephen Wimberly
Thanks Bonnie!

The TCP Chimney options are off!
(I had to look, @
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney=0
I've never configured them either way!)

The SNP I don't know how to check.  I see where I can use a netsh to set it
to disabled, but how would I see its current state?




-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 8:56 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Any kind of backup or snapshot taking place at those times?  Although I
can't say this would happen like clockwork, have you already disabled the
Chimney/SNP network options on those servers?

 

-Bonnie

 

From: Stephen Wimberly [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 5:51 AM
To: NT System Admin Issues
Subject: Disconnected on a schedule???

 

We have workstations that appear to be losing connection to the file share
on the server at almost precise times, every six hours.  7 AM, 1 PM, 7 PM, 1
AM; Repeat.

 

The event logs on the workstation and servers are clean, Domain controllers
and file share server.  So I assume the loss is not long enough for the OS
to recognize it.  Although we have a custom application running on many
machines that can't seem to handle the brief outage and fails like
clockwork.  The application vendor tells us it has a sixty second timeout
before it will fail; certainly long enough to handle any brief disconnect.

 

Network traces (using wireshark) from the server to workstation and
workstation to server do not show any sign of failure.

 

A script that updates a text file on the server every fifteen seconds does
show the failure, it fails to update the text file on the server for up to
four _minutes_ at a time!  Although during the four minute failure period
it's able to update once or twice during the outage, so it's not a total
blackout.

 

Workstations map a drive to the file share using a DFS path; ie:
\\domain\share.  So we tested a direct mapping using \\server\share, and we
get the same result.

 

We mapped drives to two different file servers, each file server is in a
different building on different ends of campus.  The workstations used four
test drive mappings, two for each server, one DFS on each server and one
direct for each server.  All four drive mappings failed at the same time.

 

The connection to the SQL server is never lost.  The SQL server is plugged
into the same network switch as the file server.

 

The Windows Domain has no trusts; it's a single domain forest.  There are no
services on any server with a six hour schedule that we know of.  Backup
runs daily at midnight and completes prior to 7 AM.  Virus scan is still
running at the 7 AM hour, but is long since complete by the 1 PM hour.

 

Both file servers are Dell PE 2950 running Windows Server 2003 R2; All
drivers seem up to date with Dell's support site.

 

Workstations are a variety of makes, running either Windows XP Pro SP2,
Windows XP Pro SP3 and Windows Vista SP1 and are scattered all over campus
on different network subnets.

 

Our network department is telling us that the network is fine, it's either a
workstation or a server issue.

 

Anyone seen this type of thing before???

 

Thanks!

 

 

 







RE: Disconnected on a schedule???

2008-07-16 Thread Stephen Wimberly
All the registry entries are as you have them, although my Broadcom
BCM5708C NetXtreme II GigE cards were set to ENABLE 'Receive Side Scaling'.
I changed them to 'Disable'.  Each card disabled for a moment, then auto
re-enabled; so I assume this does not need a restart.

These servers have teamed NICs; all our servers do.  The BACS (BroadCom
Advanced Control Suite) is set up for switch failover as each NIC is
physically plugged to a different switch for failover.

-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 10:29 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

They're in the same area of the registry--My .reg file that I import looks
like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPA=dword:
EnableRSS=dword:
EnableTCPChimney=dword:

Also, on the Broadcom NIC(s) properties, look at the advanced tab.  Make
sure Receive Side Scaling is set to Disable.

I haven't done the netsh method, but I understand that can change it w/out
needing a server reboot.

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 7:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks Bonnie!

The TCP Chimney options are off!
(I had to look, @
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney=0
I've never configured them either way!)

The SNP I don't know how to check.  I see where I can use a netsh to set it
to disabled, but how would I see its current state?




-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:56 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Any kind of backup or snapshot taking place at those times?  Although I
can't say this would happen like clockwork, have you already disabled the
Chimney/SNP network options on those servers?



-Bonnie



From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 5:51 AM
To: NT System Admin Issues
Subject: Disconnected on a schedule???



We have workstations that appear to be losing connection to the file share
on the server at almost precise times, every six hours.  7 AM, 1 PM, 7 PM, 1
AM; Repeat.



The event logs on the workstation and servers are clean, Domain controllers
and file share server.  So I assume the loss is not long enough for the OS
to recognize it.  Although we have a custom application running on many
machines that can't seem to handle the brief outage and fails like
clockwork.  The application vendor tells us it has a sixty second timeout
before it will fail; certainly long enough to handle any brief disconnect.



Network traces (using wireshark) from the server to workstation and
workstation to server do not show any sign of failure.



A script that updates a text file on the server every fifteen seconds does
show the failure, it fails to update the text file on the server for up to
four _minutes_ at a time!  Although during the four minute failure period
it's able to update once or twice during the outage, so it's not a total
blackout.



Workstations map a drive to the file share using a DFS path; ie:
\\domain\share.  So we tested a direct mapping using \\server\share, and we
get the same result.



We mapped drives to two different file servers, each file server is in a
different building on different ends of campus.  The workstations used four
test drive mappings, two for each server, one DFS on each server and one
direct for each server.  All four drive mappings failed at the same time.



The connection to the SQL server is never lost.  The SQL server is plugged
into the same network switch as the file server.



The Windows Domain has no trusts; it's a single domain forest.  There are no
services on any server with a six hour schedule that we know of.  Backup
runs daily at midnight and completes prior to 7 AM.  Virus scan is still
running at the 7 AM hour, but is long since complete by the 1 PM hour.



Both file servers are Dell PE 2950 running Windows Server 2003 R2; All
drivers seem up to date with Dell's support site.



Workstations are a variety of makes, running either Windows XP Pro SP2,
Windows XP Pro SP3 and Windows Vista SP1 and are scattered all over campus
on different network subnets.



Our network department is telling us that the network is fine, it's either a
workstation or a server issue.



Anyone seen this type of thing before???



Thanks!












RE: Disconnected on a schedule???

2008-07-16 Thread Stephen Wimberly
We will un-team in the next couple of days as a test; but keep in mind the
SQL Server is teamed using the same NICs as well with no issues, that's why
it hasn't been suspect yet.

I'm going to look into the firmware tomorrow morning when we have scheduled
downtime, thanks for mentioning.

As for Software firewall; we normally run the Windows firewall, but turned
that off for testing with no change.

The problem occurred again today at 1:15 PM.  It seems that Windows Explorer
'freezes' on almost all domain computers and no one can access their file
shares for a few seconds, until a reconnect can be established.  One
diagnostic script we have running appends a text file on the server every 15
seconds and during the outage could not append for a full five minutes!

Network ports are not ours to swap, but our network team.  Once they give
the word we could try that.

There are hardware firewalls at play as well; the firewall team is looking
into those to determine possible issues with load balancing, etc.

Thanks for your suggestions!



-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2008 1:42 PM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Hmm.. sounds like it's already been set then, but I don't know as I've
always done both the reg entry and the RSS on the Bcom NIC itself.  We also
are not using teaming at the moment, so I don't know if that might have a
separate issue.

Just re-read your post.  I see you mentioned all drivers updated, but how
about firmware?

Are you able to swap a network port the file server is using with the SQL
server that works?  What else is running on your file servers that is the
same across both--any software firewalls?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

All the registry entries are as you have them, although my Broadcom
BCM5708C NetXtreme II GigE cards were set to ENABLE 'Receive Side Scaling'.
I changed them to 'Disable'.  Each card disabled for a moment, then auto
re-enabled; so I assume this does not need a restart.

These servers have teamed NICs; all our servers do.  The BACS (BroadCom
Advanced Control Suite) is set up for switch failover as each NIC is
physically plugged to a different switch for failover.

-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 10:29 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

They're in the same area of the registry--My .reg file that I import looks
like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
EnableTCPA=dword:
EnableRSS=dword:
EnableTCPChimney=dword:

Also, on the Broadcom NIC(s) properties, look at the advanced tab.  Make
sure Receive Side Scaling is set to Disable.

I haven't done the netsh method, but I understand that can change it w/out
needing a server reboot.

-Bonnie

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 7:23 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Thanks Bonnie!

The TCP Chimney options are off!
(I had to look, @
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney=0
I've never configured them either way!)

The SNP I don't know how to check.  I see where I can use a netsh to set it
to disabled, but how would I see its current state?




-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 8:56 AM
To: NT System Admin Issues
Subject: RE: Disconnected on a schedule???

Any kind of backup or snapshot taking place at those times?  Although I
can't say this would happen like clockwork, have you already disabled the
Chimney/SNP network options on those servers?



-Bonnie



From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2008 5:51 AM
To: NT System Admin Issues
Subject: Disconnected on a schedule???



We have workstations that appear to be losing connection to the file share
on the server at almost precise times, every six hours.  7 AM, 1 PM, 7 PM, 1
AM; Repeat.



The event logs on the workstation and servers are clean, Domain controllers
and file share server.  So I assume the loss is not long enough for the OS
to recognize it.  Although we have a custom application running on many
machines that can't seem to handle the brief outage and fails like
clockwork.  The application vendor tells us it has a sixty second timeout
before it will fail; certainly long enough to handle any brief disconnect.



Network traces (using wireshark) from the server to workstation and
workstation to server do not show any sign of failure.



A script that updates a text file on the server every fifteen seconds does
show the failure

Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add local users from \\pc1, the
computer I am locally logged into?  Both SERVER1 and pc1 are in the same
windows domain.

I have a coworker that tells me he has had this setup for years and Friday
it suddenly stopped working, and now pc1 is no longer an option when
clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
\\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
SERVER1 going to know anything about a local user on a remote machine?

Is this 'broken'?





RE: Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
The user attempting the share is a domain admin and a member of Enterprise
Admins.

The user on the local workstation is merely a user.  Could it be that the
local user needs domain admin rights to do this?  Ie: iuser_pc1.


-Original Message-
From: Eric Woodford [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 12:42 PM
To: NT System Admin Issues
Subject: Re: Can \\pc1\user has rights to \\pc2\share\folder1?

IMO, it sounds like his domain account had inherited admin rights on that
server and they were removed. 

Now he only has basic access rights and cannot modify folders..




On Mon, Jun 23, 2008 at 9:37 AM, Stephen Wimberly [EMAIL PROTECTED]
wrote:


If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add local users from \\pc1, the
computer I am locally logged into?  Both SERVER1 and pc1 are in the same
windows domain.

I have a coworker that tells me he has had this setup for years and Friday
it suddenly stopped working, and now pc1 is no longer an option when
clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
\\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
SERVER1 going to know anything about a local user on a remote machine?

Is this 'broken'?





RE: Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
I have been able to duplicate the 'problem' so here is a more detailed
user issue:

I am also a member of Domain Admins and Enterprise Admins in our forest.  We
have a simple forest with only one domain.  When I log into \\pc1 with full
rights, I map a drive to \\SERVER1\Share and right click folder1 to gain
properties I can click ADD to add a user or group to the security rights
list, and then click on LOCATIONS to pick users from a specific location.
In the results I see the server hosting the share, SERVER1, and the AD
structure.  NOT the local \\pc1 as a choice.

I am told that I should see the local computer as a choice and be able to
select users that are local to the local computer.  Is that correct?

The account in question is the IUSR_pc1, which is a web user that needs to
write code to the file share.



-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 12:45 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Are you *sure* the user is part of the local PC1 security and NOT part of
the Domain logging in from PC1 ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:37 PM
To: NT System Admin Issues
Subject: Can \\pc1\user has rights to \\pc2\share\folder1?

If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add local users from \\pc1, the
computer I am locally logged into?  Both SERVER1 and pc1 are in the same
windows domain.

I have a coworker that tells me he has had this setup for years and Friday
it suddenly stopped working, and now pc1 is no longer an option when
clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
\\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
SERVER1 going to know anything about a local user on a remote machine?

Is this 'broken'?



No virus found in this incoming message.
Checked by AVG.
Version: 8.0.100 / Virus Database: 270.4.1/1514 - Release Date: 6/23/2008 7:17 AM


RE: Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
If I follow you, you're saying create a group at the domain level and add a
user from a workstation into the domain group?

I already have a group that has access for other reasons, when I attempt to
add \\pc1\user I get name is not valid.  I could add the computer object,
\\pc1, but the application is not using the system account.  I don't know
how to add a local machine user to a domain group.


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 1:03 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

H, could you not just make a group that has the required rights to the
share, and then explicitly add the local user from PC1 to the group ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:58 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

I have been able to duplicate the 'problem' so here is a more detailed
user issue:

I am also a member of Domain Admins and Enterprise Admins in our forest.  We
have a simple forest with only one domain.  When I log into \\pc1 with full
rights, I map a drive to \\SERVER1\Share and right click folder1 to gain
properties I can click ADD to add a user or group to the security rights
list, and then click on LOCATIONS to pick users from a specific location.
In the results I see the server hosting the share, SERVER1, and the AD
structure.  NOT the local \\pc1 as a choice.

I am told that I should see the local computer as a choice and be able to
select users that are local to the local computer.  Is that correct?

The account in question is the IUSR_pc1, which is a web user that needs to
write code to the file share.



-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:45 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Are you *sure* the user is part of the local PC1 security and NOT part of
the Domain logging in from PC1 ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:37 PM
To: NT System Admin Issues
Subject: Can \\pc1\user has rights to \\pc2\share\folder1?

If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add local users from \\pc1, the
computer I am locally logged into?  Both SERVER1 and pc1 are in the same
windows domain.

I have a coworker that tells me he has had this setup for years and Friday
it suddenly stopped working, and now pc1 is no longer an option when
clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
\\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
SERVER1 going to know anything about a local user on a remote machine?

Is this 'broken'?





RE: Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
I don't see where anything has changed on pc1, and I've tried this with
several computers and I'm not seeing any difference.  Maybe a needed service
on pc1 or server1 has been disabled or corrupted?


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 1:47 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Well, if the PC1 is a member of the domain computers and you're a domain
administrator then you *should* be able to enumerate the local PC users 
Groups.  Can you login locally to PC1 to check users and groups to see if
anything has been changed or deleted  ?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 1:20 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

If I follow you, you're saying create a group at the domain level and add a
user from a workstation into the domain group?

I already have a group that has access for other reasons, when I attempt to
add \\pc1\user I get name is not valid.  I could add the computer object,
\\pc1, but the application is not using the system account.  I don't know
how to add a local machine user to a domain group.


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 1:03 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

H, could you not just make a group that has the required rights to the
share, and then explicitly add the local user from PC1 to the group ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:58 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

I have been able to duplicate the 'problem' so here is a more detailed
user issue:

I am also a member of Domain Admins and Enterprise Admins in our forest.  We
have a simple forest with only one domain.  When I log into \\pc1 with full
rights, I map a drive to \\SERVER1\Share and right click folder1 to gain
properties I can click ADD to add a user or group to the security rights
list, and then click on LOCATIONS to pick users from a specific location.
In the results I see the server hosting the share, SERVER1, and the AD
structure.  NOT the local \\pc1 as a choice.

I am told that I should see the local computer as a choice and be able to
select users that are local to the local computer.  Is that correct?

The account in question is the IUSR_pc1, which is a web user that needs to
write code to the file share.



-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:45 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Are you *sure* the user is part of the local PC1 security and NOT part of
the Domain logging in from PC1 ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:37 PM
To: NT System Admin Issues
Subject: Can \\pc1\user has rights to \\pc2\share\folder1?

If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add local users from \\pc1, the
computer I am locally logged into?  Both SERVER1 and pc1 are in the same
windows domain.

I have a coworker that tells me he has had this setup for years and Friday
it suddenly stopped working, and now pc1 is no longer an option when
clicking on LOCATIONS to add users or groups.  He wants me to fix it so that
\\pc1\user can have security rights to \\SERVER1\share\folder1.  How is
SERVER1 going to know anything about a local user on a remote machine?

Is this 'broken'?




RE: Can \\pc1\user has rights to \\pc2\share\folder1?

2008-06-23 Thread Stephen Wimberly
Actually pc1 and server1 are both at Windows 2003 Server R2 with Service
Pack 2.  The domain is a functional 2003 domain level.

Where I actually disagree with the method here; I don't think a local user
of one server or computer should be granted rights to a folder on yet
another computer rather than a domain member, I agree it _should_ function.
I'm told it has functioned until Friday afternoon.  The last time I approved
and applied any MS updates was last Monday.  We run a fairly clean
environment as it's only 20 servers and 400 or so desktops, so it's fairly
easy to manage IF they are all relatively similar to each other so we try to
keep them that way.

Pc1 is a web server with NO file/Print ports open, server1 is a file share
with NO web ports open.  Neither is a domain controller.  There are no ports
blocked between the two computers and the domain controllers though, the
servers are all on the same switch.

Thanks for taking an interest!  This one has me going mad.  mad I tell ya!


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2008 2:48 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Strange... What level AD are you running(2000, 2003?), and what OS for the
PC1 desktop (2000, XP, Vista) ? You got me curious now, gotta try this in a
lab or VM environment to see

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 2:34 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

I don't see where anything has changed on pc1, and I've tried this with
several computers and I'm not seeing any difference.  Maybe a needed service
on pc1 or server1 has been disabled or corrupted?


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 1:47 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Well, if the PC1 is a member of the domain computers and you're a domain
administrator then you *should* be able to enumerate the local PC users 
Groups.  Can you login locally to PC1 to check users and groups to see if
anything has been changed or deleted  ?

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 1:20 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

If I follow you, you're saying create a group at the domain level and add a
user from a workstation into the domain group?

I already have a group that has access for other reasons, when I attempt to
add \\pc1\user I get name is not valid.  I could add the computer object,
\\pc1, but the application is not using the system account.  I don't know
how to add a local machine user to a domain group.


-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 1:03 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

H, could you not just make a group that has the required rights to the
share, and then explicitly add the local user from PC1 to the group ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:58 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

I have been able to duplicate the 'problem' so here is a more detailed
user issue:

I am also a member of Domain Admins and Enterprise Admins in our forest.  We
have a simple forest with only one domain.  When I log into \\pc1 with full
rights, I map a drive to \\SERVER1\Share and right click folder1 to gain
properties I can click ADD to add a user or group to the security rights
list, and then click on LOCATIONS to pick users from a specific location.
In the results I see the server hosting the share, SERVER1, and the AD
structure.  NOT the local \\pc1 as a choice.

I am told that I should see the local computer as a choice and be able to
select users that are local to the local computer.  Is that correct?

The account in question is the IUSR_pc1, which is a web user that needs to
write code to the file share.



-Original Message-
From: Erik Goldoff [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:45 PM
To: NT System Admin Issues
Subject: RE: Can \\pc1\user has rights to \\pc2\share\folder1?

Are you *sure* the user is part of the local PC1 security and NOT part of
the Domain logging in from PC1 ? 

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2008 12:37 PM
To: NT System Admin Issues
Subject: Can \\pc1\user has rights to \\pc2\share\folder1?

If I am on a computer, call it \\pc1 and map a drive to \\SERVER1\share
could I then right click a sub folder to the mapped drive, call it
\\SERVER1\share\folder1 and look at the properties for the folder1, ADD a
user or group and then click LOCATIONS to add
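
An added illustration, not part of the thread and not any list member's code: a folder ACL stores each trustee as a binary SID, and SERVER1 can look up only SIDs issued by its own account database, by the domain, or from the well-known set. The sketch decodes binary SIDs and classifies them on that basis for the single-domain setup described above; every SID, RID and function name is constructed for the example.

```python
import struct

# Constructed sample values (not from the thread): one issuing authority per
# account database that matters in the scenario.
SERVER1_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # SERVER1's local SAM
PC1_SID = "S-1-5-21-1010101010-2020202020-3030303030"      # pc1's local SAM
DOMAIN_SID = "S-1-5-21-1234567890-2345678901-3456789012"   # the single domain


def sid_to_bytes(sid):
    """Encode a string SID into the binary layout an ACE stores."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(raw):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def issuer_and_rid(sid):
    """Split an account SID into (issuing authority, RID). Returns None for
    SIDs that are not S-1-5-21-x-y-z-RID, such as Everyone or BUILTIN groups."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None


def classify(sid, server_sid=SERVER1_SID, domain_sid=DOMAIN_SID):
    """Say where the machine holding the ACL would have to look the SID up."""
    split = issuer_and_rid(sid)
    if split is None:
        return "well-known"        # same meaning on every Windows machine
    issuer, _rid = split
    if issuer == server_sid:
        return "local-to-server"   # found in the server's own SAM
    if issuer == domain_sid:
        return "domain"            # found by asking a domain controller
    return "foreign"               # issued by some other machine's SAM


def audit_acl(aces, server_sid=SERVER1_SID, domain_sid=DOMAIN_SID):
    """Return (sid, rights, classification) for each (raw_sid, rights) ACE."""
    report = []
    for raw, rights in aces:
        sid = parse_sid(raw)
        report.append((sid, rights, classify(sid, server_sid, domain_sid)))
    return report


# Constructed ACL for \\SERVER1\share\folder1; the RIDs are made up.
SAMPLE_ACL = [
    (sid_to_bytes("S-1-5-32-544"), "FullControl"),         # BUILTIN\Administrators
    (sid_to_bytes(DOMAIN_SID + "-1105"), "Modify"),        # a domain group
    (sid_to_bytes(SERVER1_SID + "-500"), "FullControl"),   # SERVER1\Administrator
    (sid_to_bytes(PC1_SID + "-1003"), "Write"),            # stands in for pc1\IUSR_pc1
]

if __name__ == "__main__":
    for sid, rights, kind in audit_acl(SAMPLE_ACL):
        print("%-50s %-12s %s" % (sid, rights, kind))
```

The same RID under two issuers is two different accounts, which is why the pc1 entry is the only one reported as foreign when the ACL is evaluated from SERVER1's side.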

RE: DRAC Issue

2008-06-05 Thread Stephen Wimberly
Not sure if this is relevant since my issue was a PE2650, not a PE2950...
they are much different... but if it helps go for it.

We had three PE2650 servers and one RAC was flakey from the start, called
DELL several times to no avail.

The resolution:  Upgrade the DRAC firmware via a DOS boot diskette rather
than the Windows Update version of the same software.  Upgrading it with
their packaged for windows updater just didn't function.


-Original Message-
From: Jon B. Lewis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 03, 2008 9:09 AM
To: NT System Admin Issues
Subject: RE: DRAC Issue

I have done the flash in BIOS thing both ways.  No luck either way.  I
wasn't at all familiar with the racadm until yesterday.  Still don't claim
to be an expert but I figured out the firmware update process (even had
success with it on a working card so I was sure I was doing it
right) but still no luck.  I've tried the Windows installer and the command
line thing with no luck on either.  I'm going to see if my on-site person
can swap some cards around and see where I get.  

Jon Lewis


-Original Message-
From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2008 7:46 AM
To: NT System Admin Issues
Subject: RE: DRAC Issue

Sounds like you already checked this, but I know I've had trouble updating
the firmware on these if I had disabled the flash in the bios (#3), so you
might check that out, along with the USB mention while you're in there.

That being said, I've had 2 of these cards fail in the last 9 months, each
one in a different way--they were both from a set of 3 servers we purchased
around last September/October and we have about 12 PE 2950s total.  Neither
had partly responded like yours is doing, but I wouldn't rule it out as a
symptom.  One hung the entire system when rebooting to the point that the
card had to come out of the slot to boot at all.
Another one I found had quit working when the firmware wouldn't update at
all--Noticed that it would quickly report an error shortly after the bios
screen during booting, but it blipped right past and booted anyway (unlike
the first failure).  Went through a similar rigamarole on the phone before
they sent a new card on the second one.  I'm not very familiar with
racadm--I usually do the Windows-based firmware updates, but the Dell tech I
spoke with tried updating the firmware with something command-level as well,
which would also fail--have they tried that on yours?

One thing of note that I mentioned to the tech after the second call is that
the DRAC card has two green lights on it inside the case and I noticed the
bad ones only had one green light that was coming on.
Once the good one was in, both lights come on (I think one blinks, but I
don't recall exactly).

-Bonnie

-Original Message-
From: Jon B. Lewis [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2008 6:30 PM
To: NT System Admin Issues
Subject: DRAC Issue

Does anyone know why a DRAC (2950 server if that matters) won't display the
web interface?  I can work on it locally with racadm but I can't connect to
it remotely via racadm.  I can also SSH into it and run racadm commands.
The firmware is outdated but I can't get the firmware to update and I've
tried several different ways.  We've cut the power to the server and
reseated the card.

When attempting to update the firmware I get this business.  As near as I
can tell each of these conditions are met.

1. Appropriate IPMI and managed node drivers must be installed and enabled.
2. On Windows, WMI services must be enabled and running.
3. RAC Virtual Flash must not be in use by the operating system
   or another application.
4. USB must be enabled.

I did a chat with Dell Tech Support earlier and he wasn't much help.
Well, no help really.

Jon Lewis




RE: Server Monitor: M$ SCOM or Servers Alive???

2008-05-20 Thread Stephen Wimberly
I've not downloaded the trial yet, so forgive my ignorance when I ask:

One of the main points of interest is just how granular the monitoring is,
for example we rely very heavily on domain DFS with replication.  Recently
the File Replication Service failed and within a few hours we had issues
with critical processes.

SA: can monitor the service and let us know if it stops running.

CAN SCOM monitor different aspects that affect the service, like is it
running into other errors, is disk space getting low, is the staging area
getting full too regularly, in other words can SCOM provide that warm and
fuzzy feeling that the service is actually working like it should.

==

Stephen Wimberly

==


-Original Message-
From: Rankin, James R [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 19, 2008 8:05 AM
To: NT System Admin Issues
Subject: RE: Server Monitor: M$ SCOM or Servers Alive???

We are also a non-profit and with the discounts available we ended up going
for SCOM rather than Servers Alive or other cheaper options. We use Citrix,
VMWare and AppSense amongst other software and it was vital for us to be
able to monitor these from one console, which the MPs make very
straightforward. Personally I was going to use SCE, but we have VMWare
Update Manager which takes care of the WSUS stuff so we ended up going for
the full version of SCOM 2007.

Having said that, configuring SCOM is a bit of a pain if you haven't used
any of the previous incarnations.

-Original Message-
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: 19 May 2008 12:44
To: NT System Admin Issues
Subject: RE: Server Monitor: M$ SCOM or Servers Alive???

I use Servers alive, to monitor about 250+ servers right now. All you need
is time to set it up, but most of the time it will tell me whatever I want
to know. 

And it's a hell of a lot cheaper than SCOM. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Friday, May 16, 2008 2:26 PM
To: NT System Admin Issues
Subject: Server Monitor: M$ SCOM or Servers Alive???

We are looking into Server monitoring with the ability to notify us when
certain services or applications fail.  I have used Servers Alive before,
it's inexpensive and fairly easy to configure.  Although at the nonprofit
higher educational institution I am at we get many Microsoft products at a
severe discount.  Talking with our software sales rep he is pushing me to
consider the System Center Suite, which includes System Center Operations
Manager for both server and critical workstation monitoring.

Anyone like to comment on the benefit of System Center Operations Manager
over Servers Alive for service and application monitoring and alerting???  -
THANKS!

The full Suite he's pushing includes:
System Center Configuration Manager 2007 (we will do this either way)
System Center Data Protection Manager 2007 (Would be a nice add on)
System Center Operations Manager 2007
System Center Virtual Machine Manager (we have no current use for this)






RE: SCOM log review??

2008-05-20 Thread Stephen Wimberly
This might sound nitpicky, but does the server 'pull' the logs or do the
workstations 'push' logs?

Our plan is to put the SCOM server behind a firewall from the workstations.


Server to Workstations: all ports are open, so SNMP will go from Server to
Workstation.

Workstations to Server: only select ports are open and SNMP (161) is closed,
so SNMP from workstation will be ignored at firewall.

==

Stephen Wimberly

==



-Original Message-
From: Tim Vander Kooi [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 19, 2008 1:34 PM
To: NT System Admin Issues
Subject: RE: SCOM log review??

SCOM works great with either V1 or 2 SNMP for your firewall. Server and
Updates logs are collected by default if you are using WSUS for patching.

TVK

 

From: Phil Guevara [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 19, 2008 12:25 PM
To: NT System Admin Issues
Subject: SCOM log review??

 

Can SCOM pull logs for review and auditing?

Firewall Log Review

Server Log Review

Patch Log

 

Our firewall is a checkpoint firewall, could scom pull logs from
non-microsoft products?

 

 







Server Monitor: M$ SCOM or Servers Alive???

2008-05-16 Thread Stephen Wimberly
We are looking into Server monitoring with the ability to notify us when
certain services or applications fail.  I have used Servers Alive before,
it's inexpensive and fairly easy to configure.  Although at the nonprofit
higher educational institution I am at we get many Microsoft products at a
severe discount.  Talking with our software sales rep he is pushing me to
consider the System Center Suite, which includes System Center Operations
Manager for both server and critical workstation monitoring.

Anyone like to comment on the benefit of System Center Operations Manager
over Servers Alive for service and application monitoring and alerting???  -
THANKS!

The full Suite he's pushing includes:
System Center Configuration Manager 2007 (we will do this either way)
System Center Data Protection Manager 2007 (Would be a nice add on)
System Center Operations Manager 2007 
System Center Virtual Machine Manager (we have no current use for this)






RE: Dell OMA SNMP community name

2008-02-29 Thread Stephen Wimberly
Related: Is there a way to install SNMP to a Windows XP workstation via GPO,
MSI, EXE, etc?  Seems each time I must manually configure it via Add/Remove
Programs.

==

Stephen Wimberly

==


-Original Message-
From: Sam Cayze [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 29, 2008 9:46 AM
To: NT System Admin Issues
Subject: RE: Dell OMA SNMP community name

Yes.  The windows 'SNMP Service' service actually handles the SNMP alerts,
so you will change the name there, on the same tab where you specify the
trap.
 
-Sam



From: Oliver Marshall [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 29, 2008 7:49 AM
To: NT System Admin Issues
Subject: Dell OMA SNMP community name



Is there a way to change the snmp community name for snmp messages from dell
open manage on a PE server ?

 

Olly












RE: Server room during a rain shower

2008-02-26 Thread Stephen Wimberly
Once upon a time when I was a desktop support tech I was asked to venture to
a remote location and restart a server... simple enough.

When I arrived I found the building A/C was down.  The server room door had
been propped open, with the lights off.  As I entered the room there was a
low popping noise and I noticed a puddle under my foot.  When I turned on
the light I found that the server room's own A/C was attempting to cool the
entire building, but for some reason the A/C had been positioned in the
ceiling directly above the server rack!  The overflow from the humidity had
been dripping into the back of the CRT monitor, then out all over the half
height server rack and down across the front of the single server inside.

I reached to my left and pulled the electrical cord out of the wall, paged
my boss and sat down to wait for the hardware team, the server team, the
backup team, and everyone else who would not believe my text message!  The
server has decided to take a shower, please send towels ASAP.

==

Stephen Wimberly

==





RE: Backup Exec 12

2008-02-22 Thread Stephen Wimberly
No worries, there is a thread on the support site.  It's not updated with
version 12 yet, but it will be eventually.  I am in no hurry to upgrade ;)


==

Stephen Wimberly

==


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 21, 2008 2:06 PM
To: NT System Admin Issues
Subject: RE: Backup Exec 12

I'm clueless on this one...


Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388


Always do right: Gratify some and astonish the rest.


-Original Message-
From: Stephen Wimberly [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 21, 2008 8:03 AM
To: NT System Admin Issues
Subject: RE: Backup Exec 12

I'm still using 10D, because 11D did not solve the _one_ problem I'm
having... I'm curious if 12 comes with a fix?

When backing up a DFS share that is replicated via FSRM I get the error:
A failure occurred accessing the object list and the job status reports
failed.  I have tried creating reports in the xml format and saving them
to the local server, but this does not stop the error.

Any idea if BE12 can backup a DFS share replicated via FSRM?  What used to
be FRS prior to R2.

==

Stephen Wimberly

==


-Original Message-
From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 20, 2008 3:58 PM
To: NT System Admin Issues
Subject: RE: Backup Exec 12

Just did the upgrade to BUE12.  Now I have another 60 days to my trial.
I'll pass on any issues I find after tonight's jobs run.



Roger Wright
Network Administrator
Evatone, Inc. 
727.572.7076  x388
 

An idle mind is worth two in the bush. 
  
  
From: Roger Wright [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 20, 2008 1:01 PM
To: NT System Admin Issues
Subject: RE: Backup Exec 12 
  
Has it been released?  I'm still in my trial for 11D. 
Roger Wright
Network Administrator
Evatone, Inc. 
727.572.7076  x388

Go directly to jail.  Do not pass Go, do not collect $200. 
  
  
From: Stefan Jabs [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 20, 2008 8:48 AM
To: NT System Admin Issues
Subject: Backup Exec 12 
  
Has anyone installed v12? Any problems? 
  
__
Stefan Jafs 
  
  
  
  
  







RE: Backup Exec 12

2008-02-21 Thread Stephen Wimberly
I'm still using 10D, because 11D did not solve the _one_ problem I'm
having... I'm curious if 12 comes with a fix?

When backing up a DFS share that is replicated via FSRM I get the error: A
failure occurred accessing the object list and the job status reports
failed.  I have tried creating reports in the xml format and saving them
to the local server, but this does not stop the error.

Any idea if BE12 can backup a DFS share replicated via FSRM?  What used to
be FRS prior to R2.

==

Stephen Wimberly

==


-----Original Message-----
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 20, 2008 3:58 PM
To: NT System Admin Issues
Subject: RE: Backup Exec 12

Just did the upgrade to BUE12.  Now I have another 60 days to my trial.
I'll pass on any issues I find after tonight's jobs run.



Roger Wright 
Network Administrator 
Evatone, Inc. 
727.572.7076  x388 
 

An idle mind is worth two in the bush. 
  
  
From: Roger Wright [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 20, 2008 1:01 PM 
To: NT System Admin Issues 
Subject: RE: Backup Exec 12 
  
Has it been released?  I'm still in my trial for 11D. 
Roger Wright 
Network Administrator 
Evatone, Inc. 
727.572.7076  x388 
 
Go directly to jail.  Do not pass Go, do not collect $200. 
  
  
From: Stefan Jabs [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 20, 2008 8:48 AM 
To: NT System Admin Issues 
Subject: Backup Exec 12 
  
Has anyone installed v12? Any problems? 
  
__ 
Stefan Jafs 
  
  
  
  
  







RE: Altiris, Zenworks, LANDesk, SMS...decisions decisions

2008-01-21 Thread Stephen Wimberly
I've not seen a single plug for LANDesk in this thread, sorry if I missed
it.  

We just went with LANDesk, and where I don't feel I have enough experience
with it to compare it with the ZENWorks I used at my last job (which I
loved!) I will have to say we chose LANDesk largely because it was more
impressive in the cross platform category as we have a great deal of
Macintosh machines, some Linux stations and of course the ever present
Microsoft flavors.

One of the main things we wanted was the ability to image workstations of
any platform.  LANDesk makes claims to do this and was able to demonstrate
this in a dog and pony show for us.  To image a Macintosh requires an
Apple server in addition to the existing MS Servers which do the other OSes.

SMS was ruled out and not considered because it required third party plug
ins for the MAC support.

For software distribution and inventory all products seem rather similar.

==

Stephen Wimberly

==


-----Original Message-----
From: Rod Trent [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 18, 2008 12:21 PM
To: NT System Admin Issues
Subject: RE: Altiris, Zenworks, LANDesk, SMS...decisions decisions


I suspect folks would consider you a unique individual.

 

From: HELP_PC [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 12:18 PM
To: NT System Admin Issues
Subject: R: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

 

Not Symantec apologist. But as I use many of their products since many years
I cannot complain having more issues than I had with MS(i.e.) or Adobe

 

GuidoElia

HELPPC

 

 



From: Tim Vander Kooi [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 17:48
To: NT System Admin Issues
Subject: RE: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

No question, just Guido being a Symantec apologist.

 

From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:41 AM
To: NT System Admin Issues
Subject: RE: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

 

Not sure I understand the question.

 

From: HELP_PC [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 10:25 AM
To: NT System Admin Issues
Subject: R: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

 

Opinion on using or just a firing to Symantec ?

 

GuidoElia

HELPPC

 

 



From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 16:03
To: NT System Admin Issues
Subject: RE: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

Reed Porter is about the only individual I know who still uses Altiris.  I’m
sure there are more, but it’s now more hit-and-miss, it seems.  I really
don’t know if that’s a Symantec-issue or not.

I’m sure Reed would be willing to help you out offline.  Let me know if you
need this and I can set it up.

BTW: There was a recent poll on the Symantec acquisition of Altiris.  You
can view the results:

http://www.myitforum.com/absolutepm/polls/symalt.asp 

 

From: Tom Miller [mailto:[EMAIL PROTECTED]
Sent: Friday, January 18, 2008 9:50 AM
To: NT System Admin Issues
Subject: Re: Altiris, Zenworks, LANDesk, SMS...decisions decisions

 

 

Zen uses MSI format now, so I'd only have to create a pointer in the new
package, whatever that is.

 

Looks like Altiris is now owned by Symantec.  Any issues with support?  

 Bryan Garmon [EMAIL PROTECTED] 1/18/2008 9:47 AM 
It's worth noting for your consideration that while there is the cost of the
software itself, I assume you're using Zenworks packages for software
distribution. If you choose to switch vendors, you'll more than likely be
rebuilding all of your application packages into a non Zenworks format
(possibly MSI or exe). This could be a significant undertaking depending on
how many application packages you have and might be good enough reason to
stick with Zen.

I'm biased toward Altiris but it will probably be the more expensive of
them.

-----Original Message-----
From: Tom Miller [EMAIL PROTECTED]
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Altiris, Zenworks, LANDesk, SMS...decisions decisions
Date: Fri, 18 Jan 2008 08:35:39 -0500


Hi Folks,

I'm currently using Novell's Zenworks for workstation and user management
here (imaging, ghosting, remote control, inventorying, application
deployment, user and workstation management).  There is a new version out
and it looks great.  But, before I purchase Zenworks can those of you who
use LANDesk, Altiris, and SMS give me some feedback on
what you like/don't like about those products?   All of these products
seem to provide similar functionality.  One big thing for me (as my
organization is not-for-profit) is that Microsoft has non-profit licensing
that is so much less than the other three, and cost is a factor here.  But
Zen does a lot

RE: AD Script

2008-01-10 Thread Stephen Wimberly
Upgrade servers to 2003 R2, using FSRM (File Server Resource Manager) create
DFS (Distributed File System) name for \\domain\home to point to the
existing \\server1\home.  Use FRS (File Replication Service) to replicate
all data keeping all existing file ownership and security, then change the
login script to \\domain\home\%username% then once all data is replicated to
both servers add \\server2\home to the DFS as another namespace; then kill
the \\home\server1 namespace at your leisure and lastly, kill the FRS before
you kill the server1.

I've been using DFS and FRS for years and it's been a wonderful way to
standardize the login scripts, while providing server redundancy.  I've yet
to have a problem with it!

*** READ THE WHITE PAPERS! FSRM FRS DFS *** 

==

Stephen Wimberly

==


-----Original Message-----
From: Michael Adamson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 09, 2008 11:41 PM
To: NT System Admin Issues
Subject: AD Script


Hi

 

I need to change my AD users' home folders from \\server1\home\username\
to \\server2\home\username. Can someone share a script that can do
this for me?

 

Thanks Michael 

 

Michael Adamson | Network Analyst - Australia/NZ | Health World Ltd
741 Nudgee Rd Northgate 4013| Tel: +61 (7) 3117 3378 | Fax: +61 (7) 3117
3399 | Email: [EMAIL PROTECTED] | Website: www.healthworld.com.au

 












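The question above asks for a script to repoint AD home folders, and the reply suggests a DFS path as the target. The following is an added example, not code from the thread or from either poster: it rewrites the home folder attribute only for accounts whose path sits under the old share, saves the old values for rollback, and changes nothing unless run with -Apply. It assumes the ActiveDirectory PowerShell module is available and that the \\domain\home namespace already exists with the data replicated; the parameter names and the CSV file name are hypothetical.

```powershell
# Added example, not from the thread: repoint AD home folders at a DFS path.
# \\server1\home and \\domain\home come from the posts; the rest is assumed.
#Requires -Modules ActiveDirectory
param(
    [string]$OldRoot     = '\\server1\home',          # per-server share in use today
    [string]$NewRoot     = '\\domain\home',           # DFS namespace path
    [string]$RollbackCsv = '.\homedir-rollback.csv',  # hypothetical output file
    [switch]$Apply                                    # without -Apply, AD is not modified
)

function Convert-HomePath {
    param([string]$Path, [string]$OldRoot, [string]$NewRoot)
    $old = $OldRoot.TrimEnd('\')
    $p   = $Path.TrimEnd('\')
    # Match a whole path component so \\server1\home2\... is never rewritten.
    if ($p.StartsWith("$old\", [StringComparison]::OrdinalIgnoreCase)) {
        return $NewRoot.TrimEnd('\') + $p.Substring($old.Length)
    }
    return $null   # path is not under the old share: leave the account alone
}

# Only accounts that have a home folder set at all.
$users = Get-ADUser -Filter 'homeDirectory -like "*"' -Properties HomeDirectory

$changes = @(foreach ($u in $users) {
    $new = Convert-HomePath -Path $u.HomeDirectory -OldRoot $OldRoot -NewRoot $NewRoot
    if ($new) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldHome        = $u.HomeDirectory
            NewHome        = $new
        }
    }
})

# Record the previous values before touching anything.
$changes | Export-Csv -Path $RollbackCsv -NoTypeInformation

foreach ($c in $changes) {
    # -WhatIf stays on unless -Apply was given, so the default run is a dry run.
    Set-ADUser -Identity $c.SamAccountName -HomeDirectory $c.NewHome -WhatIf:(-not $Apply)
}

'{0} account(s) matched; previous values saved to {1}' -f $changes.Count, $RollbackCsv
```

Run it once without -Apply and review the CSV before committing the change; accounts whose home folder is elsewhere are skipped and do not appear in the file.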