Wednesday, December 07, 2005

Windows Server 2003 Access-based Enumeration

Now that we are sporting Windows 2003 SP1 in our production environment, I took a look at the Windows 2003 Access-based Enumeration utility available from Microsoft. In short, this prevents users from seeing folders, files and shares that they don't have rights to access. Coming from a Novell NetWare environment, it's great to see this functionality.

It requires Windows 2003 SP1, and provides either a command-line or a GUI interface to enable the functionality globally or on an individual share basis.

Good Stuff!

Tuesday, November 08, 2005

Vacation and AIX Training

I've taken a break from the Microsoft World to take a trip to Estes Park, CO and then after a brief touchdown at work, off for an IBM AIX class in Houston, TX.

I am trying to study up for the 70-291 exam, but it's a slow-going process.

Tuesday, July 05, 2005

Passed 70-284!

I took the test on Saturday and passed with a 790. Not great, but it's a pass.

I had perfects in:
managing security in the exchange environment
managing recipient objects and address lists

I performed well on:
managing and monitoring technologies that support exchange server 2003
installing, configuring and troubleshooting exchange server 2003

My weak areas were:
managing, monitoring and troubleshooting exchange server computers
managing, monitoring and troubleshooting exchange organization

Mostly my problem was I didn't focus in-depth enough on things that we didn't implement in my organization: ISA and Exchange, Microsoft Cluster and Public Folders in Front-end/Back-end configurations.

To study I had the Microsoft class, the ExamCram 2 book, Self-Test software and converting from GroupWise to Exchange 2003 at my organization.

One last thing, I didn't realize until after the test the large number of Exchange 2003 webcasts out there:

Webcasts

Thursday, June 16, 2005

Terminal Services in Windows 2003

In an effort to provide some file sharing and applications to our China office, I delved into Terminal Server that was built into Windows Server 2003. (My first thought was Windows Sharepoint Services which is free with a licensed copy of Server 2003, but that's another blog entry.)

First decision was whether or not I needed Standard or Enterprise Windows 2003 server. I went with standard since we were not planning for a multi-server implementation. A comparison can be found here.

Installation was painless since it's all built-in components on the Windows Server 2003 CD. I did differ from the recommendations and install the licensing server on the same box, since this was going to be a small implementation.

Speaking of licensing, one really interesting thing I found was that Microsoft was providing a 1:1 licensing match for Terminal Services based on the number of XP Desktop licenses you had when Windows 2003 shipped. Check the bottom of this article.

I only had a few applications to install, one of them being Office 2000 which required a special MST.

I also found Deb Shinder's article on securing Terminal Services in Windows 2000 useful.

Thursday, April 28, 2005

Auto Accept Agent

Now that the majority (almost 700) of our users are off GroupWise and on Exchange 2003, manually handling calendars for Resources such as conference rooms is becoming a pain.

First, I looked at setting this in Outlook 2003, but found it too intensive based on the requirement to set permissions for each user that is going to send appointments to the resource and the Outlook client must be running (so one might have a dedicated desktop running Outlook with all resources).

Next, I looked at Exchange server auto accept agent. It's a COM application that runs on your Exchange server and handles the auto accept on its own. Plus side is that it doesn't use Free/Busy generation to search scheduling, so it's faster, and also the resource doesn't have to be added to the meeting as a resource (i.e. it still works if a user adds the resource in the TO: field). Negatives are that you have a single XML configuration file that will apply to all Exchange accounts you configure to auto accept, so no configuration options down to the mailbox level, and you must also set some AD values and permissions for it to work. (Although they supply a cscript to make this a little easier.)

Check out the documentation here.

Monday, April 11, 2005

Disabled accounts and Exchange

Well, being relatively new to the world of Exchange, I was surprised to find it took more than a single click to resolve situations where a disabled mailbox-enabled account is being re-enabled. I was expecting that once re-enabled, the mailbox would also be set to work, but it turns out there is a little more legwork needed.

Here is the Microsoft KB article on it, which is a bit windy. However, I found the comments at amset.info a little easier to digest.

This is probably not a big deal for most organizations, but since we are also using DirXML and GroupWise doesn't behave this way, I can see some headaches when NDS/eDir accounts are disabled previous to Exchange account access being transferred if needed.

Tuesday, April 05, 2005

DirXML populating

Now that the Novell DirXML Starter Pack is up and running, synching NDS/eDirectory accounts and Active Directory accounts, I needed a way to gradually add existing users to the sync as the desktop group migrated the client from GroupWise to Outlook 2003. Since this would be happening almost every day for over a month, I didn't want to burn too much time in the iManager interface.

My solution was to first export the entire Active Directory forest as a comma delimited file using the Microsoft CSVDE tool. (Here's an overview from Guy Thomas.) I had previously populated the accounts with DirXML, but had removed the driver for a reconfiguring at one point. Desktop wanted the sync to be enabled as close as possible to the migration day anyway, so it actually helped that the accounts weren't entirely linked. I took the CSVDE export and narrowed it down to just the DN, the GUID and the SAMaccount name.

Next step was an import into UltraEdit (kedit is another good editor) and a save. This broke the DN down into fields for each aspect of the context, and allowed me to perform a search and replace on the first part of the DN with the SAMaccount name inside of Microsoft Excel. (This was necessary as the DirXML starter pack uses the Full Name attribute out of NDS/eDirectory for the Common Name in AD, and I was trying to populate the DirXML attribute on NDS/eDirectory).

This left me in the dilemma of how to get a comma delimited file into NDS/eDirectory, and although the developer version of the ICE command line is supposed to support imports from delimited files, I was never able to figure out the right combination of switches. Instead I found a Novell Consulting tool that takes a CSV and generates an LDIF file.

After a little more search and replace to correct syntax and issues such as an Organization unit (O) being an Organizational Unit (OU) in AD, I had a flat LDIF file of all my user accounts.

As the desktop support team serves up a list of users daily, I perform a find on my master list and stage an import LDIF file for ConsoleOne.
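
The conversion described in this post, sketched as an added example; it is not the author's tooling (which was UltraEdit, Excel and a Novell Consulting CSV-to-LDIF utility). Assumptions: the export columns are named DN, objectGUID and sAMAccountName, the GUID is in the X'hex' form, DC components are dropped and the top-most AD OU maps to an O, and the attribute name DirXML-Associations with a bare-GUID value stands in for "the DirXML attribute", whose exact value format the post does not give.

```python
import base64
import csv
import io
import re

# Constructed sample: a CSVDE-style export narrowed to DN, GUID and account name.
SAMPLE_CSV = r'''DN,objectGUID,sAMAccountName
"CN=Smith\, John,OU=Sales,OU=ACME,DC=example,DC=com",X'0a1b2c3d4e5f60718293a4b5c6d7e8f9',jsmith
"CN=Zoë Müller,OU=Büro,OU=ACME,DC=example,DC=com",X'ffeeddccbbaa99887766554433221100',zmuller
'''

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (e.g. 'Smith\\, John')."""
    return re.split(r'(?<!\\),', dn)

def to_edir_dn(ad_dn, sam):
    """AD DN -> assumed eDirectory DN: cn becomes the account name,
    DC components are dropped, the top-most OU becomes an O."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", sam):  # keep DN metacharacters out
        raise ValueError(f"unsafe account name: {sam!r}")
    rdns = [r for r in split_dn(ad_dn) if not r.upper().startswith("DC=")]
    rdns[0] = "cn=" + sam
    if len(rdns) > 1 and rdns[-1].upper().startswith("OU="):
        rdns[-1] = "o=" + rdns[-1][3:]
    return ",".join(rdns)

def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not value.endswith(" ")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_ldif(csv_text, attr="DirXML-Associations"):
    """One LDIF modify record per row. The attribute name and the bare-GUID
    value are assumptions; the post only says 'the DirXML attribute'."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = re.fullmatch(r"X'([0-9a-fA-F]{32})'", row["objectGUID"])
        if not m:  # refuse rows whose GUID is not 16 bytes of hex
            raise ValueError(f"bad objectGUID for {row['sAMAccountName']}")
        dn = to_edir_dn(row["DN"], row["sAMAccountName"])
        records.append("\n".join([ldif_line("dn", dn), "changetype: modify",
                                  f"add: {attr}", ldif_line(attr, m.group(1)), "-"]))
    return "version: 1\n\n" + "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV))
```

Rows with a malformed GUID or an account name containing DN metacharacters are rejected before any LDIF is written, so a bad export line cannot end up modifying the wrong object during the bulk import.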

Friday, March 18, 2005

Admodify.NET rocks!!

Here's a tool that neither one of my AD classes nor anything I had read mentioned: Admodify.

Excellent for bulk changes, I used it to add the appropriate UPN suffix to several hundred accounts that were missing it. I've also used it to modify the display name.

MSExchange.org has a nice write-up on it.

You can download it from Microsoft here. The .NET version is the latest.

Monday, March 14, 2005

Passed 70-294!

Woo Hoo! I passed the 70-294 exam for "Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure" this Saturday.

Here's a rip from MCSE World on my thoughts:

OUTSIDE READING IMHO is a must for this exam.

I took the Microsoft 2269 class, used the ExamCram2 book and used the Self Test practice software and still failed the first time.

You absolutely must read up on:
COM+ Partitions
COM+ Partition sets
Certificates
Terminal Servers and GPO Software installs

Don't focus on these 100%, that's what the main objectives are for, but do expect a question or two.

I even had a good ol' fashioned disk quota question.

I also found Mike Meyers' Passport book on the 70-294 helpful, and in some ways a better overview than the ExamCram2 book.

Sunday, March 13, 2005

Another DirXML tweak

Turns out I still needed to tweak DirXML further for my environment. The templates used by administrators to create new users in eDirectory were creating an "Other User" name that would become the "user name" in AD.

Check out the Novell TID here.

Wednesday, March 09, 2005

Worst week ever or "So you want to use DirXML?"

Have you ever heard of the VH1 show Best Week Ever? Well, that definitely wasn't my last week. Whew! I thought getting DirXML to work and staying on top of participating in a slew of job interviews and Sarbanes Oxley meetings was going to kill me.

I survived and thought I'd share a few of the oddities I hit in my endeavors.

Still being a hybrid Novell NDS/eDirectory and Microsoft AD shop, we were wanting a way to sync the passwords since the pace of our Exchange 2003 migration is preventing our Desktop support from joining the PCs to the domain. If Outlook 2003 would behave consistently for us on password changes for non-domain PCs, it would be a non-issue. Microsoft's solution appears to be their PEWA tool from the Exchange 2003 Resource Kit. Neither MIIS nor Microsoft's tool from their Services for NetWare is an option, as we wanted the password sync to also work from NDS/eDirectory to AD, leaving the Novell DirXML Starter Pack the only option.

Tricky to set up with all the caveats, but it can work in a 2003 AD environment, but must be installed on a 2000 member server. Also, it doesn't handle UPNs out of the box either; you must add a stylesheet. Another one that caught me off guard was that even though I had the sync set to one-way from NDS to AD, a delete in AD would delete the NDS object. Further points of interest were that NMAS must be disabled on the Novell Client. Contrary to the Novell DirXML documentation, I found that changing the password from ConsoleOne would change the password in AD, with the exception being the initial account creation. Lastly, I manually manipulated placement rules to handle the fact that the NDS/eDirectory environment had two high level Organizations (O's) that contained multiple Organizational Units (OU's) that I wanted to sync to AD. Whew!

Oh yeah, I changed the blog name. It's pretty cheesy, but at least more accurately reflects where this thing is headed I think.

Monday, February 21, 2005

Lapse in time.

Okay, so it's been a while since my last post. Between work and trying to move a household of my mom's stuff into an apartment I've been pretty busy.

In trying to reschedule the 70-294 exam I had the joy of finding that Prometric had not used my existing MCP ID; rather, they created a new one. Now I'm going through the pains of trying to get Microsoft to merge them so I can re-schedule the exam and get going again.

I'm also learning the joys of Microsoft hot fixes, as I came to find out after setting up a new Active Directory site on our production forest. Several dcdiag /e tests later and I was wondering what the heck happened. Turns out it's a known bug in a 2003 functional forest (KB832628). (If you are not one of the lucky ones with a way to obtain the fix, leave a message in the blog and I'll help you out.)

Saturday, February 05, 2005

Delayed trendy

Okay, so I go out to study with my wife at the local coffee shop and lug the laptop along so of course I connect to the internet since they have a free wireless hotspot and of course I come here to update my blog.

Damn I sure do feel kinda cheesy sitting here composing. It's actually kind of interesting though to conversation drop on those around me, especially if they are drinking. ;-)

Well, so far I'm at least trying to update this blog frequently, but I don't feel like I'm making much of a useful contribution since this blog lacks any real focus. For now I think I'll keep updating and see where it goes.

In the end I may just try for an IT Professional blog or a MCSE blog.

I will add some more URLs I found that have been helpful in studying:
GP Answers.com
MCSE World

Friday, February 04, 2005

Towel over your head

'K, so I've been pondering exactly what I'm doing with this blog. I was inspired by the Microsoft product-related blogs I stumbled across.

Active Directory Cookbook Blog
MS Exchange Blog

However, I still don't know if this is going to be a bunch of personal stuff, purely an IT professional blog or some hybrid.

Maybe it's purely a distraction from the work grind and something to occupy the last 20 minutes of the work day on a Friday. Heck I haven't even tried to point any friends or colleagues to this link.

Thursday, February 03, 2005

Sunk it!

Well, I was tired of waiting on taking the Microsoft 70-294 exam so I jumped in head first only to sink. I won't say my score, but to me it was well off the mark.

I found the situations in the exam to be much more complex than those that were presented in examples in the Microsoft class, ExamCram2 books or the Selftest study software I used.

I'm going back to the books now, but it may take a while for me to get my confidence back up.

Wednesday, February 02, 2005

Are ya Blackberry'n Yet?!?

After being asked 5 times a day by everyone at work, the Blackberry Enterprise server is up and running. Neat device, especially with products such as sonicadmin out there to handle remote server administration. I can really see though how this could just become a toy or a status symbol for certain users.

Time will tell.

Thursday, January 27, 2005

First Bloggin'

Okay it's been a lousy day for me, but one more closer to Friday. I've been taking a class on Exchange 2003 all week and trying to study for the 70-294 exam at the same time. *whew* I'm ready for a break.

So what do I do? Start a blog .. uh, okay.