Notes from this evening's Exchange 2003 study:
- If possible, install Exchange on a server that does not also run Active Directory.
- You can set permissions on groups of servers by using Administrative groups.
- You can prevent individual accounts from using Outlook Web Access.
- Mailboxes are not created until they are logged into or receive a message.
- You can limit the message size that users are allowed to send and/or receive. I can think of two organizations where I need to implement this setting!
12/27/07
12/26/07
Exchange 1
I've finished studying for 70-620 and plan to take the exam within two weeks. I've started studying for 70-284 (Exchange). This evening's study covered the installation. Exchange 2003 can use up to 3GB of RAM.
12/13/07
Prevent users from clearing IE history
What do you do when you suspect that a user is going to bad sites on a company laptop, but they've cleared their history in Internet Explorer and deny any wrongdoing? You use group policy to prevent them from clearing their history! The setting is in User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> "Disable Changing History Settings" or "Disable Configuring History". Of course, there are other considerations as well (anonymous web proxies or alternate browsers), but this is a neat setting to enable.
Vista 1
Well into studying for 70-620 "Configuring Windows Vista". It's informative and easy. I've enjoyed learning how to use the breadcrumbs while browsing the file structure; finding out what the Windows Defender does (spyware/malware scanner); and basically just becoming a lot more comfortable w/ the OS overall.
12/7/07
Domain trusts
Wow. I set out to establish a domain trust between ServerB and ServerA. The computer name and domain name of ServerA have both been renamed in the past. I ran into problems: the trust wizard thought I was trying to establish a trust w/ the same domain that it was running on (ServerB's domain name matched ServerA's former domain name). When renaming the domain earlier, I had forgotten to run netdom /clean and netdom /end. Before discovering this oversight, I used netdom to update ServerA's FQDN, did a search-and-replace on my DNS files to remove all references to the old domain name, tried tinkering w/ NTDSUtil and ADSIEdit, and felt very frustrated!
After resolving that issue, I received a different error message stating that my target was "not a valid Windows domain". This was solved by adding conditional forwarding to the DNS server in each domain. Now I could establish a trust relationship.
After the two-way trust was setup, all was well for users on ServerB. However, when ServerA users tried to browse ServerB by name, an error occurred "Logon Failure: The target account name is incorrect". Running nslookup on ServerA revealed a problem w/ DNS ("Can't find server name for address x.x.x.x: Timed out"). I manually recreated a reverse lookup zone in DNS on ServerA (now nslookup reported "...Non-existant domain"), ran ipconfig /registerdns, and restarted the NetLogon service. That fixed the DNS problem (hurray!), but not the "Logon Failure".
Eventually, I found that a computer account for ServerB was present in ADUC on ServerA. Deleting that account solved the problem! This exercise has taken about five hours over two days.
After resolving that issue, I received a different error message stating that my target was "not a valid Windows domain". This was solved by adding conditional forwarding to the DNS server in each domain. Now I could establish a trust relationship.
After the two-way trust was setup, all was well for users on ServerB. However, when ServerA users tried to browse ServerB by name, an error occurred "Logon Failure: The target account name is incorrect". Running nslookup on ServerA revealed a problem w/ DNS ("Can't find server name for address x.x.x.x: Timed out"). I manually recreated a reverse lookup zone in DNS on ServerA (now nslookup reported "...Non-existant domain"), ran ipconfig /registerdns, and restarted the NetLogon service. That fixed the DNS problem (hurray!), but not the "Logon Failure".
Eventually, I found that a computer account for ServerB was present in ADUC on ServerA. Deleting that account solved the problem! This exercise has taken about five hours over two days.
12/5/07
Rename a domain
This evening I renamed the domain in a single domain, single DC environment. Thanks to msexchange.org for their article.
- Raised forest functional level to Server 2003
- Made a System State backup
- Executed rendom /list
- Edited the XML file, replacing references to the old domain name w/ the new
- Executed rendom /upload, rendom /prepare, rendom /execute
This completed successfully and triggered an automatic reboot w/ the message "The directory service is shutting down". After the reboot, I ran rendom /clean, rendom /end (this is important!).
Group policy objects are updated with gpfixup /oldDNS:GOLD.local /newDNS:PLATINUM.local /oldNB:GOLD /newNB:PLATINUM.
I still had a problem w/ the GPMC, but I opened it from within ADUC, edited a policy, exited GPMC, and then was able to re-open GPMC w/out any difficulties.
Lastly, restarted an XP workstation and verified that it was automatically updated.
Hurray!
- Raised forest functional level to Server 2003
- Made a System State backup
- Executed rendom /list
- Edited the XML file, replacing references to the old domain name w/ the new
- Executed rendom /upload, rendom /prepare, rendom /execute
This completed successfully and triggered an automatic reboot w/ the message "The directory service is shutting down". After the reboot, I ran rendom /clean, rendom /end (this is important!).
Group policy objects are updated with gpfixup /oldDNS:GOLD.local /newDNS:PLATINUM.local /oldNB:GOLD /newNB:PLATINUM.
I still had a problem w/ the GPMC, but I opened it from within ADUC, edited a policy, exited GPMC, and then was able to re-open GPMC w/out any difficulties.
Lastly, restarted an XP workstation and verified that it was automatically updated.
Hurray!
12/1/07
70-294 - Passed!
I passed 70-294 (42 questions) at Davenport University in Grand Rapids this afternoon. Group policy and AD sites were the primary focus.