Wednesday, November 19, 2008

MS Exchange server FAQ3

What's the difference between online and offline defrag?

Online Defragmentation

The online defragmentation process involves automatically detecting and deleting objects that are no longer being used. This process provides more database space without actually changing the file size of the databases that are being defragmented.

Offline Defragmentation

Offline defragmentation involves using Exchange Server Database Utilities (Eseutil.exe). Eseutil is an Exchange Server tool that you can use to defragment, repair, and check the integrity of Exchange Server databases.

When would you use offline backup?

Offline backups will result in consistent database files. When Exchange services are gracefully shut down, all transactions are committed to the database. The resulting databases will be consistent, marked consistent or clean shutdown, depending on what version of Exchange you are running.

What are the 4 types of Exchange backups?

Online and offline back up

When backing up Exchange Server databases, there are four backup types available:

  • Normal (or Full) The normal backup process backs up the directory or Exchange store in its entirety, as well as the log files. To restore from a normal backup, only one normal backup is needed. A normal backup marks the objects it has backed up so that incremental and differential backups have context. This is accomplished by backing up the entire database and all the log files, and then purging the log files.
  • Copy The copy backup is the same as a normal backup except no marking takes place to give incremental and differential context. This means that performing an incremental backup after a copy backup is equivalent to performing it before a copy backup. Use a copy backup to get a full backup of the directory or Exchange store without disturbing the state of ongoing incremental or differential backups.
  • Incremental An incremental backup backs up the subset of the component that has changed since the last normal or incremental backup. Then it marks these objects as backed up. To restore from incremental backups, each incremental backup since the last normal backup and the normal backup are needed. An incremental backup backs up only the log files, and then purges them.
  • Differential A differential backup backs up changes in the directory or Exchange store that have occurred since the last normal backup. To restore from differential backups, one differential backup and one normal backup are required. A differential backup backs up only the log files but does not purge them.
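As an added illustration (not part of the original FAQ and not Exchange code), the following Python model plays the four backup types out against a store's transaction logs and works out which backups a restore to the latest point needs. The log file names, the schedule, and the rule for mixing incremental and differential backups (an incremental supersedes the differential taken before it, because the incremental also captured those un-purged logs) are this model's assumptions.

```python
# Added example (not from the FAQ): a toy model of how Exchange backup types
# treat the database and its transaction logs, and which backups a restore
# needs. Log names such as "E0000001.log" are constructed for the model.

class StoreModel:
    """One Exchange store: a database file plus un-purged transaction logs."""

    def __init__(self):
        self.disk_logs = []   # log files still on disk (not yet purged)
        self.all_logs = []    # every log ever written, to check a restore
        self.backups = []     # backup records in the order they were taken
        self.seq = 1

    def commit(self, n):
        """Commit n batches of transactions; each closes one new log file."""
        for _ in range(n):
            name = "E00%05X.log" % self.seq
            self.seq += 1
            self.disk_logs.append(name)
            self.all_logs.append(name)

    def backup(self, kind):
        """Take a backup of the given kind and record what it captured."""
        if kind not in ("normal", "copy", "incremental", "differential"):
            raise ValueError("unknown backup type: " + kind)
        record = {
            "kind": kind,
            "database": kind in ("normal", "copy"),   # full types copy the .edb
            "logs": list(self.disk_logs),             # every type captures logs
        }
        self.backups.append(record)
        if kind in ("normal", "incremental"):
            self.disk_logs.clear()    # these two purge the logs they captured
        return record


def restore_chain(backups):
    """Return the backups needed to restore to the most recent point in time.

    Copy backups are skipped: they purge nothing, so later incremental or
    differential backups behave as if the copy had never been taken.  After
    the last normal backup every incremental is required, because each one
    purged the logs it holds.  A differential holds every un-purged log since
    the last purge, so only the most recent one after the last incremental
    is needed; a newer differential (or an incremental) supersedes it."""
    normals = [i for i, b in enumerate(backups) if b["kind"] == "normal"]
    if not normals:
        raise ValueError("no normal backup: nothing to restore from")
    chain = [backups[normals[-1]]]
    for b in backups[normals[-1] + 1:]:
        if b["kind"] in ("incremental", "differential"):
            if chain[-1]["kind"] == "differential":
                chain[-1] = b     # this backup also holds those logs
            else:
                chain.append(b)
    return chain


def recovered_logs(chain):
    """Union of the log files the chain replays, in original order."""
    seen = []
    for b in chain:
        for log in b["logs"]:
            if log not in seen:
                seen.append(log)
    return seen


def run_scenario():
    """Constructed backup schedule; returns what a restore would need."""
    store = StoreModel()
    store.commit(3)
    store.backup("normal")         # captures logs 1-3 and purges them
    store.commit(2)
    store.backup("copy")           # captures logs 4-5, purges nothing
    store.commit(1)
    store.backup("incremental")    # captures logs 4-6 and purges them
    store.commit(2)
    store.backup("differential")   # captures logs 7-8, no purge
    store.commit(1)
    store.backup("differential")   # captures logs 7-9, no purge
    chain = restore_chain(store.backups)
    return {
        "chain": [b["kind"] for b in chain],
        "complete": recovered_logs(chain) == store.all_logs,
        "logs_on_disk": len(store.disk_logs),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario ends with the three backups a restore really needs (normal, the one incremental, the latest differential) and confirms that replaying them recovers every log ever written, while the copy backup drops out of the chain exactly as the text describes.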

What is the Dial-Tone server scenario?

Dial tone portability allows a user's mailbox to be moved without having access to any of the mailbox content. This allows an alternative server to house the mailboxes of users who were previously on a server that is no longer available.

  • Streamlining the creation of dial tone mailboxes on alternate servers.
  • Ensuring the users access to the new mailbox, by automatically reconfiguring Microsoft Office Outlook 2007 client profiles.
  • Allowing for the merger of the recovered historical data and the dial tone mailbox data by means of a wizard, or sequence of management shell tasks.

What is DS2MB?

The DS2MB process copies entire sub trees from Active Directory, without changing the shape of the sub tree. This is a one-way write from Active Directory to the metabase; the metabase never writes to Active Directory.

What is the DSAccess service? What is its primary function?

DSAccess implements a directory access cache that stores recently accessed information for a configurable length of time. This reduces the number of queries made to global catalog servers.

What is Forms Based Authentication?

Forms-based authentication (or FBA for short) is a mechanism in Exchange 2003 Outlook Web Access that allows the user to have a more customizable experience of the OWA logon page and usage.

What is the RUS?

The Exchange Recipient Update Service is an important component for a properly functioning Exchange organization. Typically it runs in the background without issue but when problems occur, mail flow suffers and it is important to get it fixed!

What are Exchange Recipient types? Name 5.

An Exchange 2003 recipient is a Windows 2003 user account with a mailbox.

  • Mailbox-enabled user
  • Mail-enabled user
  • Contact
  • Distribution Group
  • Query-based Distribution Group
  • Security-enabled group
  • Mail-enabled Public Folder

In Exchange server 2007

What are Query Based Distribution groups?

A query-based distribution group provides the same functionality as a standard distribution group. However, instead of specifying static user memberships, you can use an LDAP query (for example, "All full-time employees in my company") to dynamically build membership in a query-based distribution group. This reduces administrative costs because of the dynamic nature of the distribution group. However, query-based distribution groups have a higher performance cost for queries whose outcome produces many results.
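Added example, not from the FAQ: a simplified version of the LDAP filter a query-based distribution group evaluates, built with RFC 4515 value escaping, plus a membership evaluation over constructed directory records. The attribute names (employeeType, department), the records, and the two-clause base filter are assumptions; Exchange's real query-based distribution group filter carries more clauses than this.

```python
# Added example (not from the FAQ): building the LDAP filter behind a
# query-based distribution group and evaluating it against constructed
# directory records. Attribute names such as employeeType are assumptions.
import re

# RFC 4515 escaping for values embedded in a search filter; without it a
# value like "Sales)(objectClass=*" would rewrite the query.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(assertions):
    """Simplified QBDG filter: mail-enabled persons plus extra attribute tests.

    assertions: list of (attribute, value); each value is escaped and each
    attribute name is validated, so neither can inject filter syntax."""
    parts = ["(objectCategory=person)", "(mailNickname=*)"]
    for attr, value in assertions:
        if not _ATTR_NAME.match(attr):
            raise ValueError("bad attribute name: %r" % attr)
        parts.append("(%s=%s)" % (attr, escape_filter_value(value)))
    return "(&" + "".join(parts) + ")"


def evaluate_members(records, assertions):
    """Resolve membership the way the directory would for membership_filter().

    String matching is case-insensitive, as Active Directory's is for these
    attributes. Returns the aliases (mailNickname) that qualify, sorted."""
    members = []
    for rec in records:
        if rec.get("objectCategory", "").lower() != "person":
            continue
        if not rec.get("mailNickname"):
            continue
        if all(rec.get(a, "").lower() == v.lower() for a, v in assertions):
            members.append(rec["mailNickname"])
    return sorted(members)


# Constructed directory records standing in for AD user and group objects.
SAMPLE_RECORDS = [
    {"objectCategory": "person", "mailNickname": "alice",
     "employeeType": "Full-Time", "department": "Sales"},
    {"objectCategory": "person", "mailNickname": "bob",
     "employeeType": "Contractor", "department": "Sales"},
    {"objectCategory": "person", "mailNickname": "carol",
     "employeeType": "full-time", "department": "Engineering"},
    {"objectCategory": "person", "employeeType": "Full-Time"},   # not mail-enabled
    {"objectCategory": "group", "mailNickname": "allstaff",
     "employeeType": "Full-Time"},                                 # not a person
]

if __name__ == "__main__":
    want = [("employeeType", "Full-Time")]
    print(membership_filter(want))
    print(evaluate_members(SAMPLE_RECORDS, want))
```

The escaping matters wherever the value in the query comes from an administrator's free-text input: an unescaped value containing parentheses or an asterisk silently widens the membership, which for a distribution group means mail reaching people it was never meant for.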

What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.

SP2 is a cumulative update that enhances your Exchange Server 2003 messaging environment with:

  • Mobile e-mail improvements
  • Better protection against spam
  • Mailbox advancements

What are the main differences between Exchange 5.5 and Exchange 2000/2003?

Exchange 5.5 does not integrate with the NT4 domain or the Windows 2000/2003 Active Directory in a meaningful way. A single user could be associated with several different mailboxes. Exchange 2000/2003/2007 integrates tightly with Active Directory, and there is a 1:1 relationship between mailboxes and AD user accounts.

There are other differences, depending on whether you have a standard or enterprise version as it relates to maximum database size, but the directory integration is probably the biggest difference.

Different Versions of Exchange Server 2003

Exchange Server 2003 Standard Edition

Exchange 2003 Standard Edition is designed to meet the messaging and collaboration requirements of small and medium corporations and for specific messaging server roles or branch offices.

  • One storage group can be created on a server
  • One mailbox store database and one public folder store database that can be accessed by using MAPI and Outlook Web Access
  • Maximum 16-gigabyte (GB) database limit per database (75 GB with Microsoft Exchange Server 2003 Service Pack 2)
  • Exchange clustering is not supported
  • X.400 connector is not included

Exchange Server 2003 Enterprise Edition

Exchange 2003 Enterprise Edition is designed for large enterprise corporations. With Exchange 2003 Enterprise Edition, you can create multiple storage groups and multiple databases. Exchange 2003 Enterprise Edition provides an unlimited message store that removes the constraints on how much data a single server can manage.

  • Four storage groups
  • Five databases per storage group
  • 16 terabyte database limit, limited only by hardware
  • Exchange clustering is supported
  • X.400 connector is included

Distribution list is a term sometimes used for a function of email clients where lists of email addresses are used to email everyone on the list at once. This can be referred to as an electronic mailshot. It differs from a mailing list, electronic mailing list or the email option found in an Internet forum as it is usually for one way traffic and not for coordinating a discussion. In effect, only members of a distribution list can send mails to the list.

The Global Address List (GAL) also known as Microsoft Exchange Global Address Book is a directory service within the Microsoft Exchange email system. The GAL contains information for all email users, distribution groups, and Exchange resources.

The Exchange Server Database Utilities (Eseutil.exe) is a tool that you can use to verify, modify, and repair an Exchange database file. When a database is corrupt or damaged, you can restore data from backup or repair it using Eseutil.

Routing Group: a group set up within Exchange to connect to another mail server.

MIME (Multipurpose Internet Mail Extensions): defines non-ASCII message formats.

MAPI (Messaging Application Programming Interface): the programming interface for email.

What is the Send As permission?

"Send As" allows one user to send an email as though it came from another user. The recipient will not be given any indication that the email was composed by someone other than the stated sender.

How can I send an automatic reply to a person posting to my distribution list?

Create a mailbox, add a rule to that mailbox with the reply you want and add that mailbox to the distribution list.

How can I block emails from a specific domain name?

Open the “Exchange Admin” program, click on “Connections”, go to “Internet Mail Server” and then click on the “Connections” tab. If you have Service Pack 3 installed you will see a “Message filtering” button; click the button, then click on “New” and insert the particular domain name in this format: “@domain.com”. For the change to take effect you must stop and start the IMS in “Services” (found in Control Panel).

How can I block emails from a specific email address?

Open the “Exchange Admin” program, click on “Connections”, go to “Internet Mail Server” and then click on the “Connections” tab. If you have Service Pack 2 installed you will see a “Message filtering” button; click the button, then click on “New”. Insert the particular email address and you are done. For the change to take effect you must stop and start the IMS in “Services” (found in Control Panel).
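Added example (not from the FAQ, and not the IMS code): the matching logic that a filter list in the “@domain.com” / “user@domain.com” form of the two answers above implies, run over constructed messages. Treating a sub-domain as not matched by its parent-domain entry is this model's choice, not something the FAQ states, and the sample addresses are constructed.

```python
# Added example (not from the FAQ): how a sender-filter list with entries of
# the form "@domain.com" (whole domain) or "user@domain.com" (one address)
# classifies senders. Sample addresses and messages are constructed.
import re

_ADDR_IN_BRACKETS = re.compile(r"<([^<>]+)>")


def normalize_address(raw):
    """Reduce 'Display Name <user@host>' or 'user@host' to lower-case user@host."""
    m = _ADDR_IN_BRACKETS.search(raw)
    addr = (m.group(1) if m else raw).strip().lower()
    if addr.count("@") != 1:
        raise ValueError("not a single mailbox address: %r" % raw)
    return addr


def is_blocked(sender, entries):
    """True if the sender matches a filter entry.

    '@example.test' blocks every address in exactly that domain (a sub-domain
    needs its own entry; that is this model's assumption).  'user@example.test'
    blocks one address.  Comparison is case-insensitive."""
    addr = normalize_address(sender)
    domain = addr.split("@", 1)[1]
    for entry in entries:
        entry = entry.strip().lower()
        if entry.startswith("@"):
            if domain == entry[1:]:
                return True
        elif addr == entry:
            return True
    return False


def apply_filter(messages, entries):
    """Split constructed (sender, subject) pairs into accepted and rejected."""
    accepted, rejected = [], []
    for sender, subject in messages:
        target = rejected if is_blocked(sender, entries) else accepted
        target.append((sender, subject))
    return accepted, rejected


# Constructed filter list: one whole domain and one specific address.
FILTER_ENTRIES = ["@spam.example", "noreply@partner.example"]

SAMPLE_MESSAGES = [                                   # constructed
    ("Deals <offers@spam.example>", "Special offer"),
    ("offers@notspam.example", "Newsletter"),
    ("NoReply@Partner.Example", "Automated notice"),
    ("alice@partner.example", "Meeting"),
    ("bob@mail.spam.example", "Hello"),              # sub-domain: not matched
]

if __name__ == "__main__":
    ok, blocked = apply_filter(SAMPLE_MESSAGES, FILTER_ENTRIES)
    print("accepted:", [s for s, _ in ok])
    print("rejected:", [s for s, _ in blocked])
```

The list matches whatever sender address the remote system supplies, which is trivially forged, so entries like these stop nuisance mail from a fixed source rather than establish where a message actually came from.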

What reporting tools are available that can measure Exchange 5.5 usage?

- Promodag Reports – http://www.promodag.com

- Mail Essentials – http://www.gfi.com/mesindex.htm

- MailWatch - http://www.mailwatchex.com

- Seagate Crystal Reports - http://www.seagatesoftware.com

Can an Information store be restored on another server?

The answer is yes: it can be restored on a server other than the one it was backed up from. This is typically the last-resort method of recovering a mailbox or a message. The server where the IS is restored has to be one that is not in use, and it should not be connected to the same organization. Remember that this restores only the IS and not the Directory.

What is the hierarchy of permission on Public Folders?

An administrator can grant permissions to other users on specific public folders or allow them to create top-level public folders. An owner of a public folder (even if he is not the administrator) can allow other users to create sub-folders.

What is the difference between the "Send on Behalf" and "Send As" permissions on a mailbox?

The Send on Behalf permission enables another user to send messages on behalf of the mailbox owner; the delegate’s name appears in the message. The Send As permission is a lot more serious, as one user can send a message and the recipient of that message would see it as if it had been sent by the original mailbox owner. Whereas the "Send on Behalf" permission can be given from the client or the Administrator program, the "Send As" permission can be given only by the administrator.

What is Address Space?

The connectors and the gateways create paths for sending messages outside. The path a connector uses to send a message outside is represented by an address space. A connector must have at least one address space.

What is Replication conflict in case of Public Folders?

A conflict occurs when a message is modified in two or more replicas of the public folder, where each of the modifications is made before the other can replicate.

Can I display the name of the public folder in the Global address list so that the users can post messages by selecting the name?

Every Public folder has an email address and the entry of the public folder is hidden in the Global address list. Double click on the public folder and select the Advanced tab. Uncheck the "Hide from address book" option.

What is ISINTEG Utility?

This utility checks the integrity of the IS. It locates and removes the errors from the Private and Public Information stores (PRIV.EDB and PUB.EDB). This is required to be used when the database is damaged and IS doesn’t start.

What is ESEUTIL Utility?

This utility defragments, repairs and checks the integrity of the Information Store (IS) and Directory. It is used very often in disaster recovery processes and should be used only under an experienced hand. The utility is available in the Windows NT system32 directory.

Some of the users are complaining that their Auto forwards & Auto replies are not reaching the Internet recipients but there is no problem with the local recipients. What’s wrong?

Most probably the options for Auto replies and auto forwards to Internet is disabled under the IMS properties. By default the settings are such that these are disabled. So the auto replies would not reach the Internet recipients but would work locally without any problem.

What is the use of Server Monitor?

Server Monitor can be used to monitor the Exchange server services viz Message transfer agent (MTA). It can be configured so that notifications are sent when the service has gone down.

What is the use of Link Monitor?

Link monitor can be used to verify the connections between various servers and other foreign systems. Link monitor is included in the administrator program.

What is Alerter Service?

This is a handy tool by which computers or users can be alerted of some specific event on the Exchange server, viz. low disk space. This can be set from Control Panel / Server. Click on the Alerts button and type the computer or the user name to send the alerts to.

Why should the IMS message size limits be set?

This could be required because the company has a policy on the message size for security reasons. Also when the bandwidth is scarce, it is a handy tool to ensure that most of the messages are delivered rather than a queue is formed due to one large message. Set the maximum message size limit in the General tab of the IMS property page. This limit is applicable for any message that IMS processes.

PRIV.EDB seems to grow all the time. Even when the mailboxes are deleted there is no change in the file size. What’s wrong?

There is nothing wrong, except that the physical storage space is not released by this database when the objects are deleted viz. a mailbox. This is required to be defragmented before it is too large and a lot of space is wasted. ESEUTIL utility can do this job. Read more about this utility before attempting defragmentation.

What are the PRIV.EDB & PUB.EDB files?

These are the Exchange server databases for the Private Information Store and the Public Information Store respectively.

Can I change the Exchange Organization name?

It can not be done easily and must be avoided. If the need for change is properly evaluated and understood then most probably it would be sufficient to alter the Display name. To do so, select the organization object and use the properties dialog box.

How does the Antivirus API Scan Attachments?

This article is intended to help Exchange Server administrators understand the architecture of the new antivirus application programming interface (API) that is introduced in Exchange Server 5.5 Service Pack 3 (SP3), and possible effects that any third-party software that uses the antivirus API may have. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q263949&ID=kb;en-us;Q263949

Is it possible to connect exchange servers through a VPN connection?

Yes, it is possible.

What components of Exchange can I move off the exchange server machine?

Start with the IMS. Set up a workstation-class machine as an Exchange server, create an IMS, follow the relevant steps to move the SMTP service to another server, then remove the one from your mailbox server. It's a good place to start, and it's a good thing to do because the IMS has been known to stop mailbox servers from time to time.

How do I move a single Exchange server to a machine with the same name?

Check the following document available in the Microsoft Knowledge Base about the recommended way this should be done:

http://support.microsoft.com/support/kb/articles/q155/2/16.asp

Is there a way to encrypt information being passed between two sites using the Exchange site connector?

The RPC connection between Site Connectors (as opposed to X.400 or SMTP connectors) is already encrypted via RPC API calls. However, it's not industrial-strength encryption; it is more security through obscurity. If this is not sufficient, set up a VPN. A VPN in this case is recommended at the firewall level so the servers have nothing to do with the actual VPN itself.

The X400 Connector for Exchange 5.5 is discontinued. Is there anyway how we connect multiple exchange servers over the Internet without this connector?

You can use the IMS (also known as the Internet Mail Connector); in this case you would need to configure a directory replication connector at each end for directory replication. Otherwise, the other option is to upgrade to Exchange 5.5 Enterprise Edition.

I check all the files on my Exchange Server 5.5 regularly. The only file that changes every day is Mapisvc.inf in c:\winnt\systems32

Mapisvc.inf is the file that holds the various services that you can install and how they are configured. In Outlook, when you click Tools>Services>Add, that list of available services comes from the mapisvc.inf file. You can manually edit it if you want, to remove services you don't want the users to install (MS Mail, etc for example)

How do I convert an .ost file into a .pst file for recovery?

There are several third party products that can help with this. One of them is detailed at the following link: http://www.officerecovery.com/exchange/index.htm

I have a Windows 2000 server running exchange 5.5 sp3 and deleted some files I shouldn't (log files) and the information store won't start

Download the Exchange 5.5 Disaster Recovery white paper at the following link: http://www.microsoft.com/exchange/techinfo/BackupRestore.htm

Is it possible to configure Exchange to put in a 'reply-to' address for a Distribution List? So if someone hits 'reply' to a DL post, that reply goes to the list and not to the sender?

You can add send-as permissions to the DL for the originating user, and that will allow the named people to send as (therefore have the Return Address) the DL.

When a user logs in Outlook Web Access, it says that the password will expire in 0 days, and to change it under options. This error does not go away, even after the password changes, nor when the password is set to expire.

There are the following documents available in the Microsoft Knowledge Base about this issue:

http://support.microsoft.com/support/kb/articles/Q190/4/33.ASP

http://support.microsoft.com/support/kb/articles/Q238/4/44.ASP

http://support.microsoft.com/support/kb/articles/Q236/9/09.ASP

I am using Outlook 2000 and when my .pst file reaches the 2Gb size limit the .pst file becomes unusable

Microsoft advise you to look out for third party software that can get your data back. However a quick and efficient method is to install Outlook 98, and open the .pst file using Outlook 98. This way you can split the .pst file in smaller .pst files that can be read by Outlook 2000.

When I set up the 'Out of Office assistant' in Outlook, the auto reply is only generated once. After the first reply I do not get anymore replies.

The Out of Office reply is generated once per sender per out of office period. So if you get the message once, you won't get it again until the user turns off Out of Office, and then turns it back on again.

How do I import a local 'Contacts' list to a Public folder?

Use the File/Import option of Outlook to import all contacts into a folder locally. Then manually copy all the created entries from the local folder to the public folder.

When adding a new mailbox, this error appears: "The object xxx with the directory name 'xx' already exits. Enter a unique alias name on the General property page for this mail recipient"

Check for mailboxes with the same directory name; this is how Exchange makes associations to mailboxes. You may have changed the alias, but a duplicate directory name still exists. The directory name can be found under the "Advanced" tab of the user's mailbox properties; check this for duplicates. You can also specify a directory name explicitly instead of taking the default alias name as the directory name when you create the mailbox.

How do I export an Exchange/Outlook address book to a CSV file?

In Exchange Administrator: Tools > Directory Export

Deleting a group of emails from Outlook 2000 hangs the system, how can this be fixed?

This is a problem brought about by SP3, therefore SP2 and below should not have this problem. Solution: run Optimizer.

How can I search the Exchange DS and find which Exchange mailbox has a particular SMTP alias assigned to it?

1) Run Microsoft Exchange Administrator

2) Click on Global Address List

3) Make sure View/All is checked.

4) Make sure View/Hidden Recipients is checked.

5) Make sure "E-Mail Address (Internet)" is a displayed column. If not, add it by choosing View/Columns.

6) Highlight all rows in the display

7) Choose File/Save Window Contents and save file as "c:\ex1.csv" for example

8) Make sure View/Hidden Recipients is unchecked.

9) Highlight all rows in the display

10) Choose File/Save Window Contents and save file as "c:\ex2.csv" for example

11) Use a tool like Notepad to search the resulting .CSV files for the address you are looking for.
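Added example, not from the FAQ: once the two CSV files from steps 7 and 10 exist, a short script finds the address more reliably than a Notepad search (exact, case-insensitive match on the address column) and can also list which aliases appear only when hidden recipients are shown. The column names and the rows are constructed stand-ins for c:\ex1.csv and c:\ex2.csv; the real export carries whichever columns the Administrator window displayed.

```python
# Added example (not from the FAQ): searching the two CSV exports for an SMTP
# address. Column names and rows are constructed stand-ins; adjust
# ADDRESS_COLUMN to match the header your Administrator window produced.
import csv
import io

# Constructed stand-ins for c:\ex1.csv (hidden recipients shown) and
# c:\ex2.csv (hidden recipients not shown).
EX1_CSV = """Display Name,Alias Name,E-Mail Address (Internet)
Alice Example,alice,alice@example.test
Bob Example,bob,bob@example.test
Helpdesk (hidden),helpdesk,support@example.test
"""
EX2_CSV = """Display Name,Alias Name,E-Mail Address (Internet)
Alice Example,alice,alice@example.test
Bob Example,bob,bob@example.test
"""

ADDRESS_COLUMN = "E-Mail Address (Internet)"   # assumed header text


def load_recipients(csv_text):
    """Parse one exported window as a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_by_smtp(exports, address):
    """Return (file label, display name, alias) for every row whose Internet
    address equals `address`, case-insensitively.  exports: {label: csv_text}."""
    wanted = address.strip().lower()
    hits = []
    for label, text in exports.items():
        for row in load_recipients(text):
            if ADDRESS_COLUMN not in row:
                raise KeyError("%s: column %r not exported" % (label, ADDRESS_COLUMN))
            if row[ADDRESS_COLUMN].strip().lower() == wanted:
                hits.append((label, row["Display Name"], row["Alias Name"]))
    return hits


def hidden_only(csv_with_hidden, csv_without_hidden):
    """Aliases present only when hidden recipients are shown: the hidden
    recipients, which a search of the visible list alone would miss."""
    with_hidden = {r["Alias Name"] for r in load_recipients(csv_with_hidden)}
    without = {r["Alias Name"] for r in load_recipients(csv_without_hidden)}
    return sorted(with_hidden - without)


if __name__ == "__main__":
    exports = {"ex1.csv": EX1_CSV, "ex2.csv": EX2_CSV}
    print(find_by_smtp(exports, "Support@Example.Test"))
    print(hidden_only(EX1_CSV, EX2_CSV))
```

With a real export, read each file with `open(path, newline="")` and pass its contents in place of the constructed strings; the exact match avoids the false hits a substring search in Notepad gives for addresses that merely contain the one you are looking for.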

When message pass through the MTA, is there any cache for storing the message?

Yes, the cache is \exchsrvr\metadata

Contents of the .stm File Are Not Scanned When Using Antivirus API, is there a workaround for this?

The antivirus API that is present in Exchange 2000 Server does not have the capability to properly scan the contents of the streaming media (.stm) file. Because Internet-based clients store the message content in the .stm file in native MIME format, the content is not scanned when the message is accessed by any other client, including MAPI-based clients. For more information about the conditions that must be present for the antivirus API to properly scan message attachments, see: http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q286638

MAPI-Based Tasks Do Not Work with Virus API Anti-Virus Software Running on the Exchange Server Computer, is there a workaround for this?

This issue can occur if these MAPI operations gain access to a large number of attachments that have not been scanned by using the current virus signatures. The MAPI operations do not determine that the attachments are waiting to be scanned; therefore a timeout error message is displayed if the scans are not completed to make the attachments available to the MAPI request in a sufficient amount of time. More information at: http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q264731

What enhancements have been made to the virus scanning application programming interface (API), which Exchange 2000 Server Service Pack 1 (SP1) contains for Exchange administrators and independent software vendors (ISVs)?

This article describes the enhancements to the virus scanning application programming interface (API) that Exchange 2000 Server Service Pack 1 (SP1) contains for Exchange administrators and independent software vendors (ISVs), covering new features, behavior changes, and troubleshooting suggestions. http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q285667

What are the new Performance Monitor counters to assist in troubleshooting virus scanning application programming interface (API)?

Exchange 2000 Server Service Pack 1 (SP1) provides Exchange administrators with Performance Monitor counters to assist in troubleshooting virus scanning application programming interface (API) issues. This article contains a list of the counters and a description of each counter. http://support.microsoft.com/directory/article.asp?ID=kb;en-us;Q285696

What new events have been introduced with Exchange 2000 Server SP1 which relate to the new Virus Scanning API 2.0?

Exchange 2000 Server Service Pack 1 (SP1) introduces many new enhancements to the virus scanning application programming interface (API). One of these enhancements is new virus scanning API-specific event logging. This article contains a list of the new events that are introduced with Exchange 2000 Server SP1 and describes how to enable those events. http://support.microsoft.com/directory/article.asp?ID=kb;en-us;Q294336

Is there any software to interface a Palm device with Exchange?

Please check the following link: http://www.palm.com/support/faq/csemailfaq.html

I am trying to put all the contacts under a Public Folder to be accessible using the LDAP protocol. I checked the DS Configuration and the protocol, both were enabled and the port 389 is also correct. Still I am only able to do an LDAP search on the domain Windows 2000 users' information, but if I try to search a public record it is not accessible.

LDAP can only be used to access directory information, contacts in a Public Folder are not part of a directory, so they aren't accessible.

Where does the time stamp come from in an OWA (Outlook Web Access) 2000 originated message?

In the OWA 2000 options, the user can specify a time zone which is the source of the time stamp.

In Exchange 5.5 you could route domains to another domain through the Internet Mail Connector. For instance, suppose I have "company.com" and I have all my email addresses set up for "company.com". Then I buy the domain "mycompany.com". I used to be able to route all email that went to "mycompany.com" to "company.com" without adding the additional addresses to my users. Is this still possible in Exchange 2000? If so, where?

How it worked in 5.5

In Exchange 5.5, if you wanted to route messages for abc.com and xyz.com to one Exchange org, you could:

  • add the additional domain name to the Routing tab of the IMS
  • tell it to treat mail for xyz.com as

Then any messages delivered to your Exchange users that had an SMTP domain of xyz.com would be delivered.

How it works in Exchange 2000

You cannot add a local domain; there is no Domains node in the UI. The only way to end up creating domains is to:

1. Add recipient policies.

2. Put the domains as an address space on an SMTP connector.

In Exchange 2000 where can you set an administrative email address, such that if an email is sent to a recipient that does not exist or is misspelled, the email message will be forwarded to the exchange administrator.

Go to the properties of your virtual server and go to the 'Messages' tab. Add an entry to "Send a copy of NDRs to".

I have installed Exchange 2000 on my server and set up the SMTP connector. I send a test message from another system to administrator@mydomain.com and it bounces back with an error claiming the system cannot "relay" for administrator@mydomin.com.

The SMTP Connector has nothing to do with inbound mail. Inbound mail is handled by the SMTP Virtual Server.

1. The domain needs to exist as an SMTP rule in one of the Recipient Policies.

2. The address needs to be valid for the user.

3. The SMTP Virtual Server needs to be configured to accept inbound mail from Anonymous senders. This should be the default in RTM, but was not the default earlier. There were also issues with this when Win2K SP1 is not installed.

After that, you need to check the event logs/turn up logging to figure out what's happening.

How can I check if my Anti Virus product is protecting against all threats?

Unfortunately, you can rarely be completely secure. However, the least you can do is check for known threats. A free test zone can be found at: http://www.gfi.com/emailsecuritytest . If your anti virus product catches all the tests you are secure - at least from the known ones.

Do Exchange Anti Virus products protect against Email exploits?

Some do, some don't. Most anti-virus products protect against known viruses only; therefore, if an e-mail virus/attack uses an existing exploit in a new way, it could very well be that your anti-virus product will not detect it. Mail Security for Exchange 2000 has an exploit engine built in.

Do Anti virus products based on VS API scan e-mail at gateway level?

No, anti-virus products using VS API will only scan the information store. Therefore, mail will not be scanned at the perimeter of your network, but rather when it reaches the stores. If you wish to have gateway-level scanning you need to invest in a separate gateway anti-virus product.

What is the recommended way to do Anti Virus on Exchange 2000?

For Exchange 2000 it is recommended that you use a product that supports the new Virus API; the virus API has been specifically designed for anti-virus products to integrate with. Some of the products that integrate via VS API are Mail Security (www.gfi.com/mailsecurity), Panda Software (www.pandasoftware.com) and Trend Micro ScanMail (www.antivirus.com).

What’s the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

What is LSDOU? It’s the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units, in that order.

Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

Where are group policies stored? %SystemRoot%\System32\GroupPolicy

What is GPT and GPC? Group policy template and group policy container

Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.

You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame > User Configuration > Windows Settings > Remote Installation Services > Choice Options is your friend.

What’s contained in administrative template conf.adm? Microsoft NetMeeting policies

How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.

You need to automatically install an app, but an MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

How frequently is the client policy refreshed? Every 90 minutes plus a random offset of up to 30 minutes on workstations and member servers; domain controllers refresh every 5 minutes. Security settings are additionally reapplied every 16 hours even if the GPO has not changed.

Where is secedit? secedit /refreshpolicy was replaced by gpupdate in Windows XP and Windows Server 2003. secedit.exe itself still exists for analyzing and applying security templates.

You want to create a new group policy but do not wish to inherit. Block Inheritance is set on the container (domain or OU) the GPO is linked to, not on the GPO itself. It stops GPOs linked at parent containers from applying, except for links marked Enforced (No Override), which always win.

What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

How do you fight tattooing in NT/2000 installations? You can’t automatically; values written by System Policy stay until something overwrites or deletes them.

How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.

Explain the List Folder Contents permission on the folder in NTFS. Same rights as Read & Execute, but it applies to folders only: it is not inherited by files within the folder, while newly created subfolders do inherit it.

I have a file to which the user has access, but he has no folder permission to read it. Can he access it? Yes, provided he knows the path. By default the Bypass Traverse Checking user right is granted to Everyone, so Windows does not check the permissions on parent folders when a file is opened by its full path; only the file’s own ACL matters. The user cannot drill down to it in My Computer (he lacks List Folder Contents on the parents), but typing the full local path or UNC path into the Run… window opens the file. Removing Bypass Traverse Checking closes this, at the cost of making every open check every parent folder.

For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission.

For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has a Deny for the requested right on the file/folder, the user is denied regardless of Allows from other groups. The one exception is ordering: explicit ACEs on the object are evaluated before inherited ones, so an explicit Allow on the file itself overrides a Deny inherited from the parent folder.
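The two answers above describe the DACL evaluation rule. The following is an added example, not code from the original page, that models that rule in Python: ACEs are sorted into canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), then walked until every requested right is granted or a matching Deny covers a right that is still outstanding. It goes slightly beyond the page by also showing the explicit-Allow-beats-inherited-Deny case and the empty-DACL case. Group names, users and the ACL are constructed for the example.

```python
from dataclasses import dataclass

# Rights bits; real NTFS masks are richer, these three are enough for the demo.
READ, WRITE, EXECUTE = 1, 2, 4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group name (a SID in the real ACL)
    mask: int            # rights this ACE grants or denies
    inherited: bool = False  # True if inherited from the parent folder


def canonical_order(dacl):
    """Windows canonical order: explicit ACEs first, inherited ACEs second,
    and within each tier Deny before Allow."""
    tier = lambda a: (a.inherited, 0 if a.kind == "deny" else 1)
    return sorted(dacl, key=tier)


def access_check(dacl, token, requested):
    """Return True if the token (user plus all group memberships) is granted
    every bit in `requested`. Mirrors the walk the kernel does over a DACL:
    Allow ACEs knock bits off the outstanding set, a Deny ACE that covers any
    still-outstanding bit ends the check with a denial. An empty DACL grants
    nothing (a *missing* DACL would grant everything; that case is not modelled).
    """
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token:
            continue                       # ACE is for someone else
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False               # any Deny on an outstanding right wins
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True                # everything granted; later Denies are never seen
    return remaining == 0


# Constructed sample ACL on a file: two ACEs inherited from the folder,
# one explicit ACE added on the file itself.
USERS_READ = Ace("allow", "Users", READ | EXECUTE, inherited=True)
CONTRACTORS_NO_WRITE = Ace("deny", "Contractors", WRITE, inherited=True)
AUTHORS_WRITE = Ace("allow", "Authors", WRITE)          # explicit on the file
FILE_DACL = [USERS_READ, CONTRACTORS_NO_WRITE, AUTHORS_WRITE]  # storage order, not canonical

# Constructed tokens: each is the user plus the groups the user belongs to.
ALICE = {"alice", "Users", "Contractors"}            # Allow read via Users, Deny write via Contractors
BOB = {"bob", "Users", "Authors"}                    # Allow write via explicit Authors ACE
CAROL = {"carol", "Users", "Contractors", "Authors"}  # explicit Allow write vs inherited Deny write


def demo():
    """Return the effective results for the three constructed users."""
    return {
        "alice_read": access_check(FILE_DACL, ALICE, READ),            # True: Allow is permissive
        "alice_write": access_check(FILE_DACL, ALICE, WRITE),          # False: Deny is restrictive
        "alice_read_write": access_check(FILE_DACL, ALICE, READ | WRITE),  # False: one denied bit is enough
        "bob_write": access_check(FILE_DACL, BOB, WRITE),              # True
        "carol_write": access_check(FILE_DACL, CAROL, WRITE),          # True: explicit Allow beats inherited Deny
        "empty_dacl": access_check([], ALICE, READ),                   # False: nothing granted
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'granted' if result else 'denied'}")
```

The ordering tier is the part that trips people up in practice: an explicit Allow placed on a file by an administrator silently defeats a Deny that was inherited from the folder, which is why auditing effective permissions rather than reading ACLs by eye matters.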

What hidden shares exist on a Windows Server 2003 installation? ADMIN$ (the %SystemRoot% folder), one <drive letter>$ share per fixed disk, IPC$ (named pipes, used for remote administration and enumeration), and print$ once a printer is shared. NETLOGON and SYSVOL also exist on domain controllers, but they are ordinary visible shares, not hidden ones. Hidden shares still require appropriate permissions; the $ only keeps them out of browse lists.

What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Windows 98 can reach the underlying shared folders directly by their UNC paths, but to use a domain-based DFS root it needs the Active Directory Client Extension installed. Windows 2000 and Windows Server 2003 clients support domain-based DFS natively.

Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table (PKT), held in the DFS configuration object in the domain partition, which is then replicated to the other domain controllers.

Can you use Start->Search with DFS shares? Yes.

What problems can you have with DFS installed? There is no file locking across replicas: two users can open the redundant copies of the same file on different replica servers at the same time, each change the contents and save. Replication then propagates only one version, the last one written, and the other user’s changes are lost.

I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.

Is Kerberos encryption symmetric or asymmetric? Symmetric. Windows Server 2003 supports the RC4-HMAC and DES encryption types; AES support arrived with Windows Server 2008.

How does Windows 2003 Server try to prevent a replay or man-in-the-middle attack on the encrypted exchange? Through Kerberos pre-authentication: the client attaches a timestamp to its initial request to the KDC, encrypted with the key derived from the user’s password. The KDC decrypts it and rejects the request if the timestamp is outside the permitted clock skew (5 minutes by default) or has already been seen, so a captured request cannot be replayed later and a party without the shared key cannot forge a fresh one.
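The check described above, as an added example rather than code from the original page. It simulates the encrypted-timestamp pre-authentication exchange on both sides: the client seals the current time under a key derived from its password, and the KDC verifies it, enforces the skew window and keeps a replay cache. The cipher here is a toy stand-in (SHA-256 keystream plus HMAC) for Kerberos’s real RC4-HMAC/DES encryption types, and the password-to-key derivation, the principal names and the 5-minute skew constant are assumptions made for the example; the error names are the ones Kerberos uses.

```python
import hashlib
import hmac
import os

SKEW = 300  # seconds; Windows' default "maximum tolerance for computer clock synchronization"


def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key (assumption for the example; Windows
    uses the NT hash for RC4-HMAC and PBKDF2 for AES)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Not a real Kerberos etype.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_as_req(principal: str, password: str, now: int):
    """Client side: AS-REQ carrying PA-ENC-TIMESTAMP (the timestamp sealed under the user's key)."""
    return principal, seal(derive_key(password), str(now).encode())


class Kdc:
    """KDC side: verifies the pre-authentication data before issuing anything."""

    def __init__(self, accounts: dict):
        self.keys = {p: derive_key(pw) for p, pw in accounts.items()}
        self.seen = set()  # replay cache of (principal, timestamp); real KDCs keep microseconds too

    def handle(self, principal: str, pa_blob: bytes, now: int) -> str:
        key = self.keys.get(principal)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        pt = unseal(key, pa_blob)
        if pt is None or not pt.isdigit():
            return "KDC_ERR_PREAUTH_FAILED"   # wrong key or tampered blob
        ts = int(pt)
        if abs(now - ts) > SKEW:
            return "KRB_AP_ERR_SKEW"          # too old or too far in the future
        if (principal, ts) in self.seen:
            return "KRB_AP_ERR_REPEAT"        # exact replay of an earlier request
        self.seen.add((principal, ts))
        return "OK"


if __name__ == "__main__":
    # Constructed scenario: one legitimate logon, then an attacker replaying the capture.
    kdc = Kdc({"alice@CORP.LOCAL": "P@ssw0rd"})
    now = 1_700_000_000
    princ, blob = client_as_req("alice@CORP.LOCAL", "P@ssw0rd", now)
    print("fresh:   ", kdc.handle(princ, blob, now + 2))
    print("replayed:", kdc.handle(princ, blob, now + 60))
```

One caveat the timestamp does not address: the sealed blob itself is visible to anyone on the wire, and since it is encrypted under a key derived from the user's password it gives an eavesdropper material for an offline password-guessing attack, which is why a strong password policy still matters even with pre-authentication enabled.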

What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash. Both have since been shown to be collision-prone and should not be chosen for new signatures or certificates.

What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

What’s the number of permitted unsuccessful logons on the Administrator account? Unlimited; the built-in Administrator account is exempt from the account lockout policy. Remember, though, that it’s the built-in Administrator account, not any account that’s a member of the Administrators group.

If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? The stored NT hash is just MD4 of the UTF-16LE password, with no salt. A cracker runs a dictionary attack: hash every candidate password the same way and compare the result against the stolen hashes. Because there is no salt, one hashed wordlist serves every account in the dump, identical passwords show up as identical hashes, and precomputed tables work.

What’s the difference between guest accounts in Server 2003 and other editions? The Guest account is more tightly restricted in Windows Server 2003 and is disabled by default; leave it that way.

How many passwords by default are remembered when you check "Enforce Password History Remembered"? The Default Domain Policy on a Windows Server 2003 domain remembers the user’s last 24 passwords; the local security policy on a standalone or workgroup machine defaults to 0, i.e. no history, until you set one.

Questions

Q: I don't see Admin and Routing Groups
A: The display of Administrative Groups and Routing Groups isn't enabled by default. You need to enable it by hand.
Right-click your organisation name at the very top of Exchange System Manager and choose Properties. Tick both boxes, Apply/OK, and you should see the extra containers.

Q: What happens if I don't take the * out of "Address Space".
A: All of your email is sent out via the ISP email server. While this isn't a problem, some people prefer to send most of their email direct.

Q: How can I find my ISPs Smart Host?
A: Look on their web site for the SMTP server. Another good trick is to look for their instructions for Outlook Express. This will usually have their SMTP server listed. Otherwise you may have to call them to find out what it is. While you are on the phone, check whether you need to authenticate when sending only.

Q: My ISP requires authentication to use their SMTP server
A: You need to add a username and password to the SMTP configuration. On the properties of the connector click on the "Advanced" tab. Click on the "Outbound Security" button. Change from anonymous to basic authentication. Click on the "Modify" button and enter the username and password as required.

Q: Why not specify the smart host in the SMTP virtual server?
A: While this option would work if you wanted to send all email out through the ISP email server, it can cause problems. The key issue is if you have more than one Exchange server: a smart host set on the SMTP virtual server applies to everything that server sends, including mail to your own Exchange servers, so intra-organisation mail gets routed out through the ISP as well. An SMTP connector with an address space only affects mail that matches that address space.

Q: I already have a connector to send email through our front-end server/spam server.
A: If you are using a third party server then you will need to look at the configuration to see how to direct email to another machine.
If you already have a connector to route email through a front-end server then add the new connector as indicated above, but only add the Front-End server in "Local Bridgeheads".

Q: Is this an alternative to getting reverse DNS configured?
A: No - you should still get your ISP to make a reverse DNS entry for you if possible. This is good practice for any machine connected to the Internet, and many receiving servers reject or score down mail from an address with no PTR record.

Q: How can I use a connector to bypass my ISPs block on SMTP traffic and use a third party SMTP Server? I don't see where I can set the port.
A: If you need to use an alternative port for SMTP traffic, then adjust the SMTP virtual server first. Another option would be to create another SMTP virtual server, on the same IP address as your main server. Then change its port. Once set, change the SMTP virtual server being used as the bridgehead in the SMTP Connector. By using an additional SMTP virtual server you can leave the default on port 25, which is good for use with additional Exchange servers.

Q: Can I use more than one SMTP Connector with the wildcard?
A: If you have access to two SMTP servers that you can relay email through, you could add both on separate SMTP virtual servers, each with its own SMTP connector. Both connectors would need the address space * with the same cost. Alternatively, set both smart hosts on the same connector, separated by a semi-colon (as indicated above); Exchange then tries them in turn.
