Thomas's questions

First caveat: I did not design this network. Most of my recent networking experience is with ASAs; configuring NAT & ACLs there is pretty easy and straightforward. In this case, the engineer who installed the 2911 chose it because, in his words, the ASA didn't support the features he wanted - though I never got a straight answer when I asked which features specifically. In any case, I'm stuck with the 2911 for the time being and configuring ACLs is anything but straightforward.

We have a Cisco 2911 router as our edge device. NAT is set up and working just fine. There are currently no ACLs applied to the external or internal interfaces, so NAT just "works". However, we need to expose LDAPS on one of our servers to the public interface and restrict this to a specific source IP.

The NAT rule for this is the easy part:

ip nat inside source static tcp 192.168.x.x 636 x.x.x.2x 636 extendable

But then we need to restrict this to a specific subnet so we aren't exposing LDAP to the world. And this is where I get in over my head. The moment I apply an ACL to the interface, it kills all traffic, effectively shutting the interface.

ip access-list extended outside-inside
permit tcp x.x.x.x 0.0.15.255 host 192.168.x.x eq 636

interface GigabitEthernet0/1.10
ip access-group outside-inside in

My conclusion is that when there are no ACLs applied to the interface, the router has some implicit rules that allow outbound traffic and associated inbound traffic and which permit traffic based on PAT rules. And that by applying the ACL to the interface I am essentially disabling these "built-in" implicit rules, so I have to create these rules manually to allow outbound traffic and associated inbound traffic. (This isn't how it works on ASAs at all, and it's been 18 years since I took the CCNA so...) I have tried the following with no success:

ip access-list extended outside-inside
evaluate ipoutbound

ip access-list extended inside-outside
permit ip any any reflect ipoutbound

interface GigabitEthernet0/1.10
ip access-group inside-outside out

and

ip access-list extended outside-inside
permit ip any any established

but these aren't working at all and traffic is halted on the interface.

I've tried reading Cisco's documentation, but of course it only shows some basic syntax examples for creating ACLs and is not clear at all on what's happening in this case or why. If I do not apply any ACLs to the interface, then outbound traffic works just fine and the only permitted inbound traffic is either associated with an outbound session or an explicit PAT rule; but this would expose LDAP to the internet at large and that's no bueno.

For reference, the following standard acl is also applied globally.

access-list 10 permit 192.168.x.0 0.0.0.255

So, with an existing NAT/PAT rule ip nat inside source static tcp 192.168.x.x 636 x.x.x.2x 636 extendable, how do I restrict access to this service without stopping all other traffic?

We have a customer with a Windows Server 2016 domain controller. It's a small business so their server infrastructure consists of a Hyper-V host and this DC. The DC hosts file shares and Azure AD Connect for syncing identity with Office 365.

We monitor for event ID 4625 and have an alerting threshold to help us identify potential brute force attacks against the network.

In October of last year we began receiving alerts that the failed logon alert threshold had been exceeded. Upon investigation we have the following description of the problem:

• The failed logon events occur organically whenever our VSS (Datto) backups run or whenever AADC syncs
• Backups succeed and AADC syncs normally with no errors
• There are two accounts that fail to log on:
  • SERVERNAME$ (e.g. the SYSTEM account) whenever the backups run
  • AAD_* whenever AADC runs
• The event STATUS is 0xC000006D - failed username or password
• The event SUB STATUS is 0x0 - Status OK
• The SYSTEM logon failure can be easily replicated by running vssadmin list writers

The list of troubleshooting over the last several months is long. This is not a comprehensive list:

• Uninstall RRAS and WID (including deleting WID folders to ensure permissions are set correctly when roles are reinstalled)
• Clearing SYSTEM credential cache (with psexec & rundll32 keymgr.dll,KRShowKeyMgr - no credentials cached)
• Log in to WID with SQL Server Management Studio and verified database permissions (for LOCALSERVICE and NETWORKSERVICE accounts)
• Adjusting permissions on various registry keys (this did get rid of unrelated CAPI2 & WIDWRITER errors in the application event log)
• Running DCDIAG & reviewing application event logs and clearing up any errors & warnings (including DNS warnings, adding SPNs, and reregistering AD DNS entries, and running a D4 authoritative restore of DFSR to clear up warnings from the server migration)
• Monitoring with sysinternals ProcessMonitor to identify any access denied or other errors (this got me on to adjusting permissions on folders & registry entries to make sure that both LOCALSERVICE and NETWORKSERVICE (the service accounts running the WIDWRITER & other VSS services) had access)
• Verifying service startup type and logon accounts for VSS services & writers, AADC, etc.
• Stopping services and running tests (stopping AADC sync service resolves all logon failures. That's how I narrowed it down to AADC)
• Uninstalling AADC
• Run a repair on SQL Express Local DB
• Calling Microsoft Support using our MS partnership support contract - who said "there's no loss of functionality and you don't have an actual user who can't log on, so we can't help you, sign up for Premier support!" (I'm sorry, does SYSTEM not count as an important user????)
• Banging my head against several walls and many other things

A useful thing learned during all of this

• When uninstalling and reinstalling AADC, running vssadmin list writers continually during the installation process, the errors begin immediately after the SQL components are installed, before the installer has even finished running.
• When SSMS is installed and I log in to a database, I also get failed login events for the dom admin account I logged in with, though my SSMS session seems unaffected.

The problem is clearly related to AADC because I can stop the AAD sync service or uninstall AADC and all failed logon events go away. But uninstalling AADC & deleting AADC folders & cleaning out AADC user accounts & clearing AADC registry entries to try and get a truly fresh install has no effect, the errors return immediately when I reinstall AADC.

At this point I'm at my wits end and I don't know what else to do or where else to even look. I'm hoping someone out there in the aether knows more than I do (likely) or has experienced this before and found a fix.

One final note - the server's DNS name is 9 characters long, meaning that it does not match its NETBIOS name. I don't think this is the cause, but if necessary I can rename the server. It's just a bit of a headache to do for an in-production DC & file server.

I was onboarding a new Surface for a VIP and to get it on the intranet to join it to the domain I entered my own RADIUS credentials at the Windows 10 logon screen. Got the device prepped and onboarded and now I've discovered that Windows remembers these credentials even if I delete the WiFi profile.

Things I have tried

• Delete stored WiFi profile using the Win10 Settings UI when signed in as myself
• Delete stored WiFi profile using a CMD window running as SYSTEM (using psexec)
• Check stored credentials using rundll32 keymgr.dll,KRShowKeyMgr from a SYSTEM CMD prompt
• Delete stored WiFI profile & check stored credentils using rundll32 keymgr.dll,KRShowKeyMgr from a CMD prompt running as PUBLIC (psexec -> SYSTEM cmd prompt, runas /user:Public)

Every one of these steps along the way, I log out and try reconnecting to RADIUS and it just connects without prompting me for credentials, which means it has stored my user credentials somewhere. This also means that when I deliver the laptop to the end user, he won't be able to enter his credentials to connect to RADIUS WiFi from the logon screen until I change my AD password. I cannot "Forget" a WiFi network from the logon screen.

This is in a production AD domain environment. We don't push out RADIUS via GPO, but if that's a solution we can set it up easily enough.

I have a shared mailbox in Office 365 with a shared calendar. Users are granted Publishing Author permission to the calendar folder using Exchange Online PowerShell and these permissions are confirmed using Outlook during troubleshooting.

The problem is that a new user we're setting up can only see the Default permissions, despite being granted the same permissions as everyone else. The user hasn't signed in yet so I'm able to log in to OWA using their account and it shows only the free/busy status for this calendar. If I update the Default permission to show full details, their OWA calendar view updates immediately to reflect the change. But changing their explicit permissions (Publishing Author, Editor, Publishing Editor) makes no difference at all. SharingPermissionFlags is $null for all users with access rights (including Default). So far no other users have reported any problems viewing or accessing the calendar, so this appears isolated to this one new user.

Based on my testing, I don't think this is an issue with folder permissions differing from calendar permissions, though it certainly looks like it. The behavior is exactly as though OWA/Exchange Online doesn't even recognize the user has explicit permissions at all. I conclude this because changing the permissions on the Default user affect this user's view.

In the below (sanitized) screenshot, the first user after Anonymous is unable to view any calendar item details, they can only see availability. All other users have access as expected. Once I set the Default permission to "Reviewer", they can see all details and interact with the calendar as expected. These are Office 365 mailboxes and both the target calendar and the user have Office 365 E1 licenses.

Something else that is extra weird is that when I set the Default permission to "AvailabilityOnly", this user cannot view or interact with the calendar beyond free/busy status. However, when I set the Default permission to Reviewer, this user can fully interact with the calendar with the explicit PublishingAuthor permission we've granted. If I set the Default permission back to AvailabilityOnly, the user again cannot view or interact with the calendar beyond seeing free/busy status.

Has anyone else experienced this and been able to resolve it?

We have a DFS infrastructure with 3 servers and 93 replicated folders. When I run a health report from the DFS Management console, the status of one of these folders is listed as "uninitialized". This folder has previously replicated normally.

Rebooting all 3 DFS servers resolves the "uninitialized" state and the folder appears to begin replicating normally. However, it will fall back into an "uninitialized" state rather quickly, usually within a week.

I've been monitoring this folder in DFS and it does appear that vast numbers of changes will hit this folder in very short periods of time - i.e. the replication backlog will jump up to over 100,000 entries in the early mornings during the weekday. Ordinarily, the backlog goes down quickly over the next couple hours, so I haven't worried about it.

However, this "uninitialized" status now means no replication is taking place at all on servers where the folder has this status. Which means now we have a problem. I haven't tracked down specific files or causes, but I've sent out inquiries to desktop team to help identify what's causing the backlog.

I have found no event log errors related to this folder or status. I thought maybe the high number of file changes on the volume might be causing journal wrap errors, but I haven't found any event logs related to USN journal wrap. The folder does have consistent sharing violations, but these would all ultimately resolve themselves once the files were closed prior to this "uninitialized" problem.

My research has turned up nil, except for possible configuration xml corruption, but in those cases the problem was only with sysvol replication.

My only hypothesis is that DFSR is automatically setting the status to "uninitialized" when the number of differences passes beyond a certain threshold. But I'm not able to test this hypothesis and I can't find any documentation to back it up. And even if it's true, I don't know how I would go about "reinitializing" the folder.

The servers involved are:
A: Sending server, 2008r2, staging quota 25 GB, status: Normal
B: Receiving server, 2008r2, staging quota 175 GB, status: Uninitialized
C: Receiving server, 2012r2, staging quota 25 GB, status: Normal

All three servers are pulling double duty as AD domain controllers. All 93 replicated folders are in the same replication group, so deleting and recreating the RG would be time-prohibitive. When this problem first occurred, a small handful of other folders also showed this status, but only this one folder has had the problem recur after rebooting. The affected folder is 202 GB in size with 547,252 files.

What is causing the folder to become "uninitialized" and how do I resolve this?

-Edit- Some more information. The receiving server rebooted midnight yesterday (~36 hours ago). This brought the folder into "Normal" status and a backlog began generating. When I checked it yesterday, the backlog on this folder was 205,662 files. When I checked today, the backlog is 579,447 files. The folder presently has only 551,706 files. The backlog is bigger than the folder size. The DFS health report says 851,592 files have been received in this folder. So far, no other folders are having a problem like this.

I don't know if the backlog is causing replication to fail, or if replication is failing and causing the backlog, or if there's some underlying database or journal log corruption causing both failed replication and a backlog. Nor do I know how to resolve the problem in either case.

Right now there's a single replication group for 93 folders. I'm about ready to blow it away and configure 93 replication groups. If that doesn't solve the problem, at least it will make it easier to troubleshoot.

We have a customer with a Windows Server 2008r2 RDS farm consisting of 2 session hosts and a single connection broker. We have a GPO that configures session timeouts both as a computer policy and a user policy with loopback processing (merge) which is linked to the OU containing the Session Hosts. The "Active Session" timeout is set to disabled both on the computer policy setting and the user setting. RSOP confirms the GPO is applied to the hosts, both local group policy and the registry confirm the setting is applied. Active Directory user objects are configured with all session timeouts to "Never".

However, active users are still getting disconnected at exactly 8 hours. They can immediately reconnect to their session with no issues.

The 8 hours is woefully exact, to the second. It occurs for multiple users on the network. There is nothing abnormal in the Connection Broker logs nor in the Session Host logs. It's behaving exactly like an 8 hour active session timeout is configured.

Users are connecting from their personal computers off the network through an RDS Gateway. There are no conflicting GPOs. Settings in local computer group policy are untouched.

Since we have a GPO and since AD user objects are configured, what could possibly be overriding my GPO?

I just had a problem with some newly created shared mailboxes not getting properly configured in ProofPoint using an LDAP import. I narrowed the problem down to this AD attribute msExchUserAccountControl being set to 2 (disabled), and the import profile using that attribute to filter out disabled accounts.

I know that when creating a shared mailbox the AD object itself is disabled (AD attribute Enabled = False), and that's a big part of the reason to use shared mailboxes, but why is the mailbox also disabled on the AD object?

We have an ADFS 2.0 instance set up. We use it for 3rd party web app single sign-on. Everything works beautifully with the existing app, App1 with SAML 2.0, including IWA pass-through when users are redirected to our ADFS server.

I just configured a second Relying Party Trust for another application, App2, using SAML 2.0. We're using all of the default ADFS settings, including endpoints. On this application's SAML configuration page, I've told it that our SAML endpoint is "https://adfs.mydomain.com/adfs/ls/". Everything works fine, except that users are prompted for credentials; ADFS is not using IWA for these logins.

I'm testing from a local domain-joined workstation using IE9. Internal DNS points to our local domain-joined ADFS server, external DNS points to our DMZ ADFS proxy. "*.mydomain.com" is in the Trusted Sites zone in IE by GPO and is applied. IWA is enabled in IE. IE clears its cache/cookies/history every time I close it. Both applications are using SP initiated sign-on and both send their assertions to the same endpoint URL on our end.

If I attempt to log in to App2 on a clean session, I'm presented with an ADFS login page. If I enter credentials, I'm logged into the app and can proceed.

If I attempt to log in to App1 on a clean session, I'm immediately redirected to ADFS, IWA is passed through, and I'm logged into the app and can proceed.

If I attempt to log in to App2 in the same session after logging in to App1, I'm redirected to ADFS, the existing ADFS login session initiated by App1 is used, and then I'm immediately redirected to the App2's assertion consumer service URL and given an error page.

My best guess is that I'm missing something in the RPT configuration. All that the SP has given me is their consumer service endpoint URL using a POST binding. I had to guess at the claim rules. The SP doesn't use encryption.

App2 Customer service has been... difficult. Their tech support is overseas, so I only get responses once a day around midnight local time. Most of their responses are standard "copy and paste from the KB". They prefer IdP initiated sign-on, but say they support SP initiated - which seems to be true, since SSO does work on a clean session after logging in on the ADFS login page.

Does anybody know what I'm missing?

About 9 months ago I became sys admin over Active Directory for a company. Today someone submitted a ticket pointing out that our DNS had a stale entry for an authoritative server. My investigation found that in 2012 a branch office had been closed and the domain controller in that office had been decommissioned without running dcpromo and removing the DNS role. I also found about a dozen and a half other static DNS entries from the same subnet that office ran on, which subnet is no longer used by the company.

This isn't the first time I've encountered static DNS entries that are years out of date. Most of these belong to our engineering unit, who will stand up a server in their lab, request us to add it to DNS, then kill the server and never tell IT about it. The majority of these are lab servers that are never joined to our AD domain, so I can't check DNS against computer accounts in AD.

How can I isolate and remove all of these stale static entries?

We're running Active Directory at a 2008r2 functional level. All of our DCs are 2008r2.

We have AD DS security auditing enabled on a Windows Server 2008r2 functional level domain. We use a third party tool to alert us to changes to our administrative group memberships. We recently deleted several service accounts that were members of the Domain Admins security group, but no one was alerted by our third party tool.

I'm trying to determine if there's a fault in our auditing configuration, a fault in the third party tool, or if Windows simply does not log "Member removed" events for security groups when a user in a security group is deleted.

To be more specific, we are looking for a security log event for "A member was removed from a security-enabled [Universal|Global|Domain-Local] group." This is the event that initiates the alert in our application. In this case, the "member" user account was deleted without being explicitly removed from the security group. There is an event logged for "A user account was deleted."

In this case I suspect that Windows will not log the "A member was removed from a security enabled ... group" event because the user account was deleted without being explicitly removed from the security group. I would like to confirm this hypothesis. If my hypothesis is true, then we need to adjust our processes. If my hypothesis is false, and Windows should log this event, then either our auditing is failing or misconfigured, or the application is failing.

Auditing "Account Management" is enabled by GPO. The Admin security groups have the "Success" auditing events added to their security properties. The security log size on our domain controllers is 128mb. I've searched the security event log on the DC for events 4733, 4729, and 4757 and found none, however the event log recycles after only a few hours with all of the activity on our domain.

These alerts have worked in the past for explicit member added and member removed events and no configurations have changed (that I'm aware of, and I'm the AD sys admin).

Maybe as an AD sys admin I should already know the answer to this question.. but nobody knows everything :)

I also asked this question on TechNet, but got no useful responses.

I'm running ADFS 2.0 in Windows 2008r2, connected to a SQL Server 2005 database server. Right now the ADFS server has 5623 TCP connections open to the SQL server (checked via netstat - counted with powershell). This many connections is impacting our SQL server and preventing backups from running properly.

Going off of this question, it seems that ADFS may not be closing its SQL connections, however the connections are all in the "Established" state. This became an issue once before several months ago; if I recall correctly, I resolved it by resetting the NIC (to forcefully kill all active connections). This time around I'm looking at restarting the ADFS services first.

But the question is why is this happening in the first place, and how can I troubleshoot the root cause? I've done quite a bit of research and can't find anything that would point the finger at ADFS - such as a bug or something.

I'm taking over for a prior admin who created several DFS namespaces in our Active Directory infrastructure. The prior admin did not document any of the structure of our DFS, so I don't even know what my DFS namespace servers are. I was able to find one, by logging into file servers one by one until I found a server running the DFS Namespace service - when what to my wondering eyes should appear but 2 namespaces, only one of which is a Domain namespace.

I've been tasked to document our DFS infrastructure, but that task seems impossible if I can't find my namespace servers to begin with.

We are running Windows Server 2008r2 fairly consistently across our entire environment. We have a total of 6 domain namespaces.

:EDIT:
So far I have searched laboriously through the DFS Management MMC Snap-in. I've also tried using DFSUtil. I've also done the obligatory internet searching, with no useful results. I should note that, until I started this job 8 months ago, I had never used DFS before, and until this assignment, I've only done some minor maintenance - adding new folder targets etc. So it's possible I've missed something obvious.

This question kind of got me thinking about fault tolerance in DHCP, so I did a little digging in my current environment and discovered that we only have 1 DHCP server per major site in our company with no redundancy. All of our DHCP servers are virtual with VMWare high availability and regular backups using Quantum VMPro, so in the event of almost any catastrophic crash of our DHCP servers we can still recover inside of an hour.

This would lead me to think that a redundant DHCP server for failover is, well, redundant. But most of my prior experience is in the small business sector where this kind of situation just never comes up. Big business is very different.

Most of our file servers are in the same configuration, except for the few remaining physical server clusters that haven't gotten caught in our virtualization efforts yet.

So in a virtual environment, what are the decision points for adding server redundancy? Examples: When would I add a virtual DHCP standby server? Or create a virtual failover cluster for file servers? I understand that this is probably difficult to answer without enumerating the specific needs of an organization, but I think it's possible to describe a few example situations that would help an SA to be prepared before the need arises.

I'm strictly concerned about fault tolerance and failover - load balancing in this context is totally unrelated.

We have our organization's primary domain (with AD) example.com. In the past, previous admins have created several other zones - such as dmn.com, lab.example.com, dmn-geo.com etc - as well as subdomains and delegates all of which are for different engineering groups. Our DNS right now is a bit of a mess. And of course this causes problems when someone at a workstation in example.com needs to connect to a system in any of these other zones/subdomains, or vice versa (partially because zone transfer and delegation aren't properly configured for most of them).

Our production DNS is integrated with Active Directory, but engineering systems should be isolated from AD.

We're discussing ways of reorganizing DNS and consolidating all of these different entries. I see three different avenues we can take:

• Create a new zone i.e. 'dmn.eng'. This could either be managed by IT, using our DNS servers or engineering using their nameservers.
• Create a new delegate eng.example.com, consolidate engineering DNS into that subdomain, and let the engineers manage the nameserver for the delegate.
• Create a new subdomain eng.example.com with no delegation and manage DNS for the subdomain ourselves.

I favor creating a delegate subdomain and letting the engineers have full control over their own DNS structure within that subdomain. The advantage is that if their DNS doesn't work, it's most likely not my fault ;). However, there is still some ambiguity about responsibility when something doesn't work and it will require coordination with engineering to set up, configure, and administer.

If we do not delegate the subdomain, that means a lot more work for production IT handling non-production DNS (which we've essentially been doing a lot of already). The advantage is that we have full control over all DNS and when something doesn't work there is no doubt about whose responsibility it is to fix it. We can also add delegates, such as geo.eng.example.com, to give engineering more flexibility and control when they need it.

I am really uncertain about the necessity or benefits of creating a new zone, dmn.eng.

So what are the industry best practices and recommendations for situations like this? What solution would be the simplest to implement and provide seamless name resolution between engineering and production? What are some potential benefits or pitfalls to each solution that I may be missing?

To add a little more information, we're a fairly large manufacturing company. These engineers work in R&D, Development, and QA. Labs frequently have their own subnets or whole networks, DHCP, etc. In regards to organization and technology, they are kind of their own little world.

We want to maintain some level of network isolation for engineering labs and networks in order to protect our production environment (reference an earlier question regarding engineers who added engineering DHCP servers as authoritative AD DHCP servers - that should not be able to happen). However, a user at a workstation in a lab will need to access a resource in our production network, or a user at a workstation on our production network will need to connect to a lab system, and this happens with enough frequency to justify a sort-of unified DNS.

The existing delegates already have DNS servers managed by engineering, but there is no communication between the engineers in the different labs where these servers are set up, so the most common problem is failed name resolution between subdomains. Since the engineers own those delegate servers, I can't correct the NS entries to get them talking to each other - hence the advantage of non-delegated DNS wholly owned by IT. But managing DNS for production and engineering is a headache, especially as engineering can make DNS changes on a daily basis. But as BigHomie mentioned in his answer, this probably means engineering will have to hire (or designate) a real DNS admin; and that person and I will have to become fairly well acquainted.

I don't necessarily like the idea of creating a new zone with arbitrary an top level domain name or suffix either, but we already have 5 other zones with arbitrary names so consolidating into a single one is still an improvement. I do know that other companies exist that do have separate top level zones for different groups in their organization, so I'm curious about when that is appropriate and what the advantages/disadvantages of that approach are.

FYI, I've only been at this company for a few months and the previous AD/DNS admin left the company, so I have nothing to reference as to why any of the existing DNS structure exists.

We're rearranging our current office in order to save money on the lease. This will remove a dozen or so conference rooms from use at the end of this month.

I've been asked to configure these resource mailboxes so that they will not accept any requests after March 31st. I thought there was an option in the EMC to edit the resource policy to do something like this, but I might have just been confused about the Booking Window option. In any case, is there an easy way to accomplish this that doesn't require manually creating a "Not available" meeting in each of these calendars?

In our environment we are running Exchange 2010 with NetBackup 7 and Symantec eVault. We have global 25 year retention and no purging policies (insane, but that's what the boss wants). We use eVault to simplify and expedite any legal requests for information.

We discovered recently that for several months, July 2013 - October 2013, multiple mailboxes were not being vaulted in eVault - specifically those for exiting employees. Each of these should have an existing vault up to July. We need to restore the mailboxes from backup with NetBackup and then reconnect them to an AD user object and let eVault vault them so that their vault is complete.

Here's where we run into trouble. Ideally, we want to be able to restore each mailbox exactly as it was before it was deleted in Exchange. The purpose being that eVault will then vault the restored mailbox connected with the existing vault, making a single complete vaulted mailbox. But NBU 7 doesn't support granular restore, so we are required to restore an entire database to get to a single mailbox. But that means creating a recovery database for the restore, which means we have to create a new destination mailbox for the recovered mailbox. This means that eVault would create a new vault store for the recovered mailbox which would not be connected to the existing vault for that user. That means 2 mailboxes to search for a single user, should legal require access.

What I would like to do is restore the database, and then connect the mailbox we need to an AD user object, move the mailbox to its original database, and let it get vaulted. Of course, you can't connect mailboxes in a recovery database, nor can you move a disconnected mailbox.

Does anyone know of any way to restore a mailbox to its original state, with original IDs, after the mailbox and AD user have been deleted?

Perhaps someone here knows eVault better than I do and can tell me if it identifies mailboxes/vaults based on the Exchange GUID or AD GUID or SID? If it identifies by AD, then we would have to restore the AD user object as well as the mailbox - and this job is already annoying as we have over 100 users to restore.

If I need to perform a procedure on an Exchange public folder, such as changing permissions, but I don't have the full path to the public folder (which is required in the -identity parameter for most public folder commands), how do I get that full path?

Some resources I have found have suggested using the powershell get-publicfolder -recurse and filtering the results, but in a large organization with thousands of public folders that command can take hours, if it finishes at all.

The process for terminating users at the company I'm presently working for includes remotely wiping any ActiveSync devices and then removing the ActiveSync relationship. I'm writing a PowerShell script to automate the process and, when I send the remove-ActiveSyncDevice cmdlet after sending the clear-ActiveSyncDevice cmdlet, I get a warning that "the device is waiting to be wiped".

If I remove the device, does that cancel any pending wipe commands?

I've done as much web searching as I can in order to find the answer and I'm just having no luck. I would assume that Exchange would give me a more informative warning if removing the device would cancel the wipe request, but since there's so little detail in the warning I just can't be sure.

:edit:
Just thought I would add a bit more detail regarding the research I've already done.
MS Technet article on remove-activesyncdevice
MS Technet article on clear-activesyncdevice

I have done numerous web searches with multiple search engines using keywords I would expect for this query. I have also searched the Exchange TechCenter on Technet (I have not yet asked this question there). I've also asked several of my colleagues at work, all of whom assume that the wipe command is still processed after removing the partnership, but none of them have any references to back that up.

Back story.
So we had a development engineer (who just happened to have access to a domain admin account) who set up a handful of DHCP servers on our domain. This caused headaches, as the new DHCP servers were authorized on our domain and made authoritative.

These servers are temporary and are being moved to another third-party site. We've cleaned up the headaches and worked out a timeline to unauthorize them before the move. My job is to unauthorize the servers when the time comes to move them and to clean up any leftovers.

One server has already been decommed (role removed and removed from domain). That means this has to be my order of operations (for the first server):
1. Remove DHCP serve role from rogue server.
2. Remove rogue server from our domain.
3. Unauthorize rogue server in DHCP mmc.
I would prefer to unauthorize the server before removing the role from it. I can do so with the other 2 servers that are moving at a later date. Moving on...

Another sys-admin was working this before me, she expressed concern that AD would sync AD information/objects with the DHCP servers. I'm not aware of AD syncing anything to a DHCP server, but this other sys-admin mentioning it has me (and my manager) worried. My manager wants to be completely sure that there is no AD data on the rogue servers once they are decommed and moved out, including any references to the domain account that the DHCP service was running under. It seems rebuilding the servers (to cleanly eliminate any security worries after moving them off-site) is not an option. I do not (yet) know which version of Windows Server they are running.

So the question(s):
What needs corrected or cleaned up with the order of operations?
Is there any AD data (including logs, though their location is usually pretty standard) that I need to clean up from the decommed DHCP servers?
Will there be any references to the domain account that the DHCP service ran under and where will I find those to clean them?

I have two separate web servers with two different internal IP addresses on a network with only one public IP address. One is Windows Small Business Server 2011 and the other is a new e-mail encryption gateway appliance.

I have subdomains configured for remote.domain.com and securemail.domain.com both pointing to the same public IP. I need both of these subdomains to point to the correct internal server both on port 80.

I've configured forward lookup zones on the SBS server pointing to the appropriate IP addresses. I have a SonicWall NSA 220 firewall. I had firewall rules to redirect 80 to the SBS server, but I've set up an overriding rule to redirect 80 to the gateway appliance until I can get both services operating concurrently.

I referenced this thread, but my situation is different enough that the responses to it don't apply.

Thanks in advance!