Kara Marfia's questions

Our organization is very comfortable with the idea of homing the IIS portion of a user app in the DMZ, which authenticates them to connect inside. This is clearly not the roadmap for RDS 2012. We're not going to get the go-ahead to create any kind of DC in the DMZ, and putting a domain member out there seems to defeat its purpose entirely.

I'm really at a loss for a direction at this point, as putting the Gateway role in the DMZ as a domain member seems to be the closest MS-supported approach to this problem. Is there any way to have my cake (force the users to authenticate before passing them on to LAN servers) and eat it, too (keep AD out of my DMZ)?

Thanks for any input.

Deployment on LAN works without isue. When I add the Gateway role to a DMZ workgroup server, there seems to be no way to refer back to the CB on the LAN, though all communication between the two servers is open, and ping, RDP, WMI, etc all function between the two.

All servers are 2012R2, all ports are open for testing. Documentation for this scenario seems to all focus on 2008.

Should this work?

It's common knowledge on SF that your backups are only as useful as your ability to restore them. So you've revised and documented your backup schedule. You check the logs and/or receive notifications of the results for each backup job.

Now you want to make sure you're never caught with your LTO-pants down, and you're going to do spot-restores from time to time. I realize this will vary DRASTICALLY based on the size & types of data, but I'd like to find out how people are tackling this. Or is primarily just a training issue - making sure that you (or your people) have experience in each necessary restore?

We have lots of questions on how to restore a particular technology type. I'm more interested in how you satisfy yourself that a quick recovery is certain.

Motivated initially by this article, there doesn't seem to be any reason to leave 16-bit execution enabled at all, but particularly on my DMZ, where anything that shrinks the attack surface just makes my day happier.

Disabling this is a snap in group policy - Computer Configuration/Policies/Administrative Templates/Windows Components/Application Compatibility/Prevent access to 16-bit applications

However, does anybody know where to find this in a non-domain joined computer, with only Local Security Settings? Or elsewhere?

Possible Duplicate:
Precached Windows Logins?

I swear I've seen clever solutions to this on SF before, but my search-fu is weak this Monday. Remote user's drive has failed, and I need to ship him a new one. It'd be ideal if I could get his profile to load on this end before shipping. I'd like to avoid changing his password to log him in myself, as he's technologically crippled, and it'll take him a month to get the password reset on his Blackberry.

Edit They're not roaming profiles. I'd just like him to be able to log in to a domain account so that after firing up the VPN, he won't have to re-authenticate to each system.

The only clever fix I could remember was to have the user remote desktop in to load the profile, but he's got no access.

This is referenced in various virtual directories within IIS on our Exchange 2003 server. Googling leads me to believe it's a holdover from Exchange 2000, but that path doesn't function in any way that I can find.

In case it helps, what I'm trying to do is enable replication for public folders to the Exchange 2007 server. Troubleshooting steps for the error I'm getting indicate a problem with the IIS settings for the Exadmin virtual directory. This odd path seems like a good thread to follow.

(tagging is sparse at the moment because I'm not sure to what I'm going to attribute this scrap of history)

Edits... This isn't a SBS server, and we don't have any (though there may have been before my time). It's a 2003 Server with Exchange 2003. There's no M:\ drive, nor anything mapped on that server, though I see this mentioned frequently. Public Folders appear to be functioning, as well as other IIS components (such as ActiveSync) which reference this odd creature.

Just kicking this idea around, and wanted to see if you'll be so kind as to point out the problems I don't see.

If I set up this new HyperV host as a normal domain member, the benefits are obvious. I can manage it through SCVMM, and it's got its own NIC, so the traffic should theoretically be isolated from the dirty, filthy DMZ NIC the VMs will be using.

Obviously I'll want to set up the virtual network as Private, to isolate the host from them completely. I'm trusting the documentation on this - is that naive?

I could be overthinking things, because the thought of having my LAN and my DMZ both plugged into the same physical box makes me twitch, but I don't have any concrete reasons why.

Thanks for your thoughts.

I've got 2 APC Smart UPS 3000's, one of which has the management card (AP9617). They're both currently being used purely for battery backup, and since we've had repeated power issues in this building, I'd love to get some of the servers to shut down gracefully before the juice runs out.

The media is long gone, and documentation seems a bit sketchy on the APC site (I imagine this guy's been long discontinued). I'll see if I can break it down into some straightforward questions.

• What options does the Net card give me? I grabbed the network shutdown software from the APC site, and it refuses to get past the first screen without a 2nd IP address. This is a bit baffling. (I'm able to log in and configure the card directly from its IP, but the options there seem focused entirely on notification)

• Regarding the non-card unit, I'm assuming the RJ54 port labeled USB is only going to work with the cable provided (which was thankfully left in the bag). Am I correct in the disappointing assumption that I can use this to instruct exactly one server to shut down? Any software I should pick up to enable this? I believe 2008 server has already started disaplying a laptop-esque battery meter in the systray.

• Any germane points I've overlooked are most welcome! I'm not afraid to study up anywhere you point me, but I seem to have started chasing my tail.

[edit] I should mention that my primary goal is to get the 2 production virtual servers set to shut down. The DMZ virt server would be a stellar secondary goal. Anyone else I can connect is tertiary (but would still be lovely). Thanks in advance for any pointers!

With the new Exchange boxes going in, I'd like to do some thorough testing on smartphone features, as well as being able to provide salesman-proof documentation (I'm a dreamer). We've got drastic smartphone-creep, and people have been allowed to expect connectivity on everything from iPhones to Q's to Blackberries. (thanks, boss!)

Rants aside, has anyone else out there been cursed with supporting every smartphone on the planet, and are there good emulators out there to allow testing/documentation?

So far, what's out there seems aimed at developers, and I suspect this would make more sense if I were starting with the SDK and working my way outward. Currently, I seem to be in this repeating pattern of downloading & installing a lot of square pegs & round holes.

(using the beginner tag as I have zero idea about these things...)

post-RTFM edit - is this doable without installing Visual Studio and the SDK? I truly don't want to develop, just test. I'm a big Google-fail on this one.

I tend to err on the side of paying too much for quality stuff, but $180 for a standard replacement battery for a Dell laptop makes the $80 knockoffs look pretty tempting. I wouldn't consider it (batteries really aren't something I want to take a chance on getting a refurb with) - but I was so surprised to learn how popular off-brand server rails are, that I thought I'd fling the question out there and see what stuck.

I know that Exchange needs to hold onto sync status information for mailboxes, so I'm hoping I can use a related property to know who's using a smartphone to check mail.

We're still on Exchange 2003 so far. It seems like the nicest method would be a saved query in ADUC, which I could hopefully use to create a distribution group? But whatever you've got is better than what I have, so thanks in advance.

I'll confess this is an area where I'll give it 10-20mb and toss out an "email is not intended for file transfer" whenever a user gripes about having to use FTP.

But a shiny new mail server deserves a rational approach... so what is a non-voodoo method for determining an appropriate limit for attachment size?

(Wavering on whether this is a wiki, or if there's a method that's Just That Good.)

I thought there would be some good guidelines independent of environment, but specifics were called for - so 50 mailboxes, exchange 2007, AD, hardware is TBD. Clients are a 2007/2003 mix, I figured I'd set sent/received to match, just to keep things simple.

I'm attempting to figure out the power/cooling draw for some old servers that I'd virtualized.

Starting with info in this question, I've taken the 880W the old boxes appeared to be drawing (according to the APC logs), and gotten 2765 BTUs/hr, or 1 ton of cooling every 4.34 hours.

At this point I'm scratching my head as to how to figure the cost for cooling. I'm sure that depends on what I'm using to cool. I'd imagine that ambient temperature counts for something at this point, but I'm not sure if it's significant.

[edit] What I'm missing - I believe - is any idea of what 1 ton of cooling costs. Is that a sensible thing to shoot for, or am I barking up the wrong tree? [edit]

In any case, any pointers on what info to gather next, what to do with it, or what's wrong with the above figuring (if applicable) is most welcome.

SCVMM is unable to handle this conversion - just tells me flat out that my Proliant 3000 (yes, go ahead and laugh) isn't a P2V option unless I upgrade it to 2003 server for an online conversion.

Just wondered if anyone had already skinned this cat before I get started.

[edit] I should mention that the eventual destination is a HyperV server, so I'll be putting the poor VM through a SCVMM conversion to VHD, in case that has any impact on the answer.

Update The .vmdk from the Converter works phenomenally ... in vmware player. Converting with either vmdk2vhd or SCVMM results in a machine that freezes during windows load, or a blue screen.

Reading up teaches me that VMWare machines boot to SCSI, and hyper V CANNOT boot from SCSI, which is what the converter is supposed to remedy. So far I've tried removing scsi devices before the conversion (didn't help) and replacing the %windir%\system32\hal.dll with one from a functioning VM of the same OS/patch (no joy).

Any thoughts/ideas?

Based on “Organizational issues” — sore spots of IT? I think it would be fair to say that system administrators need to determine if a place is worth working at. There is a similar well known test by Joel for programmers.

What are the 12 questions system administrators should ask at an interview in order to help them decide if it's a good place to work at?

Following Joel's rules:

1. Questions should be platform and technology agnostic
2. Questions should elicit a simple response such as yes or no

EDIT: Please post one question at a time so we can see what users are voting for.

Old server is windows 2000, and the original setup guy's answer to pretty much everything was C:\ --> Everyone --> Full Control. However, there WAS a setup doc, that seemed to work up to a point.

• Created a local admin com user
• Created COM+ applications referencing that user and some dll's supplied with the site
• Installed .net versions 1.0, 1.1, 2.0 (I've tried running under each version, no change in error)

Server object error 'ASP 0178 : 80070005' Server.CreateObject Access Error /Include/fnLookups.asp, line 10 The call to Server.CreateObject failed while checking permissions. Access is denied to this object.

Line 10 appears to be:

set objClient = Server.CreateObject("fooUser.CfooUser")

I trundle off to the System log and I have:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {280D5CF7-80A4-40AC-844C-FE3653F02FF1} to the user mydomain\myusername SID (mySID). This security permission can be modified using the Component Services administrative tool.

This is progress of sorts, it's picking up the COM app and my ID just fine. I added myself to the "Access Permissions" and "Launch & Activation Permissions" of the My Computer object in dcomdnfg - but my barking seems to be directed at the wrong tree.

I ran through mskb198432 as well as I could, though it seems directed at an earlier version, but no joy there, either.

Any ideas are welcome.

Edit - list of suggestions tried

• Ruled out the x64 difference, running in x32 with the same issue.
• ruled out file permissions
• "give Everyone Local Launch and Activation permissions to be sure it's a COM permissions issue" - done, no joy
• IIS5 Isolation mode enabled

Edit - Is there anything I can look into on the old windows 2k server that may lend some insight?

We're in the middle of P2V'ing most of the network, so the current backup method is likely the worst - the backup agent is still installed on the guest OSs, and the backup device is dutifully pulling them onto tape, one file at a time.

I suspect there's a clever way to script (PowerShell?) a suspend on the VMs, then backup of the .vhd files, and unsuspend the VMs. This seems like it would provide big speed benefits, while losing file-level restore (might be best for things like DCs and app servers).

What methods/policies have you hammered out?

Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a higher tolerance for mixing in some numbers and special characters than they had 5 or 10 years ago.

I'm looking for rules of thumb and/or resources I can use to back up my proposed policy changes. Or even anecdotal info from those with more experience.

(I'm far from a security guru, so if that's just to vague to deal with, let's narrow the question to apply just to internal Windows networking passwords, though I'd be interested in what people are doing in terms of VPN and web service policy)