mclark1129's questions

I'm experimenting with using OUs in my network's Active Directory and group policy. However, I'm having a little trouble figuring out the right way to structure my OUs so that I can have individual departments, but also have a higher level management users gain all rights of the departments lower on the organization's hierarchy.

Let's say I have 4 organizational units

• Sales
• Marketing
• Accounting
• Executive

Each department has their own drive mapping, which I set up through individual group policies within the department OUs. However, the one exception to this structure is the Executive department. These are the leaders of the company, so I would like users in this OU to get access to ALL of the drive mappings, not just a single drive. However, since an OU can only have one parent, I don't know how I could set this up so that the Executive OU can inherit the drive mapping policies from all departments.

One thought would be have individual policies for each drive mapping, and then simply link the drive mapping policies to each department I wanted to have access. In this case, the Executive OU would have 4 links, one for each drive mapping. While this makes sense to a certain extent, it doesn't sound like the most maintainable solution. Everytime a department was added, or if additional policies were granted to an existing department, I would need to duplicate this link in the Executive OU as well.

The other thought I had would be to simply use Security Groups as the objects in each OU, and assign departmental users to the security group instead of the OU (e.g DOMAIN\Marketing). However, this does not appear to work the way I expect. Group policies only seem to be applied to a user once they have been added to the appropriate OU, and it does not matter what Security Group they are in.

The only other solution I can think of is to simply move the department policies out of OUs and instead rely on Security Filtering to apply the policies to different Groups. However, this does not seem to be the way that most examples and tutorials handle managing their policy objects, instead favoring these departmental OUs like I've listed above.

What is the proper way for me to structure my Group Policy objects to accomplish what I am after?

I have a very small network with a handful of users and machines. I would like to control which users can access which machines by using Group Policy.

Here is a basic overview of my current setup.

All machines are in the Domain Computers group Two computers are in the Management Computers group. These are used for management employees that have access to more sensitive data.

All users are in the Domain Users group Two users are in the Management Users group. These users have access to everything Domain Users do as well as additional file shares.

I have a Default Computer Policy that I use to apply global settings to all machines on my network. This includes settings such as firewall exceptions for Remote Desktop, and adding Domain Users to the local Administrators group for the machine. This policy applies to the Domin Computers group. I am also setting the Allow log on Locally and the Allow Log on through Terminal Services rights to apply to Domain Users

I have a Management Computer Policy that I would like to use to override specific settings that are in the default computer policy. Namely, I am setting the Allow log on Locally and the Allow Log on through Terminal Services rights to only include the Management and Administrators groups.

All of these policies are enabled and linked to my root domain, I am not using any OUs. I've read that for a network this small, OUs are overkill and should not be necessary. I have set the link order on this domain so that the managment policies are at the top, and the normal user policies are below, ending with the Default Domain Policy.

I would expect that the Log On settings in my Managment policy would override my default computer policy. However, when I look in the Local Security Policy for a computer in the Management Computers group I see the groups specified in my default settings, not the Management Policy. I have tried using gpupdate /force and also restarting the maching, and it does not do the trick. I am able to log in using a user that is just in the Domain Users group.

What am I misunderstanding here, and what should I do to accomplish what I'm going for?

I've set up a virtual network in Windows Azure to host two Linux VMs (Centos / OpenLogic). I've registered a local DNS (local as in the cloud, not my personal network) inside the virtual network. I configured both VMs to use the virtual network and I am able to SSH into the boxes no problem. However, these boxes are not able to resolve external addresses (IP or DNS) and as a result, I am unable to use the package manager to install tools on these boxes. Is there a way that I can configure my virtual network to have an external gateway so that my VMs can access the outside world?

I'm trying to set up a test lab in Windows Azure for a SQL Server 2012 Standard Failover Cluster. When deploying a SQL Server 2012 VM through the gallery, the instance that's created is pre-installed as a standalone instance. From what I understand, there's no way to migrate that into a FCI so I would have to install it that way from scratch.

Is it possible to deploy a SQL Server VM as a Failover Cluster Instance, or even deploying a plain Server 2012 and installing SQL Server from scratch after the fact? All while staying within the licenseing provided to me through Azure?

I have recently upgraded my Poweredge T105 server to use a SAS 6/ir RAID controller. Unfortunately, I did not realize at the time that adding the card would cause the BIOS to complain about a missing hard drive fan. This warning requires that a user press F1 to continue, which is disastrous in a server environment.

I have searched all over found that the specific part I need is a Dell FY606 fan. However, I have yet to find a suitable retailer that covers this part. I have contacted Dell and they do not have this part in stock. Are there any alternative models of a fan that I could use in place of an FY606? Seems like a pretty straightforward part, just a fan that connects to a 4-pin power connector on the motherboard.

Possible Duplicate:
Can you help me with my software licensing question?

I am currently running a trial of SBS 2011 Essentials that has expired. Most of the results I see for SBS 2011 on the internet are for OEM DVDs. Can I use the product key from that to activate my trial, or do I need a different kind of license for it to work?

Thanks,

Mike

I have been trying to set up an SSTP VPN to my SBS 2011 server and have been battling certificate issues the whole way. I've been able to generate a new certificate for my external vpn address, import it into my client machine, and added my server as a Trusted Certification Authority. Now I get the error:

Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.

When I checked the CRL distribution points on the certificate I saw that the only urls were to my internal address, so I added another one that points to my external address (leaving the original internal urls intact). I generated a new certificate, deleted the existing one from my client and imported the new one, and restarted RRAS and verified that SSTP was using my new certificate but I am still getting the same error.

When I view the details the certificate that I imported I see that the new external CDP appears in the list (something to the effect of http://mydomain.com/CertEnroll/MYSERVER-CA.crl) . When I put that into a web browser I get a message saying the CRL import was successful, which lets me know that the URL is accessible from the outside and is online.

I feel like this is the last stop between me and a secured VPN, what am I missing here?

I am running Exchange on an installation of SBS 2003 and I have recently run into a problem where random spam queues began showing up in my SMTP queues. I was first alerted to it because my antivirus software was telling me my server was infected, but luckily I think it's just because the spam contains malicious attachments. One weird thing is that all of the messages in the queue appear to be from '[email protected]' to address on the spammer domain. Does this mean that they are trying to get me to email them sensitive information from my server? At any rate, I need to figure out how to secure my server so that the only people who can send email from my server are authenticated domain users. Does anyone know the best way to lock this down so that only domain accounts can send email, and no one else? Users need to be able to send mail both in and out of the office. Remote email is done through Remote Web Workplace and ActiveSync to smartphones. I am using the Microsoft-Server-ActiveSync web application in my default web site in IIS 6, in case that is providing any security holes for spammers to get through.

Any help is greatly appreciated.

Is it possible to set up a VPN server on a machine running Server 2008 R2, when you only have one NIC? I'm trying to connect to my server with the following setup

Windows 7 -> Internet -> Linksys WRT54G -> Server 2008 VPN

It seems no matter what I try I just can't establish a connection to the server, receiving a variety of 800 and 806 error messages depending on the type of VPN connection it is trying to establish.

I've tried forwarding port 1723 to my server, and have verified that all of the VPN passthrough options are enabled. On my server, the firewall shows port 1723 (PPTP-In) is opened and enabled. Of course, that may be misleading as I've already run into an issue where port 21 was showing as enabled, but it really wasn't open until I ran a command from a command prompt running as Administrator.

This is really making me pull my hair out, I HATE having to leave 3389 open for RDP, or using FTP externally for remote access to files. If anyone has any advice on how I can get this done I would greatly appreciate it.

UPDATE: Even by placing my server in the DMZ, the PPTP connection does not work. Does this mean that the problem is related to my server configuration, and not my router firewall? Is there any additional logging or debugging I can do to more specifically locate the point of failure?

I have a SBS 2003 server with Terminal Services enabled. Currently I am able to RDP to my server by going to www.mydomain.com. I would like to restrict RDP access to my network to be over VPN only. However, I am worried I will accidentally disable RDP to my server completely. How can I configure remote access to only be available when connected to a VPN?

I am running a vsFTP server using virtual users. I chroot each user to their own personal subdirectory. For ease of use I would like to make my usernames case-insensitive, but I am having some trouble because the server always resolves their chroot directory using the exact casing they enter. Obviously this doesn't work because *NIX filesystems are case-sensitive. Is there a way I can specify a value to be lowercase inside of vsftpd.conf (E.G. ToLower($USER))? This way no matter if a user enters JSMITH or jsmith, they will always be chrooted to jsmith/?

I am looking for an affordable remote backup solution for my small business network. I've tried the Seagate Blackarmor 220 in the past and I HATE IT! Essentially the only option it provides me for remote backup is standard FTP (not even SFTP) and even that is spotty and unreliable.

I've been looking into the Synology line of NAS drives, specifically the DS211. What I really like is that it runs rsync, so I would be able to do really good incremental backups using DeltaCopy for Windows and could do my backups over a secure connection. Does anyone have any experience using Synology NAS drives for this purpose?

Also, I plan on this remote drive just living at my house on my home network. It would be behind a home Linksys router, using a 5Mbps / 384kbps broadband connection. Would this setup be sufficient if the incremental backups are relatively small? On average, I estimate the increments would likely be around 50MB. Even in extreme cases, I would expect that the backups would remain under 200MB. My ISP offers a 30Mbps / 2Mbs connection for an additional $20 / month. Based on my needs, and small budget, would this added cost be necessary or would the upgraded connection be a little overkill?

After a power outage, my CentOS server began having a problem where many of the system commands became corrupted. As a result I have been getting messages saying "cannot execute binary file" on critical commands such as rm or mv. Using the linux rescue cd I managed to replace a few of the files to get me back to a mostly working state, but I am still running into issues with lesser-critical commands such as sed or tar. Rather than find and replace each file that may be broken individually, I would like to just go ahead and completely replace or repair these system commands to their default state. I have tried running the upgrade process from my CentOS disc, but this only caused a problem with my initrd file and did not correct any issue with my system commands. Can anyone suggest where I can find a package to reinstall these files without having to reinstall CentOS?

I am using duplicity to create nightly backups of my server over FTP. I wrote a script that does both a local and remote backup and logs the output results. When I run this script as the root user, it executes just fine. However when I set it as a cron job and run it, the script executes but the ftp portion fails. Shortly after I get an error message saying "ncftpls - command not found, please install ncftp 3.1.9 or later" but it is installed! Is there some reason that cron job would not be able to find a command that exists on the machine? Does it have it's own PATH or something like that?

Any help is greatly appreciated,

Mike

I have been pulling my hair out trying to implement a remote backup solution for my Windows server on very limited resources. My off-site storage is a NAS drive that only has FTP capabilities, not SFTP or SSH, so I also require something that will encrypt the files as it transfers them over the Internet. There is not much of a budget for software, and most of the standard server backup solutions run in the hundreds of dollars. So far all of the cheap solutions that I have tested are unreliable or just don't work at all. So far, the closest I have gotten has been Ace Backup 3, but I have been unsuccessful in getting it to backup all of my files properly. Can anyone recommend a solution that would:

1. Perform nightly incremental backups to FTP
2. Compress and encrypt files for transfer
3. Send e-mail notifications
4. Be reliable and provide a method for verifying the backups
5. Cost under $100

This is driving me nuts, and I would love to have it off of my plate! Any help you can give me is greatly appreciated.

Thanks,

Mike

I am using duplicity to perform backups on my server. Right now duplicity is encrypting the backup using a GPG public-private key system. I would prefer to encrypt the backup files using just a passphrase, so I don't have to try and keep up with secret keys. How can I configure the backups to be encrypted this way?

Thanks,

Mike

I have been having a problem recently where some of our mail is not getting to clients. I looked into the Message queue on my SBS2k3 server and noticed that several recipients are showing up in the queue with a state of "Retry". When I highlight the recipient, the additional queue information says "An SMTP protocol error occured". How can I find out more specifically what error occured, and how could I then go about correcting it?

Recently one of our client machines was infected with a virus and I believe was spamming addresses in the user's contact list. Since then our server has been appearing on blacklists and it has been causing our e-mail to be blocked and returned by many clients. The virus has since been cleared, what can I do to get our server off these blacklists so that we will have more reliable e-mail service? Will I have to change my IP address?

Thanks,

Mike

I am running a small network (5 clients) on a server running SBS2k3. I'd like to be able to set up a NAS in a remote location in order to schedule nightly, incremental backups on the server drives. I'd also like to run a full backup once a week. Can anyone recommend a good NAS drive that would help me accomplish this? One that comes with it's own software I can install on my server is a plus. NT backup just isn't robust enough to meet my needs.

I have been looking at both the Seagate Blackarmor series or the DROBO line of backups, what comments / experiences might you have had with either one of those lines?

Thanks,

Mike