- Sign-up Now!
 - Current Issue
 - Edit Your Profile/Unsubscribe

Subscribe | Media Kit | About Us | All Issues | Subscriber Feedback | Contact Us | Privacy Statement
Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Mar 21, 2002 (Vol. 7, #23 - Issue #354)
How We Migrated to Exchange 2000
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Winners In The Security Software Space
  2. TECH BRIEFING
    • How We Migrated to Exchange 2000 (Part 1 of 2)
  3. NT/2000 RELATED NEWS
    • InfoSec 2002 Excellence Awards
  4. NT/2000 THIRD PARTY NEWS
    • How SonicAdmin Resolved Downtime Remotely
    • New Wireless StarAdmin V2.6.3 Now Available
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • BizTalk Server 2000 Developer's Guide for .NET
  SPONSOR: Windows & .NET Magazine Network
Need Help with Your Storage Investment?
Planning and managing your storage deployment can be costly and
complex. Check out the Storage Administration Web site on the
Windows & .NET Magazine Network for the latest advice, news,
and tips to help you make the most of your storage investment.
You'll find eye-opening articles, white papers, a technical
forum, and much more!
Visit Windows & .NET Magazine Network for more information.
  EDITORS CORNER

Winners In The Security Software Space

Yesterday I drove over to Orlando and visited the InfoSec Show. The word InfoSec is short for Information Security and it was a good opportunity to check the state of the Industry. Pretty good actually. They had about 80 exhibitors, well over a thousand attendees and both were good quality. Everyone seemed to be happy.

This show is organized by the MIS Training Institute, you can find them at the http://www.misti.com site. Misti organized something very similar to the W2Knews Target Awards, and they recognized companies with the best products in their fields. Awards were given based on both quality of the tools and how wide the customer base was.

There were actually many hundreds of security tools out there. Some that caught my eye I'll mention briefly. First was a cool combo of two small radio devices. One is credit card sized and you wear it. The other is plugged into the system. You walk up to the PC, and you get automatically logged in with your username and password. You walk away (10 feet) and it logs you off and locks the system. Nifty indeed. They are over at: http://www.ensuretech.com.

Some quotes I picked up: "Enterprise Security needs to be done from the trenches, but you also need the 50,000 feet perspective at the same time". "We monitor who did what, when and where and which permissions they changed". "The War in the Wire, Infosec in the face of Terrorism". "You get an on-line order worth $1 million. But how do you know it's legitimate?"

That last one is from the people from RSA Security with their Keon product. Keon was an Excellence Award winner and provides a PKI server. What is PKI? Public Key Infrastructure. And what the heck is that? In a nutshell, an environment that establishes trustworthy identities, communications and transactions, and manages the related encryption keys. The code sits on a server and makes sure everything about the identities, communications transactions is kosher. You get an order and can trust it's indeed legit. Check Keon at http://www.rsasecurity.com.

The full Winners List is down at the NT/2000 Related News section.

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: PREVENT DOWNTIME
LIMIT DOWNTIME AND DATA LOSS WITH DOUBLE-TAKE
Failure to protect your mission critical data can sink your business.
Double-Take delivers real-time protection for your NT/W2K Servers. A
whole department sitting on their hands is extremely expensive. With
Double-Take you can mirror critical data to a target server, and Double-
Take will fail over if your source server goes down. 2001 Editor's
Choice of both Windows 2000 and Network Magazine. Download a 30-day
eval copy now and start protecting your data and apps.
Visit PREVENT DOWNTIME for more information.
  TECH BRIEFING

How We Migrated to Exchange 2000 (Part 1 of 2)

Last article I did went over the basics of moving Sunbelt over to an Active Directory. Since that article we've been working almost entirely on moving to Exchange 2000. I knew that moving to E2K was supposed to be more difficult than moving to AD but I didn't realize just how true that was until I got into the thick of it.

To start, we have a small Exchange organization here in the states. There are less than 100 user mailboxes, about 20 resource mailboxes, a couple dozen public folders, and about 15 distribution lists. The server does processes quite a bit of email, in excess of 400k messages per week due to all of the list traffic. This was hosted on one server running Exchange 5.5 SP3 and has in general been an extremely stable platform for us.

As always, the procedure began in the testing lab. We created a new AD specifically for the testing. This AD was composed of one AD controller, an NT4 SP6a Exchange 5.5 SP3 server, and a couple Win2K servers. After much reading and research online we found that doing an in place upgrade was usually not the best way to move to Exchange 2000. We decided to go with what Microsoft calls a "Swing Upgrade" as it involved the least amount of down time and could be performed over a period of time instead of all at once. The theory behind this is that you move the mailboxes from a 5.5 server to a E2K server and back to the source server after rebuilding it with E2K.

First step, switch to Native Mode on AD. Simple, press a button and you're done. The only negative point to doing this (that we could find) was that we would no longer be able to have any NT4 DCs in the AD. No problem, we pushed the button (Active Directory Domains And Trusts, right-click and go to Properties on the domain). Going native isn't required but is recommended. Doing this in the test environment and doing this in the production environment was the same, nothing special. Just a single event in one of the logs that said that the directory was now in native mode.

Second step, clean up the 5.5 server. You need to make sure that you don't have a bunch of extraneous mailboxes laying around. If you have 3 mailboxes that have the same primary account you will end up with problems. In Exchange 5.5 there is no problem with multiple mailboxes being owned by a single user. In AD a user object can have only one mailbox attribute. Microsoft has a utility called NTDSNoMatch, also known as NTDSAtrb, that will help look at the 5.5 directory. This tool can be found on the E2K SP1 and SP2 CD in server\support\utils\I386 and is documented a bit here:
http://www.w2knews.com/rd/rd.cfm?id=020321TB-NTDSNoMatch

In a nutshell, you need to update Custom Attribute 10 to "NTDSNoMatch" on these resource mailboxes. Pay special attention to getting all of the mailboxes. In the test environments we didn't have any problems, our Exchange server was fairly clean to begin with. In our production environment we missed 1 hidden mailbox and that resulted in some interesting results that I'll detail in step 3.

Third step, install the Active Directory Connector (ADC). The ADC takes the data that is stored in the Exchange 5.5 directory and copies it to the AD and visa-versa. It will take your mailboxes that are in the 5.5 directory and match them up with the user in AD based upon the primary user account. If the account already has a mailbox then the default action is that the ADC will create a disabled user account that matches the mailbox name. This is why the NTDSNoMatch is very important. Once you actually install the ADC and turn on the replication it's fairly unforgiving and in initial testing we "munged up" our AD a few times. Our techs come up with the best way to describe non-optimum scenarios :)

It just goes and if you have junk on the 5.5 server you get junk to the power of n in the AD. There is also a lot of data about the ADC on Microsoft's site, a pretty good reference was in Technet, "Exchange 2000 Migration: Deploying the Active Directory Connector Within Microsoft". I would recommend reading this and at least a few others before playing with the ADC. Once we got the concept of the ADC we didn't have any problems with it in our test network.

However the production move did have a hiccup. Let us say that we have a user named Bob. Bob has a mailbox named "Bob" and a user in AD called "salesuser5". Bob also has another mailbox called "Junk" that is hidden and pretty much forgotten about. Both the Bob and Junk mailboxes have "salesuser5" as the primary account. Once we installed and setup the ADC we found out why step 2 was important. One of Bob's two mailboxes was associated to "salesuser5", the other got a new user account that is disabled (default function of ADC). Of course the "Junk" mailbox was found first and was associated with "Bob" AD account thereby updating it to be "Junk" but still have "salesuser5" as a login.

Then the "Bob" mailbox was found and made into a new AD account that was disabled but "salesuser5" had permission to. Confused yet? I know that we were, however Bob didn't even know until we started putting his account(s) together and made him log off during the process of finding out what the heck happened to his account. That having been said, sorry about the problems "Bob" :)

Another interesting point about the ADC, there are 3 different versions that I've been able to find mention of. There is one on the W2K server CD that is somewhat limited in its functionality. Another is located on the E2K install CD. The latest and greatest and the one that we used was part of E2K SP2.

Cleaning up the directory on Exchange 5.5 and then cleaning up after running the ADC are directly related. The longest part of the upgrade really revolves around these 2 steps. The more you get done in the 5.5 directory the less you'll have to clean up in the AD. We only had the one mailbox that was missed, but then again we only have ~100 mailboxes total. It's easy to see that in larger organizations this could quickly become ugly. I'm out of time to write this and I'm still doing the last parts of the upgrade, I'll go into more in the next article :)

Greg Kras MCP+I MCSE
Sunbelt Software Technical Services Manager

  NT/2000 RELATED NEWS

InfoSec 2002 Excellence Awards

Here is the List of Finalists. You can compare this with an Oscar Nomination. They may not win, but are definitely the leading tools in their space. I have indicated with three asterisks at the end of each line, the products that actually were chosen as the winners. You will see some familiar names that were recognized as best-of-breed tools.

INTRUSION DETECTION SYSTEMS

  • RealSecure ? Internet Security Systems
  • Dragon ? Enterasys Networks ***
  • Tripwire ? TripWire Inc.

    FIREWALLS

  • Check Point Firewall-1 ? Check Point Software Technologies
  • PIX ? Cisco Systems
  • Nokia Appliance (with Check Point FireWall-1) ? Nokia ***

    ANTIVIRUS/MOBILE CODE TOOLS

  • McAfee Antivirus ? McAfee (Network Associates)
  • Symantec Norton Antivirus ? Symantec ***
  • Trend Micro Antivirus ? Trend Micro

    VPNs

  • VPN-1 Gateway ? Check Point Software Technologies
  • Cisco VPN Concentrator ? Cisco Systems
  • Contivity VPN Switch - Nortel Networks ***

    ENTERPRISE SECURITY MANAGEMENT/CENTRALIZED MANAGEMENT

  • Check Point SVN ? Check Point Software Technologies
  • VigilEnt Security Manager ? PentaSafe Security Technologies ***
  • Symantec ESM ? Symantec

    ACCESS CONTROL/AUTHORIZATION

  • SiteMinder ? Netegrity
  • Tivoli Policy Director ? IBM ***
  • ClearTrust ? RSA Security

    VULNERABILITY ASSESSMENT

  • Retina ? eEye Digital Security
  • SafeSuite ? Internet Security Systems ***
  • SAINT Vulnerability Assessment Tools

    SECURITY FREEWARE/SHAREWARE

  • Nmap
  • l0phtcrack
  • nessus ***

    AUTHENTICATION ? SOFT FORM FACTOR

  • Entrust PKI ? Entrust Technologies ***
  • VeriSign PKI ? VeriSign Inc.
  • KEON - RSA Security ***

    AUTHENTICATION ? HARD FORM FACTOR

  • RSA SecurID ? RSA Security ***

    E-MAIL SECURITY

  • PGPmail ? PGP Security (Network Associates Inc.) ***

    http://www.w2knews.com/rd/rd.cfm?id=020321RN-InfoSec_Awards

  •   THIRD PARTY NEWS

    How SonicAdmin Resolved Downtime Remotely

    This story was contributed by Sean Sliwinski, Vice President of Information Technology at Capture Resource, Inc.

    "We are not a large company and I do not have a staff of ten techs that can take care of just about any issue with the systems as they arise. We also run a 24 hour shift, 6 days a week here, which makes the system uptime just that more important.

    "It is the beginning of February, and I find out that I have to make a trip to San Francisco at the beginning of March. Concerned about support, 3000 miles away, I was wondering how I was going to get this done. I remembered seeing a couple of products on the Sunbelt Software website during a previous visit. Which I had not given much thought to the first time, other than to think that it was an interesting concept. Anyway, there happened to be two remote management products aimed at giving the admin, when out of the office, full control over the most critical parts of the systems.

    "I looked them over, downloaded them, and begin researching the equipment requirements. Once I had the PocketPC 2002, the CDPD Modem, and an IP account with a wireless company, I pursued the products further. I tried both and determined that 'sonicadmin' would better suite my needs. I even purchased the x10 equipment that sonicadmin supported. Which if you are not familiar with x10, they create many products, of which sonicadmin supports the power switches, which act as a light switch would, but can be attached to computers. Sounds funny, but when the system locks, the only way to reset it is to turn the power off, and how are you going to do that from the road?

    "To make a long story short, San Francisco, Thursday night, about 5pm PST, and I get a call on my cell phone that there is a problem at the shop. I know that it is 8pm EST there, and I cannot get someone there to take care of this issue. I take out my PPC, connect up to my CDPD account, and login to the sonicadmin server. Here I am looking out my 41st floor of the hotel window, staring at the San Francisco Bay, and with a couple of quick pen strokes, send, problem solved! Thank you again both sonicmobility and Sunbelt Software for making one more piece of my job a bit easier to handle."

    Well, there you have it. "System Admin On The Go". Check out:
    http://www.w2knews.com/rd/rd.cfm?id=020321TP-SonicAdmin

    New Wireless StarAdmin V2.6.3 Now Available

    The importance of uninterrupted operations of a company's systems and networks cannot be overstated. But who maintains your systems after business hours without carrying a laptop and staying near dial-up locations? You have the incredible task of filling in this gap with few tools available. StarAdmin is a cheap and effective solution to ensure that your systems are up and running all the time and to take immediate action whenever there is a problem.

    New in StarAdmin v2.6.3!

  • Admin works in more places & environments that ever:
  • New GSM/GPRS WAP device support - worldwide applicable
  • Very Large Network Support - new listing/searching features for large server farms
  • Automated PQA generator for use with PalmOS and Go.Web browsers
  • StarAdmin now works on all new Windows OS platforms: NT, 2000, XP and .NET

    StarAdmin has new features:

  • Enhanced Multi-Domain Management - on-the-fly domain switching, manage any domain Users and Print Servers
  • Manage the Audit Log using the Audit-Log Viewer - View, Filter, and Export Logs
  • User Management now includes managing Groups
  • Access to Hidden File System Shares can now be enabled
  • Menu display is configurable to optimize display on the particular wireless handheld you are using

    StarAdmin is more secure:

  • Automated SSL Configuration during installation makes using SSL with StarAdmin a snap
  • Configurable Session Time-Out automatically logs users off after a period of time

    StarAdmin is easier to configure:

  • Configure StarAdmin SQL Database settings
  • Configure StarAdmin DNS settings
  • Configure StarAdmin SMTP settings
  • New Installer routine makes installations on Windows 2000/XP/.NET systems a snap

    Some Happy Users:

    "StarAdmin from StarRemote Wireless is a great management product for use with PocketPCs that address [the] key enterprise customer need to reduce systems downtime and improve the productivity of their workforce."
    - Douglas Dedo, Marketing Manager, Mobility Division, Microsoft

    "The only reason I can attend trade shows is because I am keeping an eye on my systems using StarAdmin while I am away."
    - StarAdmin Customer with a large U.S. Hotel Chain

    "I have been using the product and I have to say that you are geniuses. In all though, it is an incredible product and I couldn't be happier."
    - StarAdmin Customer with a large U.S. Law Firm

    Here is the link:
    http://www.w2knews.com/rd/rd.cfm?id=020321TP-StarAdmin

  •   FAVE LINKS

    This Week's Links We Like. Tips, Hints And Fun Stuff

  • A true virtual keyboard that can be projected on any surface. I want one!

  • http://www.w2knews.com/rd/rd.cfm?id=020321FA-Virtual_Keyboard
  • Geek is becoming more chic, and chic more geek. The latest "IT fashion"

  • http://www.w2knews.com/rd/rd.cfm?id=020321FA-IT_Fashion
  • Tres kewl... And I want some of these too. One for the fridge, oven, tv...

  • http://www.w2knews.com/rd/rd.cfm?id=020321FA-Ethernet
  • Unbelievable what they come up with: Wipe Out Terrorism Custom Printed Toilet Paper at:

  • http://www.w2knews.com/rd/rd.cfm?id=020321FA-Toilet_Paper
      PRODUCT OF THE WEEK

    BizTalk Server 2000 Developer's Guide for .NET

    BizTalk Server 2000 is part of the .NET family of Enterprise Servers designed to work together to provide e-business solutions. The .NET Enterprise Servers are based on open Web standards, such as XML, to allow an organization to integrate and orchestrate their applications and service needs into a single comprehensive solution. This book shows how to use BizTalk Server 2000 to create, integrate, manage, and automate business processes for the exchange of business documents.

    http://www.w2knews.com/rd/rd.cfm?id=020321BW-BizTalk