Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Mar 21, 2002 (Vol. 7, #23 - Issue #354)
How We Migrated to Exchange 2000
This issue of W2Knews contains:
- EDITORS CORNER
- Winners In The Security Software Space
- TECH BRIEFING
- How We Migrated to Exchange 2000 (Part 1 of 2)
- NT/2000 RELATED NEWS
- InfoSec 2002 Excellence Awards
- NT/2000 THIRD PARTY NEWS
- How SonicAdmin Resolved Downtime Remotely
- New Wireless StarAdmin V2.6.3 Now Available
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- BizTalk Server 2000 Developer's Guide for .NET
SPONSOR: Windows & .NET Magazine Network
Need Help with Your Storage Investment?
Planning and managing your storage deployment can be costly and
complex. Check out the Storage Administration Web site on the
Windows & .NET Magazine Network for the latest advice, news,
and tips to help you make the most of your storage investment.
You'll find eye-opening articles, white papers, a technical
forum, and much more!
Visit Windows & .NET Magazine Network for more information.
Winners In The Security Software Space
Yesterday I drove over to Orlando and visited the InfoSec Show. The
word InfoSec is short for Information Security and it was a good
opportunity to check the state of the Industry. Pretty good actually.
They had about 80 exhibitors, well over a thousand attendees and both
were good quality. Everyone seemed to be happy.
This show is organized by the MIS Training Institute; you can find
them at the http://www.misti.com site. Misti organized something very
similar to the W2Knews Target Awards, and they recognized companies
with the best products in their fields. Awards were given based on
both quality of the tools and how wide the customer base was.
There were actually many hundreds of security tools out there. Some
that caught my eye I'll mention briefly. First was a cool combo of
two small radio devices. One is credit card sized and you wear it.
The other is plugged into the system. You walk up to the PC, and you
get automatically logged in with your username and password. You walk
away (10 feet) and it logs you off and locks the system. Nifty indeed.
They are over at: http://www.ensuretech.com.
Some quotes I picked up: "Enterprise Security needs to be done from
the trenches, but you also need the 50,000 feet perspective at the
same time". "We monitor who did what, when and where and which
permissions they changed". "The War in the Wire, Infosec in the face
of Terrorism". "You get an on-line order worth $1 million. But how
do you know it's legitimate?"
That last one is from the people from RSA Security with their Keon
product. Keon was an Excellence Award winner and provides a PKI
server. What is PKI? Public Key Infrastructure. And what the heck
is that? In a nutshell, an environment that establishes trustworthy
identities, communications and transactions, and manages the related
encryption keys. The code sits on a server and makes sure everything
about the identities, communications and transactions is kosher. You
get an order and can trust it's indeed legit. Check Keon at
http://www.rsasecurity.com.
The full Winners List is down at the NT/2000 Related News section.
(email me with feedback: [email protected])
SPONSOR: PREVENT DOWNTIME
LIMIT DOWNTIME AND DATA LOSS WITH DOUBLE-TAKE
Failure to protect your mission critical data can sink your business.
Double-Take delivers real-time protection for your NT/W2K Servers. A
whole department sitting on their hands is extremely expensive. With
Double-Take you can mirror critical data to a target server, and Double-
Take will fail over if your source server goes down. 2001 Editor's
Choice of both Windows 2000 and Network Magazine. Download a 30-day
eval copy now and start protecting your data and apps.
Visit PREVENT DOWNTIME for more information.
How We Migrated to Exchange 2000 (Part 1 of 2)
Last article I did went over the basics of moving Sunbelt over to an
Active Directory. Since that article we've been working almost
entirely on moving to Exchange 2000. I knew that moving to E2K was
supposed to be more difficult than moving to AD but I didn't realize
just how true that was until I got into the thick of it.
To start, we have a small Exchange organization here in the States.
There are fewer than 100 user mailboxes, about 20 resource mailboxes,
a couple dozen public folders, and about 15 distribution lists. The
server does process quite a bit of email, in excess of 400k messages
per week due to all of the list traffic. This was hosted on one server
running Exchange 5.5 SP3, which has in general been an extremely
stable platform for us.
As always, the procedure began in the testing lab. We created a new
AD specifically for the testing. This AD was composed of one AD
controller, an NT4 SP6a Exchange 5.5 SP3 server, and a couple Win2K
servers. After much reading and research online we found that doing
an in place upgrade was usually not the best way to move to Exchange
2000. We decided to go with what Microsoft calls a "Swing Upgrade"
as it involved the least amount of down time and could be performed
over a period of time instead of all at once. The theory behind this
is that you move the mailboxes from a 5.5 server to an E2K server
and back to the source server after rebuilding it with E2K.
First step, switch to Native Mode on AD. Simple, press a button and
you're done. The only negative point to doing this (that we could find)
was that we would no longer be able to have any NT4 DCs in the AD.
No problem, we pushed the button (Active Directory Domains And Trusts,
right-click and go to Properties on the domain). Going native isn't
required but is recommended. Doing this in the test environment
and doing this in the production environment was the same, nothing
special. Just a single event in one of the logs that said that the
directory was now in native mode.
Second step, clean up the 5.5 server. You need to make sure that you
don't have a bunch of extraneous mailboxes lying around. If you have
3 mailboxes that have the same primary account you will end up with
problems. In Exchange 5.5 there is no problem with multiple mailboxes
being owned by a single user. In AD a user object can have only one
mailbox attribute. Microsoft has a utility called NTDSNoMatch, also
known as NTDSAtrb, that will help look at the 5.5 directory. This tool
can be found on the E2K SP1 and SP2 CD in server\support\utils\I386
and is documented a bit here:
In a nutshell, you need to update Custom Attribute 10 to "NTDSNoMatch"
on these resource mailboxes. Pay special attention to getting all of
the mailboxes. In the test environments we didn't have any problems,
our Exchange server was fairly clean to begin with. In our production
environment we missed 1 hidden mailbox and that resulted in some
interesting results that I'll detail in step 3.
Third step, install the Active Directory Connector (ADC). The ADC
takes the data that is stored in the Exchange 5.5 directory and copies
it to the AD and vice versa. It will take your mailboxes that are in
the 5.5 directory and match them up with the user in AD based upon
the primary user account. If the account already has a mailbox then
the default action is that the ADC will create a disabled user account
that matches the mailbox name. This is why NTDSNoMatch is very
important. Once you actually install the ADC and turn on the
replication it's fairly unforgiving, and in initial testing we "munged up"
our AD a few times. Our techs come up with the best way to describe
non-optimum scenarios :)
It just goes and if you have junk on the 5.5 server you get junk to
the power of n in the AD. There is also a lot of data about the
ADC on Microsoft's site, a pretty good reference was in Technet, "Exchange
2000 Migration: Deploying the Active Directory Connector Within Microsoft".
I would recommend reading this and at least a few others before playing
with the ADC. Once we got the concept of the ADC we didn't have any
problems with it in our test network.
However the production move did have a hiccup. Let us say that we
have a user named Bob. Bob has a mailbox named "Bob" and a user in
AD called "salesuser5". Bob also has another mailbox called "Junk"
that is hidden and pretty much forgotten about. Both the Bob and Junk
mailboxes have "salesuser5" as the primary account. Once we installed
and set up the ADC we found out why step 2 was important. One of Bob's
two mailboxes was associated with "salesuser5", the other got a new user
account that is disabled (default behaviour of the ADC). Of course the
"Junk" mailbox was found first and was associated with Bob's AD account,
thereby renaming it to "Junk" while it still had "salesuser5" as the login.
Then the "Bob" mailbox was found and made into a new AD account that
was disabled but that "salesuser5" had permission to. Confused yet? I know
that we were. However, Bob didn't even know until we started putting
his account(s) back together and made him log off while we worked out
what the heck had happened to his account. That having
been said, sorry about the problems "Bob" :)
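To make steps 2 and 3 concrete, here is an added example that is not part of the article and is not Microsoft's ADC or NTDSNoMatch code: a small Python model of the matching behaviour described above, run against a constructed 5.5 directory that reproduces the "Bob"/"Junk" situation. The matching rule (mailboxes visited in directory order, a mailbox attached to its primary account only if that account has no mailbox yet, otherwise a new disabled user), the mailbox order and the account names are all assumptions drawn from the text.

```python
"""Added example: a simplified model of ADC mailbox-to-account matching.

This is not Microsoft's ADC or NTDSNoMatch code. The matching rule below is
an assumption taken from the article: mailboxes are visited in directory
order; a mailbox whose primary Windows NT account does not yet own an AD
mailbox is attached to that account, otherwise (or when Custom Attribute 10
is "NTDSNoMatch") the ADC creates a new, disabled AD user named after the
mailbox.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

NTDSNOMATCH = "NTDSNoMatch"


@dataclass
class Mailbox:
    alias: str                # Exchange 5.5 mailbox alias
    primary_account: str      # primary Windows NT account of the mailbox
    hidden: bool = False
    custom_attr_10: str = ""  # Custom Attribute 10, read by NTDSNoMatch


@dataclass
class ADUser:
    name: str
    mailbox: Optional[str] = None  # the single mailbox attribute AD allows
    disabled: bool = False


def sample_mailboxes() -> List[Mailbox]:
    """Constructed 5.5 directory: the hidden 'Junk' mailbox sorts first."""
    return [
        Mailbox("Junk", "salesuser5", hidden=True),
        Mailbox("Bob", "salesuser5"),
        Mailbox("Alice", "alice1"),
    ]


def sample_ad_users() -> List[ADUser]:
    """Constructed AD: the real logins, with no mailbox attribute yet."""
    return [ADUser("salesuser5"), ADUser("alice1")]


def find_duplicate_owners(mailboxes: List[Mailbox]) -> Dict[str, List[str]]:
    """Step 2 check: primary accounts that own more than one 5.5 mailbox."""
    counts = Counter(m.primary_account for m in mailboxes)
    return {
        acct: [m.alias for m in mailboxes if m.primary_account == acct]
        for acct, n in counts.items() if n > 1
    }


def mark_resource_mailboxes(mailboxes: List[Mailbox],
                            keep_for: Dict[str, str]) -> List[Mailbox]:
    """Set Custom Attribute 10 to NTDSNoMatch on every mailbox that is not
    the one its account should keep (keep_for maps account -> alias)."""
    for m in mailboxes:
        wanted = keep_for.get(m.primary_account)
        if wanted is not None and m.alias != wanted:
            m.custom_attr_10 = NTDSNOMATCH
    return mailboxes


def run_adc(mailboxes: List[Mailbox],
            ad_users: List[ADUser]) -> Dict[str, ADUser]:
    """Simulate one ADC replication pass; returns AD users keyed by name."""
    ad = {u.name: ADUser(u.name, u.mailbox, u.disabled) for u in ad_users}
    for m in mailboxes:
        owner = ad.get(m.primary_account)
        matchable = m.custom_attr_10 != NTDSNOMATCH
        if matchable and owner is not None and owner.mailbox is None:
            owner.mailbox = m.alias  # mailbox attached to the real login
        else:
            # default ADC behaviour per the article: a new disabled account
            ad[m.alias] = ADUser(m.alias, mailbox=m.alias, disabled=True)
    return ad


if __name__ == "__main__":
    print("duplicate owners:", find_duplicate_owners(sample_mailboxes()))
    raw = run_adc(sample_mailboxes(), sample_ad_users())
    print("without NTDSNoMatch:", raw["salesuser5"].mailbox, raw["Bob"])
    fixed = run_adc(mark_resource_mailboxes(sample_mailboxes(),
                                            {"salesuser5": "Bob"}),
                    sample_ad_users())
    print("with NTDSNoMatch:", fixed["salesuser5"].mailbox, fixed["Junk"])
```

Without the Custom Attribute 10 marking, the hidden "Junk" mailbox is visited first and takes the "salesuser5" login, and the real "Bob" mailbox ends up on a new disabled account, exactly the outcome the article describes. Marking "Junk" beforehand flips the result. The useful habit is the first call: list every account that owns more than one mailbox, hidden ones included, before the ADC is allowed to replicate.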
Another interesting point about the ADC, there are 3 different versions
that I've been able to find mention of. There is one on the W2K server
CD that is somewhat limited in its functionality. Another is located on
the E2K install CD. The latest and greatest and the one that we used
was part of E2K SP2.
Cleaning up the directory on Exchange 5.5 and then cleaning up after
running the ADC are directly related. The longest part of the upgrade
really revolves around these 2 steps. The more you get done in the
5.5 directory the less you'll have to clean up in the AD. We only had
the one mailbox that was missed, but then again we only have ~100
mailboxes total. It's easy to see that in larger organizations
this could quickly become ugly. I'm out of time to write this and I'm
still doing the last parts of the upgrade, I'll go into more in the
next article :)
Greg Kras MCP+I MCSE
Sunbelt Software Technical Services Manager
NT/2000 RELATED NEWS
InfoSec 2002 Excellence Awards
Here is the list of finalists. You can compare this with an Oscar
nomination. They may not win, but are definitely the leading tools
in their space. I have indicated with three asterisks at the end of
the line the products that actually were chosen as the winners.
You will see some familiar names that were recognized as best-of-breed tools.
INTRUSION DETECTION SYSTEMS
RealSecure - Internet Security Systems
Dragon - Enterasys Networks ***
Tripwire - TripWire Inc.
Check Point Firewall-1 - Check Point Software Technologies
PIX - Cisco Systems
Nokia Appliance (with Check Point FireWall-1) - Nokia ***
ANTIVIRUS/MOBILE CODE TOOLS
McAfee Antivirus - McAfee (Network Associates)
Symantec Norton Antivirus - Symantec ***
Trend Micro Antivirus - Trend Micro
VPN-1 Gateway - Check Point Software Technologies
Cisco VPN Concentrator - Cisco Systems
Contivity VPN Switch - Nortel Networks ***
ENTERPRISE SECURITY MANAGEMENT/CENTRALIZED MANAGEMENT
Check Point SVN - Check Point Software Technologies
VigilEnt Security Manager - PentaSafe Security Technologies ***
Symantec ESM - Symantec
SiteMinder - Netegrity
Tivoli Policy Director - IBM ***
ClearTrust - RSA Security
Retina - eEye Digital Security
SafeSuite - Internet Security Systems ***
SAINT Vulnerability Assessment Tools
AUTHENTICATION - SOFT FORM FACTOR
Entrust PKI - Entrust Technologies ***
VeriSign PKI - VeriSign Inc.
KEON - RSA Security ***
AUTHENTICATION - HARD FORM FACTOR
RSA SecurID - RSA Security ***
PGPmail - PGP Security (Network Associates Inc.) ***
THIRD PARTY NEWS
How SonicAdmin Resolved Downtime Remotely
This story was contributed by Sean Sliwinski, Vice President of
Information Technology at Capture Resource, Inc.
"We are not a large company and I do not have a staff of ten techs
that can take care of just about any issue with the systems as they
arise. We also run a 24 hour shift, 6 days a week here, which makes
the system uptime just that more important.
"It is the beginning of February, and I find out that I have to
make a trip to San Francisco at the beginning of March. Concerned
about support, 3000 miles away, I was wondering how I was going to
get this done. I remembered seeing a couple of products on the Sunbelt
Software website during a previous visit, which I had not given much
thought to the first time, other than to think that it was an
interesting concept. Anyway, there happened to be two remote management
products aimed at giving the admin, when out of the office, full
control over the most critical parts of the systems.
"I looked them over, downloaded them, and began researching the
equipment requirements. Once I had the PocketPC 2002, the CDPD Modem,
and an IP account with a wireless company, I pursued the products further.
I tried both and determined that 'sonicadmin' would better suit my needs.
I even purchased the x10 equipment that sonicadmin supported. If
you are not familiar with x10, they create many products, of which sonicadmin
supports the power switches, which act as a light switch would, but
can be attached to computers. Sounds funny, but when the system locks,
the only way to reset it is to turn the power off, and how are you going
to do that from the road?
"To make a long story short, San Francisco, Thursday night, about 5pm
PST, and I get a call on my cell phone that there is a problem at the
shop. I know that it is 8pm EST there, and I cannot get someone there
to take care of this issue. I take out my PPC, connect up to my CDPD
account, and login to the sonicadmin server. Here I am looking out my
41st floor of the hotel window, staring at the San Francisco Bay, and
with a couple of quick pen strokes, send, problem solved! Thank you
again both sonicmobility and Sunbelt Software for making one more piece
of my job a bit easier to handle."
Well, there you have it. "System Admin On The Go". Check out:
New Wireless StarAdmin V2.6.3 Now Available
The importance of uninterrupted operations of a company's systems
and networks cannot be overstated. But who maintains your systems
after business hours without carrying a laptop and staying near
dial-up locations? You have the incredible task of filling in this
gap with few tools available. StarAdmin is a cheap and effective
solution to ensure that your systems are up and running all the
time and to take immediate action whenever there is a problem.
New in StarAdmin v2.6.3! StarAdmin works in more places & environments than ever:
- New GSM/GPRS WAP device support - worldwide applicable
- Very Large Network Support - new listing/searching features for
  large server farms
- Automated PQA generator for use with PalmOS and Go.Web browsers
- StarAdmin now works on all new Windows OS platforms: NT, 2000,
  XP and .NET
StarAdmin has new features:
- Enhanced Multi-Domain Management - on-the-fly domain switching,
  manage any domain Users and Print Servers
- Manage the Audit Log using the Audit-Log Viewer - View, Filter,
  and Export Logs
- User Management now includes managing Groups
- Access to Hidden File System Shares can now be enabled
- Menu display is configurable to optimize display on the particular
  wireless handheld you are using
StarAdmin is more secure:
- Automated SSL Configuration during installation makes using SSL
  with StarAdmin a snap
- Configurable Session Time-Out automatically logs users off after
  a period of time
StarAdmin is easier to configure:
- Configure StarAdmin SQL Database settings
- Configure StarAdmin DNS settings
- Configure StarAdmin SMTP settings
- New Installer routine makes installations on Windows 2000/XP/.NET
  systems a snap
Some Happy Users:
"StarAdmin from StarRemote Wireless is a great management product
for use with PocketPCs that address [the] key enterprise customer
need to reduce systems downtime and improve the productivity of
- Douglas Dedo, Marketing Manager, Mobility Division, Microsoft
"The only reason I can attend trade shows is because I am keeping
an eye on my systems using StarAdmin while I am away."
- StarAdmin Customer with a large U.S. Hotel Chain
"I have been using the product and I have to say that you are
geniuses. In all though, it is an incredible product and I couldn't
- StarAdmin Customer with a large U.S. Law Firm
Here is the link:
This Week's Links We Like. Tips, Hints And Fun Stuff
A true virtual keyboard that can be projected on any surface. I want one!
Geek is becoming more chic, and chic more geek. The latest "IT fashion"
Tres kewl... And I want some of these too. One for the fridge, oven, tv...
Unbelievable what they come up with: Wipe Out Terrorism Custom Printed
Toilet Paper at:
PRODUCT OF THE WEEK
BizTalk Server 2000 Developer's Guide for .NET
BizTalk Server 2000 is part of the .NET family of Enterprise
Servers designed to work together to provide e-business solutions.
The .NET Enterprise Servers are based on open Web standards, such
as XML, to allow an organization to integrate and orchestrate
their applications and service needs into a single comprehensive
solution. This book shows how to use BizTalk Server 2000 to create,
integrate, manage, and automate business processes for the exchange
of business documents.