Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Mon, Mar 25, 2002 (Vol. 7, #24 - Issue #355)
Exchange 2000 Migration Part 2
This issue of W2Knews contains:
- EDITOR'S CORNER
- More Phone Cracking Going On
- TECH BRIEFING
- NT/2000 RELATED NEWS
- So, What Are The Key Configuration Aspects Of That Box?
- NT/2000 THIRD PARTY NEWS
- New Product: Office To Go!
- Witch Hunt For Remote Control Tool In U.S. Military
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Hack Proofing Your Network (2nd Edition)
Receive a free copy of the analyst white paper, Maximizing
the Business Impact of Desktop Management. The white paper,
researched and written by Enterprise Management Associates,
the first technology analyst firm to specialize in management
software and services, discusses current trends and solutions
in the Desktop Management arena. Click here for your free copy:
Visit Marimba for more information.
More Phone Cracking Going On
Read this and you will understand why I'm again making you aware of this issue.
"After reading your article on having your phone system hacked, I
forwarded it to my boss. We both thought it was interesting, and
that's as far as it went. This past Monday, someone called our front
desk on our 800 number posing as an SBC Ameritech technician. He
claimed he was running tests and asked to be transferred to a
certain extension. Our receptionist obliged.
"Apparently there is some extension on our phone system that when
transferred to, gives you control of a trunk line. It's an older
ROLM system, maintained by Siemens. AT&T called about a half hour
later asking why we had been making calls to Yemen, and if we had
authorized it. Completely caught us off guard. The thing that
bothers me is that we are powerless to do ANYTHING to our phone
"Everything (even voicemail boxes) needs to be done by Siemens,
at a premium price of course. What other back doors are there
into our phone system??? And how did AT&T know to call us? Like
I said, they called a half hour after it happened. No phone company
I've ever dealt with is that quick.. it can take a month just to
get a line installed! Is Big Brother really watching that close?
Anyway, just thought I'd share our experience. Thankfully, we are
very close to purchasing a new phone system."
Lesson Learned: Textbook example of social engineering. All
personnel need to be trained in security, procedures and what to
do in cases like this. Next time it's the password of her machine
instead, and your network is compromised.
This week's XBOX Winner: William Nipper from Matthews, North Carolina!
Don't forget to update your profile and recommend your friends to
(email me with feedback: [email protected])
SPONSOR: SCAN AND PATCH
SCAN AND PATCH SECURITY HOLES WITH UPDATEEXPERT
Do you have a reliable tool to secure your network with the latest
updates? UpdateEXPERT is a software patch vulnerability assessment tool
that scans your network for missing hotfixes, and FIXES discovered
weaknesses for increased network protection. Supporting Windows
NT/2000/XP, SQL Server, IE and other mission critical applications,
UpdateEXPERT helps enforce software security policies, enables you to
scan for patches, validates your installations for peace of mind, and
installs updates to all networked machines without an agent.
Visit SCAN AND PATCH for more information.
Exchange 2000, Part Deux
Alright, now that the AD was populated with the Exchange 5.5 directory
information we moved on to the next step.
Fourth step, run ForestPrep and DomainPrep. It is recommended that you
run ForestPrep and DomainPrep individually prior to installing E2K,
although in some cases you can get away with having them run during
the setup. ForestPrep's purpose is to extend the schema of the Windows
2000 directory to contain all of the E2K information. We chose to run
them first so that we wouldn't run into any problems; we had just built
our AD and didn't want to destroy it.
ForestPrep is executed by running the E2K setup.exe with the
"/ForestPrep" flag. In our organization it took roughly 30 minutes
to run. Since our AD is relatively small and all involved servers
local we didn't have to wait long for replication of the changes to
complete. Rooting around a bit using ADSI Edit, part of the support
tools located on the Windows 2000 Server CD, we saw the entries for
E2K existed. More information on this can be found in Microsoft's
After we were satisfied with ForestPrep having been run we ran DomainPrep,
same as running ForestPrep except that you use "/DomainPrep". This
runs in a matter of seconds, both in our test and production environments.
However, we did encounter a problem with this step. In testing, all
was fine and DomainPrep had run correctly. In production it seemed
to run fine until after we had E2K installed and had nothing but weird
errors in the event log and problems with information stores not
mounting correctly and mailboxes not being accessible.
After several hours of trying to find anything anywhere as to what we
did wrong we started going back and checking our prior steps. At this
point we found out about a tool called "policytest.exe", located in
\support\utils\i386 of E2K SP2. Its purpose is to see if DomainPrep
finished its job on all the domain controllers in the local domain.
To our surprise none of the DCs had been updated by DomainPrep...
We still don't know why that was. We ran the DomainPrep a second time
and ran policytest to see if it had completed, no problems this time
around. (The problems that we had with the E2K box went away but we
still uninstalled and re-installed E2K just to make sure). The moral
of this: run policytest after running DomainPrep.
Here is a good article that goes into more detail of the ForestPrep
and DomainPrep functions:
Fifth step, actually install E2K. Funny enough, this is probably one
of the quickest and simplest parts of the process. Standard type of
install, just pick a few options, agree to a license agreement, say
where you want it to go and hit the finish button. SP2 and various
hotfixes were also pretty typical. As long as all the prior steps
were done correctly in our production and test environments we had no
problems. In test we just kept forgetting that we had to have SMTP
and NNTP installed prior to the E2K install, simple enough to add them in.
Sixth step, moving the mailboxes and public folders. This part was
pretty easy as well, just open up AD Users and Computers on a machine
that has the E2K management tools loaded, right-click on the mailbox
enabled user, select "Exchange Tasks". You can select multiple users
for this step if you like, we didn't at first as we wanted to benchmark
the moving procedure.
In our testing it would take about 30 minutes per 400 megs of email,
depending upon the number of messages and other loads present on
the source 5.5 server. During the mailbox move the user will not be
able to use Outlook and it took about 5-10 minutes after the mailbox
was moved for the user to be able to get back into their email.
The nice thing was that no one had to touch the user's profile, it
automatically updated with the new server name. We did find that if
you immediately made a permission change to the user's mailbox after
moving it the 5-10 minute wait was no longer needed, they could hop
right in seconds after the mailbox was moved. We moved all of our
mailboxes over the course of about 3 days.
The public folders aren't really moved, they are replicated. You'll
find the public folders located in E2K System Manager under "Administrative
Groups", "SITE", "Folders", "Public Folders". Right-click the various
folders and select "Properties" and go to the "Replication" tab.
From there you can specify the servers that you want to replicate
the public folders to. There are also some that do not show up by
default. You need to right-click on the "Public Folders" and select
the "View System Folders" option. From here you need to set "OFFLINE
ADDRESS BOOK" and "SCHEDULE+ FREE BUSY" to replicate. This last bit
of data is something that I gleaned from Microsoft's Q284148 article
which I'll go into later in this write-up.
Seventh step, setup a connector on the new server for inbound/outbound
email. Up to this point all of our email was still going in and out
of the 5.5 server's IMC. Since E2K is based on SMTP it was a fairly
simple task to get a connector setup on the new server using the E2K
System Manager. First make sure that you right-click the Exchange
organization at the very top of the System Manager, go into properties,
and check the "Show Routing Groups" option.
Once this was done we jumped into the "Routing Groups" and setup the new
SMTP connector. Now all inbound email was still going to the 5.5 server
and all outbound email was going out on the E2K server. Prior to allowing
email to come into the server we made sure that we installed Antigen on
the new server, a really effective and reliable anti-virus software package
by http://www.Sybari.com (we don't sell it, but we like it :).
Now that we're safe from the hordes of incoming viruses (over 500 per
day) we started looking at how to get inbound mail to the new server.
Instead of changing MX records and modifying firewall configurations we
decided to give the 5.5 server a different IP address, take its old IP
address away, and add that IP address to the new server. This took about
2 minutes and worked like a charm.... except for any domain that didn't
end with "sunbelt-software.com". A quick poking around and we realized
that we needed to put in a Recipient Policy to allow email for the other
domains; this is in the Exchange System Manager under Recipients. Now
everything really
Eighth step, clean-up. At this point the old 5.5 server was doing nothing
but contributing to our electric bill. However, it was still listed in
several places. Microsoft has a very important article that I mentioned
earlier, Q284148, that goes into the process of removing this server.
However, we encountered problems removing Site Replication Services
listing from the Exchange System Manager. The old 5.5 server was still
listed in ESM under Servers and nothing seemed to remove this. A bit of
poking around in Sunbelt's Exchange Admin list uncovered a way to remove
this from the AD using ADSI Edit tool. This is where we found and deleted
the 5.5 server: Configuration Containers > Services > Microsoft Exchange
> CN=XXXXXX > Administrative Groups > CN = XXXXXX > Servers
Also, we had to delete the old connectors that were still showing up in
the ESM. They were located here: Configuration Containers > Services >
Microsoft Exchange > CN=XXXXXX > Administrative Groups > CN = XXXXXX >
Routing Groups > CN = XXXXXX > CN = Connections
After deleting these items from the AD we were able to remove the Site
Replication Service listing from the ESM and life was once again good.
Now we had the option of going E2K Native Mode, this will not show up
if there is even a hint of a 5.5 server in the AD.
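The two ADSI Edit paths above are the GUI view of LDAP distinguished names. Having the exact DN lets you find (and export a copy of) the stale server and connector objects with an LDAP client before deleting them. The helper below is an added example written for this write-up, not a Sunbelt or Microsoft tool: it turns the container path into a DN and applies RFC 4514 escaping, which matters when an organization name contains a comma. The organization, administrative group, routing group and server names it uses are constructed placeholders standing in for the CN=XXXXXX entries masked in the text, and the forest root is likewise a constructed example.

```python
"""Build LDAP distinguished names for the ADSI Edit paths used in the cleanup
step, so the stale 5.5 server and connector objects can be located (and
exported before deletion) with an LDAP client instead of by clicking through
the tree.

Hypothetical helper written for this write-up; organization, administrative
group, routing group and server names are constructed placeholders for the
CN=XXXXXX entries the text masks, and the forest root is a constructed example.
"""
from typing import List

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN per RFC 4514: special
    characters anywhere, '#' at the start, and a space at either end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def container_path_to_dn(path: List[str], parent_dn: str) -> str:
    """ADSI Edit shows containers top-down; an LDAP DN lists the leaf first.
    Reverse the path, prefix each name with CN= and append the parent DN."""
    rdns = ["CN=" + escape_rdn_value(part) for part in reversed(path)]
    return ",".join(rdns + [parent_dn])


def exchange_server_dn(org: str, admin_group: str, server: str,
                       config_nc: str) -> str:
    """DN of a server object: Configuration > Services > Microsoft Exchange >
    CN=<org> > Administrative Groups > CN=<admin group> > Servers > CN=<server>."""
    path = ["Services", "Microsoft Exchange", org,
            "Administrative Groups", admin_group, "Servers", server]
    return container_path_to_dn(path, config_nc)


def routing_group_connections_dn(org: str, admin_group: str, routing_group: str,
                                 config_nc: str) -> str:
    """DN of the Connections container under a routing group, where the old
    connectors were found."""
    path = ["Services", "Microsoft Exchange", org, "Administrative Groups",
            admin_group, "Routing Groups", routing_group, "Connections"]
    return container_path_to_dn(path, config_nc)


if __name__ == "__main__":
    # Constructed example values; the configuration naming context DN is
    # CN=Configuration followed by the forest root's domain components.
    CONFIG_NC = "CN=Configuration,DC=example,DC=test"
    print(exchange_server_dn("Sunbelt, Inc", "First Administrative Group",
                             "OLD55SRV", CONFIG_NC))
    print(routing_group_connections_dn("Sunbelt, Inc", "First Administrative Group",
                                       "First Routing Group", CONFIG_NC))
```

Run it as-is to see the two DNs for the constructed names; in your own forest substitute the real organization and group names and your configuration naming context. The escaping step is the part worth keeping: an unescaped comma in "Sunbelt, Inc" would split the DN into a bogus extra component and the lookup would silently miss the object.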
Ninth step, rinse and repeat. Since the swing server we had used for
this procedure was an older server that had been put out to pasture we
beefed up the old 5.5 server and are currently in the process of moving
all the mailboxes back. Since it's E2K to E2K, and I feel like this is
all I've been doing for 3 weeks, it's pretty simple and a familiar process.
Overall, I've become a bit more impressed with E2K than I was when we
started the process. Using IIS's SMTP engine allows for a much
higher volume of Internet email without bogging down. Over the next few
weeks we'll probably get to play with some of the fun stuff :)
Greg Kras MCP+I MCSE
Sunbelt Software Technical Services Manager
NT/2000 RELATED NEWS
So, What Are The Key Configuration Aspects Of That Box?
How many times have you walked up to a system in your office and
needed to click through several diagnostic windows to remind
yourself of important aspects of its configuration, such as its
name, IP address, or operating system version? If you manage multiple
computers you probably need BGInfo. It automatically displays relevant
information about a Windows computer on the desktop's background,
such as the computer name, IP address, service pack version, and more.
You can edit any field as well as the font and background colors, and
can place it in your startup folder so that it runs every boot, or
even configure it to display as the background for the logon screen.
Because BGInfo simply writes a new desktop bitmap and exits you don't
have to worry about it consuming system resources or interfering with
other apps. BGInfo works on Windows 95 and higher, and Windows NT 4.0 and
higher. Best of all, it's freeware from Sysinternals and very useful.
THIRD PARTY NEWS
New Product: Office To Go!
"Beyond Blackberry". Need a full-fledged wireless solution (that
doesn't cost thousands of dollars just to install) and not only
allows you to control your servers, handle your email, but also
gives you web browsing, email attachments, faxes, paging and instant
messaging as well? Read on! [offer valid for USA & Canada only]
Now, this is a great tool for system admins that are on the move
a lot. (Especially when you have a remote MMC tool like StarAdmin
or SonicAdmin running on it too.) We have them in 5-, 10- and 20-packs.
It's called the Airespring "Office-To-Go"[tm] Mobile Wireless Productivity
Suite. It uses the same always-on, nationwide wireless packet-switched data
network that UPS runs their package tracking off. But it's not really for
just the IT department. You should also think of your roadwarrior colleagues
that will save bundles of time and be so much more productive.
"Always-On" Access To Your Desktop E-mail
You get a copy on your wireless device of every e-mail that goes
to your desktop. After you read it, you can reply, forward, delete
or do anything you would normally do with your e-mail. There is no
change in your e-mail address. When you send a message from your
wireless device, it comes from your regular e-mail address so the
recipient would have no way of knowing if it came from your desk
or your wireless device.
You can also compose and send new e-mail directly from your device.
This allows you to stay in touch all day, no matter whether you are
in or out of the office. Integrates with the standard mail servers
based on POP3, IMAP4, MAPI etc... (Supports MS Exchange, Lotus Domino
Notes, Novell Groupwise too).
No Effort Required
Since your wireless device and the network are always on, you do not
need to do anything special to get your e-mail. You will be automatically
alerted every time you have incoming e-mail. Best of all, if you turn
off your device, your e-mail will be stored and will be sent to you
as soon as you turn your device back on.
Nation's Largest Wireless Data Network
The network works all over the continental United States, Alaska, Puerto
Rico and the US Virgin Islands and covers 98% of the US population.
So no matter where you go, your service will go with you. Best of all,
since it's all one seamless network, there are no roaming or additional
charges for leaving your home area. Make sure you come back to Sunbelt after you have checked if your area is OK!
The Office To Go 8-in-1 solution puts your office in your pocket!
Airespring's Office-To-Go Mobile Wireless Productivity Suite takes you
far beyond just e-mail. Check out the following features:
This is a bundle. You buy the RIM hardware plus a monthly subscription
package based on your needs. A really powerful remote offering that
you cannot get anywhere else. Already own a Blackberry? Yes you can
just get the above service when your current subscription runs out.
Remember, you heard it first at Sunbelt! Check out this page for details,
and then fill out the Questions Form. Our Reps will get in touch with
you to get you a quote.
- E-mail. (see description above)
- Attachments. View and respond to any e-mail attachment you receive,
including Microsoft Word, Excel, Powerpoint and Adobe PDF files.
- Wireless IM (Instant Messaging). Use the Corporate IM solution to
send instant messages to other employees directly from your wireless
handheld. This service bypasses your e-mail service and the internet
for instant, direct two-way communication between individuals or groups
- Web Browser. With the integrated full HTML compatible web-browser,
you can go to any site on the internet. Trade stocks, get news,
entertainment, financial info, etc. It gives you TOTAL access to the
internet using an "Open URL" web browser for full access to the Internet.
- Off Line Form Storage and Fill Out
- Fax Machine. A fax machine in the palm of your hand - send and receive
faxes, to and from anywhere in the world. Printer. You can use the print
feature to print any e-mail or document on the nearest fax machine. Now,
wherever you have a fax machine, you have a printer!
- Mobile Organizer. A complete organizer and Personal Information Manager.
Synchronize with your desktop and most popular PIMs like Outlook and
many others. See the webpage.
- Pager. You can receive numeric or text pages from anyone, anywhere
with a telephone via a toll-free number and your unique PIN code.
- Remote Access to your desktop via a browser-based tool very much
Witch Hunt For Remote Control Tool In U.S. Military
The Security Wire Digest sent out this blurb and I thought that it
was strange, as the product in question is not a Trojan at all.
"U.S. Army and Navy computer administrators are scanning Windows systems
to find and remove an unauthorized, commercial remote-control program
called RemotelyAnywhere, according to a Newsbytes report. Both branches
of the military have distributed high-priority memos warning that the tool,
if launched, could expose Department of Defense systems to security breaches.
The $99 program allows remote users to access files through a Web browser.
Evidence of program installation includes the presence of RAMIRR.DLL,
RAHOOK.DLL, RA_SSH1.DLL and RA_SSH2.DLL files."
I asked the CEO of the company that sells the product to comment. He said,
and I quote:
"I take great offense at the sensationalistic characterization of
RemotelyAnywhere as a "trojan". RemotelyAnywhere is a commercially-available
piece of software, used by Fortune 100 companies, major financial
institutions and numerous branches of local, state and federal government,
that allows secure remote administration of a computer. It is no more a
trojan than RAdmin or VNC or PCAnywhere.
"The fact is that the hackers did not use RemotelyAnywhere to gain access
to these computers. They installed illegal copies of RemotelyAnywhere
only after the machines had been compromised. So to portray RemotelyAnywhere
as a trojan is extremely misleading. Our list of satisfied customers is
very extensive, but due to concern for their privacy, we do not divulge
their identities. Suffice it to say it is an impressive list". - end quote -
Lesson learned: Do not judge too quickly when someone accuses a piece of
software of being malware. It might be that someone cracked it and uses it
for their own nefarious purposes.
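Whatever you make of the "trojan" label, the memo quoted above does give administrators something concrete to check: four DLL names whose presence means RemotelyAnywhere is installed on a box. The script below is an added example written for this newsletter, not anything from the Army, Navy or the vendor. It reports every file whose name matches one of those indicators so the admin can decide whether that install was authorized; it deletes nothing, because the text itself makes the point that the software is legitimate and the question is who put it there. The sample directory listing in it is constructed for the demonstration.

```python
"""Defender-side check for the file-name indicators quoted in the newsletter.

The four DLL names come from the Security Wire Digest item reproduced above.
Presence of these files only shows that RemotelyAnywhere is installed;
whether that install is authorized is an administrative question, which is
why this reports findings for review rather than removing anything.
"""
import os
from typing import Iterable, List, Tuple

# Indicator file names from the quoted item, compared case-insensitively
# since Windows file names are case-insensitive.
INDICATOR_FILES = frozenset(
    name.lower()
    for name in ("RAMIRR.DLL", "RAHOOK.DLL", "RA_SSH1.DLL", "RA_SSH2.DLL")
)

# Constructed sample listing standing in for a directory walk of one
# workstation (two indicator names in mixed case, plus unrelated files).
SAMPLE_LISTING = [
    r"C:\WINNT\system32\kernel32.dll",
    r"C:\Program Files\RemotelyAnywhere\RAMIRR.DLL",
    r"C:\Program Files\RemotelyAnywhere\rahook.dll",
    r"C:\Temp\notes.txt",
    r"D:\backup\ra_ssh2.dll",
]


def find_indicators(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (INDICATOR_NAME, full_path) for every path whose file name is
    one of the indicators. Accepts both Windows and POSIX separators so a
    listing exported from another machine can be fed in unchanged."""
    hits = []
    for path in paths:
        # Take the final path component regardless of separator style.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in INDICATOR_FILES:
            hits.append((name.upper(), path))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree on the local machine and apply the same check."""
    def all_files():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return find_indicators(all_files())


def summarize(hits: List[Tuple[str, str]]) -> str:
    """One-line report: how many files matched and which indicators were seen."""
    seen = sorted({name for name, _ in hits})
    return f"{len(hits)} matching file(s); indicators present: " \
           f"{', '.join(seen) or 'none'}"


if __name__ == "__main__":
    # Demonstration on the constructed listing; use scan_tree(r"C:\") on a
    # real machine (it takes a while on a full drive).
    found = find_indicators(SAMPLE_LISTING)
    for name, path in found:
        print(f"{name:12} {path}")
    print(summarize(found))
</test>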
This Week's Links We Like. Tips, Hints And Fun Stuff
ThinkGeek has some pretty cool t-shirts. Guess which one I bought?
Very useful, the NTBUGTRAQ archives to check out known issues and their
background, or check on false alerts. From the BugMaster Russ Cooper:
Need to check out virus infections or hoaxes? It's a good practice to
check first the McAfee's VIL site over at:
This non-commercial site is dedicated to spreading the word about the
Aluminum Foil Deflector Beanie. It also explains the historical difference
between the American "aluminum" and the British "aluminium".
PRODUCT OF THE WEEK
Hack Proofing Your Network (2nd Edition)
By Ryan Russell (and a bunch of other security gurus). Ryan Permeh from
eEye has written the chapter on buffer overflows for this new edition.
Ryan's information alone is well worth checking out however the rest of
the book also has a lot of really great information. Definitely check this
book out if you're interested in the topic of security. "The only way to
stop a hacker is to think like one". This bestseller is now updated.
This is one of these "Stu's Warmly Recommended" ones.