Author Archive for Greg

Exchange 2007 needs command line to set FQDN of external host name on Send Connector

In Exchange 2007, you have a nice little GUI to set your FQDN on your Send Connector. (Mine is called Outbound, as shown below.)

You can see my FQDN, set under the Hub Transport/Send Connectors of the Exchange Management Console.

However, if you send mail out to an external address, you’ll notice in the headers that your internal server name is still listed! What!? What’s the point of the GUI?

You have to open Exchange Management Shell, and type in a command to solve this. It’s easy.

As shown above, you just type in the command:

Set-SendConnector "Outbound" -Fqdn mail.1stbyte.com

Replace “outbound” with the name of your send connector, and of course, change to your own FQDN, not mine.

It will come back with an error or with success. On success, you can check your headers on an external account right away.

Have fun!

Configure Word 2007 for Blogging to Wordpress 2.6

Had to spend a few minutes reminding myself how to configure this. Easy as pie! Even works with images now!!! Yay!

While in a “New Blog” in Word 2007, click the Manage Accounts button. (A wizard will probably start the process the first time you do this, but here’s the manual way.) This assumes you already have a WordPress blog set up, of course. I tested this with my own WordPress installation, on my own web host, so I am not sure if this works the same with “Wordpress.com”, but I would assume so.

In the Blog Accounts, you can click New or Change.

In the next screen, enter your domain URL and make sure it ends with /xmlrpc.php.

Add your username and password, and for me, I like to Remember, but that’s up to you.

Then click Picture Options.

Make sure you have selected “My Blog Provider”, and click OK.

Then you’ll be back at the New WordPress Account window; just click OK.

You should see a message that “Account created successfully” or something like that. If not, the errors are not very helpful, but when I did get one, it was just that I didn’t enter the right password. And remember, this will be the username and password IN YOUR WORDPRESS system, NOT your hosting system. (stupid mistake I made, I knew better!)

One thing I don’t see how to do, is select the account I want to publish to within Word, besides the obvious “default” setting. Maybe I need to do that in each doc. I will post when I test it.

EDIT: Duh! Right in Word, at the top of the doc is an Account selection. Just select the account for the blog, if you have more than one.



 

 


DFS links to shares on Windows XP SP2 do not work on local system

Well, for the larger businesses out there, this may not be a useful tip. But for those of us that support small networks, like less than 50 or even 10 systems, utilizing shares on workstations is sometimes needed. For example, I have servers in most all of my networks, and their hard drives are fairly large, but I don’t want to save all my downloads and application CDs on the server. With newer workstations loaded with larger drives than servers sometimes, I’d rather make use of that space there. Not with the main, business-critical data, but only things that are not needed for backups or maybe read-only archives. These 500+ GB drives give us a ton of space, and when you only have less than 10 people accessing this data periodically, this makes perfect sense. Constant read/write access with lots of users would require the server; rarely accessed stuff goes on a workstation.

Here’s the problem I ran into though. I like to use DFS and create a single shared, mapped drive for all the users. In there I might have a couple shares pointing to workstations. On XP SP2, this works fine, EXCEPT if you are accessing the DFS link from the system where the share resides. You will get an Access Denied error, even with all the correct permissions.

Here’s a registry fix that will overcome the issue.
(Remember, use the registry at your own risk. Back it up if you must. Heck, backup your whole system!)

Open this key on the XP system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters

Add a DWORD value:

EnableDfsLoopbackTargets

Change its value to 1.

Reboot the system.

Your share should now work from the DFS mapped drive on the local system (the system where the share is located).

Find an email address that already exists in Active Directory

So you went to add a new address to a user account in Active Directory, and you got an error that this address already exists? Sucks huh? Especially when you don’t know where it could be? Here’s one way to track it down.

On your domain root in AD Users and Computers, right click, select Find. Select Custom Search, click the Advanced tab, and enter an LDAP query like so:

proxyaddresses=smtp:emailaddress@youwanttofind.com

(I am assuming you are not a complete NEWB and you know you should replace that email with the one you want.)

Then click the Find Now button. In the results below, you should see any object that may have this address on it.
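The same lookup can be scripted. This is an added example, not part of the original post: it runs the post's proxyAddresses filter through System.DirectoryServices and escapes the address first, so characters such as `*` or `(` in the input cannot change the query. The function names and the optional `SearchRoot` value are assumptions made for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters RFC 4515 reserves in a filter value. The backslash
    # goes first so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-ProxyAddress {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        # Assumption: e.g. 'LDAP://DC=example,DC=local'; empty means the current domain.
        [string]$SearchRoot
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    # Same filter as in the post. Matching on proxyAddresses is case-insensitive,
    # so "smtp:" also finds an address stored as the primary "SMTP:" entry.
    $searcher.Filter   = '(proxyAddresses=smtp:' + (ConvertTo-LdapFilterValue $Address) + ')'
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass', 'proxyAddresses'))

    foreach ($result in $searcher.FindAll()) {
        # One row per object: users, contacts, groups and public folders can all hold addresses.
        New-Object PSObject -Property @{
            DistinguishedName = $result.Properties['distinguishedname'][0]
            ObjectClass       = @($result.Properties['objectclass'])[-1]
            ProxyAddresses    = @($result.Properties['proxyaddresses']) -join '; '
        }
    }
}

# Constructed sample address; replace it with the one that triggered the error.
Find-ProxyAddress -Address 'emailaddress@youwanttofind.com' | Format-List
```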

New account does not appear in Global Address List but does in All Users

I’ve run into this a few times, thought I’d record the solution for once so I remember it.

After adding a new user account, the user does not show up in Outlook’s Global Address List, but does show in All Users. (If you click “To” in a new message, for example, and in the Select Names window under the “Show names from the:” drop-down, you select All Users.) Even if I go into Active Directory Sites and Services and manually force replication (under the NTDS Settings for each server), it does not work. Normally, I would even go into Recipient Update Services and manually update, but this does not work either.

I found out that if you have Outlook in Cached Exchange Mode, the Global Address List does not update for up to 24 hours. I don’t know the details on that, but I can force it to update. This is on a per-machine basis, so doing this across the whole network won’t work. (Although, there may be a way to do this, I just don’t know how.)

Go into Outlook, go to Tools, Send/Receive, then click Download Address Book. Make sure you have Global Address List under the Choose Address Book drop down, and click OK. Problem solved.

By the way, I am using Exchange 2003 and Outlook 2003.

Folder redirection user permissions block access to Administrators

When using Folder Redirection on a Windows 2003 server, the default policy is to allow ownership and permissions only to the user. No admin account would have access to this folder. For example, you create a Group Policy to redirect users’ My Documents folders to a home directory on the server. Once a user logs on and this policy is applied, the folder is created with ownership of the user only, and file permissions granted for that user only, too.

This has presented a big problem for me, having come from Windows 2000, where this was not the case. As you might guess, when only the user has permissions specified, no administrator can get access to this folder for backup purposes. Our backups always failed.

Well then, on Windows 2003 Server, two default policies are in place making the user’s folders more secure. Nice, but I don’t care. I want backup rights by default. Go into the Group Policy where you would like to define the new policy. I made a new Organizational Unit and put all my computers in there, so I could define the policy at a lower level, instead of at the domain level. Once you are editing your policy, drill down to here:
Computer Configuration -
    Administrative Templates -
        System -
            User Profiles

In here look for these two policies and enable them:
“Do not check for user ownership of Roaming Profile Folders”
“Add the Administrators security group to roaming user profiles”

Now this will allow Windows 2003 to behave more like Windows 2000 on the redirected folders. Unfortunately, there is one issue. It does not change permissions on previously created folders, only on newly created folders. That’s a pain, but not that big a deal, because I can probably script some folder moves and recreate them.

Resetting NTFS permissions are not taking effect on child objects

Recently I went to reset a user’s home directory permissions on the server to allow them full control over each file/folder in their home directory. I set up all the normal accounts and of course the actual user account, with Full Control. I then went into Advanced and selected “Replace permission entries on all child objects” and hit apply.

This seemed to work fine, except the user complained that they could not access the documents in certain subfolders. When I checked those subfolders, the permissions were correct, except that her account had no permissions specified. Essentially this means, no perms, no access. So I tried again, same result.

The solution was simple, though I can’t figure out why this was configured this way. At the root folder where you wish to start inheritance, go into Advanced under Security on that folder. Go into Advanced again, and under Permissions, highlight the user in question, and click Edit. Under the detailed Permission Entry window, at the very bottom is a checkbox for:

“Apply these permissions to objects and/or containers within this container only.”

Uncheck that! And apply the permissions once more. All child objects should now have all the correct permissions! Yay!

I don’t understand why this is set this way. Is there a Group Policy in place I don’t know about? Did a previous IT guy change that? At least I have a solution. :)
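To see where that checkbox is set without opening each folder's Permission Entry dialog, the ACLs can be read from PowerShell. This is an added example, not part of the original post: it walks a folder tree and reports explicit ACEs carrying the NoPropagateInherit flag, which is how the checkbox is stored. It assumes PowerShell 3.0 or later (for `Get-Acl -LiteralPath`); the function name and the sample path are hypothetical.

```powershell
# Added example (not from the original post). Find-NoPropagateAce is a hypothetical name.
function Find-NoPropagateAce {
    param([Parameter(Mandatory = $true)][string]$Root)

    # "Apply these permissions to objects and/or containers within this container only"
    # is stored on the ACE as the NoPropagateInherit propagation flag.
    $noPropagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

    # Check the root folder itself, then every folder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Folders the current account cannot read are reported, not silently skipped.
            Write-Warning ("Cannot read ACL on {0}: {1}" -f $folder.FullName, $_.Exception.Message)
            continue
        }
        foreach ($ace in $acl.Access) {
            # Only explicit ACEs matter; the flag stops them reaching grandchildren.
            if (-not $ace.IsInherited -and ($ace.PropagationFlags -band $noPropagate)) {
                New-Object PSObject -Property @{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Inherit  = $ace.InheritanceFlags
                }
            }
        }
    }
}

# Constructed sample path; point it at the home directory root being reset.
Find-NoPropagateAce -Root 'D:\Home\jsmith' | Format-Table -AutoSize
```

Each row is an entry to open in the Permission Entry window and uncheck before applying the permissions again.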

IE7 fails to automatically authenticate with enable integrated windows authentication checked

In Internet Explorer 7, under Tools, Internet Options, Advanced tab, the checkbox for “enable integrated windows authentication” is very confusing. You would think this means “just log me in with my windows credentials”, but no, there’s more to it than that. And what I found was, it simply enables “Negotiate”. It sets this registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate

After some research, this actually means that IE will negotiate between NTLM or Kerberos authentication. In some situations, Kerberos will fail. I don’t understand well enough to explain this one. But that’s ok, because the point of all this is… I want IE to authenticate automatically on my Intranet! Anyway, if you uncheck this setting in IE, it will set Negotiate to disabled. (0) If Negotiate is disabled, IE will use NTLM by default. BAM! I can login automatically.

Wouldn’t it be much more helpful if Microsoft had labeled that for what it was? Like: Negotiate Kerberos or NTLM Authentication.

Word of caution… some Intranet apps might depend on Kerberos, so this might cause more problems down the road if you disable this on all your client systems.

Another note… IE6, as I understand it, does not behave this way. It has a similar setting to enable windows authentication and I believe it uses NTLM by default. I HAVE NOT TESTED THIS, and I don’t know for sure if this is true, but according to my Googling, this is the case.

I found this site with info regarding EnableNegotiate:

http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry

 

Here’s another blog you might find useful:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/

 

 

 

Automatic Windows Authentication with Firefox network.automatic-ntlm-auth.trusted-uris

One of the main reasons I don’t use Firefox in an Intranet environment, is due to the logon prompt from IIS Windows Authentication. I keep having problems with IE7 on Vista losing the auto-NTLM auth, where it asks for my password, when it’s supposed to just log me in based on my domain logon! ARgh! So I started Google-ing and found out that Firefox can do this too!!! I never knew that, in all these years of Firefox use!

You have to set which sites are allowed to do this though. But that’s fine, not like I login with NTLM all over the place, just a couple sites from the Intranet. Go to about:config in Firefox, look up all the “network:auth” items and you’ll see this one:

network.automatic-ntlm-auth.trusted-uris

Open that, and enter the website address. (even port if needed) BAM! That’s it!

For example:

webapp.servername.local:8080

This will use automatic NTLM logons based on your windows logon. But note: I do not know if this works if your machine is not a member of a domain.