Friday, June 27, 2008

Windows 2003: Roaming profile on laptop computers

Before the laptop joins the domain, the laptop user kevin.smith has a local profile. In that local profile, Outlook was set up with a POP3 account.

After the laptop joins the domain, Kevin Smith has a domain account, Kevin.Smith@TLCTest.local, whose profile path is set to [\\servername\share\kevin.smith] (a roaming profile).

Please don't log on from the laptop as kevin.smith yet!

First, modify the laptop computer's local policy settings under
Local Computer Policy -- Computer Configuration -- Administrative Templates -- System -- User Profiles:
  • Prevent Roaming Profile changes from propagating to the server: Disabled
  • Only allow local user profiles: Disabled
On the domain controller, modify the Default Domain Controllers Policy to grant Kevin.Smith the "Allow log on locally" right.

At the domain controller, log on as Kevin.Smith and then log off. This creates the roaming profile.

Then, from the laptop, log on as Kevin.Smith. You will find that Kevin.Smith now uses the roaming profile. If you log on as Kevin.Smith on the laptop before logging him on at the domain controller, kevin.smith keeps using the local profile.

Copying the local profile over the roaming profile

Log on as the administrator on the laptop.
Copy Kevin.Smith's local profile over the roaming profile, and don't forget to grant TLCtest.local\Kevin.smith access permission to it.

However, the profile copying process does not copy the Local Settings folder of Kevin.Smith's local profile, and by default the Outlook PST file is created under Local Settings.

If you know the POP3 account password, that is easy. If not, you should manually copy the folder %systemroot%\documents and settings\Kevin.Smith\Local Settings\Application Data\Microsoft\Outlook to Kevin.Smith.TLCTEST\Local Settings\Application Data\Microsoft\Outlook.

If Kevin.Smith has signatures, you should also copy the folder %systemroot%\Documents and Settings\Kevin.Smith\Application Data\Microsoft\Signatures to Kevin.Smith.TLCTEST\Application Data\Microsoft\Signatures.

I assigned Kevin.Smith FULL CONTROL on Kevin.Smith.TLCTest and granted Kevin.Smith@TLCtest.local FULL CONTROL on Kevin.Smith.

But if the domain user name differs from the local user name, you must provide the POP3 password even after doing all of the above steps. For example:

Domain user name: blue
Local user name: Kevin.Smith


=========

Cannot change a local profile to a roaming profile

User NIFCS\Twoodworth has logged on to the domain for over a year and has always used a local profile. After I set her domain account's profile path to [\\nifcs-main\profile\%username%] and cycled the logon/logoff process many times, she still uses the local profile only. I cannot change it manually, as shown below.


Solution and danger:

Thank GOD, I copied the NIFCS\twoodworth local profile to another folder first. Turn on "Show hidden files and folders" and copy everything from NIFCS\Twoodworth to another folder, in case something goes wrong.

After the account profile path is configured, log on to and off from the domain controller as twoodworth, then log on as administrator and notice that the twoodworth roaming profile folder has been created.

Don't log on as NIFCS\Twoodworth from her workstation yet!!! If you do, the NIFCS\twoodworth local profile will be overwritten. Danger! You lose your job!

Find the NIFCS\Twoodworth roaming profile folder, take ownership as Administrators, and make sure you tick "Replace owner on subcontainers and objects".

Then log on as NIFCS\twoodworth from her workstation and log her off. Her local profile will be uploaded to the server.

The NTUSER.DAT file is very important: it holds the user's registry settings for the profile. Don't take it lightly, don't delete it, and don't create a new one from another computer for the roaming profile.

Monday, June 23, 2008

Server 2003: Distributed File System

Network Layout

Administrative Tools -- Distributed File System console

Step 1:

Create a new root --> hosting server --> TLCsv167 --> C:\Profiles

Add a new root target --> TLC25 --> C:\Profiles

Step 2:

Create a hidden share on TLCsv167 (C: drive)

Create a hidden share on TLC25 (C: drive)

In the Distributed File System console, add a new link --> share

Then add a new link target; the result will be:

Step 3:
Configuring replication
Do not configure DFS root replication.
Only configure link replication, as shown above.

Because the shares are hidden, you cannot browse the shared folders directly from My Network Places, but you can browse them through the DFS root.

====
I use the DFS path in the user profile path.

Sunday, June 22, 2008

Exchange 2007: Customizing the Default Global Address List

Outlook displays the global address list that meets the following criteria:
• The user has permissions to access this global address list.
• The user is a member of this global address list.
• This global address list is the largest of all the global address lists.

If you create more than one global address list, and you want a user to use a specific global address list, make sure that the user is a member of that list and has permissions to access only that list. You can create custom global address lists and add members to them.
===========

You can only create a Global Address List from the Exchange Management Shell.

New-GlobalAddressList -Name 'Shaw' -IncludedRecipients 'AllRecipients' -ConditionalCompany 'shaw'

New-GlobalAddressList -Name 'Telus' -IncludedRecipients 'AllRecipients' -ConditionalCompany 'Telus'

New-GlobalAddressList -Name 'TLC' -IncludedRecipients 'AllRecipients' -ConditionalCompany 'TLC'

Don't modify the Default Global Address List.

Mailbox users whose Company attribute is Telus will automatically use the global address list Telus.

Mailbox users whose Company attribute is Shaw will automatically use the global address list Shaw.

Mailbox users whose Company attribute is TLC will automatically use the global address list TLC.

Create the following mailboxes:

kaiming Liao
Rob Prince
Lina Zheng
Jane Liao
Jonathan Gao
Seungbum Yoo
Kevin Smith
Shane Brown
George Allistair
Alan King
Steve Paulie
Paul Bellitown
Scott Berger
Sarah Carl

$password=Read-Host "Enter password please!" -AsSecureString
$firstName="George"
$lastName="Allistair"
$city="Vancouver"
$company="Telus"
$province="BC"
$department="Network"
# The company, city, province and department values are applied afterwards with Set-User (see the Dynamic Distribution Group post below).
New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'

The following mailboxes are from the TLC company:

kaiming Liao
Rob Prince
Lina Zheng
Jane Liao
Seungbum Yoo

The following mailboxes are from the Telus company:

Jonathan Gao
Kevin Smith
Shane Brown
George Allistair

The following mailboxes are from the Shaw company:

Alan King
Steve Paulie
Paul Bellitown
Scott Berger
Sarah Carl

===

Create some mail contacts:



$firstName='Catherine'
$lastName='Alcee'
$externalMail='Catherine.Alcee@cdimail.ca'
$OU='Terrace.com/test'
New-MailContact -ExternalEmailAddress $externalMail -Alias "$firstName.$lastName" -Name "$firstName $lastName" -OrganizationalUnit $OU -FirstName $firstName -LastName $lastName




Catherine Alcee belongs to TLC company.

$firstName='Cindy'
$lastName='Pepin'
$externalMail='Cindy.Pepin@cdimail.ca'
$OU='Terrace.com/test'

New-MailContact -ExternalEmailAddress $externalMail -Alias "$firstName.$lastName" -Name "$firstName $lastName" -OrganizationalUnit $OU -FirstName $firstName -LastName $lastName

Cindy Pepin belongs to Telus company.

==

Create some mail user objects:

$firstName='Leesa'
$lastName='Watt'
$externalMail='Leesa.Watt@cdimail.ca'
$UPN='Leesa.Watt@Terrace.com'
$OU='Terrace.com/test'



$password=read-host "Enter password please!" -asSecureString

New-MailUser -ExternalEmailAddress $externalMail -Alias "$firstName.$lastName" -Name "$firstName $lastName" -UserPrincipalName $UPN -OrganizationalUnit $OU -FirstName $firstName -LastName $lastName -Password $password



Leesa.Watt belongs to Shaw company.

$firstName='Tino'
$lastName='Vaswani'
$externalMail='Tino.Vaswani@cdimail.ca'
$UPN='Tino.Vaswani@Terrace.com'
$OU='Terrace.com/test'
# -Password expects a SecureString, so the password must be read with -AsSecureString
$password=Read-Host "Enter password:" -AsSecureString

New-MailUser -ExternalEmailAddress $externalMail -Alias "$firstName.$lastName" -Name "$firstName $lastName" -UserPrincipalName $UPN -OrganizationalUnit $OU -FirstName $firstName -LastName $lastName -Password $password

Tino.Vaswani belongs to the Telus company.




=====

Get-GlobalAddressList Telus | Format-List
IsDefaultGlobalAddressList : False
RecipientFilter : (Company -eq 'Telus' -and Alias -ne $null)
LdapRecipientFilter : (&(company=Telus)(mailNickname=*))
LastUpdatedRecipientFilter : (Company -eq 'Telus' -and Alias -ne $null)
RecipientFilterApplied : True
IncludedRecipients : AllRecipients
ConditionalDepartment : {}
ConditionalCompany : {Telus}
ConditionalStateOrProvince : {}


Update-GlobalAddressList Telus
$global=get-globalAddresslist Telus
Get-Recipient -RecipientPreviewFilter $global.RecipientFilter
Jonathan Gao UserMailbox
Kevin Smith UserMailbox
Shane Brown UserMailbox
George Allistair UserMailbox
Cindy Pepin MailContact
Tino Vaswani MailUser



Get-GlobalAddressList Shaw | Format-List
IsDefaultGlobalAddressList : False
RecipientFilter : (Company -eq 'shaw' -and Alias -ne $null)
LdapRecipientFilter : (&(company=shaw)(mailNickname=*))
LastUpdatedRecipientFilter : (Company -eq 'shaw' -and Alias -ne $null)
RecipientFilterApplied : True
IncludedRecipients : AllRecipients
ConditionalDepartment : {}
ConditionalCompany : {shaw}
ConditionalStateOrProvince : {}



Update-GlobalAddressList Shaw
$global=Get-GlobalAddressList Shaw
Get-Recipient -RecipientPreviewFilter $global.RecipientFilter

Alan King UserMailbox
Steve Paulie UserMailbox
Paul Bellitown UserMailbox
Scott Berger UserMailbox
sarah Carl UserMailbox
Leesa Watt MailUser





Don't modify the Default Global Address List.

In Active Directory Users and Computers, three global groups are created: ShawGroup, TelusGroup, and TLCGroup.

ADSIEDIT.msc utility

Because the Default Global Address List includes every mail object, we must deny the members of the specific groups access to the Default Global Address List. Members of TelusGroup should access only the Telus global address list, and members of ShawGroup only the Shaw global address list.

When a new user is created with a mailbox, don't assign it to the specific group yet. After you have set up the Outlook client, assign the user to the specific group.

When you set up Outlook clients, they must use the Default Global Address List. If the user doesn't have permissions on the Default Global Address List, or is not a member of it, the Outlook client cannot be set up.

After I denied all three groups (TelusGroup, ShawGroup, TLCGroup), a new Outlook 2003 client could not be set up. After I allowed ShawGroup to access the Default Global Address List, Outlook 2003 could be configured for the new mailbox user. With the Outlook client configured, I denied ShawGroup access to the Default Global Address List again.

With Outlook 2007, I didn't experience this odd problem.

Advice: use Outlook 2007 if you implement multiple GALs.

The deny-permission method above has a drawback: it makes the Default Global Address List disappear, so a new mailbox user cannot be set up in Outlook.
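A membership audit worth running before the groups are denied access to the default GAL: it is an added example, not code from the original post, and it assumes the custom GALs created above exist and that it runs in the Exchange Management Shell.

```powershell
# Added example, not part of the original post. For every mail-enabled
# recipient, count how many custom (non-default) GALs match it, to catch the
# two cases that break the "deny the default GAL" design: a recipient that no
# custom GAL covers (blank or misspelled Company attribute) and a recipient
# that two custom GALs cover. Run in the Exchange Management Shell.

$customGals = Get-GlobalAddressList | Where-Object { -not $_.IsDefaultGlobalAddressList }

# Map each recipient identity to the names of the GALs that match it.
$coverage = @{}
foreach ($gal in $customGals) {
    Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter -ResultSize Unlimited |
        ForEach-Object {
            $key = $_.Identity.ToString()
            if (-not $coverage.ContainsKey($key)) { $coverage[$key] = @() }
            $coverage[$key] += $gal.Name
        }
}

# Everything the default GAL would show: every recipient that has an alias.
$allRecipients = Get-Recipient -ResultSize Unlimited -Filter 'Alias -ne $null'

$report = $allRecipients | ForEach-Object {
    $key  = $_.Identity.ToString()
    $gals = @()
    if ($coverage.ContainsKey($key)) { $gals = @($coverage[$key]) }
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Name     $_.Name
    $row | Add-Member NoteProperty Type     $_.RecipientType
    $row | Add-Member NoteProperty Company  $_.Company
    $row | Add-Member NoteProperty GalCount $gals.Count
    $row | Add-Member NoteProperty GALs     ([string]::Join(', ', [string[]]$gals))
    $row
}

"Recipients in no custom GAL (they see nothing once the default GAL is denied):"
$report | Where-Object { $_.GalCount -eq 0 } | Format-Table Name, Type, Company -AutoSize

"Recipients in more than one custom GAL:"
$report | Where-Object { $_.GalCount -gt 1 } | Format-Table Name, Type, GALs -AutoSize
```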

====


What about the address lists All Users, All Contacts, ...?

Since I don't want them, there are several options.

First:

In the ADSIEDIT.MSC utility, locate All Address Lists -- Properties -- Security tab

Authenticated Users -- Deny List Folder Content

Second:

From the Exchange Management Console, I simply remove All Users, All Contacts, etc.

Third (irrecoverable):

Delete All Address Lists from the ADSIEDIT.MSC console. Outlook then does not show All Address Lists. I like that.

===

Whatever you do, if you access your mailbox through OWA, you can still see all the address lists. That problem was solved too; search this blog for it.

Wednesday, June 18, 2008

Router: Port Triggering

Application communication process

Step 1: the client software sends a request to the public service on a specific port number.

Step 2: the IRC service verifies the submitted username and password by making a connection back to the client's NAT router.

If your router is not configured for port triggering, the returning traffic on port 113 will be dropped. When the NAT router is configured with port triggering, the IRC service can establish the verification connection to the client computer behind the NAT router.

With port triggering, you tell the router that when a computer makes an outbound connection on any port in the range 6660-7000, it should allow inbound connections to that particular computer. This is more flexible than static port forwarding because you do not need to set it up for a specific address on your network. You also gain some security, in the sense that the port is not left open when not actively in use.
The disadvantage of port triggering is that it only allows one client on the network to supply a particular service that uses a particular incoming port. Port triggering is unsuitable for putting servers behind a NAT router because it relies on the computer making an outgoing connection before it can receive incoming ones; servers should use port forwarding.
From the client side, the application has:
Outgoing port: trigger port
Reply port: public port, which must be open during the communication session
For example, DialPad:
The client-side software uses port 7175, which should be put in the trigger port field.
The service sends back traffic on ports 51200, 51201 and 51210, which should be put in the public port field.

Router: Port Range Forwarding

Network Layout
The router is a Linksys G Broadband router.
The web server hosts a SharePoint site listening on port 8000. The router configuration is as follows:
Application & Gaming menu
Application Name: Sharepoint
Start: 8000
End: 8000
Protocol: Both
IP address: 192.168.1.164 (the web server IP)
Enabled: checked
If you have a service that requires a range of ports, set the Start and End port numbers accordingly.
Why do I use port 8000 instead of the default 80? Because the ISP at the customer side blocks port 80. If it were open, I could use port 80 and forward that instead.

Linksys 4 port VPN router RV042: VPN Client Access

RV042
Network Layout

VPN Client Access

Create a VPN user

Export certificate for client

On the XP machine, install QuickVPN Client v1.2.8, which can be downloaded from http://www.linksys.com/
Copy the certificate to the VPN client software folder, e.g. %programFiles%\Linksys\Linksys VPN Client.
Run the Linksys VPN Client and click the Connect button.
The XP client machine can now access the 2003 computer, which is on the 192.168.2.0/24 network.

Client to Gateway vs. VPN Client Access
Client to Gateway is not customer friendly; it requires knowledge of IPsec configuration on the client side.
VPN Client Access is more flexible. For a global company with many VPN routers, the administrator could copy the routers' certificates to the VPN client folder and configure many profiles. When the customer travels to a different location, he or she activates the corresponding profile.

Linksys 4 port VPN router RV042: Client to Gateway

Network Layout

Working at the RV042:
Firewall: uncheck "Block WAN Request"
VPN: Client to Gateway
Add a tunnel
Tunnel Name: Kaiming
Local Security Gateway Type: IP Only
IP address: 192.168.1.182
Local Security Group Type: Subnet
IP address: 192.168.2.0/255.255.255.0
Remote Client: IP Only
IP address: 192.168.1.164

IPSec Setup

Keying Mode: IKE with Preshared key
Phase 1 DH Group: Group 1
Phase 1 Encryption: DES
Phase 1 Authentication: MD5
Phase 1 SA Life Time: 28800
Perfect Forward Secrecy: checked
Phase 2 DH Group: Group 1
Phase 2 Encryption: DES
Phase 2 Authentication: MD5
Phase 2 SA Life Time: 3600

Preshared Key: nifcs

==============

Windows 2003 Server

IP address: 192.168.1.164

Before I set up the IPsec policy, the 2003 server could not talk to the 192.168.2.0/24 network, but it could access the Internet.

MMC -- Add a snap-in -- Group Policy Object Editor -- Local Computer Policy

I modify the IPsec settings according to the RV042 VPN router's IPsec configuration.

Locate IPSec -- New IP Security Policy wizard

========
When the 2003 server accesses the Internet, the VPN tunnel is not established. When I ping 192.168.2.100, the tunnel is established and the 2003 server can access the 192.168.2.0/24 network.



Exchange 2007: Understanding the conditions in a Dynamic Distribution Group

The filter conditions in a Dynamic Distribution Group have a logical AND relation. What does that mean?
Let me create several mailboxes first:

$password=read-host "Enter password please!" -asSecureString

$firstName="George"
$lastName="Allistair"
$city="Vancouver"
$company="Telus"
$province="BC"
$department="Network"

New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'


Set-User -Identity "Terrace.Com/research/$firstName $lastName" -City $city -Company $company -StateOrProvince $province -Department $department


$firstName="Alan"
$lastName="King"
$city="Vancouver"
$company="Shaw"
$province="Alberta"
$department="Network"

New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'

Set-User -Identity "Terrace.Com/research/$firstName $lastName" -City $city -Company $company -StateOrProvince $province -Department $department

$firstName="Steve"
$lastName="Paulie"
$city="Vancouver"
$company="Shaw"
$province="BC"
$department="Marketing"

New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'

Set-User -Identity "Terrace.Com/research/$firstName $lastName" -City $city -Company $company -StateOrProvince $province -Department $department

$firstName="Paul"
$lastName="Bellitown"
$city="Vancouver"
$company="Telus"
$province="BC"
$department="Network"

New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'

Set-User -Identity "Terrace.Com/research/$firstName $lastName" -City $city -Company $company -StateOrProvince $province -Department $department

$firstName="Scott"
$lastName="Berger"
$city="Vancouver"
$company="Telus"
$province="BC"
$department="Marketing"

New-Mailbox -Name "$firstName $lastName" -Alias "$firstName.$lastName" -OrganizationalUnit 'Terrace.com/Research' -UserPrincipalName "$firstName.$lastName@Terrace.com" -SamAccountName "$firstName.$lastName" -FirstName $firstName -Initials '' -LastName $lastName -Password $password -Database 'USA\First Storage Group\Mailbox Database'

Set-User -Identity "Terrace.Com/research/$firstName $lastName" -City $city -Company $company -StateOrProvince $province -Department $department

# To include all members in both the BC and Alberta provinces, use a comma as highlighted below: within one parameter, the comma represents the OR relation.

New-DynamicDistributionGroup -Name "NetworkSupport" -OrganizationalUnit 'Terrace.COM/Research' -DisplayName 'Network Support Group' -Alias 'NetworkSupport' -IncludedRecipients "MailboxUsers" -ConditionalStateOrProvince 'BC','Alberta'

$network = Get-DynamicDistributionGroup -Identity "NetworkSupport"
Get-Recipient -RecipientPreviewFilter $network.RecipientFilter

Name
---- -------------
Alan King
Kevin Smith
George Allistair
Steve Paulie
Paul Bellitown
Scott Berger

# The ConditionalDepartment and ConditionalCompany parameters have the AND relation.

New-DynamicDistributionGroup -Name Marketing -OrganizationalUnit 'Terrace.com/Research' -DisplayName 'Marketing Group Canada' -Alias 'Marketing' -IncludedRecipients 'Mailboxusers' -ConditionalDepartment Marketing -ConditionalCompany Telus


$Marketing = Get-DynamicDistributionGroup -Identity "Marketing"
Get-Recipient -RecipientPreviewFilter $Marketing.RecipientFilter

Name
-------
Scott Berger
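The Conditional* parameters can only AND different attributes together. To mix AND between attributes with OR between companies, the group can be built from an explicit OPATH filter instead; this is an added example, not code from the original post, and it assumes the five mailboxes created above exist under Terrace.com/Research.

```powershell
# Added example, not part of the original post. A dynamic distribution group
# for mailbox users in the Marketing department of EITHER Telus OR Shaw:
# Department AND (Company OR Company). -ConditionalDepartment plus
# -ConditionalCompany cannot express this (each Conditional* list ORs its own
# values, and the lists are ANDed), so the group is built from a
# -RecipientFilter written in OPATH syntax instead. Assumes the mailboxes
# created above exist under Terrace.com/Research.

$filter = "((RecipientType -eq 'UserMailbox') -and " +
          "(Department -eq 'Marketing') -and " +
          "((Company -eq 'Telus') -or (Company -eq 'Shaw')))"

New-DynamicDistributionGroup -Name 'MarketingCanada' `
    -OrganizationalUnit 'Terrace.com/Research' `
    -DisplayName 'Marketing Group Canada' `
    -Alias 'MarketingCanada' `
    -RecipientFilter $filter

# Preview the membership the same way the post does for the other two groups,
# showing the attributes the filter tested so the AND/OR logic can be checked.
$grp = Get-DynamicDistributionGroup -Identity 'MarketingCanada'
Get-Recipient -RecipientPreviewFilter $grp.RecipientFilter |
    Format-Table Name, Company, Department, StateOrProvince -AutoSize
```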

Monday, June 16, 2008

Linksys 4 Port VPN router RV042: Gateway to Gateway configuration

Network Layout

RV042 at the Terrace side:

To make a Gateway to Gateway VPN connection, I must disable "Block WAN Request".

For the IPSec configuration, I use the preshared password. All other settings are left alone.

Check the routing table: Setup tab -- Advanced Routing -- at the bottom of the screen, the Show Routing Table link.

The ping button is quite handy.
=========

Rupert side:
VPN Gateway to Gateway:

Other configurations are the same as on the Terrace side VPN router. As you see from VPN Gateway to Gateway, the Local Group of the Terrace router is the Remote Group of the Rupert router, and vice versa.

In the above configuration, I configured the default gateways pointing to each other. I know we shouldn't do that. I need to find the solution. The following IP address strategy is better.

Terrace Router: VPN tunnel

Rupert Router: VPN tunnel:

Local Group: 192.168.3.0/255.255.255.0

Remote Group: 192.168.2.0/255.255.255.0

Remote Gateway: 192.168.1.182

Show routing table for the Terrace router:

Notice the default gateway: it is 192.168.1.1, not 192.168.1.182 or 192.168.1.184, which are used in the VPN tunnel configuration.

Sunday, June 15, 2008

ActiveDirectory: SID Filtering

SID filtering applies only to forest trusts or external trusts. If you enable SID filtering within a forest, you break the transitive trust relationship, so you should not enable SID filtering within the same forest.

You should enable SID filtering when you create a forest trust or an external trust.

On domain controllers that are running Windows Server 2003 or Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing external trust to "quarantine" the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.

What does SID filtering mean?

Trusting domain: Contoso
Trusted domain: Cpandl

When the domain Contoso trusts another domain, Cpandl, an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain. This allows all SIDs whose domain SID is that of the Cpandl domain to pass, but discards all other SIDs (such as migrated SIDs that are stored in SID history).

Disable SID filtering (run on a domain controller of the trusting domain):
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd

What is the SID history attribute?

Security principals in Active Directory have an attribute called SID history, to which domain administrators can add users' old security identifiers (SIDs). This is useful during Active Directory migrations because administrators do not need to modify access control lists (ACLs) on large numbers of resources, and users can use their old SIDs to access resources.
However, administrators in a trusted domain can use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights.

Not everyone can edit the SID history attribute unless they know how to modify its binary structure. There is no interface for it.
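A read-only check of the quarantine flag that the netdom command above toggles, as an added example (not from the original post). It reads the trustedDomain objects of the current domain through System.DirectoryServices, which is present on a 2003 domain controller, and decodes the trustAttributes bits documented in MS-ADTS.

```powershell
# Added example, not part of the original post. Lists every trust stored under
# CN=System of the current domain and decodes the trustAttributes bits, so you
# can see which trusts have SID filter quarantining (the flag that
# "netdom trust ... /quarantine:Yes" sets) before and after you change it.

# Bit values of trustAttributes and trustDirection as documented in MS-ADTS.
$attrFlags = @{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'    # SID filtering (quarantine) is on
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}
$directions = @{ 1 = 'inbound (trusted)'; 2 = 'outbound (trusting)'; 3 = 'bidirectional' }

function Get-TrustFlagNames([int]$value) {
    # Names of every flag set in a trustAttributes value, lowest bit first.
    $names = @()
    foreach ($bit in ($attrFlags.Keys | Sort-Object)) {
        if (($value -band $bit) -ne 0) { $names += $attrFlags[$bit] }
    }
    return ,$names
}

function Get-TrustReport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $systemDn = 'CN=System,' + $rootDse.Get('defaultNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $systemDn)
    $searcher.Filter     = '(objectClass=trustedDomain)'
    foreach ($attr in 'trustPartner', 'trustDirection', 'trustAttributes') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p     = $result.Properties
        $attrs = [int]$p['trustattributes'][0]
        $quarantined  = ($attrs -band 0x4)  -ne 0
        $forestTrans  = ($attrs -band 0x8)  -ne 0
        $withinForest = ($attrs -band 0x20) -ne 0

        # The two states the post warns about.
        $warning = ''
        if ($withinForest -and $quarantined) {
            $warning = 'quarantine set on an intra-forest trust (breaks transitivity)'
        } elseif (-not $withinForest -and -not $forestTrans -and -not $quarantined) {
            $warning = 'external trust without SID filtering'
        }

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Partner      $p['trustpartner'][0]
        $row | Add-Member NoteProperty Direction    $directions[[int]$p['trustdirection'][0]]
        $row | Add-Member NoteProperty SidFiltering $quarantined
        $row | Add-Member NoteProperty Flags        ([string]::Join(' ', [string[]](Get-TrustFlagNames $attrs)))
        $row | Add-Member NoteProperty Warning      $warning
        $row
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Forest trusts filter foreign-forest SIDs even without the quarantine bit, which is why the warning skips FOREST_TRANSITIVE trusts.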

Exchange 2007: Linked Mailbox

www.1ask2.com
How to create a Linked Mailbox in Exchange 2007?
A linked mailbox is a mailbox that is associated with an external account. Every mailbox must have a user account associated with it. However, the user account that will access the linked mailbox does not exist in the forest where Exchange is deployed. Therefore, a disabled user account that exists in the same forest as Exchange must be created and associated with each linked mailbox.

Make sure that your DNS configuration is correct.

On the Tiger.VAN.COM domain controller, start the Active Directory Domains and Trusts tool:

Right-click VAN.COM -- Properties -- Trusts

Click the New Trust button

Trust Name: Terrace.com

Direction of Trust: incoming trust

Sides of Trust: Both this domain and the specified domain

Administrative password for the Terrace.com domain

Result:
This domain is VAN.COM, which is the one you are working on.

Create a user account, Kobe, in VAN.COM first.

To create a Linked Mailbox, you need to work at the USA.Terrace.com domain controller.



Exchange Management Console

New Mailbox -- Linked Mailbox type

New User: Kobe Bryant

Mailbox Settings

Alias: Kobe.Bryant

Database: USA\First Storage Group\Mailbox Database

Example 2:

Create a user account in Van.com, e.g. Andy Wilson

At USA.Terrace.COM:

By Exchange Management Shell

[PS] D:\>$credential=Get-Credential
You should provide the UPN name, e.g. administrator@VAN.COM.

[PS] D:\>$password=read-host "Enter Password" -asSecureString

Enter Password: *********

[PS] D:\>New-Mailbox -Name 'Andy Wilson' -Alias 'Andy.Wilson' -OrganizationalUnit 'Terrace.com/Users' -UserPrincipalName 'Andy.Wilson@Terrace.com' -SamAccountName 'Andy.Wilson' -FirstName 'Andy' -Initials '' -LastName 'Wilson' -Database 'USA\First Storage Group\Mailbox Database' -LinkedMasterAccount 'VAN\Andy.Wilson' -LinkedDomainController 'tiger.VAN.com' -LinkedCredential $credential

How do you access the Linked Mailbox?
From OWA, e.g. https://USA.Terrace.com/OWA
You must sign in as van\Andy.Wilson instead of Terrace\Andy.Wilson. The Terrace\andy.wilson account is disabled.

When do you implement the Linked Mailbox? The resource forest scenario allows an organization to centralize Exchange in a single forest, while allowing access to the Exchange organization with user accounts in one or more trusted forests.

If you configure an Outlook client, please remember that the mailbox and its associated account are in different forests.

ActiveDirectory: Trust

The trusting domain and the trusted domain

One-way trust

The users or computers in the trusted domain can access resources in the trusting domain.

For the diagram above, we have the following summary:

When you create a trust from the Account Domain (trusted), the type of trust will be "incoming trust".

When you create a trust from the Resource Domain (trusting), the type of trust will be "outgoing trust".

Remember that the direction of trust is the opposite of the direction of access.

Scenario 1:

Users in the sales.wingtiptoys.com domain want to access resources in the Kerberos realm.

Sales.wingtiptoys.com is the Windows Server 2003 domain. When you create the trust with the Active Directory Domains and Trusts utility, you should select:

On the Trust Type page, click Realm trust

On the Direction of Trust page, click One-way: incoming

===

For this trust to function, the administrator of the realm must complete the trust, using his or her administrative credentials and the exact same trust password that was used during this procedure.

--outgoing trust

Exchange 2007: Full Name, UPN name, Display Name, Alias, Pre-Windows 2000 name

So many names!!!

In Active Directory Users and Computers, the Name column shows the Full Name. The Full Name must be unique; it identifies the user object in AD.

The Display Name of the user object (mailbox) is what the Exchange Management Console shows. You could set two or more mailboxes with the same Display Name.
Exchange Alias -- it is the mail object's nickname. As shown below, you could have the same alias for two or more mail objects.

By default, the Display Name is the same as the Full Name.

When you create a user object or mailbox object, you must provide the User Principal Name (UPN). By default, the Exchange Alias is derived from the UPN. For example, based on Kevin.Smith@terrace.com, the alias will be Kevin.Smith.

I modified the Display Name and alias on purpose to make a point.

===
Name parameter and Identity parameter

[PS] D:\>$password=Read-host "Enter password" -AsSecureString
Enter password: *

[PS] D:\>New-Mailbox -Name "Jonathan Gao" -DisplayName "Jonathan Jun Gao" -UserPrincipalName Jonathan.Gao@terrace.com -Password $password -FirstName Jonathan -LastName Gao -SamAccountName JGao -Database "USA\First Storage Group\Mailbox database"

Identity: DisplayName -- unique entries

[PS] D:\>Set-Mailbox -Identity "Jonathan Jun Gao" -DisplayName "Jonathan Jun2 Gao"

Identity:UPN name
[PS] D:\>Set-Mailbox -Identity "Jonathan.Gao@terrace.com" -DisplayName "xxx"

[PS] D:\>

Identity:Domain\samAccountName
[PS] D:\>Set-Mailbox -Identity Terrace\JGao -DisplayName "Jonathan Gao"
[PS] D:\>

Identity: LDAP name
[PS] D:\>Set-Mailbox -Identity "terrace.com/users/kevin smith" -DisplayName "Vancouver Kevin Smith"
[PS] D:\>

=====

Exchange Alias == must

It is used to automatically generate e-mail addresses.

Let's create a mail contact from USA.Terrace.COM.

[PS] D:\>New-MailContact -Name "Andy Wilson" -ExternalEmailAddress "andy.wilson@van.com" -DisplayName "Vancouver Andy Wilson" -Alias Van.Andy.Wilson

[PS] D:\>Get-MailContact -Identity "vancouver andy wilson" | Format-List alias,emailaddresses,ExternalEmailAddress,PrimarySMTPAddress

Alias : Van.Andy.Wilson
EmailAddresses : {smtp:Van.Andy.Wilson@Terrace.com, SMTP:andy.wilson@van.com}
ExternalEmailAddress : SMTP:andy.wilson@van.com
PrimarySmtpAddress : andy.wilson@van.com

The example shows that an e-mail address is generated from the alias. I could send e-mail to Van.Andy.Wilson@terrace.com, which is actually delivered to andy.wilson@van.com.

Remember that a mail contact cannot send e-mail out from your Exchange organization. To get the sending function, you must create a mailbox and configure a forwarding address.

How do you use the Display Name? You could (and should) use a meaningful name for a mail object, such as "Alert Administrator Johnson Williams". Within Outlook, when you use the address list, the display name helps you find the right person.


Wednesday, June 11, 2008

Windows 2003: Set up printers connected to a 64-bit OS

The TNDC corporation has the network shown below:

The two Canon multifunction copier/printers will be installed on a Windows 2003 64-bit server. All XP Professional 32-bit workstations will automatically install the printer drivers when connecting to the printers.

Steps:

1. Download the packages

PS3_v420_Setup_x64 for the Canon ImageRunner 2200;

Extract it to the folder

D:\drivers\canon imagerunner 2200\PS3v4.20\us_eng

which contains a 32bit folder and a 64bit folder.

Run setup.exe from the 64bit folder. It will automatically detect the Canon ImageRunner printers.

2. Install 32-bit drivers for Windows 2000, XP, and 2003

Open the Printers and Faxes container

File menu -- Server Properties -- Drivers tab

Click the Add button

Deselect the 64-bit driver because it is already installed;

Select the 32-bit drivers. The 32-bit driver for 2000/XP/2003 will be installed. When an XP workstation connects to the Canon printer over the network, the driver will be downloaded and installed automatically.

For the Canon ImageRunner C3100, I at first thought PS3_v420_Setup_x64 was also for the C3100, because when I went to Canon.com to download the driver for the ImageRunner C3100, it was in the list. The driver actually detects the C3100 printer and installs it without error. But no paper comes out when you print a document.

Later, I found out that the color multifunction copier/printer was using the UFR driver. What does UFR stand for? I downloaded the instruction manual, and it taught me a lesson about PCL, PS, and UFR. Even though I have installed both PCL and PS drivers many times, from the concepts below I have learned a little bit more about print drivers.

PS (PostScript): this is the Adobe Systems PS 3 emulation driver. The PS (PostScript) driver is well suited for printing from Adobe Systems software, and offers superior performance for printing high-quality text and graphics.
PCL: Hewlett-Packard's PCL driver, which includes the PCL5c, PCL5e, and PCL6 drivers. These PCL (Printer Control Language) drivers can be used with most kinds of business application software. The PCL5c printer driver is for color printers, while the PCL5e and PCL6 printer drivers are for black-and-white printers. PCL6 is an advanced version of PCL5e and offers superior printing quality and speed. The PCL5e and PCL6 drivers come with black-and-white printers as standard drivers.
Canon UFR printer driver: UFR (Ultra Fast Rendering) is a new algorithm for realizing high-speed color rendering. Using the UFR printer driver enables high-speed color printing.

Solution:

I installed the UFR driver for the C3100 on every XP Professional (32-bit) workstation, which prints directly to the printing device.

Sunday, June 8, 2008

Exchange 2007: Files in the Exchange data store

E00 indicates the first storage group on a server.

E01 indicates the second storage group on a server.

E02 indicates the third storage group on a server.

etc.
First Storage Group
Tmp.edb

As the name indicates, it is temporary. During information store maintenance, tmp.edb is used for transient storage: when indexes are created and when data is sorted, tmp.edb is used.

E00RES00001.JRS and E00RES00002.JRS reserve a portion of disk space. If the hard disk fills up, these two files allow Exchange 2007 to shut down normally instead of crashing the system.

E00.log is the current transaction log. Exchange first writes data to this log file. When E00.log is full, it is renamed according to the format E00000000001.log, E00000000002.log, etc.

E00tmp.log

Because renaming E00.log and creating a new E00.log takes some time, it is quite possible that Exchange 2007 has new data to log in the meantime. The E00tmp.log file bridges the gap: the new data is stored in E00tmp.log.

E00.chk

This is the checkpoint file. At a given moment, not all the transactions in the log files (E00.log, E00000000001.log, etc.) have been committed to the database file Mailbox Database.edb. E00.chk marks the point up to which transactions have been committed.
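A small classifier for such a storage group folder, as an added example (not from the original post). It applies the naming rules above to a constructed file list and also checks that the numbered generations form an unbroken sequence, which is what log replay after a restore depends on; the Exchange 2007 convention of eight hexadecimal digits in a generation file name is assumed.

```powershell
# Added example, not part of the original post. Classifies the files of an
# Exchange 2007 storage group folder by the naming rules described above and
# reports the newest log generation and any gap in the sequence (a missing
# generation means the logs after it cannot be replayed into the database).
# Exchange 2007 names generation logs Enn + 8 hexadecimal digits + .log.

function Get-ExchangeFileKind([string]$name) {
    # Returns a hashtable: Prefix (E00, E01, ...), Kind and, for numbered
    # logs, the generation number parsed as hexadecimal.
    switch -regex ($name.ToLower()) {
        '^(e\d\d)\.chk$'                { return @{ Prefix = $matches[1]; Kind = 'checkpoint' } }
        '^(e\d\d)\.log$'                { return @{ Prefix = $matches[1]; Kind = 'current-log' } }
        '^(e\d\d)tmp\.log$'             { return @{ Prefix = $matches[1]; Kind = 'next-log' } }
        '^(e\d\d)res\d{5}\.jrs$'        { return @{ Prefix = $matches[1]; Kind = 'reserve' } }
        '^(e\d\d)([0-9a-f]{8})\.log$'   { return @{ Prefix = $matches[1]; Kind = 'generation';
                                                    Generation = [Convert]::ToInt64($matches[2], 16) } }
        '^tmp\.edb$'                    { return @{ Prefix = ''; Kind = 'temp-db' } }
        '\.edb$'                        { return @{ Prefix = ''; Kind = 'database' } }
    }
    return @{ Prefix = ''; Kind = 'unknown' }
}

function Get-StorageGroupSummary($names) {
    $byKind = @{}
    $gens   = @()
    foreach ($f in $names) {
        $c = Get-ExchangeFileKind $f
        if (-not $byKind.ContainsKey($c.Kind)) { $byKind[$c.Kind] = @() }
        $byKind[$c.Kind] += $f
        if ($c.Kind -eq 'generation') { $gens += $c.Generation }
    }
    $gens = @($gens | Sort-Object)

    # Every generation between the oldest and newest on disk must be present.
    $missing = @()
    if ($gens.Count -gt 1) {
        for ($g = $gens[0]; $g -le $gens[$gens.Count - 1]; $g++) {
            if ($gens -notcontains $g) { $missing += ('{0:x8}' -f $g) }
        }
    }
    $newest = 'none'
    if ($gens.Count -gt 0) { $newest = '{0:x8}' -f $gens[$gens.Count - 1] }
    $unknown = @()
    if ($byKind.ContainsKey('unknown')) { $unknown = $byKind['unknown'] }

    $s = New-Object PSObject
    $s | Add-Member NoteProperty Files              (@($names).Count)
    $s | Add-Member NoteProperty GenerationLogs     ($gens.Count)
    $s | Add-Member NoteProperty NewestGeneration   $newest
    $s | Add-Member NoteProperty MissingGenerations ([string]::Join(' ', [string[]]$missing))
    $s | Add-Member NoteProperty HasCheckpoint      ($byKind.ContainsKey('checkpoint'))
    $s | Add-Member NoteProperty HasCurrentLog      ($byKind.ContainsKey('current-log'))
    $s | Add-Member NoteProperty HasNextLog         ($byKind.ContainsKey('next-log'))
    $s | Add-Member NoteProperty UnknownFiles       ([string]::Join(' ', [string[]]$unknown))
    $s
}

# Constructed sample resembling a First Storage Group folder; generation
# E0000000003 is deliberately absent.
$sample = @('Mailbox Database.edb', 'tmp.edb', 'E00.chk', 'E00.log', 'E00tmp.log',
            'E00res00001.jrs', 'E00res00002.jrs',
            'E0000000001.log', 'E0000000002.log', 'E0000000004.log', 'E0000000005.log',
            'notes.txt')
Get-StorageGroupSummary $sample | Format-List

# Against a real storage group folder (the path is a placeholder):
# Get-StorageGroupSummary (Get-ChildItem 'D:\First Storage Group' | ForEach-Object { $_.Name })
```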

Monday, June 2, 2008

Windows 2003: Users can write files but cannot modify or delete them

Requirements:
Administrator can do everything.

User1 can put files and create subfolders inside the User1 folder. User1 can open and read them, but cannot modify or delete them.

User2 has similar security needs.

Folder structure:
User1 folder's properties:

When user1 logs on, he can put files inside the companyFile\User1 folder, but he cannot delete or modify them.

Write Attributes and Write Extended Attributes control modification. If you assign both Write Attributes and Write Extended Attributes to user1, user1 can modify the files.
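The same folder permissions written out as explicit access rules, as an added example (not from the original post), so that the rights granted on the folder and the rights inherited by files are visible in one place. The folder path D:\companyFile\User1 and the account TLCTEST\user1 are placeholders.

```powershell
# Added example, not part of the original post. Applies the User1 folder
# permissions described above with explicit FileSystemAccessRule objects.
# user1 may list the folder, create files and subfolders, and read what is
# there; files inherit a read-only entry, so WriteData, AppendData,
# WriteAttributes, WriteExtendedAttributes and Delete are never granted on
# them. Folder path and account name are placeholders.

$folder = 'D:\companyFile\User1'
$user   = 'TLCTEST\user1'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ci      = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$oi      = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$ciOi    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Rights on the folder and on every subfolder: browse, read metadata, create.
$folderRights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions, CreateFiles, CreateDirectories, Traverse, Synchronize'
# Rights on files only: read the content, nothing that changes or removes it.
$fileRights   = [System.Security.AccessControl.FileSystemRights]'ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize'

$acl = Get-Acl $folder
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting from companyFile
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

# Administrators: everything, on the folder, its subfolders and its files.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $ciOi, $none, $allow)))
# user1 on this folder and subfolders only (not on files).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, $folderRights, $ci, $none, $allow)))
# user1 on files only: the InheritOnly flag keeps it off the folder itself.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, $fileRights, $oi, $inhOnly, $allow)))

Set-Acl -Path $folder -AclObject $acl

# Show the resulting entries so the rights can be compared with the dialog.
(Get-Acl $folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Caveat: the user who creates a file owns it, and on Windows 2003 an owner
# implicitly holds READ_CONTROL and WRITE_DAC, so user1 could re-grant
# himself rights on his own files. This ACL stops accidental edits and
# deletions; it is not a barrier against a determined user.
```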