Tuesday, September 26, 2006

Terminal services BEST practice

http://technet2.microsoft.com/WindowsServer/en/library/d0aa8673-cc55-4c70-a540-49fbc106834b1033.mspx?mfr=true

Terminal Server Best practices
Updated: January 21, 2005


Best practices


Install Terminal Server on a standalone server and not on a domain controller.

Installing Terminal Server on a domain controller can affect the performance of the server because of the additional memory, network traffic, and processor time required to perform the tasks of a domain controller in a domain.


Install Terminal Server on an NTFS file system partition.

NTFS provides greater security for users in a multisession environment who access the same data structures.


When shutting down a terminal server, use the tsshutdn command instead of the Shut Down option on the Start menu. This will shut down the server in a controlled manner. The Shut Down option on the Start menu does not notify users before ending user sessions and is not recommended. Ending a user's session without warning can result in loss of data at the client. For more information about using tsshutdn, see Tsshutdn.


Back up your license server regularly.

Backing up your license server regularly protects data from accidental loss due to hardware or storage failure. Create a duplicate copy of the data on your hard disk and then archive the data on another storage device such as a removable disk or tape. In the event that the original data on your hard disk is accidentally erased or overwritten, or becomes inaccessible because of a hard disk failure, you can easily restore the data from the archived copy.
Program installation


Use Add or Remove Programs in Control Panel to install applications on the terminal server. Using this method, you can install programs for multisession use. For more information about installing applications on a terminal server, see Starting the installation.


After you install Terminal Server, do not use Add or Remove Programs to switch Terminal Server on and off.

Terminal Server installs programs for use in a multisession environment. Programs that were installed while Terminal Server was installed might not work correctly when Terminal Server is uninstalled. Instead, reinstall all programs for use without Terminal Server if you decide to remove the component.


Check for application compatibility scripts before installing programs for use with Terminal Server.

Many commonly used programs have been tested for compatibility. Some programs require minor changes to the installation. Scripts are available for these programs and must be run after the program installation is complete. Scripts are located in the systemroot in \Application Compatibility Scripts\Install.
Configuring Terminal Services


Use Terminal Services Group Policy to configure one or more terminal servers, or to manage Terminal Server user settings. Terminal Server Group Policies can be applied on individual computers or on groups of computers belonging to a single organizational unit.
Managing users


Use Terminal Services-specific groups

Create User Groups that are specifically for Terminal Services users. Maintaining users through groups is much easier and less time consuming than managing users individually.

Windows Server 2003 family server operating systems contain a default User group called Remote Desktop Users, which has been specifically created to manage Terminal Server users. This group is not populated by default. You must add users to the Remote Desktop Users group if you want them to be able to establish remote connections.


Use Terminal Services-specific profiles

Assign a separate profile for logging onto Terminal Services. Many of the common options that are stored in profiles, such as screen savers and animated menu effects, are not desirable when using Terminal Services. Assigning a specific profile allows users to get the most out of the system they are using without expending additional server resources. For information about assigning a Terminal Services specific profile, see Change a user's Terminal Services profile path.


Use mandatory profiles

Use a mandatory Terminal Services profile that is created to suit the needs of all of the different types of clients and that provides the best server performance. Be aware that 16-bit computers and Windows-based terminals might not support some screen resolutions.


Set time limits

Setting limits on the duration of client connections can improve server performance. You can set the limits on how long a session lasts, how long a disconnected session is allowed to remain active on the server, and the time allowed for a session to remain connected, yet idle. For information about setting session limits, see Configuring session limits.


Use the Starting program option

If you have users who need access to only one application on the terminal server, use the Starting program option to restrict users to that application. For more information, see Specify a program to start on session connection.


Create preconfigured connection files for users or groups of users

To make connecting to Terminal Services easier, you can supply users with preconfigured connection files. Collections of connection files can also be made either for different departments within your organization or for different job titles. Preconfigured connection files are created using Remote Desktop Connection. For more information, see Managing Terminal Services connection files.

Monday, September 25, 2006

Sharing profiles between local and AD domain accounts (XP tested)

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=2240

To create a local account that shares your domain profile:

01. Log on as the local Administrator and create a local account with the same UserName as your domain account.

NOTE: Your PC cannot be a domain controller.

02. Log on as this new account and log off.

03. Log on as your domain account.

04. Use Regedt32 and select the HKEY_CURRENT_USER key.

05. On the Security menu, press Permissions.

06. Press the Add button.

07. In the Look in: box, toggle your local computer name. Select the new UserName account you created in step 01.

08. Press Add and then press OK.

09. On the Security tab, select the new ComputerName\UserName account and check both Read and Full Control.

10. Press the Advanced button and check both boxes at the bottom of the Permissions tab.

11. Press Apply and Press OK until all dialog boxes are closed.

12. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and locate the new SID by inspecting each ProfileImagePath for \Documents and Settings\UserName.ComputerName.

13. Double click this ProfileImagePath and remove the .ComputerName, so it is equal to your domain profile.

14. Exit Regedt32.

15. Delete the \Documents and Settings\UserName.ComputerName folder.

16. Grant the local UserName full control on the \Documents and Settings\UserName folder / sub-folders.

17. Log off and log on locally as UserName. You will see your domain (and local) profile.
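After steps 12 and 13, two SIDs in ProfileList point at the same profile directory, which is worth being able to find again later. The following is an added example, not part of the original tip: it parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s` and reports every profile path claimed by more than one SID. The sample output and all SIDs in it are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `reg query ...\ProfileList /s` output; the SIDs are
# made up. -1105 stands for the domain account, -1004 for the local account.
SAMPLE_PROFILELIST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111111111-2222222222-3333333333-1105
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\UserName

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4444444444-5555555555-6666666666-1004
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\username\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4444444444-5555555555-6666666666-500
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator
"""

KEY_RE = re.compile(r"\\ProfileList\\(S-\d+(?:-\d+)+)\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r"^\s+ProfileImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*\S)",
                      re.IGNORECASE)


def parse_profile_list(text):
    """Map each SID subkey to its ProfileImagePath value."""
    profiles, sid = {}, None
    for line in text.splitlines():
        key = KEY_RE.search(line) if line.startswith("HKEY_") else None
        if key:
            sid = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and sid:
            profiles[sid] = value.group(1)
    return profiles


def shared_profiles(text):
    """Return one finding per profile path that more than one SID points at."""
    by_path = defaultdict(list)
    for sid, path in parse_profile_list(text).items():
        # Windows paths are case-insensitive; ignore a trailing backslash too.
        by_path[path.rstrip("\\").lower()].append(sid)
    findings = []
    for path, sids in by_path.items():
        if len(sids) > 1:
            # Everything before the last "-" identifies the issuing machine or
            # domain; different issuers mean a local and a domain account
            # share the directory, as in the procedure above.
            issuers = {s.rsplit("-", 1)[0] for s in sids}
            findings.append({"path": path, "sids": sorted(sids),
                             "cross_authority": len(issuers) > 1})
    return findings


if __name__ == "__main__":
    for finding in shared_profiles(SAMPLE_PROFILELIST):
        print(finding)
```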

Friday, September 22, 2006

HP warranty lookup

http://h20000.www2.hp.com/bizsupport/TechSupport/WarrantyLookup.jsp?lang=en&cc=us&prodSeriesId=472277&prodTypeId=12454

Monday, September 18, 2006

SNMP trap configuration

To configure agent properties

1. Open Computer Management.

2. In the console tree, click Services (Services and Applications > Services).

3. In the details pane, click SNMP Service.

4. On the Action menu, click Properties.

5. On the Agent tab, in Contact, type the name of the user or administrator for this computer.

6. In Location, type the physical location of the computer or the contact.

7. Under Service, select the appropriate check boxes for this computer, and then click OK.

Thursday, September 14, 2006

Post blog on SD reader

Nifty web tools

web templates

Friday, September 08, 2006

Tor: An anonymous Internet communication system

http://tor.eff.org/

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Gnat box notes

sequence of setup:
Inbound tunnel - ext ip:port mapping w/ int ip:port
Remote Access filter - further narrow down from what IP to what IP; (allow any to any 25...)
IP passthru - i.e. VPN 192.168 allow all to corp subnet; (fe1 ok-> ex,fs; crm !-> ex,fs)

details:

IP Pass Through Filters

IP Pass Through Filters control access to and from IP addresses that have been specified as IP Pass Through addresses. IP Pass Through Filters are different from Remote Access and Outbound Filters in that they control both inbound and outbound access to/from the designated IP Pass Through addresses. Since IP Pass Through addresses are not translated, the GTA Firewall functions as a gateway for these addresses. IP Pass Through Filters utilize IP Pass Through addresses in the definitions, not GTA Firewall network interface addresses.

Typically, two filters are required for each different Hosts/Network IP Pass Through IP address: one for outbound access and the other for inbound access. IP Pass Through Filters are defined in the same manner as Remote Access or Outbound filters. The rules concerning filter order also apply.

If IP Pass Through hosts/networks are defined, defaulting filters will create a filter set based on the addresses defined on the Hosts/Networks screen. Since IP Pass Through hosts/networks can be defined in a variety of different combinations, the default filters will vary according to options selected. These system-generated filters can be modified to match your security requirements.

Create a Pair of Filters for a Defined IP Pass Through Host

  1. Create an empty filter definition, or edit an existing filter.

  2. An IP Pass Through address must have two filters, inbound and outbound. First create the Outbound filter. Complete the filter definition in the same manner as an Outbound filter, specifying the same source IP address as that of the IP Pass Through address. Save the filter.

  3. Create another filter for the inbound connection. Define the filter as you would a Remote Access Filter except that the destination IP address will be the IP Pass Through address, not the IP address on the GTA Firewall network interface. Save the filter.

  4. Once you have completed all the desired IP Pass Through Filters, click the Save button on the filter set to save the filters and apply them to the system.

Accessing IMAP email accounts using telnet

Wednesday, September 06, 2006

Firewall ports to be opened when Exchange is in DMZ

http://support.microsoft.com/default.aspx?kbid=270836

Exchange Server static port mappings
Article ID : 270836
Last Review : July 3, 2006
Revision : 12.1
This article was previously published under Q270836
This article is a consolidation of the following previously available articles: 270836, 148732, 155831, 833799, 291615, 264035, 302914, 278339, 280132, 298369, 194952, 259240, 832017, 320529, 320228, and 154596

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry
SUMMARY
This article describes how to statically map the ports that earlier-version MAPI client computers use to connect through a firewall to a server that is running Microsoft Exchange Server 5.5, Microsoft Exchange 2000 Server, or Microsoft Exchange Server 2003. Earlier-version MAPI client computers include Exchange Server client computers and client computers that are running Microsoft Outlook in Corporate or Workgroup mode. Additionally, this article describes how to statically map the ports in a front-end server in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet) Ethernet environment so that the computer can log on to the network and communicate with the back-end servers.
MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Static port mappings for MAPI client computers to connect to Exchange 2000 Server or Exchange Server 2003 through a firewall
To enable earlier-version MAPI client computers to connect to Exchange 2000 Server or Exchange Server 2003 through a firewall, add entries to the registry to make the ports that are assigned to these connections static. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
3. Add the following entry for the Microsoft Exchange SA RFR Interface:
Value name: TCP/IP Port
Value type: REG_DWORD
Value data: The port number to be assigned, in decimal format
Make sure that you assign different port settings to each registry key. If you run the netstat -an command at a command prompt, you can view all TCP/IP connections and listening ports in numeric format. You must use an unused port for the static mappings.

Note We recommend that you assign ports in the 5000 - 65535 (decimal) range. For more information about the guidelines for static port assignment of Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewalls
4. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
5. Add the following registry value for the Microsoft Exchange Directory NSPI Proxy Interface:
Value name: TCP/IP NSPI Port
Value type: REG_DWORD
Value data: The port number to be assigned, in decimal format
6. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
7. Add the following registry value for the Microsoft Exchange Information Store Interface:
Value name: TCP/IP Port
Value type: REG_DWORD
Value data: The port number to be assigned, in decimal format
8. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters
9. Add the following registry value for the Microsoft Exchange Site Replication Service (SRS):
Value name: TCP/IP
Value type: REG_DWORD
Value data: The port number to be assigned, in decimal format
10. Exit Registry Editor.
11. Restart the computer.
After you complete these steps, configure the packet filter or firewall to enable TCP connections to be made to port 135 for the Microsoft Exchange System Attendant service and the ports that you assigned in steps 5, 7, and 9.

If you make these changes on a server that is running Exchange 2000 Server or Exchange Server 2003 and that is installed on a global catalog server, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: The port number to be assigned, in decimal format
Note Port assignments should be in the range of 1024 through 5000 (decimal).
4. Exit Registry Editor.
Restart the global catalog server so that the static mapping is read when the Name Service Provider Interface (NSPI) is initialized.

Note The port number that is selected should not conflict with other programs. If the port number conflicts with other programs, the NSPI will not start.
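The rules in this section (a different port for each registry value, an unused port, and the recommended 5000 - 65535 range) can be checked before anything is written to the registry. The following is an added example, not code from the Knowledge Base article: it validates a planned mapping against `netstat -an` output and renders the result as .reg text, where REG_DWORD data is hexadecimal even though the article gives the ports in decimal. The interface labels, function names and the netstat sample are assumptions made for illustration.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Registry key and value name for each interface, from steps 2-9 above.
EXCHANGE_VALUES = {
    "SA RFR": (SERVICES + r"\MSExchangeSA\Parameters", "TCP/IP Port"),
    "NSPI Proxy": (SERVICES + r"\MSExchangeSA\Parameters", "TCP/IP NSPI Port"),
    "Information Store": (SERVICES + r"\MSExchangeIS\ParametersSystem",
                          "TCP/IP Port"),
    "SRS": (SERVICES + r"\MSExchangeSRS\Parameters", "TCP/IP"),
}
RECOMMENDED_MIN, PORT_MAX = 5000, 65535

# Constructed sample of `netstat -an` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1025          10.0.0.9:389           ESTABLISHED
  UDP    0.0.0.0:5002           *:*
"""


def tcp_ports_in_use(netstat_text):
    """Return every local TCP port that appears in `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        match = re.match(r"\s*TCP\s+\S+:(\d+)\s", line, re.IGNORECASE)
        if match:
            ports.add(int(match.group(1)))
    return ports


def validate_plan(plan, netstat_text):
    """Check an {interface: port} plan; return (severity, message) findings."""
    findings, seen = [], {}
    in_use = tcp_ports_in_use(netstat_text)
    for name, port in plan.items():
        if name not in EXCHANGE_VALUES:
            findings.append(("error", f"{name}: not an interface listed above"))
            continue
        if not isinstance(port, int) or not 1 <= port <= PORT_MAX:
            findings.append(("error", f"{name}: {port!r} is not a TCP port"))
            continue
        if port in seen:
            findings.append(
                ("error", f"{name}: port {port} already planned for {seen[port]}"))
        seen.setdefault(port, name)
        if port in in_use:
            findings.append(("error", f"{name}: port {port} is already in use"))
        if port < RECOMMENDED_MIN:
            findings.append(
                ("warning", f"{name}: port {port} is below the recommended range"))
    return findings


def render_reg(plan):
    """Render a validated plan as .reg text (dword data is 8 hex digits)."""
    by_key = {}
    for name, port in plan.items():
        key, value_name = EXCHANGE_VALUES[name]
        by_key.setdefault(key, []).append(f'"{value_name}"=dword:{port:08x}')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines += [f"[{key}]", *values, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    plan = {"SA RFR": 6001, "NSPI Proxy": 6002,
            "Information Store": 6003, "SRS": 6004}
    problems = validate_plan(plan, SAMPLE_NETSTAT)
    print(problems if problems else render_reg(plan))
```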
Static port mappings for MAPI client computers to connect to Exchange Server 5.5 through a firewall
To enable earlier-version MAPI client computers to connect to Exchange Server 5.5 through a firewall, add entries to the registry to make the ports that are assigned to these connections static. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: 5000
Note We recommend that you assign ports in the 5000 - 65535 (decimal) range. For more information about the guidelines for static port assignments of Exchange Server services, click the following article number to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewalls
4. Locate and then click to select the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
5. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: 5001
Note We recommend that you assign ports in the 5000 - 65535 (decimal) range. For more information about the guidelines for static port assignments of Exchange Server services, click the following article number to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewalls
6. Exit Registry Editor.
7. Restart the computer.
After you complete these steps, configure the packet filter or firewall to allow for Transmission Control Protocol (TCP) connections to be made to port 135 for the Microsoft Exchange System Attendant service, and the ports that you assigned in steps 3 and 5.
Statically map the ports for a front-end server in a perimeter network Ethernet environment so that the computer can log on to the network and communicate with the back-end servers
To install Exchange Server 2003 or Exchange 2000 Server on computers that are isolated from their Microsoft Windows Server 2003 or Microsoft Windows 2000 networks by a firewall and that are in a perimeter network Ethernet environment, follow these steps:
1. To enable Windows Server 2003-based computers or Windows 2000-based computers to log on to the domain through the firewall, open the following ports for incoming traffic:
• 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
• 80 (TCP) - Required for Outlook Web Access access for communication between front-end and back-end Exchange servers.
• 88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.
• 123 (UDP) - Windows Time Synchronization Protocol (NTP). This is not required for Windows 2000 logon capability. However, it may be configured or required by the network administrator.
• 135 (TCP) - EndPointMapper.
• 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
• 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion, and Microsoft Distributed File System (DFS) discovery.
• 3268 (TCP) - LDAP to global catalog servers.
• One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and 3514235-4b06-11d1-ab04-00c04fc2dcd2). This is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System Attendant (MAD) source code. Therefore, you must map the port in the registry on any domain controllers that the Exchange server must contact through the firewall to process logons. Then, open the port on the firewall.

To map the port in the registry, follow these steps:
a. Start Registry Editor.
b. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
c. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value: A value that is more than 1024
d. Exit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash. Additionally, make sure that you assign a value that is more than 1024 (decimal). This number is the additional port that you must open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not affect performance. Additionally, setting this registry value covers any logon request redirects that occur because of servers that are down, roles that change, or bandwidth requirements.
Notes
• For the server inside the firewall to communicate through the firewall to the external server, you must also have ports 1024 through 65535 configured for outgoing communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
• When Windows 2000 Server-based computers log on to the domain through the firewall, Windows 2000 sends a sequence of TCP/IP ping requests to the destination server. Windows 2000 does this to determine whether a client computer is gaining access to a domain controller over a slow link to apply Group Policy or to download a roaming user profile.
2. Install Exchange Server 2003 or Exchange 2000 Server on the external computer. You do not need any more ports open to install Exchange Server 2003 or Exchange 2000 Server on the external computer.
3. Configure Exchange Server 2003 or Exchange 2000 Server front-end and back-end connectivity. Exchange Server 2003 or Exchange 2000 Server front-end and back-end connectivity only requires that other ports be open as required for whatever communication is appropriate. For example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP 143 [TCP], and so on. Additionally, any connectivity by secure protocols, such as IPsec or Secure Sockets Layer (SSL)-secured HTTP, Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3), that you need requires additional configuration that is not specified in this article. If the front-end server in the perimeter network has a different subnet, make sure that you add that subnet in the Active Directory Sites and Services snap-in.

Note You do not have to add the subnet if you have not created a separate subnet object in Active Directory Sites and Services.


In a perimeter network Ethernet environment, you must also define TCP/IP routes from the computer in the perimeter network Ethernet environment to every computer in the internal network that you must communicate with.

Note In a perimeter network firewall scenario, there is no Internet Control Message Protocol (ICMP) connectivity between the Exchange server and the domain controllers. By default, Directory Access (DSAccess) uses ICMP to ping each server to which it connects to determine whether the server is available. When there is no ICMP connectivity, Directory Access responds as if every domain controller were unavailable. For more information about how to turn off the Directory Access ping by creating a registry key, click the following article numbers to view the articles in the Microsoft Knowledge Base:
320529 (http://support.microsoft.com/kb/320529/) Using DSAccess in a perimeter network firewall scenario requires a registry key setting
320228 (http://support.microsoft.com/kb/320228/) The "DisableNetLogonCheck" registry value and how to use it
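The point of the static NTDS mapping is that the incoming rule set toward the domain controllers can stay as narrow as the port list in step 1. The following is an added example, not part of the Knowledge Base article: it compares a set of incoming allow rules with that list plus the statically mapped port, and reports both missing entries and rules that open more than the list needs. The rule format `(protocol, first_port, last_port)`, the function name and the sample rules are assumptions, and port 5010 is a constructed value for the NTDS "TCP/IP Port" setting.

```python
# Ports from step 1 of this section that must be open for incoming traffic.
REQUIRED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 80): "OWA front-end to back-end",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "EndPointMapper",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP",
    ("tcp", 445): "SMB",
    ("tcp", 3268): "LDAP to global catalog servers",
}
# Listed in the article, but not required for Windows 2000 logon capability.
OPTIONAL = {("udp", 123): "NTP"}

# Constructed rule set: most single ports are present, but a wide TCP range
# was opened instead of the static NTDS port, and two UDP entries are absent.
SAMPLE_RULES = [
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 80, 80),
    ("tcp", 88, 88), ("udp", 88, 88), ("tcp", 135, 135),
    ("tcp", 389, 389), ("tcp", 445, 445), ("tcp", 1024, 65535),
]


def audit_inbound_rules(rules, ntds_port):
    """Compare incoming allow rules with the article's list.

    rules     -- iterable of (protocol, first_port, last_port)
    ntds_port -- the value set for NTDS\\Parameters "TCP/IP Port"
    Returns {"missing": [(protocol, port)], "excess": [(rule, unneeded_ports)]}.
    """
    if not 1024 < ntds_port <= 65535:
        raise ValueError("the article calls for a value that is more than 1024")
    required = dict(REQUIRED)
    for proto in ("tcp", "udp"):  # the article opens this port for TCP and UDP
        required[(proto, ntds_port)] = "Active Directory logon and replication"
    expected = set(required) | set(OPTIONAL)

    allowed, excess = set(), []
    for proto, first, last in rules:
        opened = {(proto.lower(), port) for port in range(first, last + 1)}
        allowed |= opened
        unneeded = len(opened - expected)
        if unneeded:
            excess.append(((proto, first, last), unneeded))
    missing = sorted(entry for entry in required if entry not in allowed)
    return {"missing": missing, "excess": excess}


if __name__ == "__main__":
    report = audit_inbound_rules(SAMPLE_RULES, ntds_port=5010)
    for proto, port in report["missing"]:
        print(f"missing: {port}/{proto}")
    for rule, count in report["excess"]:
        print(f"too wide: {rule} opens {count} ports the list does not need")
```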
How to configure Microsoft Exchange Server 5.5 Outlook Web Access to connect to Exchange Server 5.5 through a firewall
To install Exchange Server 5.5 Outlook Web Access on the external computer that is directed at a Microsoft Exchange Server 5.5 server that is running inside the perimeter network and a firewall, you must open the Windows 2000 or Windows Server 2003 ports that were mentioned at the start of the "Statically map the ports for a front-end server in a perimeter network Ethernet environment so that the computer can log on to the network and communicate with the back-end servers" section. Additionally, you need static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), the Microsoft Exchange Information Store service (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and the System Attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c).

To configure the RPC port for the Microsoft Exchange Directory Service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
To configure the RPC port for the Microsoft Exchange Information Store service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
To configure the RPC port for the Microsoft Exchange System Attendant service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
5. Restart the computer.
Limitations of Exchange Server static port mappings
The following list describes some of the limitations of Exchange Server static port mappings:
• Outlook client access issues

If a process is already using the statically assigned port when the Exchange service starts, the Exchange service cannot use that port. However, the Microsoft Exchange Information Store service or the Microsoft Exchange Directory service, or both services, will still register all their other endpoints and start successfully.

However, when users try to open Outlook and then connect to Exchange Server, they may receive the following error message:
Unable to open your default e-mail folders. You do not have permission to log on.
To resolve this issue, make sure that Exchange Server has initialized a port for the Microsoft Exchange Information Store service, the System Attendant service, and the NSPI service. You can verify this by running RPCDump on the server for the TCP/IP protocol.

You can statically map the Exchange Server services that are listed in this article to any free TCP/IP port number in the full range (1 - 65535). However, we recommend that you use the range 5000 - 65535 because most services that automatically select an ephemeral port that is greater than 1023 usually start with the ports on the lesser range (1024 - 4999). If you run a netstat -an command at a command prompt, you receive a listing of all the ports that are currently registered on the server. You can use this list to help determine a new, valid (unused) port that you can use to statically map the Exchange services.
• Message tracking issues

To enable the message tracking function on a server that is running Exchange 2000 Server Service Pack 2 (SP2) or a later version and that is located in the perimeter network, the Windows Management Instrumentation (WMI) must be allowed to connect to the target server.

The WMI service starts to create connections at the lowest numbered port starting at port 1024. Over time, the port number that is used by WMI increases sequentially. For more information about how to statically map ports for the WMI service, click the following article number to view the article in the Microsoft Knowledge Base:
154596 (http://support.microsoft.com/kb/154596/) How to configure RPC dynamic port allocation to work with firewall
REFERENCES
For more information about how to configure static communication ports in Outlook 2003, click the following article number to view the article in the Microsoft Knowledge Base:
833799 (http://support.microsoft.com/kb/833799/) How to configure static communication ports in Outlook 2003
For more information about how Outlook 2000 accesses the Active Directory directory service, click the following article number to view the article in the Microsoft Knowledge Base:
302914 (http://support.microsoft.com/kb/302914/) How Outlook 2000 accesses Active Directory
For more information about the ports that Exchange 2000 Server uses, click the following article number to view the article in the Microsoft Knowledge Base:
278339 (http://support.microsoft.com/kb/278339/) TCP/UDP ports used by Exchange 2000 Server
For more information about how MAPI clients access Active Directory, click the following article number to view the article in the Microsoft Knowledge Base:
256976 (http://support.microsoft.com/kb/256976/) How MAPI clients access Active Directory
For more information about how Outlook clients connect through a firewall or proxy server that is performing Network Address Translation (NAT) between public and private networks, click the following article number to view the article in the Microsoft Knowledge Base:
291615 (http://support.microsoft.com/kb/291615/) Outlook cannot connect through a firewall or a proxy server that is performing Network Address Translation (NAT) between public and private networks in Outlook 2002 and Outlook 2003
For more information about how to configure ports for UDP new mail notification packets, click the following article number to view the article in the Microsoft Knowledge Base:
264035 (http://support.microsoft.com/kb/264035/) No way to configure port for UDP new mail notification packets
For more information about port requirements for Windows Server systems, click the following article number to view the article in the Microsoft Knowledge Base:
832017 (http://support.microsoft.com/kb/832017/) Service overview and network port requirements for the Windows Server system
APPLIES TO
• Microsoft Exchange Server 2003 Enterprise Edition
• Microsoft Exchange Server 2003 Standard Edition
• Microsoft Exchange 2000 Server Standard Edition
• Microsoft Exchange Server 5.5 Standard Edition
Keywords:
kbhowto kbnofix KB270836

Tuesday, September 05, 2006

Hottest scripts on hotscripts.com

Offline Files How To...

http://technet2.microsoft.com/WindowsServer/en/library/63f30266-9394-4df4-920e-366a7d1d86381033.mspx?mfr=true

How to...

Set up your computer to use Offline Files

Make a file or folder available offline

Change how Offline Files responds to network disconnection

Encrypt offline files

Make Web pages available offline

Making search engine index Flash sites properly

Search Engine SDK FAQ


http://www.adobe.com/licensing/developer/search/faq/#item-1-6
Who should use the Macromedia Flash Search Engine SDK?

The Macromedia Flash Search Engine SDK is designed for search engine application engineering teams. Users of the SDK can add Flash file decompression, parsing, and indexing features to their server-based search applications.

Intermediate and advanced Flash developers may find the SDK useful for other server-based text and link extraction/conversion purposes, or for client-side testing of their Flash content against the basic Macromedia Flash Search Engine SDK code.

How does the Macromedia Flash Search Engine SDK work?

The SDK includes an application named ‘swf2html’. Swf2html extracts text and links from a Flash .SWF file, and returns the data to stdout or as an HTML document. Swf2html is provided as a compiled application, and as a static library for linked library implementation. For complete functionality, see the file Readme.htm included in the SDK.

What is included in the Macromedia Flash Search Engine SDK?

Included in the Macromedia Flash Search Engine SDK are the following:

  1. swf2html executable files, for command-line implementation
  2. libswf2html static libraries, for linked library implementation
  3. zlib decompression library for decompressing Flash Player 6 files that have been compressed
  4. C++ source code
  5. Technical readme file (Readme.htm) that covers:
    • What swf2html extracts from a SWF file
    • Sample output
    • Command-line implementation
    • Linked library implementation
    • Build note

What are the system requirements for the SDK?

The SDK supports processing SWF files created for Flash Player 3, 4, 5, 6, 7, and 8 and has been tested on Windows NT4, Windows 2000 Professional, and Linux RedHat 7.1 systems. Additional platforms should be built using the SDK.

Will search engines that deploy the Macromedia Flash Search Engine SDK be able to decompress my compressed Macromedia Flash Player 6 files?

Yes. The Flash Search Engine SDK code supports SWF files created for Flash Player 3, 4, 5, 6, 7, and 8.

Can search engines index Macromedia Flash content that was created with Flash 3 or Flash 4?

Yes. The Flash Search Engine SDK code supports SWF files created for Flash Player 3, 4, 5, 6, 7, and 8.

When can I expect to have my Flash content included in third party search engine indexes?

Adobe is working to support a number of search engine companies, but has not made any announcements about specific search engine support. For up-to-date information on this effort, visit the Adobe Flash Developer Center, as well as individual search sites for future developments.

Where can I find out more information about the Flash Search Engine SDK?
See the Readme file included with the Flash Search Engine SDK.

How to use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003

http://support.microsoft.com/kb/326480/

SUMMARY

This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from a Microsoft Windows 2000-based domain to a Microsoft Windows Server 2003-based domain.



MORE INFORMATION
You can use ADMT to migrate users, groups, and computers from one domain to another, and analyze the migration effect before and after the actual migration process.

Note This article assumes that the source domain is a Windows 2000-based domain, and that the target domain is a Windows Server 2003-based domain in Windows 2000 Native mode or later.



How to set up ADMT for a Windows 2000 to Windows Server 2003 migration

You can install the Active Directory Migration Tool version 2 on any computer that is running Windows 2000 or later, including:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows XP Professional
Microsoft Windows Server 2003
The computer on which you install ADMT must be a member of either the source or the target domain.

Intraforest migration

Intraforest migration does not require any special domain configuration. The account you use to run ADMT must have enough permissions to perform the actions that are requested by ADMT. For example, the account must have the right to delete accounts in the source domain, and to create accounts in the target domain.

Intraforest migration is a move operation instead of a copy operation. These migrations are said to be destructive because after the move, the migrated objects no longer exist in the source domain. Because the object is moved instead of copied, some actions that are optional in interforest migrations occur automatically. Specifically, the sIDHistory and password are automatically migrated during all intraforest migrations.

Interforest migration

ADMT requires the following permissions to run properly:
Administrator rights in the source domain.
Administrator rights on each computer that you migrate.
Administrator rights on each computer on which you translate security.
Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain, you must make some domain and security configurations. Computer migration and security translation do not require any special domain configuration. However, each computer you want to migrate must have the administrative shares, C$ and ADMIN$.

The account you use to run ADMT must have enough permissions to complete the required tasks. The account must have permission to create computer accounts in the target domain and organizational unit, and must be a member of the local Administrators group on each computer to be migrated.

User and group migration

You must configure the source domain to trust the target domain. Optionally, the target may be configured to trust the source domain. While this may ease configuration, it is not required to finish the ADMT migration.

Requirements for optional migration tasks

You can complete the following tasks automatically by running the User Migration Wizard in Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT must be an Administrator in both the source and the target domains for the automatic configuration to succeed.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1. Create a new local group in the source domain that is named %sourcedomain%$$$. There must be no members in this group.
2. Turn on auditing for the success and failure of Audit account management on both domains in the Default Domain Controllers policy.
3. Configure the source domain to allow RPC access to the SAM by configuring the following registry entry on the PDC Emulator in the source domain with a DWORD value of 1:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\TcpipClientSupport
   You must restart the PDC Emulator after you make this change.
Note For Windows 2000 domains, the account you use to run ADMT must have domain administrator permissions in both the source and target domains. For Windows Server 2003 target domains, the 'Migrate sIDHistory' may be delegated. For more information, see Windows Server 2003 Help & Support.

You can turn on interforest password migration by installing a DLL that runs in the context of LSA. By running in this protected context, passwords are shielded from being viewed in cleartext, even by the operating system. The installation of the DLL is protected by a secret key that is created by ADMT, and must be installed by an administrator.

To install the password migration DLL:
1. Log on as an administrator or equivalent to the computer on which ADMT is installed.
2. At a command prompt, run the ADMT KEY sourcedomain path [* | password] command to create the password export key file (.pes). In this example, sourcedomain is the NetBIOS name of the source domain and path is the file path where the key will be created. The path must be local, but can point to removable media such as a floppy disk drive, ZIP drive, or writable CD media. If you type the optional password at the end of the command, ADMT protects the .pes file with the password. If you type the asterisk (*), ADMT prompts for a password, and the system will not echo it as it is typed.
3. Move the .pes file you created in step 2 to the designated Password Export Server in the source domain. This can be any domain controller, but make sure it has a fast, reliable link to the computer that is running ADMT.
4. Install the Password Migration DLL on the Password Export Server by running the Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server 2003 installation media, or the folder to which you downloaded ADMT from the Internet.
5. When you are prompted to do so, specify the path to the .pes file that you created in step 2. This must be a local file path.
6. After the installation completes, you must restart the server.
7. If you are ready to migrate passwords, modify the following registry key to have a DWORD value of 1. For maximum security, do not complete this step until you are ready to migrate.
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AllowPasswordExport

To download ADMT, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp
For more information about how to use ADMT to perform a migration, see ADMT Help. Start the Active Directory Migration Tool, click Help Topics on the Help menu, click the Contents tab, and then click Active Directory Migration Tool.

For more information about ADMT, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/Windows2000Pro/reskit/part7/proch31.mspx
The Active Directory Migration Tool version 2 is included in the I386\Admt folder on the Windows Server 2003 CD.



APPLIES TO
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

eventvwr error: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



Details
Product: Windows Operating System
Event ID: 4226
Source: Tcpip
Version: 5.2
Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED
Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.
Explanation

The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

Establishing connection-rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program.

Connection-rate limitations may cause certain security tools, such as port scanners, to run more slowly.

User Action

This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

To close the program

  1. At the command prompt, type
    Netstat -no
  2. Find the process with a large number of open connections that are not yet established.
    These connections are indicated by the TCP state SYN_SENT in the State column of the Active Connections information.
  3. Note the process identification number (PID) of the process in the PID column.
  4. Press CTRL+ALT+DELETE and then click Task Manager.
  5. On the Processes tab, select the processes with the matching PID, and then click End Process.
    If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.
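
Steps 1 to 3 above (find the PID that owns many connections stuck in SYN_SENT) can be automated over saved Netstat -no output. The following is an added example, not part of the Microsoft article; the sample listing, the function names, and the min_attempts threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -no` output (addresses are documentation ranges).
SAMPLE_NETSTAT_NO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1061        198.51.100.7:445       SYN_SENT        1820
  TCP    192.0.2.10:1062        198.51.100.41:445      SYN_SENT        1820
  TCP    192.0.2.10:1063        203.0.113.9:445        SYN_SENT        1820
  TCP    192.0.2.10:1064        203.0.113.77:445       SYN_SENT        1820
  TCP    192.0.2.10:1065        203.0.113.130:445      SYN_SENT        1820
  TCP    192.0.2.10:1066        198.51.100.200:445     SYN_SENT        1820
  TCP    192.0.2.10:1070        192.0.2.25:80          SYN_SENT        3044
  TCP    192.0.2.10:1071        192.0.2.25:80          ESTABLISHED     3044
  TCP    192.0.2.10:3389        192.0.2.50:2211        ESTABLISHED     876
  TCP    192.0.2.10:1050        192.0.2.30:389         TIME_WAIT       0
"""


def tcp_rows(netstat_text):
    """Yield (remote_host, remote_port, state, pid) for every TCP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # With -o a TCP row has five columns; headers and UDP rows do not.
        if len(fields) != 5 or not fields[0].upper().startswith("TCP"):
            continue
        remote, state, pid = fields[2], fields[3].upper(), fields[4]
        host, _, port = remote.rpartition(":")  # also copes with [v6]:port
        if pid.isdigit() and port.isdigit():
            yield host.strip("[]"), int(port), state, int(pid)


def half_open_by_pid(netstat_text):
    """Group SYN_SENT rows by PID: attempts, distinct remote hosts and ports."""
    stats = defaultdict(lambda: {"attempts": 0, "hosts": set(), "ports": set()})
    for host, port, state, pid in tcp_rows(netstat_text):
        if state == "SYN_SENT":
            entry = stats[pid]
            entry["attempts"] += 1
            entry["hosts"].add(host)
            entry["ports"].add(port)
    return dict(stats)


def flag_pids(netstat_text, min_attempts=5):
    """Return (pid, attempts, distinct_hosts, distinct_ports), busiest first.

    min_attempts is an assumed triage threshold, not a value from the article.
    """
    flagged = [
        (pid, s["attempts"], len(s["hosts"]), len(s["ports"]))
        for pid, s in half_open_by_pid(netstat_text).items()
        if s["attempts"] >= min_attempts
    ]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for pid, attempts, hosts, ports in flag_pids(SAMPLE_NETSTAT_NO):
        print(f"PID {pid}: {attempts} SYN_SENT to {hosts} hosts on {ports} port(s)")
```

Many half-open attempts from one PID to many different hosts on a single port is the pattern the explanation describes; a deliberately run port scanner produces the same picture, so confirm what the process is before ending it.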


Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.

You are prompted to save the changes to the Normal.dot global template every time that you quit Word

http://support.microsoft.com/kb/291352/en-us


Article ID: 291352
Last Review: July 20, 2006
Revision: 5.1
This article was previously published under Q291352

SUMMARY

When you quit Word, you may be prompted to always save the changes to your global template, Normal.dot. First, you can turn off the prompt and Word will automatically save the changes, but you may still have a problem. Second, your Normal.dot template may be infected with a macro virus. To resolve this problem, you would need to install or update your virus protection software on your computer. Third, you could have an add-in that is causing this problem. To resolve this problem, you may need to determine what add-in is causing the problem and remove it from the Office or Word startup folders.

SYMPTOMS

Every time that you quit Word, you receive the following message:
Changes have been made that affect the global template, Normal.dot. Do you want to save those changes?

CAUSE

This problem may occur for the following reasons.

Cause 1: The "Prompt to save Normal template" check box is selected

You receive this message if the Prompt to save Normal template check box is selected.

Workaround

To turn off this message, follow these steps.

Important If you turn off this message in Word, you may still have a problem. Word will automatically save the changes to your global template, Normal.dot, but you will not be prompted. You may still have to perform the other steps listed in this article.
1. On the Tools menu, click Options.
2. On the Save tab, click to clear the Prompt to save Normal template check box.

Cause 2: Word is infected with a macro virus

This problem may occur if your computer is infected with a virus that changes the global template (Normal.dot). To help avoid virus infection, keep your antivirus software and your virus definitions updated with the latest versions. Ask your antivirus software vendor for the latest information.

For information about how to contact your antivirus software vendor, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
65416 (http://support.microsoft.com/kb/65416/) Hardware and software vendor contact information, A-K

60781 (http://support.microsoft.com/kb/60781/) Hardware and software vendor contact information, L-P

60782 (http://support.microsoft.com/kb/60782/) Hardware and software vendor contact information, Q-Z
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
211800 (http://support.microsoft.com/kb/211800/) How to deal with a macro virus in Word 2000 or Word 2002
233396 (http://support.microsoft.com/kb/233396/) How to reduce the chances of macro virus infection
211607 (http://support.microsoft.com/kb/211607/) Frequently asked questions about Word macro viruses

Cause 3: An installed add-in or an installed macro is changing the global template Normal.dot

You may receive the message that is listed in the "Symptoms" section if an add-in or a macro on your computer modified the Normal.dot template. Add-ins that are known to cause this behavior include the following:
Stamps.com Internet postage
Works Suite add-in for Microsoft Word
An add-in installed in Word may add one or more of the following items to your computer:
WLL file
Templates
COM add-in
Auto macros

Workaround

How to remove WLL add-ins and templates in the Word and Office Startup folders

When you start Word, Word automatically loads templates and add-ins that are located in the Startup folders. Problems in Word may be the result of conflicts or of problems with an add-in. To determine whether an item in a Startup folder is causing the problem, temporarily empty the folder.

Word loads items from the Office Startup folder and the Word Startup folder. To remove items from the Startup folders, follow these steps:
1. Quit all instances of Word. If you use Word as your e-mail editor, make sure that you quit Outlook also.
2. On your Windows desktop, double-click My Computer, and then locate your Office Startup folder. The default location is:
   C:\Program Files\Microsoft Office\Office\Startup
   Note For Office versions 2000 and earlier, the Office folder is Office. For Office XP, the Office folder is Office10. For Office 2003, the Office folder is Office11.
3. Drag each item from the Startup folder to the desktop. (Or create a folder on your desktop and drag each item to this new folder.)

   Note To create a new folder on the desktop, right-click a blank area on the desktop, point to New, and then click Folder.
4. Find the Word Startup folder, and then drag each item from the Startup folder to the desktop. (Or create a folder on your desktop and drag each item to this new folder.) The default location for the Word Startup folder depends on the operating system.

   On Microsoft Windows 98 and Windows Millennium Edition without profiles enabled, the location is:
   C:\Windows\Application Data\Microsoft\Word\Startup
   On Windows 98 and Windows Millennium with profiles enabled or on Windows NT 4.0, the location is:
   C:\Windows\user name\Application Data\Microsoft\Word\Startup
   On Windows 2000, Windows XP, and Windows Server 2003, the location is:
   C:\Documents and Settings\user name\Application Data\Microsoft\Word\Startup
5. Start Word.

If you can no longer reproduce the problem, and you removed multiple items from the Startup folder or folders, you can try to isolate the problem by adding the files back to the appropriate Startup folder, one by one. Try to reproduce the problem after each addition to determine which file causes the problem.

How to remove COM Add-ins

COM add-ins can be installed in any location. COM add-ins are installed by programs that interact with Word. To view the list of installed COM add-ins, follow these steps:
1. On the Tools menu, click Customize.
2. Click the Commands tab.
3. On the Commands tab, click Tools in the Categories list.
4. Use the mouse to drag the COM Add-Ins command to a toolbar.
5. Click Close to close the Customize dialog box.
6. Click the new COM Add-Ins button to view the COM add-ins that are loaded with Word.

If add-ins are listed in the COM Add-Ins dialog box, temporarily turn off each of the add-ins. To do this, click to clear the check box for each COM add-in that is listed, and then click OK. When you restart Word, Word starts without loading the COM add-ins that you turned off.

If the problem is resolved after you turn off the COM add-ins, one of the listed COM add-ins is the cause of the problem. If you have multiple COM add-ins listed, you may want to determine which one is causing the specific problem. To determine this, turn the COM add-ins back on one at a time, and then restart Word.

How to remove Word auto macros

Some macros are named "auto" macros. These auto macros run automatically when Word is started. The following table lists these auto macros. To start Microsoft Word without running the auto macros, hold the SHIFT key while you start Word. To do this, click Start, point to Programs, and then hold the SHIFT key and click Microsoft Word.

| Macro | Storage location | Automatically runs |
|---|---|---|
| AutoExec | In the Normal template or in a global add-in | When you start Word |
| AutoNew | In a template | When a new document that is based on the template is created |
| AutoOpen | In document or template | When a document that is based on the template or that contains the macro is opened |
| AutoClose | In document or template | When a document that is based on the template or that contains the macro is closed |
| AutoExit | In the Normal template or a global add-in | When you quit Word |

Word recognizes a macro with a name that begins with "Auto" as a macro that automatically runs when the situation to which it applies occurs. You can temporarily prevent an auto macro from running by holding SHIFT while performing the action that causes the macro to run. For example, to prevent an AutoOpen macro from running, hold SHIFT while you open a document or a template.

If the problem is resolved by holding the SHIFT key when you start Word or when you perform an action in Word such as opening a document, an auto macro is the problem. To work around this problem, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type winword, and then click OK.
3. On the Tools menu, point to Macro, and then click Macros.
4. In the Macros dialog box, a list of macros may appear. If any macro listed begins with "Auto," you may want to remove this macro. To remove an auto macro, click the macro, and then click Delete.

   Note An auto macro may have been added by a Word add-in. To determine what template contains the auto macro, change the Macros in box to a listed template. After you determine which template contains the auto macro, you may want to remove that template from your computer. Removing a template that was added by a Word add-in may reduce or stop the add-in's functionality.
5. Click Cancel or click Close to close the Macros dialog box.
6. On the File menu, click Exit to quit Microsoft Word.

If the problem is resolved after you restart Word, the auto macro was the problem.

REFERENCES

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

APPLIES TO
Microsoft Office Word 2003
Microsoft Word 2002 Standard Edition
Microsoft Word 2000 Standard Edition
Microsoft Word 97 Standard Edition
Keywords:
kbnomt kbgraphxlink kbscreenshot kbsettings kbmacro kbaddin kbnofix kbprb KB291352

SKY-click - call center for Skype

Interesting service - http://www.sky-click.com