

Showing posts from March, 2009

Q: When you add a file to a CMAK profile, where is it stored?

You can add files to a CMAK (Connection Manager Administration Kit) profile so that programs or scripts run when a connection is established. This is a very powerful tool that goes beyond mapping drives and printers for your mobile workforce. During the creation of the CMAK profile, you are asked whether you would like to include any files. This is where you browse to the programs, data, or scripts that your mobile users will require. You can also add them when you specify additional actions to take, by checking Include custom action program with this service profile.

The files will be copied to the service profile location: c:\Program Files\CMAK\OS version\profile name.

Q: How do I delete an OU in Server 2008 that was created with deletion protection?

In Server 2008, when you create a new OU, the Protect container from accidental deletion checkbox is checked by default. This helps to prevent you, or someone else, from deleting something you should not. The problem is what to do if you really do need to delete it. Follow this procedure to undo that setting.

• Enable Advanced Features in Active Directory Users and Computers.
• Open the OU’s properties.
• Click the Security tab.
• Click the Advanced button.
• Click the entry that starts as Deny Everyone.
• Click Edit.
• In the Deny column, remove the checks for Delete and Delete Subtree.
• Click OK 3 times.
You can now delete the OU.
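
The same change from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (available from Windows Server 2008 R2 and the matching RSAT, not on the original Server 2008) and a hypothetical OU distinguished name.

```powershell
Import-Module ActiveDirectory

# Hypothetical OU used for illustration; replace with the real distinguished name.
$ouDn = 'OU=Retired,DC=example,DC=com'

# Show the explicit Deny entries for Everyone that the protection checkbox created
# (the same entries the GUI procedure edits on the Security tab).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

# Review what the OU still contains before touching the protection flag.
Get-ADObject -SearchBase $ouDn -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass

# Clear the protection flag only if it is set, then delete with a confirmation prompt.
$ou = Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion
if ($ou.ProtectedFromAccidentalDeletion) {
    Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
}
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$true

# Audit afterwards: list every OU in the domain that is NOT protected,
# so protection that was removed temporarily does not stay off unnoticed.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```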

Q: If using GNZ (GlobalNames Zone), do your clients need a WINS address configured on them?

No, they do not. The idea behind the GlobalNames zone in Windows Server 2008 is that no client configuration is needed. Just remember that you need to meet these requirements.

· DNS servers must be Windows Server 2008.
· GlobalNames zone support must be enabled (DNSCMD /config /enableglobalnamessupport 1) on each DNS server.
· A forward lookup zone named GlobalNames must be set up on each DNS server that:
  · Is Active Directory integrated
  · Does not support dynamic updates (recommended)
· You must provide a CNAME record mapping the client name to its FQDN.
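
The requirements above as a command sequence run from a PowerShell prompt, added here as an example and not taken from the original post. The server names, short name and target FQDN are hypothetical; the dnscmd switches are the standard ones for creating a forest-replicated, AD-integrated zone.

```powershell
# Hypothetical values used for illustration.
$dnsServers = 'dc01.example.com', 'dc02.example.com'
$primary    = $dnsServers[0]
$shortName  = 'intranet'
$targetFqdn = 'web01.example.com'

# 1. Enable GlobalNames support on EACH DNS server (the setting is per server).
foreach ($server in $dnsServers) {
    dnscmd $server /config /enableglobalnamessupport 1
}

# 2. Create the zone once as AD-integrated and replicated forest-wide;
#    AD replication then delivers it to the other DNS servers.
dnscmd $primary /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 3. Turn off dynamic updates so that only administrators can add
#    single-label names to the zone (the "recommended" item above).
dnscmd $primary /Config GlobalNames /AllowUpdate 0

# 4. Map the single-label name to the host's FQDN with a CNAME record.
dnscmd $primary /RecordAdd GlobalNames $shortName CNAME $targetFqdn

# 5. Verify: list the CNAME records in the zone, then resolve the short
#    name against every server to confirm each one answers from GlobalNames.
dnscmd $primary /EnumRecords GlobalNames '@' /Type CNAME
foreach ($server in $dnsServers) {
    nslookup $shortName $server
}
```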

When a client makes a single-label name request to a DNS server, DNS first checks all its zones to try to match the name to an FQDN. That lookup will not succeed. After DNS has exhausted all its zones, it looks in the GlobalNames zone. There, if one is present, it locates the CNAME record for that single name, which points to the FQDN record in the forward lookup zone. DNS will now return the IP address to the req…

Q: Can you change the location where WSUS clients store the downloaded files?

I was not able to find a definitive answer from Microsoft on this one. The clients store the files at C:\Windows\SoftwareDistribution. All TechNet articles that I find are concerning where the server stores the downloads, if at all. After going through the group policies concerning WSUS and not seeing anything to direct the downloaded files to another location, I would say it is not possible.

One reason for this may be that the Windows directory is the only location that WSUS knows exists for sure. Should you have clients with 2nd HDs and clients without, you would have to write separate group policies. That would double the number of GPOs that administrators would have to support. The best policy is not to fill your C: drives.

Q: In AD FS, do you need to purchase additional CALs?

AD FS (Active Directory Federation Services) allows you to provide single sign-on (SSO) capability to your business partners. You, as the resource organization, control the access. Your partner organization (or account organization) controls the accounts. That way the user management is not with you, but security is. The users of the partner organization can get access to your resources without creating new user accounts and passwords.

The question of licensing comes into play. Microsoft has a licensing option called the External Connector, or EC, license. This option allows you to provide access to your Windows Server 2000/2003/2008 environments to users who are part of a partner organization and access your resources remotely. You can also utilize a standard Server 2008 CAL for this.

I still recommend talking with a Microsoft Licensing Specialist to best determine the licensing model for your organization.

External Connector license overview.…

Q: What versions of Windows clients can participate in a NAP environment?

The only legacy client that supports Network Access Protection is Windows XP SP3. It is recommended that you upgrade all your XP clients to SP3 prior to enforcing NAP in your environments to prevent disruption of service. This can easily be done utilizing Windows Server Update Services (WSUS), which is a free download from Microsoft. You can also get instructions on how to set up WSUS in your environment at: I recommend that you force the installation of SP3 to avoid having any issues when NAP enforcement is turned on.

Windows Vista is good to go with NAP. No service packs required.


Q: In Network Access Protection, what happens if a compliant computer falls out of compliance while accessing data?

I had a lot of trouble finding a definitive answer to this one at Microsoft. Please take these comments as my interpretation of what happens from the following blog, knowing that you may want to test this with your applications prior to deployment.

If your client falls out of compliance in a NAP environment while you have data open from a network share, the result will be as if the server went down. Let’s say you open a Word document and are happily typing along. Your client goes out of compliance and loses its connection to the network. Since the data is already loaded in Word, the user should be able to continue typing. If they try to save it, Word will not be able to access the location. They will have to save the changes locally until the client is back within compliance.

College or Certification?

I ran across this interesting question on a Tech Forum at

I've read through several of the 'n00b' type threads in the forum and I am becoming a little overwhelmed. My original thought was to attend an IT tech school. I have read in various places that tech schools and degrees aren't always the best choice. Sinking a ton of money into a school [even one that promises job placement] is sounding like less of a good idea. It seems like the all important factor is experience and certifications. Do schools like ITT prepare you for these certifications? Is it better to pick and choose classes at a community college that will help with certs and forgo the degree? Are there classes out there that are specifically tailored for specific certs? This is coming from someone with no IT work experience and no certs or IT education. I'm just wondering what the most logical first step would be and if that step involves a pricey degree or not. I know basically nothing so tha…