Tuesday, 29 May 2007

Upgrading your Windows SharePoint from SQL 2000 or MSDE to SQL Server 2005

Before we begin

There are eight steps. Before you start you should know the name of your SharePoint databases and the SQL instance you are using.

Step one

First, stop the SharePoint sites in IIS; if you’re not sure which sites they are, you can get a list from the SharePoint administration site before you begin.

Step two

Next you’ll need to stop the SharePoint Timer Service; you can do this from the Services MMC (I would suggest you set it to Manual until you complete the upgrade).

Step three

Stop the SQL instance that your SharePoint is installed to (for most of you it will be MSSQL$SHAREPOINT), then take a copy of the SQL data directory %SystemDrive%\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\data

If you are unsure of the path you can get it by looking at the properties of the SQL service. Inside the data directory you will find your SQL data files; copy these to a safe location. The first database is normally STS_servername_1.mdf, then STS_Config.mdf, and you’ll also need the log files STS_servername_1_log.LDF and STS_Config_log.LDF. (Other databases will only exist if you created them, and hopefully you will not forget them when backing them up.)

Step four

Now that you have your databases safely copied you can go to Add/Remove Programs and remove the SQL instance; its normal label is “Microsoft SQL Server (Sharepoint)”. Remember the name of the instance, as you will have to use it later when installing SQL 2005.

Step five

Install Microsoft SQL 2005, remembering the following: install the “Management Tools” (this option is not selected by default), select the instance name that matches the one you removed earlier, choose Windows Authentication Mode, and use the SQL cluster account as the service account, or the local system account if you have only one SharePoint server.

Step six

After the install, open SQL Server Management Studio and connect to your instance. On the right hand side you’ll have the Object Explorer; under Security, create a new login and type the name NT Authority\Network Service (if this name is wrong it will not work).

You also need to give NT Authority\Network Service some roles: right-click on it, select the login properties, click Server Roles and select the dbcreator and securityadmin roles.

Create another login for DomainName\SBS SP Admins.

Step seven

You need to reattach the databases. From Microsoft SQL Server Management Studio, under the Object Explorer, right-click on Databases and select Attach, then click Add. You are adding the same databases you made copies of in step three; remember to add STS_servername_1.mdf first, then the config database.

Step eight

Restart the SharePoint Timer Service you stopped in step two, and then lastly restart the sites in IIS. Your upgrade is now complete.
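As an added example (not from the post), the following Python script automates the copy in step three: it pairs every .mdf in the data directory with its _log.LDF so no database is forgotten, copies them to a safe location and verifies each copy by SHA-256 before you remove the old instance in step four. The data directory is passed in; demo_data_dir() builds a constructed stand-in with dummy files, not real SQL data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_database_files(data_dir):
    """Map each database name to its .mdf and _log.LDF (None when the log is missing)."""
    data_dir = Path(data_dir)
    found = {}
    for mdf in sorted(data_dir.glob("*.mdf")):
        logs = [p for p in data_dir.iterdir()
                if p.name.lower() == f"{mdf.stem.lower()}_log.ldf"]
        found[mdf.stem] = {"mdf": mdf, "ldf": logs[0] if logs else None}
    return found

def backup_databases(data_dir, dest):
    """Copy every data and log file to dest; return the SHA-256 of each verified copy.

    Raises if a database has no log file or a copy does not verify, because the
    attach in step seven needs both files intact.
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    digests = {}
    for name, files in find_database_files(data_dir).items():
        if files["ldf"] is None:
            raise FileNotFoundError(f"{name}: no {name}_log.LDF next to the .mdf")
        for src in (files["mdf"], files["ldf"]):
            copy = dest / src.name
            shutil.copy2(src, copy)
            digests[src.name] = sha256_of(copy)
            if digests[src.name] != sha256_of(src):
                raise IOError(f"copy of {src.name} does not verify")
    return digests

def demo_data_dir():
    """Constructed stand-in for the MSSQL$SHAREPOINT data directory (dummy bytes, not SQL files)."""
    d = Path(tempfile.mkdtemp()) / "data"
    d.mkdir()
    for name, body in [("STS_servername_1.mdf", b"content db"), ("STS_servername_1_log.LDF", b"log"),
                       ("STS_Config.mdf", b"config db"), ("STS_Config_log.LDF", b"cfg log")]:
        (d / name).write_bytes(body)
    return d
```

Run it against the real data directory only after the SQL service is stopped, as in step three, so the files are not open.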

Monday, 28 May 2007

Cisco Privilege Access

Why Privilege access?
A basic username and password gives you access to the router, with perhaps an enable password standing between you and doing anything with it. This is fine for a single-user device, but when you want to split access into roles such as monitoring, administration and remote access, the access of each role needs to be defined.

Let’s split this into roles:
Administrator: level 15, the highest
Support: level 5/6 are the most common
Monitoring: level 3/4 are the most common
Remote Worker

Cisco privilege levels work by giving the level you set access to the commands you set; if you don’t assign any other commands, that level won’t have any others. For example:

Username admin privilege 15 secret password
Username support privilege 6 secret password
Username monitoring privilege 3 secret password
Username vpn privilege 0 secret password

privilege exec all level 3 show
privilege exec level 6 reload
privilege exec level 6 configure

These commands mean that only users with privilege level 6 and higher can perform a reload, but level 3 can use the show command.

You can use lock and key as well: in this example the enable password sets the privilege level, not just the user account, so the support user (or any other user) can use the enable command with the password to get level 15 access.

enable secret level 15 password

Username admin privilege 15 secret password
Username support privilege 6 secret password

Here is an example: the admin user has full access to the router.
The monitoring user can issue show commands.
The support user can do the same as the monitoring user, change the IP address on any interface, bring it in and out of shutdown, and lastly restart the router.

Username admin privilege 15 secret password
Username support privilege 6 secret password
Username monitoring privilege 3 secret password

privilege interface all level 6 shutdown
privilege interface all level 6 ip
privilege exec level 6 configure terminal
privilege exec level 6 reload
privilege exec level 3 show

The basic rule to keep in mind when building your privilege list is what each level should be able to do:

Level 15 – all commands
Level 6 – limited commands
Level 3 – read only
Level 0 – no access

You should now have a basic understanding of privilege levels and can explore these commands from here.
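To make the rules concrete, here is an added Python model of the privilege levels described in this post (example code, not IOS). It assumes a command is allowed when the session level is at or above the level it was assigned with privilege <mode> [all] level N <command>, that all also covers sub-commands, and that a command never assigned stays at level 15; the enable secret is a constructed placeholder.

```python
class Router:
    def __init__(self):
        self.users = {}           # username -> privilege level ("username X privilege N ...")
        self.rules = []           # (mode, level, command words, covers sub-commands)
        self.enable_secrets = {}  # level -> secret ("enable secret level N ...")

    def privilege(self, mode, level, command, all_sub=False):
        """privilege <mode> [all] level <level> <command>"""
        self.rules.append((mode, level, tuple(command.split()), all_sub))

    def required_level(self, mode, command):
        """Lowest level any matching rule assigned; 15 when the command was never assigned."""
        words = tuple(command.split())
        needed = 15
        for rmode, level, rwords, all_sub in self.rules:
            matches = words == rwords or (all_sub and words[:len(rwords)] == rwords)
            if rmode == mode and matches:
                needed = min(needed, level)
        return needed

    def session(self, name):
        return Session(self, self.users[name])

class Session:
    def __init__(self, router, level):
        self.router, self.level = router, level

    def can_run(self, command, mode="exec"):
        return self.level >= self.router.required_level(mode, command)

    def enable(self, secret, level=15):
        """Lock and key: the enable secret, not the account, grants the higher level."""
        if self.router.enable_secrets.get(level) == secret:
            self.level = level
        return self.level

def example_router():
    """The post's third example plus its enable secret (constructed placeholder secret)."""
    r = Router()
    r.users.update({"admin": 15, "support": 6, "monitoring": 3})
    r.privilege("interface", 6, "shutdown", all_sub=True)
    r.privilege("interface", 6, "ip", all_sub=True)
    r.privilege("exec", 6, "configure terminal")
    r.privilege("exec", 6, "reload")
    r.privilege("exec", 3, "show")
    r.enable_secrets[15] = "pw-enable"
    return r
```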

Saturday, 12 May 2007

Windows XP Firewall from Domain Policy

Best practice (BP) for computers in a domain is to set a domain policy for workstations and laptops by placing them into an OU (organisational unit) for each type.

From AD (Active Directory) create a new GP (group policy) and link it to the OU you want it to apply to, such as Laptops or Workstations, or even Servers. Remember that computer components can only be applied to computers and user components to users, so if the computer or user does not sit in that OU the policy will not apply to it.

In the GP you created you will find lots of sub keys; the one we are looking for in this example is:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

Under this you have two sub keys Standard Profile and Domain Profile.

The first, the Domain Profile, applies to the computer when it is on the domain LAN; the second, the Standard Profile, applies to the computer when it is NOT on the domain LAN, i.e. off site or disconnected.

The recommended settings for these policies are as follows:
Enable Protect all network connections – Local and Domain
Enable Define program exceptions – Local and Domain
Enable Allow local program exceptions – Local and Domain
Enable Allow file and printer sharing exception – Domain only
Enable Allow Remote Desktop exception – Domain only
Enable Define port exceptions – Local and Domain
Enable Define local port exceptions – Local and Domain

In the local port and program exceptions you will need to define some rules; if you click the Show button you will be shown a list of those that have already been defined.

Port syntax
6129:TCP:*:enabled:dameware
It breaks down into portnumber:tcp/udp:ip-range:enabled/disabled:portname

Program syntax
%Programfiles%\test.exe:172.16.0.1,172.16.1.1/24:enabled:test program
It breaks down into program-location:ip-range:enabled/disabled:program-name
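An added Python parser (example code, not from the post) for the two exception formats above. It assumes the ip-range field is *, LocalSubnet (the other keyword this policy accepts) or a comma-separated list of addresses and CIDR subnets, and it splits the program entry from the right so a drive-letter colon in the path survives; the entries in the test are constructed from the post's two samples.

```python
import ipaddress

STATUSES = {"enabled", "disabled"}

def parse_scope(scope):
    """'*' (any address), 'LocalSubnet', or a comma list of IPs / CIDR subnets."""
    if scope == "*":
        return "*"
    if scope.lower() == "localsubnet":
        return "LocalSubnet"
    # strict=False lets a host address with a mask (172.16.1.1/24) through as its network
    return [ipaddress.ip_network(part.strip(), strict=False) for part in scope.split(",")]

def parse_port_exception(entry):
    """portnumber:tcp/udp:ip-range:enabled/disabled:portname"""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields: {entry!r}")
    port, proto, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port: {port!r}")
    if proto.upper() not in {"TCP", "UDP"}:
        raise ValueError(f"bad protocol: {proto!r}")
    if status.lower() not in STATUSES:
        raise ValueError(f"bad status: {status!r}")
    return {"port": int(port), "proto": proto.upper(), "scope": parse_scope(scope),
            "enabled": status.lower() == "enabled", "name": name}

def parse_program_exception(entry):
    """program-location:ip-range:enabled/disabled:program-name"""
    # split from the right so a drive-letter colon in the path (C:\...) is kept
    parts = entry.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected 4 fields: {entry!r}")
    path, scope, status, name = parts
    if status.lower() not in STATUSES:
        raise ValueError(f"bad status: {status!r}")
    return {"path": path, "scope": parse_scope(scope),
            "enabled": status.lower() == "enabled", "name": name}
```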

Thursday, 3 May 2007

Exchange SMTP Problems

Checking your email server setup is very important, because it is better than having users tell you they are not able to send email, and that's just one reason.

You can check your domain name records by doing a domain name lookup, also called an NSLOOKUP. Here is an example lookup.

C:\Documents and Settings\Administrator>nslookup
Default Server: ns.isp.co.uk
Address: 195.186.44.13

> set query=any
> domain.net
Server: ns.isp.co.uk
Address: 195.186.44.13

domain.net
        primary name server = server.domain.net
        responsible mail addr = admin.domain.net
        serial = 2007032026
        refresh = 1800 (30 mins)
        retry = 900 (15 mins)
        expire = 604800 (7 days)
        default TTL = 3600 (1 hour)
domain.net nameserver = ns2.isp.co.uk
domain.net nameserver = ns.isp.co.uk
domain.net MX preference = 10, mail exchanger = server.domain.net
domain.net MX preference = 20, mail exchanger = smtp.isp.net
domain.net text = "v=spf1 mx ~all"

ns.isp.co.uk internet address = 195.186.219.229
ns2.isp.co.uk internet address = 195.186.218.7
server.domain.net internet address = 195.186.174.123
smtp.isp.net internet address = 195.186.131.8
>

Now check that your mail server has a reverse domain name record (PTR) set up; if it doesn’t, some mail servers such as AOL and Yahoo and others will not accept email from you.

> set query=ptr
> 195.186.174.123
Server: [195.186.44.13]
Address: 195.186.44.13
Non-authoritative answer:
123.174.186.195.in-addr.arpa name = server.domain.net

174.186.195.in-addr.arpa nameserver = ns.isp.co.uk
174.186.195.in-addr.arpa nameserver = ns2.isp.co.uk
ns.isp.co.uk internet address = 195.186.219.229
ns2.isp.co.uk internet address = 195.186.218.7
>

Make sure the FQDN (Fully Qualified Domain Name) on the server matches the MX record; you can check this by telnetting to your mail server.

telnet server.domain.net 25

You should see a response like:

220 server.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959

If you receive a response like the one below then you’ll need to make some changes, as it is also a technical violation of RFC 821 section 4.3 (and RFC 2821 section 4.3.1).

220 domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959

If you follow all these rules you should be able to email anyone and everyone.
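The checks in this post, combined in one added Python function (example code, not from the post) that runs offline against constructed records taken from the nslookup output above: each MX target must have an A record, its address must have a PTR that resolves back to the same address, and the 220 banner must announce the FQDN. The ISP relay's PTR and banner are assumptions.

```python
import re

BANNER_RE = re.compile(r"^220[ -](\S+)")  # RFC 2821 4.3.1 greeting: "220 <domain> ..."

def check_mail_setup(mx, a_records, ptr_records, banners):
    """Return the list of problems found (empty when every check passes)."""
    problems = []
    for pref, host in sorted(mx):
        ip = a_records.get(host)
        if ip is None:
            problems.append(f"MX {host} (pref {pref}) has no A record")
            continue
        ptr = ptr_records.get(ip)
        if ptr is None:
            problems.append(f"{host} {ip} has no PTR record")
        elif a_records.get(ptr) != ip:
            problems.append(f"PTR {ptr} for {ip} does not resolve back to {ip}")
        banner = banners.get(host)
        if banner is None:
            problems.append(f"no SMTP banner captured for {host}")
            continue
        m = BANNER_RE.match(banner)
        if not m:
            problems.append(f"{host}: banner is not a 220 greeting: {banner!r}")
        elif m.group(1).lower() != host.lower():
            problems.append(f"{host}: banner announces {m.group(1)}, should be the FQDN {host}")
    return problems

# Constructed from the nslookup output above; the ISP relay's PTR and banner are assumed.
MX = [(10, "server.domain.net"), (20, "smtp.isp.net")]
A = {"server.domain.net": "195.186.174.123", "smtp.isp.net": "195.186.131.8"}
PTR = {"195.186.174.123": "server.domain.net", "195.186.131.8": "smtp.isp.net"}
GOOD_BANNERS = {
    "server.domain.net": "220 server.domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959",
    "smtp.isp.net": "220 smtp.isp.net ESMTP",
}
# The post's second banner: the host part is missing, so the FQDN check must fail.
BAD_BANNERS = {**GOOD_BANNERS,
               "server.domain.net": "220 domain.net Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959"}

if __name__ == "__main__":
    print("good:", check_mail_setup(MX, A, PTR, GOOD_BANNERS))
    print("bad:", check_mail_setup(MX, A, PTR, BAD_BANNERS))
```

For a live check, fill A, PTR and banners from nslookup and the telnet session as shown above and pass them in unchanged.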