Saturday, March 21, 2009

Using ADModify to ensure inheritable permissions are set on user objects

In most Exchange migrations I might find 1-2 of these that can be addressed as one-off issues, but today I had a customer that had a lot more than usual.

I searched for a good adsiedit, ldp, or other query, but no good: it's an ACL, not an AD user object property. I did find some .NET examples, but I did not want to venture down that road.

And then I found ADModify.NET:
http://technet.microsoft.com/en-us/library/aa996216(EXCHG.65).aspx

This requires a PSS call (or Google) to download. It is not an install, just an unzip-and-use utility.


Click Modify Attributes


Select the domain, select a DC, and hit the big green arrow.

Then select the root or OU you want, enter a custom LDAP query of (objectClass=*), and select add to list.

Then press Ctrl-A or Ctrl-select the user objects and hit Next.

Then you can go to the Account tab (this would normally be Security -> Advanced in ADUC), and finally select the "allow inheritable permissions to propagate to this object" checkbox and go.

Quick, easy, and best of all, whatever you do generates an XML log file that you can also use to "undo" your changes!
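The same check can be scripted so that you see which user objects have inheritance turned off before changing anything. The PowerShell below is an added example, not part of the original post or of ADModify; it assumes the ActiveDirectory module is available, and the search base and log path are placeholders. It skips accounts with adminCount=1, because their ACL is stamped from AdminSDHolder and inheritance would be switched off again on the next SDProp run.

```powershell
# Added example: audit, then optionally re-enable, ACL inheritance on user objects.
# Assumes the ActiveDirectory module (RSAT); run with rights to modify the objects.
Import-Module ActiveDirectory

$SearchBase = 'OU=Migrating,DC=example,DC=com'   # placeholder, replace with your OU
$LogPath    = '.\inheritance-before.csv'         # placeholder, record of prior state
$Apply      = $false                             # set to $true to make changes

# nTSecurityDescriptor is returned as an ActiveDirectorySecurity object.
# AreAccessRulesProtected is $true when the DACL blocks inheritance, which is
# the unchecked "allow inheritable permissions" box in the GUI.
$blocked = Get-ADUser -SearchBase $SearchBase -Filter * `
               -Properties nTSecurityDescriptor, adminCount |
           Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected }

# Keep a list of what was blocked before the change, for review or rollback.
$blocked |
    Select-Object DistinguishedName, SamAccountName, adminCount |
    Export-Csv -Path $LogPath -NoTypeInformation

foreach ($user in $blocked) {
    # adminCount=1 marks accounts protected by AdminSDHolder. Report and skip.
    if ($user.adminCount -eq 1) {
        Write-Warning "Skipping protected account: $($user.SamAccountName)"
        continue
    }

    if ($Apply) {
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # First argument $false re-enables inheritance; the second argument is
        # ignored when the first is $false.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Inheritance enabled: $($user.SamAccountName)"
    }
    else {
        Write-Output "Would enable inheritance: $($user.SamAccountName)"
    }
}
```

With `$Apply` left at `$false` the script only reports and writes the CSV, which makes it usable as a pre-migration audit.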

Saturday, March 07, 2009

Exchange 2007 HT and CAS in NLB - Unicast versus Multicast

I have implemented about 4 NLB clusters for HT, CAS, or both now, and every time the rule of thumb has been: use what works.


From the MS Exchange page on IPv6 (also applies to IPv4) we know that:

  • Unicast address: A packet is delivered to one interface.
  • Multicast address: A packet is delivered to multiple interfaces.


More searching turned up this very helpful article describing the differences:

http://vittoriop77.blogspot.com/2006/03/nlb-unicast-vs-multicast.html


So, in one implementation, the customer had a Proventia M60 firewall, and unicast ended up working and performing more reliably. In another, using a Juniper SSG firewall, unicast performed poorly and multicast ended up being the fix.


I searched the Exchange implementation guide and CHM thoroughly and didn't find any particular guidance, so I think at this point trial and error is the best bet. Learn what works in your config and go with it.