Before beginning a server migration project, a number of mandatory prerequisites are needed to be met in order to complete a server migration successfully.
These requirements are standards to meet both the requirements for Microsoft Windows server security and the Winzero ServerMigrator software.
Download the Server Migration Checklist
Monday, August 24, 2009
Windows Server Migration Checklist - ServerMigrator
Wednesday, April 08, 2009
New Release: Winzero TakeControl
Winzero new product release: TakeControl allows administrators to gain administrative access to files, folders and shares without destroying the original permissions by appending the Administrators group SID to ACLs.
The Challenge
To gain access to files and folders, Administrators can take ownership and grant full access control permissions and rights to themselves if they want to modify, rename or delete these files or folders. During this process the original permissions are removed and must be reconstructed to maintain security.
The Solution
Grant Administrators full control to files, folders or shares without taking ownership or destroying the original permission using Winzero TakeControl.
Avoid Take Ownership
Using standard Windows functions, if you must access a file or a folder that you do not have rights to, you must take ownership of that file or folder. When you do this, you replace the security permissions that were originally created for the file or folder.
Winzero TakeControl uses an append process to add the Administrators group with full control to each folder ACL and file ACL. without changing the original NTFS permission.
Download a fully functional trial version or learn more how TakeControl can help with profile migration and server migration projects.
Sunday, February 22, 2009
Access Denied Using Multiple Server Names (OptionalNames)
Bulletin: 022109
Software Effected:
ServerMigrator - multiple server name feature
Issue:
Using the multiple name feature (OptionalNames) in ServerMigrator to assign both the old and new server name to the target server, the new server name and the old server name are both reachable by ping, DNS is working correctly and the old server has been shut down however access is denied.
When clients try to connect to a share using the old server name. Access is denied. Logon Failure: target account name is incorrect.
The following error appears in the event viewer when accessing the old server UNC name:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/OldServerName/domainName. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm and the client realm. Please contact your system administrator.
Solution:
For Windows 2003 or newer servers, for the OptionalNames value to work correctly edit or add the following Registry entry.
HKLM\System\CurrenControlSet\Services\LanmanServer\Parameters
DisableStrictNameChecking
REG_DWORD=1
for DNS aliasing to work.
The final solution to this issue was finally resolved thanks to our client, Ken Jackson at Malco Products Inc., (www.malcopro.com) in Barberton, Ohio.
After using ServerMigrator to add additional names to a server, change the DNS setting of the old server to point to the new server IP address and verify that the registry settings are correct, Manually remove the old server name from the domain using the Active Directory User and Computers MMC. Once deleted, add the old server name to Active Directory again and reboot the server with the two names.
Once again our thanks go to Ken Jackson for his efforts in resolving this issue.
Tuesday, November 11, 2008
Password Copy Issue
Bulletin: 111108
Software Effected:
ServerMigrator, PasswordCopy and WADMigrator
Issue:
Just recently Microsoft has released an update that is preventing passwordcopy from accessing the system32 directory that a number of our clients started experiencing in the last week.
Solution:
We have identified this issue and have resolved it. There will be a new ServerMigrator and PasswordCopy available starting November 12th that over rides the password copy problem some of our clients were experiencing.
New Update Releases:
ServerMigrator2007 version 5.10
PasswordCopy32 version 3.00
WADMigrator version 5.00
* PasswordCopy Server Edition and Domain Edition will be repalced with PasswordCopy32 followed by PasswordCopy64.
Sunday, February 24, 2008
Windows Server 2008, Upgrade or Migrate?
Bulletin: 022408
Software Effected:
ServerMigrator, RemoveUnknown, Accessreporter, RenameITSE
Issue:
We are planning on deploying Windows Server 2008 shortly, would you recommend upgrading existing servers to Server 2008 or migrating clean to Server 2008?
Are there any steps we should take before rolling out Windows Server 2008?
Solution:
Before you begin, verify hardware and software compatibility before deciding which path to follow.
Regardless of which path you select for deploying Windows Server 2008, we strongly recommend analyzing and cleaning up the old server before moving foward. In either case, "garbage in, garbage out", your end result will only be sucessful as what you bring into server 2008.
Windows Server 2008 in place upgrade
Winzero recommends the following steps above and beyond the Microsoft upgrade path.
Report and cleanup obsolete users and local groups. Remove disabled accounts and accounts that do not or have not accessed the server for a period of time. Remove local groups with out members or local groups that do not have access to folders or shares.
Report, verify and cleanup File, folder and Share ACLs. Tighten security by removing the everyone group in ACLs.
Report and remove unknown accounts and SIDs in localgroups and files, folders and share ACLs.
Windows Server 2008 Migration
Winzero recommends the following steps above and beyond the Microsoft migration path.
Report and cleanup obsolete users and local groups. Remove disabled accounts and accounts that do not or have not accessed the server for a period of time. Remove local groups with out members or local groups that do not have access to folders or shares.
Report, verify and cleanup File, folder and Share ACLs. Tighten security by removing the everyone group in ACLs.
Report and remove unknown accounts and SIDs in localgroups and files, folders and share ACLs.
if your migration involves server consolidations, report duplicate user names and duplicate localgroups names from the servers that will be combined. Verify if accounts and groups are to be merged or renamed before migrating.
Taking these additional steps before upgrading or migrating to Windows Server 2008 will improve security and provide the fastest time-to-benefit.
Friday, November 30, 2007
Wednesday, October 17, 2007
Multiple Server Names
Winzero ServerMigrator has an option to add multiple server names to one server. This feature is handy when trying to remap user connections by allowing the new server to have two names: the old server name and the new server name.
However in our customer's enviroment a server would not respond to a cname that had just been created. After using the multi name utility and adding the new name to DNS and then connecting to “\\SecondServerName\c$” the server responded with an error “A duplicate name exists on the network.” Windows Server 2000 and 2003 listens for it’s “netbios” name only and ignore requests that come through with any other name.
A Simple Registry Fix.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\LanmanServer\Parameters
Check for or add the following registry value:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1
Rebooot the server.
Subscribe to:
Posts (Atom)
