Managed IT Services Blog

Check Point SSL Network Extender and Windows Update KB2585542

If you have used Check Point for any period of time, you’ve probably run into the ‘fw monitor’ command which is a very useful troubleshooting tool in a variety of scenarios.

For many traditional domain migrations, the use of sIDHistory is a common vehicle to avoid disruptions. As users and groups are migrated to other domains, they inherit new SIDs. This is because SIDs are domain specific. So historically problems arose when users and groups attempted to access resources in the source domain. Because the DACLs (Discretionary Access Control List) of the source resources are still attuned to the original SID's, users who migrated to a new domain or forest would be denied access. So to circumvent this starting with Windows 2000 Microsoft introduced the sIDHistory attribute. The premise of this attribute is to store the users or groups SID from the previous source domain and append it to the access token along with their new SID. Now users and groups in the midst of a migration could have access to source resources like file servers that have yet to be migrated.

As an administrator faced with the demanding task of an Active Directory migration, you need to know which machines are used by every client, which machines are used by multiple people and which employees log into them. This information can be very useful for support staff in general – but it really becomes a lifesaver when doing an AD migration or consolidation. You do not need a sophisticated third party auditing tool with an expensive support agreement. Just a one line capture script:

At Teched 2011 this year, Microsoft announced the broadened virtualization support of Exchange 2010.

Customers often try to strike the right balance between managing the “threat from within” while at the same time offering their user population access to network resources.  The edge of the network represents a unique opportunity to enforce the company’s security posture and acceptable use policy.   No longer is it sufficient to merely leverage 802.1x to authenticate and grant users access to the network.

A common problem when migrating objects from one forest to another using Microsoft’s ADMT (Active Directory Migration Tool) is the inability of the tool to migrate SID history for windows standard domain global groups such as "Domain User" or "Domain Admins." Typically what happens is in situations where administrators have used these groups to assign permissions such as in file and directories on a file and print server, users no longer have access to these files and directories during the interoperability stage of a migration. This stage is when users, groups and workstations have all been migrated to the new forest, but the application servers still remain in the source domain.

We have found that many of our clients are running into snags when trying to implement this process. So to help, we thought it would be useful to outline the most common pitfalls.