DC & File Server 在同一台時的權限影響

DC 與 File Server 在同一台時,而同一個 OU 裡,委派權限以及 Server Operator 群組權限同時存在的條件下,此 OU 的使用者繼承權限會受影響,帳號裡的 Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here 勾勾會被拿掉.



微軟有 KB 說明這樣問題的解決方式 AdminSDHolder Thread Affects Transitive Members of Distribution Groups ,但是修改 AdminSDHolder 會有不預期的問題發生.

另外,建議兩個解決方法,但是前提下,OU 內的使用者不能加入 Server Operator 群組 :

1. DC 和 File Server 需使用2台不同的獨立 Server,使用者可以設定 Full Control OU ,OU 內的使用者可加入 File Server 的 Power User 群組.

2. 如果 DC 兼 File Server 的情況,需要額外建立一個使用者帳號,例如: OUadmin 給某個使用者使用,並設定 OUadmin 可 Full Control OU,所以使用者在 AD 中有 2 組使用者帳號,一個是普通權限的用途,一個是可以管理 OU 的用途.

The Name on the Security Certificate is invalid or does not match the name of the site

公司內部的使用者,透過Outlook 2007 or Outlook 2010 MAPI Client 連線 Exchange 2010 時,發生如圖的安全性警告訊息,主要的原因是內部使用者使用 https 連線 Exchange Server 時,內部 Exchange Server 連線名稱跟外部憑證名稱不符造成的.



解決方法:
1. 透過EMC來修改 Internal Url,此 Internal Url 要與 External Url 名稱相同



2. 或者透過 Exchange Power Shell 來修改 Internal Url,執行指令如下

Set-OWAVirtualDirectory –Identity ServerName\OWA (default web site) -InternalURL https://XXX.XXX.XXX/OWA

Set-OABVirtualDirectory –Identity ServerName\OAB (default web site) -InternalURL https://XXX.XXX.XXX/OAB

Set-WebServicesVirtualDirectory –Identity ServerName\EWS (default web site) -InternalURL https://XXX.XXX.XXX/ews/exchange.asmx

Set-ActiveSyncVirtualDirectory –Identity ServerName\Microsoft-Server-ActiveSync (default web site) -InternalURL https://XXX.XXX.XXX/Microsoft-Server-ActiveSync

另外,Exchange 2010 還須執行下列指令,如果是 Exchange 2007 的話,可以省略

Set-ECPVirtualDirectory –Identity ServerName\ECP (default web site) -InternalURL https://XXX.XXX.XXX/ECP

執行完成後確認上述設定是否透用



如果上述設定還未套用,以及憑證的錯誤警告訊息持續產生,請透過 Exchange Power Shell 再執行下列指令修改 CAS 的內容,此錯誤訊息的問題即可解決

Get-ClientAccessServer –Identity ServerName | Set-ClientAccessServer
–AutodiscoverServiceInternalUri https://XXX.XXX.XXX/autodiscover/autodiscover.xml

About the SMTP Connector

SMTP Connector 在 Exchange 2003 設定的套用範圍,如圖(一)是可以選擇套用整個組織還是路由群組,而在 Exchange 2010 名稱有些許的差異,如圖(二),如果未勾選 Scoped Send Connector 表示套用整個組織,如果勾選 Scoped Send Connector 表示套用路由群組

關於 Shared Folders and Shared-Folder Permissions

關於 Shared Folders and Shared-Folder Permissions 在 Member Server 與 Domain Controller 所需要的權限:
Members of the Administrators or Power Users group can share folders on a Windows member server. You have to be a member of the Administrators or Server Operators group to share folders on a domain controller of a domain.

What is the Server Operators?

關於Server Operators的權限範圍如下:
Members of this group can perform server management tasks such as creating, changing, and deleting shared printers, shared directories, and files. They can also back up and restore files, lock the server console and shutdown the system. They cannot modify system policies or start and stop services.

Migration from Office Communications Server 2007 R2 to Lync Server 2010

Before You Begin the Migration

Phase 1: Plan Your Migration from Office Communications Server 2007 R2

Phase 2: Prepare for Migration

Phase 3: Deploy Lync Server 2010 Pilot Pool

Phase 4: Merge Topologies

Phase 5: Configure the Pilot Pool

Phase 6: Verify Your Pilot Migration

Phase 7: Add Lync Server 2010 Edge Server and Director to Pilot Pool

Phase 8: Move from Pilot Deployment into Production

Phase 9: Complete Post-Migration Tasks

Phase 10: Decommission Legacy Site

Migrate Using Lync Server 2010 Management Shell (optional)