
MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Buckeye Gone Bad

The Blog
  • Slow XP SP2 boot up, updated nic drivers fixed that.

    I had a call that a user's workstation is taking 5 minutes to boot up. I did some user file cleanup which should have nothing to do with the issue as the slow boot is before the user gets the CAD screen. I did an ipconfig/all to make sure dns was correct. I did an ipconfig/flushdns. I then updated the Realtek nic from a 2002 driver to a 2008 driver. I rebooted the workstation and it came up in a minute after the bios finished its stuff.

    Some computer manufacturers are not so good about getting you the latest nic drivers. If you have a computer that uses Broadcom nics you usually need to go to Broadcom to get the latest drivers. 

     

  • Tiny USB thumbdrives? Put them to use, or how to flash your server with a thumbdrive

    I have all these crummy USB thumbdrives. Crummy means too small to carry a lot of files on. I considered them useless until my Intel server said create a bootable USB thumbdrive and place the updates on the bootable USB thumbdrive. In the past I had to make a bootable floppy and then a few more floppies to update the various Intel utilities. Now they say place them all on a thumbdrive and boot from that. Finally a use for a 128 meg thumbdrive.

    This guy has great instructions with screenshots for those of us who can’t read instructions.

    http://www.bay-wolf.com/usbmemstick.htm

     

  • I can't get my default printer to stick on my application server. Make a group policy.

    I had a user buy some wham bam Dell portable pc for $4,000. It sure was fast with Vista Ultimate, Blue Ray, Bluetooth keyboard, lots of ram and processor. Well it sort of looks like a laptop but it weighs a lot. The primary business application does not run on Vista so we set him up to use the pretty new application server. He also has a dog slow XP laptop. I could not get the default printer to stick on the application server. I would log in with one laptop and set the default printer on the application server. He would log in with the other laptop and the default printer on the application server changed. The default printer kept flopping back and forth. Every day was a new day.

     

    So here is what I did. Group Policy management. I made a new GPO under domainname.local Windows Components/Terminal Services/Client/Server data redirection. Do not set default client printer to be default printer in a session. Enabled.

     

    Problem of default printer flopping about due to the client machines was solved.

     

  • Exchange connection filter using a Real Time Block list, and IMFPerfmon.msc

    Here are some things I do. I may miss a step so you may have to
    confirm things. After you added connection filter provider you need to
    make sure you have checked that stuff in the default virtual server.

    Global Settings/Message Delivery right click Properties.
    Sender Filtering: Check Filter messages with a blank sender and Drop
    connection if address filter matches filter.
    Connection Filtering: Add your favorite RBL services. I happen to use zen.spamhaus.org. Please visit www.spamhaus.org to review the terms and conditions to see if you are eligible to use their services.
    Intelligent Messaging Filtering: I set it at 7 and Reject. You want
    reject so if there was a valid message the sender receives notice that
    your server rejected the message.
    Recipient Filtering: Filter recipients who are not in the Directory.

    Apply and go to Servers/Servername/Protocols/Default SMTP Virtual
    Server right click Properties.
    Advanced.
    Edit
    I check everything but Sender ID Filter.

    Make sure you are on Exchange SP2 and you add the registry dword
    HKLM\Software\Microsoft\Exchange\ContentFilterState set to 1. That
    key lets Microsoft Updates get IMF definitions.

    I open up perfmon.msc from the Run box.
    On the icon bar I click on the notebook icon to get the report view.
    Click on the + sign next to it to add some counters.
    In the Performance Object drop down box look for
    MSExchange Transport Filter Sink. Choose all counters and Add.
    Back to Performance Object and choose MSExchange Intelligent Message
    Filter. Choose all counters and Add. I really do not care for the per
    second counters so you can choose select counters from list if you
    like.

    Now you have a perfmon that is showing how much stuff is going in to
    your Exchange server that the IMF considers spam. It shows you how
    many connections are being rejected by the RBL. It shows you how many
    connections are being dropped because the recipient is not in your
    Active Directory. I do a little math and come up with some interesting
    numbers.

    Click on File and save as. I save it as imfperfmon.msc. I right click
    on the desktop and make a new shortcut. Type imfperfmon.msc in the
    next two boxes. Now you have a shortcut on your desktop anytime you
    want to see how the RBL and IMF are doing.

    Back to your question. If you have the imfperfmon working you can see
    a little about what is coming in. Last night I had an account getting
    slammed with some mailer daemon nonsense. I need to visit to see what
    is really going on.

    Mail may still be stuck in the queue as your server is trying to send
    out Non Delivery Reports to bogus addresses. If you have done the
    clicks I mentioned and others hopefully the junk will be blocked.
    Those NDRs will die off after a few days. The default setting in
    Exchange is to try to deliver for 2 days and then give up. There is a
    trick to flush all the messages out but it may be just as easy to let
    them die out on their own. As long as you do the clicks I did you
    should eventually be ok.

    Another rant is what I do in Exchange System Manager. Properties of
    the Default SMTP Virtual Server/ Access/Relay. I have the button only
    in the list. Below that list I do not have the checkbox clicked for
    All computers that successfully authenticate. There is no computer
    that I want to relay against my server. I want everyone to be using
    Outlook or Outlook Web Access to deal with email. That is just another
    way for people to cause trouble. Of course after a misadventure I get
    to suggest now is the time to have passwords 8 characters long and
    having more than 2 things from the keyboard. Since there are at least
    6 easy things on the keyboard it should not be hard to create a
    complex password that is easy to remember.
    http://www.microsoft.com/protect/you...rd/create.mspx
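
What the connection filter does with an RBL such as zen.spamhaus.org, as an added example (not code from the original post or from Exchange): it reverses the connecting IP, looks the name up in the zone, and acts on the A record returned. The sample zone data and the `fake_resolver` helper are constructed for illustration; the return codes are the ones Spamhaus documents for zen, and the 127.255.255.x answers are error codes, not listings.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # the block list named in the post

# Listing answers live in 127.0.0.0/24; names below are a subset of the
# codes Spamhaus documents for zen.
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")
LIST_NAMES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL",
              "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
# 127.255.255.x means the query itself was refused (bad zone name, open
# resolver, query limit). It says nothing about the sender.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def query_name(client_ip, zone=ZONE):
    """Build the DNSBL name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Live lookup. NXDOMAIN means 'not listed'. Note that a resolver
    failure also lands here, so this fails open."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(client_ip, resolver=resolve_a, zone=ZONE):
    """Return (decision, detail) for a connecting IP."""
    lists, errors = [], []
    for answer in resolver(query_name(client_ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_NET:
            errors.append(answer)
        elif addr in LISTING_NET:
            lists.append(LIST_NAMES.get(answer, "listed"))
    if lists:
        return ("reject", sorted(set(lists)))
    if errors:
        # The filter is not working; rejecting here would drop all mail.
        return ("accept-alert", errors)
    return ("accept", [])


# Constructed sample answers (documentation IP ranges, not real listings).
SAMPLE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],
    "20.113.0.203.zen.spamhaus.org": ["127.255.255.254"],
}


def fake_resolver(name):
    """Offline stand-in for resolve_a, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.20", "198.51.100.7"):
        print(ip, query_name(ip), check(ip, fake_resolver))
```

If the perfmon counters show the RBL rejecting nearly every connection or none at all, the error-code case above is the first thing to rule out.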


  • File association woes as a limited workstation user

    I get a call that a new user cannot open tif or jpg file. When they go to Windows Explorer the file association is greyed out. I do a Google search and turn up a registry value of hklm\software\microsoft\currentversion\policies\explorer add dword NoFileAssociate with a value of 0. Or if this is missing it is the same as a 0. Well I searched and searched for other answers as this key did not help. The searches also suggested the HKCU but I would get an error when trying to create a new dword when logged in as a workstation user. I tossed out a white flag. Merv Potter saw the flag. He said it was a power user issue. Well I created a new user on my XP laptop as a limited user. I could not do that file association task. I made the new user a local Power User and he could. I logged on to the workstation in that domain. I made Domain Users Power Users of that workstation. That fixed the problem. Well actually it did not as that level is a bit higher than I would like but so it goes until someone tells me a better solution.

  • ADMT and frugal Swing Migration

    I got a call from a co-worker at a pop up account. You know the people that call wanting a little help but not a lot. They got a new server with hardware SATA raid 1. They installed SBS on a 500 gig partition. Personally I like to see 30-40 gigs for the OS and one or two other partitions. One partition for Exchange databases. Another partition for data. I like to keep the C: partition fairly free of stuff. My thought is that I can scandisk or defrag a 40 gig partition in short order. To scandisk a 500 gig partition might take days. I do not know but it takes pretty long to scan 40 gigs.

     

    They chose to do ADMT. Last time I tried ADMT it bombed. It bombed on moving workstations because that other account had manually entered in ip and dns info on the workstation. Since then I have learned how to do Jeff Middleton’s Swing migration. I do the frugal $50 version using the steps in SBS 2003 Advance Practices book. I have learned that you need to make sure Windows Firewall is disabled when you are doing swings but other than that the swing is pretty easy. You grab AD. You clean it up. You build the new SBS starting with the OS. Grab the AD. Finish installing SBS. Move the Exchange databases and restore the shares. I do not have to touch workstations. I can knock workstations offline for a few minutes while I unplug the old SBS from the network and plug in the new SBS. I need a bit of time to move the Exchange databases over. That might be an hour if the database is not too big. Moving files over can be fast or slow depending on quantity. You might have some user group membership adds. I use Microsoft’s print migration tool to grab printer shares. That usually works.

     

    Back to Thursday night. The goal was to have things up and running in the morning. Well they did have a late start. ADMT bombed moving computer accounts over. I heard about that late Thursday. Bedtime late for me. I suspect the fact their router was providing dns really screwed up that task. More on that later. They marched on moving the Exchange and company files over. That was taking forever which meant continue the project in the morning.

     

    I checked in the next morning and they were starting the unjoin/rejoin workstations. By the time I arrived 1.5 hours later they had one workstation on the new domain. The File and Settings wizard was run before we tried to move the workstations to the new domain. That worked ok on most of the machines but not all. Many of the workstations were slow to boot, painfully slow for modern workstations. I suggested that the router providing dns was a bad idea. That may have fallen on deaf ears. At the workstations I touched I started manually entering in dns and wins. That helped the machine when applying settings. It also helped when Outlook profiles had to be set to point to the new server name.

     

    Today is Friday. I spent another 2 hours today cleaning up some loose ends with user profiles. I noticed that a few of the workstations would not work from /remote. They also would not accept remote assistance from the SBS Server Management console. The one machine that did work both inside and outside had the dns and wins entered by me. They also had a hodge podge of workstation AV. It seemed that every workstation had a different AV client. I suspect a few were not up to date.

     

    I fixed the WSUS 3 that would not open from Server Management. The SBS official blog has some clicks for that.

    http://blogs.technet.com/sbs/archive/2007/05/01/wsus-3-0-on-sbs-white-paper-released.aspx

     

    So the take away if you insist on ADMT is to make sure that the SBS is doing all dhcp. Make sure that the workstations are getting all their ip, dns and wins from the SBS. Of course my personal opinion is to do a swing migration.

     

    Another note from that project. I set up zen.spamhaus.org in the Exchange connection filter. 80% of the incoming was getting blocked. 20% of the remaining was getting blocked by IMF 7. Users were asking where all their email was. I told them that we were blocking spam. Another useless statistic. Over 2360 messages blocked in less than 24 hours for a 10 user office. They might be a bit more productive not sifting through all that spam.

     

    Another takeaway. Do not schedule a new server install the day before the project manager is heading out of town. Do not schedule a new server install 2 days before you move to a new office.

     

    If I am correct and ADMT computer migration bombed because of router dhcp then maybe ADMT would have worked fast enough. Since it did not work they spent 12 of my (coworker David and I) hours plus a day of their IT lead working on the project. The staff did almost no computer work all day Thursday. If we had done a swing and started it Thursday morning, the staff would have worked as long as they wanted until maybe 2:00. I would have knocked them off for an hour while I pulled the Exchange databases over and rebooted their workstations. They would have been a bit off line for another few hours while the 30 gigs of data was pulled from the old server to the new server. If my math is correct swing for $960 or ADMT for $2400. Granted ADMT might have worked without the router dhcp nonsense but that was before I visited. So ADMT might have been pretty inexpensive. Of course if the account had bought Swing for $200 then they would not have had the projected $960 or the actual $2400 fee.

     

    Nobody asked me so maybe I could have saved ADMT, maybe not. I do know that I have done Swing at a two office location with 30 users and only an hour of down time and a few hours of printer cleanup. I did not have to touch one workstation. I like that.

     

  • Exchange 2003 IMF filter is not working. Blackberry users revolt.

    I have an account that uses Blackberries. We have Blackberry Enterprise Server installed on the server. Blackberry users are complaining about spam. The Exchange IMF was not working. We had some issues with that Exchange server a few months ago and it appeared to be working ok. Yesterday I discovered that the IMF was not working at all.

    Mail is delivered like this. I am not an Exchange Geek but based on what the Blackberries see I am pretty sure this is how it works. Exchange receives the email. Exchange looks at all the settings you have in Global Settings/Message Delivery/Properties. It also looks in the Administrative Group/First Administrative Group/Servers/Servername/Protocols/SMTP/Default SMTP Virtual Server/Properties/General/Advanced/Edit to see what you turned on. All those things you have checked like blacklists, filter blank senders, filter addresses not in Active Directory are run. Exchange continues to deliver the mail after processing those rules. BES grabs a copy of the email after that initial set of rules is run. The messaging AV gets the email and does its sorting but the email has already been sent off to BES. None of your Exchange server based messaging AV is going to help as the messages have been forwarded to BES.

    On this server I had an error or informational message that popped up in System Manager that the Microsoft support person said we could ignore if the server seemed to be working. One way to sometimes cure a problem is to reapply a service pack. Exchange SP2 refused to install. I found some articles about uninstalling the IMF v1. Then I found a post in the SBS group about how to do it this way for either v1 or v2.

    I stopped all Exchange services. I stopped all messaging av. Stopped SMTP service. Stopped some of the Blackberry services. I renamed C:\Program Files\Exchsrvr\Bin\MSCFV2 folder to oldMSCFV2. Made backup of Exchange registry key. Deleted ContentFilterState and ContentFilterVersion keys. Deleted C:\exchsrvr\bin\contentfilter.dll. I should have renamed that but oh well. Applied Exchange Service Pack 2.

    I opened regedit and I added HKLM\Software\Microsoft\Exchange dword ContentFilterState set to 1. This lets you get updates for IMF via Microsoft Updates. You need to restart the SMTP service for this new key to go in to effect. I tried to run Microsoft Updates but it did not see that I needed any new IMF definitions. The "current" definition in MSCFV2 was dated 2005. I copied folders from oldMSCFV2 folder to MSCFV2. My latest definition was in the folder 6.5.7942.0.

    regsvr32 "c:\Program Files\Exchsrvr\Bin\MSCFv2\6.5.7942.0\MSExchange.UceContentFilter.dll"

    I started all the Exchange, Blackberry and Trend Messaging services. I had one Messaging service that was stuck stopping. I used Process Explorer to kill that process so I could restart it.

    It has trapped 244 spam with SCL of 7 or larger in less than 8 hours. That is about 25 less spam going to the four Blackberry users. The rest of the users have a little less to sort through. On the other hand the Exchange administrator now will have 1,000 messages a day to wade through.

     

    I have no way to contact the Blackberry users to see if this working IMF is helping but the Outlook users have less to sift through.

    I go to this site for a number of great Exchange tutorials.

    http://msexchange.org/

  • Slow boots and chkdsk errors, bad hard drives that the hardware raid thinks is ok

    I had a call a month ago on a Tuesday night about a server that would not reboot. It kept popping up errors and wanted to run chkdsk. It appeared to finally come up and the person who called went home. I tried to remote in to the server and it would not answer. I knew I would have a morning visit. I appeared the next morning and I tried every variation of chkdsk I could come up with. That could be a humorous comment as I know of /f and /r. I called Microsoft tech support and we booted off the install cd. Running chkdsk when there is no OS in the picture nets better results. Well not this time.

     

    This was hardware raid 1 and I was getting array good in the bios boot up. I unplugged one of the drives and tried to run chkdsk again and again. It seemed that I might get a clean /f but the next /r would find issues. I could get the server to boot but not too fast and I never got a clean scandisk twice using chkdsk /f. Once again it is Raid 1 so you have 5 choices. Bad disk 1, Bad disk 2, both disks bad, bad controller card, bad motherboard. There might be other problems but those choices cover the likely scenarios. I gave up on the one hard drive and started working on the other hard drive. That second hard drive cleaned up nicely and booted happy as can be. We lost some email as the backup did not run correctly over the three day weekend. I recovered files from Tuesday but no luck on email. That was painful. What was also painful was my choice of drives. If I had better binary luck I would have ended the Microsoft call in a 1/2 hour instead of 3 or 4 hours. The support engineer was great. He had about 5 years of support experience.

     

    A month later a fellow who used to work with me calls stating that his old SQL server is slow to boot, appears to be running but users are not able to work. I suggested unplugging one hard drive or the other as he is using raid 1 also. He never called back so I bet one of his hard drives was acting up.

     

    You ask “Would a hardware Raid 1 with hot swap have helped?” The problem was the hardware thought the drives were fine. The operating system did not see the drives as happy. I am guessing that no, a hot swap would not have helped.

  • Lowest user permissions, folder redirection and applications that do not run because of a weird profile

    I have a goal sometimes of lowest user privileges. Not often enough though. End users have a much harder time installing junk programs if they are not a local administrator. Drive by malware may have a harder time getting installed. My newsgroup buddies JeffM and SusanB have given me clues and tools to work on making users workstation users. As you may know too many vendors say “make the user an administrator” so their application can work. You can use tools like filemon and regmon to see what is really going on when you run an application. Those two tools let you watch what is happening with the files and the registry. I generally know or assume two things for my down and dirty test. The user needs to have full control of the application folder and the HKLM/Software key for that application. OK, that assumption might be stretching how elevated the permissions need to be but that is where I start.

     

    I am logged in to the workstation as Administrator. Well I might be logged in as a domain administrator but usually I log on as administrator. I then go in to Control Panel/Add-Remove to uninstall any “junk” that either came with the workstation or the user installed. Junk is subjective but Google Desktop, Yahoo toolbar for IE, screen savers, shopper stuff and anything else that I have been bit by in the past. I delete temp files from all the users, delete their IE temp files and do a defrag. I might scan for malware, spyware and viruses if the machine is working weird. That is just some of my housekeeping 101 I do.

     

    I go to My Computer, right click and Manage. I go to local users and groups. I look at the administrator group and remove anyone who should not be in there.

     

    I then log on as the worker bee and let them work. If everything is working well, great. The registry and folder permissions worked every time for me. I have heard application tech support say to me that the user needs to be an administrator. My reply is “How is your Vista development going?” I have 4 third party doctor office software packages I work with regularly. I do have to call in on occasion. Sometimes I hear that administrator nonsense which I explain away.

     

    So every Jim story has a long story it seems. I did this last week for E-Mds. It worked fine. The short story was that a user could not scan in E-Mds unless the workstation log in was a domain administrator log in. I did my registry and file permissions. We logged in as the user that usually sits at the workstation and did a test scan. Things worked great. I get a call a day later and it is not working. I click away trying to find out why and get nowhere. I call E-Mds support and we start working on things. I happen to like their support. The folks are friendly and we always solve the problem, usually pretty quickly. Well today was not a quick call. We click around and nothing helps. I set the local workstation administrators to domain users and that did not help. That should have eliminated any folder permissions issue on the workstation. I opened notepad and did some save as to the folder on the server that the application uses. That should eliminate server folder issues.

     

    I create a new user on the domain. I log on to the workstation as the new user and E-Mds scanning works fine. That eliminates the workstation and the server permissions. It is down to the user. In the past I have deleted workstation user profiles when something odd just keeps biting me. Almost always seems to work. It did not this time. I had the same issue when I logged back on as the problem user. I did see that the user was having a new profile built as it took a few minutes for the first log in to happen. I inherited the SBS so I am not positive about everything that has been done. I saw no sign of desktop redirection or user profile redirection. I did have My Documents redirection though. I looked in the user’s folder on the server and I saw nothing weird. That is not true. I did have an issue saving a shortcut to her folder but I could create a new txt file in her user folder. While she was logged off I renamed her folder 1aajohnson. I made a new aajohnson folder and set the security permissions correct. I logged on as aajohnson and E-Mds scanning worked fine. I copied all of her documents over from her old folder to her new folder. Everything still worked fine.

     

    So the take away. Not only can you get bit by a weird local user profile but a redirected user folder.

     

  • I can't see shares on the server!

    Start
    Run
    Cmd and enter
    ipconfig/all
    The gateway, dns and wins should be your SBS
    Ping ip of gateway or your SBS if the gateway is not the same as your WINS

    If you can ping your server great.

    If you have a Dell go to services
    Start
    Run
    Services.msc
    Make sure Network Location Awareness is set to automatic.
    Go to your network properties.
    click on Advanced
    Advanced settings
    Make sure that your LAN is at the top.

    Start
    Control Panel
    User Accounts
    User Accounts
    Advanced
    Manage Passwords

    You could reboot for the NLA and nic stuff to stick. The cleared passwords problem should work right away. I also clear passwords in Internet Explorer. Tools/Internet Options/Content and Autocomplete.

  • Blindsided by the US daylight savings time?

    Blindsided by the new US daylight savings time?

     

    I am going to be out of town that weekend. Lucky me. I am already suffering though. One account called because appointments are not sticking to the correct time. 10 am in Atlanta in three weeks before the patches should still be 10 after the patches. I don’t know if the account was running this or not. http://support.microsoft.com/kb/931667 . I need to check back with them.

     

    Well here is how I got bit. Outlook kept acting weird on a few workstations at one account. They are using SalesLogix which is a CRM. Outlook works fine when SalesLogix is not installed. I was getting all kinds of errors when installing SalesLogix. I tried and I tried but I could not get it to work. I called the var for support. Ring, no answer and no call back. I looked at the product’s website but there were no answers. Eventually someone called me back with a simple registry edit to adjust their program to play well with the new DST. The install went great and now Outlook and SalesLogix work fine. If I had only known I could have saved a lot of time. If their website had a big bold notice it would have helped. If the var had sent an email. Well maybe the var had sent an email but it was not forwarded to their part time IT staff. Me/us. On the other hand if the account had kept up to date on their SalesLogix they would not have had a problem. The most current version was already patched up with no special clicks.

     

    When are you going to get bit?

  • ISA, site to site vpn, routing tables

     I have a SBS account with 3 routers and 4 servers. Your typical SBS environment.

     

    Main office:

    Hospital router 192.168.10.1

    Main office site to site router 192.168.10.254

    Internet router 10.0.1.1

    PSSSBS 192.168.10.2 and 10.0.1.2

    Psschartlogic (sql server that syncs a folder and sql)192.168.10.3

    Pssapps2  (for remote timeclock use and to see the hospital network apps)192.168.10.4

     

    Remote office:

    Clogic2 (sql server that works with psschartlogic)192.168.9.2

    Remote office site to site vpn router 192.168.9.1

     

     

     

    I had this account working for a year or more on SBS 2000. I have the remote office connecting to the main office pssapps2 to use the timeclock and to look at hospital xrays and lab reports. The hospital internet portal does not have the most up to date lab reports and xrays so we want to use the hospital router via pssapps2 to see stuff. The main office does not need to use pssapps because the timeclock is on psssbs. All the workstations at the main office can use the hospital router to see xrays and reports.

     

    This fell apart when I installed a new SBS 2003 with ISA 2004. On my SBS I added my routing tables. I added my dns entries and host entries. I could resolve names and everything worked fine at the main office. The remote office was having a hard time reaching the servers or workstations. One doc wants to reach his workstation because he had a few unique things on his workstation. Weird thing was that you could reach psschartlogic and psssbs  from the remote office but that was it. When I am in the main office working from any main office computer all machines tested would answer a rdp session.

     

    I made sure the Windows firewall was turned off on the pssapps2. I turned off the Trend firewall. No diff. I turned on the Windows firewall and made sure there were exceptions for remote. I turned on logging and I could see the start of a conversation with a 3389 connection but nothing after that. I clicked on default settings and a warning pops up. I click away. Now I cannot get to pssapps2 because the default is let no traffic in. It was 10:30 at night. I was planning on visiting in the morning. Did I mention that this account is a pulmonary and sleep disorder practice? That means they run 24x7. I get calls in the evening when things do not work. I guess I broke things a little too late for anyone to notice. They must have already gotten their face sheets. Oh, they actually run two remote offices but the second remote office dials in using a Microsoft vpn so they did not suffer problems accessing any resources because the vpn put them in the 192.168.10.x network.

     

    I arrive at the site and the staff is in jeans. This is always a good sign as it suggests no patients or docs for the day. They were doing housecleaning with minimal computer use. That meant free rein of the server with a bit of server going down warning. I go back to pssapps2 and turn off the Windows firewall. I noodle around and I give up on things. I call Microsoft support. This costs money but usually worth it. I almost never call with a 10 minute problem. I often spend 2 hours and even days working on problems. I had a dfs problem at this same account that I spent 2 months working on. I work in Atlanta. I started the support call over the phone. A month later I actually was in Texas for training and spent a few hours with a Microsoft support engineer in his cube working on the dfs problem. We never solved that dfs problem. Well I sort of solved it when I installed new hard drives in the problem server and a new operating system. I then used ViceVersa from http://www.tgrmn.com/ It has a gui interface so I can see what is happening. I bought the basic program and the other program that is supposed to set things up as a service. I could never get the service module to work so I told the program to sync using a task schedule every 15 minutes. Program works great. I have used the tool a few times when xcopy did not work when I did a swing migration. I do a swing every month or so. http://www.sbsmigration.com/ I am cheap so I use the procedure listed in http://www.amazon.com/Advanced-Windows-Business-Server-Practices/dp/0974858072 The book covers a lot of things but I use it mainly for the migration process. Jeff has developed a number of scripts that you can use to make the job easier. I need to watch someone use the scripts so I can appreciate them. Sorry I learned computers in dos and mainframes so I am sort of used to working without gui for some tasks. Anyway the kit he has put together is great and worth every penny.

     

    Back to the current problem. Support looks around and can’t see anything. They state something to the effect that ISA is handling all 3389 and we need to change the ports on the other servers and workstations. She starts to change the listening port and I stop her. I do not want to tell my users click on port 3388 for this server and 3387 for this workstation. I request a bump up to the next level of support. I am passed on. I swear that I am still in India as the next guy has a name I cannot pronounce. I was certainly not John and did not sound like a John from Ohio. Well I was in Canada support. I have called there and they are quite international. In the Texas and Charlotte support offices everyone there seemed to be from the US. Well Ray Fong in Charlotte was not from the US but most were. I guess I am just showing my ignorance. An international company should have people from all over the world working for them. I know some folks I met in Charlotte are working over in the UK for Microsoft.

     

    Sorry, I digress again. I explain to Shahram what my goal is and how I have engineered things. We look around. We change some local network settings in ISA. I had the hospital networks, my main office network and my remote office networks listed. 192.168.10.0-192.168.10.255, 192.168.9.0-192.168.9.255, 172.10.0.0-172.0.0.255, and 192.168.4.0-192.168.4.255. He tried to make the main office 192.168.9.0-192.168.10.255. That made no difference.

     

    Here is my routing table from my SBS. Note that there is nothing exciting or worrisome because all my gateways are private ips the real world cannot reach.

     

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.1.1         10.0.1.2     20
             10.0.1.0    255.255.255.0         10.0.1.2         10.0.1.2     20
             10.0.1.2  255.255.255.255        127.0.0.1        127.0.0.1     20
       10.255.255.255  255.255.255.255         10.0.1.2         10.0.1.2     20
        24.98.210.192  255.255.255.255         10.0.1.1         10.0.1.2     20
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
           172.18.0.0      255.255.0.0     192.168.10.1     192.168.10.2      1
           172.18.1.0    255.255.255.0     192.168.10.1     192.168.10.2      1
           172.20.0.0    255.255.255.0     192.168.10.1     192.168.10.2      1
          172.30.10.0    255.255.255.0     192.168.10.1     192.168.10.2      1
          192.168.4.0    255.255.255.0     192.168.10.1     192.168.10.2      1
          192.168.9.0    255.255.255.0   192.168.10.254     192.168.10.2      1
         192.168.10.0    255.255.255.0     192.168.10.2     192.168.10.2     10
         192.168.10.2  255.255.255.255        127.0.0.1        127.0.0.1     10
        192.168.10.18  255.255.255.255        127.0.0.1        127.0.0.1     50
       192.168.10.110  255.255.255.255    192.168.10.18    192.168.10.18      1
       192.168.10.255  255.255.255.255     192.168.10.2     192.168.10.2     10
            224.0.0.0        240.0.0.0         10.0.1.2         10.0.1.2     20
            224.0.0.0        240.0.0.0     192.168.10.2     192.168.10.2     10
      255.255.255.255  255.255.255.255         10.0.1.2         10.0.1.2      1
      255.255.255.255  255.255.255.255     192.168.10.2     192.168.10.2      1
    Default Gateway:          10.0.1.1
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
          172.30.10.0    255.255.255.0     192.168.10.1       1
          192.168.9.0    255.255.255.0   192.168.10.254       1
           172.18.1.0    255.255.255.0     192.168.10.1       1
           172.20.0.0    255.255.255.0     192.168.10.1       1
           172.18.0.0      255.255.0.0     192.168.10.1       1
          192.168.4.0    255.255.255.0     192.168.10.1       1

     

    Routing 101. A computer cannot talk to another computer unless it knows how to talk to the other computer. Sometimes this stuff is handled by a server, sometimes by a router, sometimes magic. Well, never magic, but it seems that way. If you have worked with Cisco routers you know nothing good happens when connecting two sites until you tell the routers how to talk to each other. You go into their Command Line Interface and program away. This Cisco conversation is not relevant to my problem. It is just a high level overview. On a workstation or server you might have to do a route add -p 192.168.9.0 mask 255.255.255.0 192.168.10.254. You can tighten it up if you need to go to a specific workstation or server or a smaller subnet. That is why you see some persistent routes: I used the -p when I ran the command.

     

    After much clicking here and there we ran some netmon traces at psssbs, pssapps2 and from a workstation at the remote office. 20 minutes later Shahram calls back with info. He talked with some other techs and they are sure ISA 2004 is eating up the traffic. Well, that was my thought the whole time as it worked with ISA 2000 on the old server. http://support.microsoft.com/kb/888042 The solution is simple. We did route add -p 192.168.9.0 mask 255.255.255.0 192.168.9.254 on pssapps2 and the doctor’s main office workstation. The remote desktop now works fine. What I never understood was how the psschartlogic would accept RDP. I bet I never looked at the route print. I also bet I added a route add -p back 4 months ago when I installed the new hard drives and the new operating system.

     

    Long story short. Check your routing tables. Add some routes to see if good things happen. Make sure you delete those routes if you added them with a -p if they do not help. If you did not use a -p then a reboot will flush out your experiment.
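
    An added example, not part of the original post: a short Python script that parses rows in route print format and picks the route for a destination by longest prefix, then lowest metric. The rows are copied from the Active Routes table above; the function names are this example's own.

```python
import ipaddress

# Rows copied from the "Active Routes" table in the post
# (destination, netmask, gateway, interface, metric). A subset is enough here.
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0         10.0.1.1         10.0.1.2     20
10.0.1.0    255.255.255.0         10.0.1.2         10.0.1.2     20
172.18.0.0      255.255.0.0     192.168.10.1     192.168.10.2      1
172.18.1.0    255.255.255.0     192.168.10.1     192.168.10.2      1
192.168.4.0    255.255.255.0     192.168.10.1     192.168.10.2      1
192.168.9.0    255.255.255.0   192.168.10.254     192.168.10.2      1
192.168.10.0    255.255.255.0     192.168.10.2     192.168.10.2     10
192.168.10.110  255.255.255.255    192.168.10.18    192.168.10.18      1
"""

def parse_routes(text):
    """Turn route print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # not an address row
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, destination):
    """Choose the matching route: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def drop_route(routes, network):
    """Simulate 'route delete' to see where traffic goes without that entry."""
    target = ipaddress.ip_network(network)
    return [r for r in routes if r[0] != target]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    print("with route:   ", lookup(table, "192.168.9.25"))
    print("without route:", lookup(drop_route(table, "192.168.9.0/24"), "192.168.9.25"))
```

    With the 192.168.9.0 entry present, traffic for the remote office leaves through 192.168.10.254; with it removed, the same destination falls through to the default gateway 10.0.1.1.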

     
