Monday, October 8, 2012

Change UserPrincipalName with a Script via PowerShell

When setting up single sign-on in Office 365, one problem you may run into is needing to change the UserPrincipalName to match your public mail domain. For example, if your primary Active Directory domain is something like @domain.local, it will not work with Office 365, and you will need to change the UserPrincipalName to @domain.com.

After you have created the alternate UPN suffix as described in http://techatmount.blogspot.com/2012/09/office-365-single-sign-on-errors.html, you can script the change of users' UPNs to the new suffix using the following PowerShell script.

I played around with the formatting of the code below to get it nicely color coded. This means that some of the line breaks don't show well here, but a copy and a paste into notepad should format it properly.

Import-Module ActiveDirectory
$privateUPN = 'domain.local'
$publicUPN  = 'domain.edu'
Get-ADUser -SearchBase "ou=Students,dc=domain,dc=com" -SearchScope Subtree -Filter * |
ForEach-Object {
    if ($_.UserPrincipalName) { # Skip accounts whose UserPrincipalName is null
        # Swap only the suffix after the @, case-insensitively, and keep the result for troubleshooting output
        $newUserName = $_.UserPrincipalName -replace ('@' + [regex]::Escape($privateUPN) + '$'), "@$publicUPN"
        # Uncomment the next line to print each change while testing
        #Write-Host "$($_.UserPrincipalName) now is $newUserName" -ForegroundColor DarkRed
        # -WhatIf doesn't actually change anything; remove it to make the change
        $_ | Set-ADUser -Server $privateUPN -UserPrincipalName $newUserName -WhatIf
    }
    else {
        Write-Host "$($_.sAMAccountName) does not have a UPN" -ForegroundColor DarkCyan
    }
}


Friday, October 5, 2012

GroupPrincipal.FindByIdentity Search Returns Well-Known SID Error

We use a custom program to assist in the creation and management of our Active Directory user accounts. In it we use the System.DirectoryServices.AccountManagement namespace released in .NET 3.5 to do much of the interaction with AD.

One of the processes that gets completed is to find what groups a user should be in based on their department and add the user to that group.

In doing this, I use the following code to search for the group by name.

Dim domainContext As PrincipalContext
domainContext = New PrincipalContext(ContextType.Domain, "campus", "OU=" & Me.Department & ",OU=" & Me.accountType & ",DC=domain,DC=com")
Dim group As GroupPrincipal
group = GroupPrincipal.FindByIdentity(domainContext, Me.Department)

Problem

A problem arose while searching for some of our departments. For example, our Communications department is identified as 'CO' and our Education department as 'ED'. When we searched for the value 'CO' assigned to Me.Department, the identity found was the well-known SID "Creator Owner". When we searched for 'ED', the group found was "Enterprise Domain Controllers" instead of the expected group 'ED'.

We would also receive the following error when trying to create the user account.
This principal object represents a well-known SID and does not correspond to an actual store object. This operation is not supported on it.

Solution


The solution to the problem was actually pretty quick.
Change

group = GroupPrincipal.FindByIdentity(domainContext, Me.Department)

to

group = GroupPrincipal.FindByIdentity(domainContext, IdentityType.SamAccountName, Me.Department)

so that the search is restricted to the sAMAccountName. You can also choose a different IdentityType to search against; the options are:

  • DistinguishedName
  • Guid
  • sAMAccountName
  • Name
  • Sid
  • UserPrincipalName
Additionally, trying to catch the MultipleMatchesException did not resolve the problem, because it was never thrown during the search process.
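The same lookup from PowerShell, using the AccountManagement types the post discusses, restricted to sAMAccountName as in the fix above, plus a check that the returned principal is a real directory object and not a well-known SID. This is an added example, not code from the original post; the domain name, OU layout and group names are placeholders.

```powershell
# Added example (not from the original post): find a department group by sAMAccountName
# only, then confirm the result is backed by a directory object rather than a well-known SID
# such as "Creator Owner" (S-1-3-0). Domain name, OU layout and group names are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Find-DepartmentGroup {
    param(
        [Parameter(Mandatory)] [string] $Department,    # e.g. 'CO' or 'ED', also the group's sAMAccountName
        [Parameter(Mandatory)] [string] $AccountType,   # e.g. 'Staff' (hypothetical OU name)
        [string] $DomainName = 'campus',                # hypothetical domain name
        [string] $DomainDn   = 'DC=domain,DC=com'       # hypothetical domain DN
    )
    $container = "OU=$Department,OU=$AccountType,$DomainDn"
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainName, $container
    try {
        # Naming the IdentityType is the fix: 'CO' can no longer match the well-known SID "Creator Owner"
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $Department)
        if ($null -eq $group) {
            throw "No group with sAMAccountName '$Department' under $container"
        }
        # Defensive check: well-known SIDs are not account SIDs and have no distinguished name in the
        # store, so anything failing here would raise the "does not correspond to an actual store
        # object" error later when the account is created. IsAccountSid() is tested first so the
        # DistinguishedName of a well-known principal is never touched.
        if (-not $group.Sid.IsAccountSid() -or [string]::IsNullOrEmpty($group.DistinguishedName)) {
            throw "'$Department' resolved to well-known SID $($group.Sid) ($($group.Name)), not a group in the directory"
        }
        # Return plain values so the caller does not depend on the context disposed below
        return [pscustomobject]@{
            Name              = $group.Name
            SamAccountName    = $group.SamAccountName
            Sid               = $group.Sid.Value
            DistinguishedName = $group.DistinguishedName
        }
    }
    finally {
        if ($group) { $group.Dispose() }
        $ctx.Dispose()
    }
}

# Usage: resolve the group, then add the user by distinguished name with the ActiveDirectory module
# $g = Find-DepartmentGroup -Department 'CO' -AccountType 'Staff'
# Add-ADGroupMember -Identity $g.DistinguishedName -Members 'jdoe'
```

Because the context is scoped to the department's OU, a real group named 'CO' elsewhere in the domain is also not matched by accident; the function throws rather than returning anything it cannot verify as a store object.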

Hopefully this will help save some searching.

Wednesday, October 3, 2012

Spear Phishing Attempts

We have recently been receiving several different types of spear phishing attempts. These messages contain customized institutional headers and information of interest specific to the users they were sent to. For example, fake recruiting information was sent to admissions and vice presidents.

Your mailbox has exceeded the storage limit which is 20GB ,You are currently running on 20.9GB. You may not be able to send or receive new mail until you re-validate your mailbox. To re-validate your mailbox please click the link below: http://alert.xp3.biz/system_administrator_account_validate_html/




http://sheltonspringhomes.com/1hceqer2/index.html

We have notified users of the phishing emails and tried to sinkhole the DNS names.

Thursday, September 20, 2012

Office 365 Single Sign On Errors

Figure 1
We are currently in the midst of setting up a Hybrid Implementation involving Exchange 2010 and Office 365 for Education where we will eventually migrate our student mail from On-Premise Exchange to Office 365.

To enable SSO you need the following items.

  • Properly configured ADFS (Active Directory Federation Services) environment
  • Office 365 domain with verified Public Domain i.e. domain.edu
  • Follow instructions from a blog like this to enable SSO
If you have completed these steps, you should be able to verify the ADFS setup by visiting the URL https://adfs.domain.com/adfs/ls/IdpInitiatedSignon.aspx from a variety of places, including both internal and external clients.

To test single sign-on for Office 365, go to https://portal.microsoftonline.com. Try to log in with username@domain.com, and you will be redirected to a page similar to Figure 1. When you click the "Sign in at domain.com" link, it should redirect to your ADFS environment and either log you in automatically or prompt for credentials, depending on configuration, current user credentials, and browser.

Your organization could not sign you in to this service
If you enter your credentials and receive the error "Your organization could not sign you in to this service", as shown in the image, the cause is most likely the UPN currently configured in Active Directory. The UPN the user enters when logging in needs to match that user's UPN in AD. This is typically a problem when you are using a private internal domain name such as domain.local.

Solution

First, you need to add the UPN suffix if it doesn't currently exist in AD.
  1. Open Active Directory Domains and Trusts.
  2. Right-click the top item, Active Directory Domains and Trusts, and choose Properties.
  3. Add your alternate (public) UPN suffix, e.g. domain.com.
Second, go to Active Directory Users and Computers.
  1. Open the properties of the user you are testing.
  2. Go to the Account tab.
  3. Under User logon name:, change the drop-down item to the new @domain.com suffix.
You should now be able to log in to Office 365 using your local credentials.
WARNING: This may affect other things if you have people using the private UPN to login elsewhere, so be careful.
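The two GUI steps above, and the scripted suffix change in the UserPrincipalName post earlier on this page, done with the ActiveDirectory module and with the checks a scripted change should make first: that the suffix is actually registered in the forest before any user is changed, and that the user's UPN reads back as expected afterwards (the SSO failure above is exactly a mismatch there). This is an added example, not code from the original post; the suffix, user and function names are placeholders.

```powershell
# Added example (not from the original post): register an alternate UPN suffix and move one
# user to it, verifying each step. Suffix names and the sample user are hypothetical.
Import-Module ActiveDirectory

# Step 1 equivalent: add the public suffix to the forest once, if it is missing.
# Changing forest-wide UPN suffixes needs rights on the Partitions container
# (Enterprise Admins by default).
function Add-PublicUpnSuffix {
    param([Parameter(Mandatory)] [string] $Suffix)   # e.g. 'domain.com'
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix}
    }
    # Re-read so the caller gets the confirmed state rather than what we hoped for
    return ((Get-ADForest).UPNSuffixes -contains $Suffix)
}

# Step 2 equivalent: the "User logon name" drop-down is just the suffix part of the UPN.
function Set-UserPublicUpn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PublicSuffix    # e.g. 'domain.com'
    )
    # Refuse a suffix the forest does not know about; AD would reject it and SSO would still fail
    if ((Get-ADForest).UPNSuffixes -notcontains $PublicSuffix) {
        throw "UPN suffix '$PublicSuffix' is not registered in Active Directory Domains and Trusts"
    }
    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    # Keep the existing logon name before the @; fall back to sAMAccountName when the UPN is null
    $prefix = if ($user.UserPrincipalName) { $user.UserPrincipalName.Split('@')[0] } else { $SamAccountName }
    $newUpn = '{0}@{1}' -f $prefix, $PublicSuffix
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UserPrincipalName to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
    }
    # Read back and verify; with -WhatIf nothing changed, so this correctly returns $false
    return ((Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName).UserPrincipalName -eq $newUpn)
}

# Usage: register the suffix, dry-run the user change, then apply it
# Add-PublicUpnSuffix -Suffix 'domain.com'
# Set-UserPublicUpn -SamAccountName 'jdoe' -PublicSuffix 'domain.com' -WhatIf
# Set-UserPublicUpn -SamAccountName 'jdoe' -PublicSuffix 'domain.com'
```

The warning above still applies: anything that authenticates with the old private UPN will break when the user's UPN changes, which is why the function supports -WhatIf and changes one named user rather than an OU at a time.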

Wednesday, September 5, 2012

4 Ways to Protect Your Mobile Device

Afraid of losing or having your device stolen?

Worried about people getting information or pictures off of your device?

Read on to find out 4 quick and simple ways to protect your device, and yourself, from losing your phone and your privacy.

1. Sign up for and install a device locating App

On iOS devices, including iPods, iPads and iPhones, the most common free app to use is Find My iPhone. By installing this app on your device and tying it to your Apple ID, you will be able to see where your device is at any time, as long as it is enabled and connected to a network such as cellular or Wi-Fi.

It is important to note that, just like when you are using your phone, the precision of the location depends on whether GPS and other location services are enabled: the more of these you keep turned on, the more accurate the location will be.

This app also lets you ping your device so that it beeps, for example if you lost it somewhere in your room.

Android has several similar types of software. The one currently recommended is SeekDroid. In its free mode this freemium software offers location finding features similar to Find My iPhone; additional premium features are available depending on your needs.

2. Password protect your device

A password or lock screen on your device is your first line of defense in preventing anyone, friend or foe, from accessing your device. Why does it matter if someone can access your device? A quick look at what we all keep on these devices helps to answer that. Would you want someone posting as you to your Facebook or Twitter account?

How about photos that you may have taken? Do you have any photos you wouldn't want displayed on the front page of the newspaper? Taking such photos isn't a good idea in the first place, as the celebrities who have recently had their phones broken into and regretted the results demonstrate. Keeping these pictures on your device without locking it is asking for trouble.

To make matters worse, most of the time our devices contain a lot of information about us that can be used for identity theft: things like account numbers, cached bank credentials and contact information that can be used to impersonate us.

So how should you protect your device with a password? On iOS the easiest solution is a PIN of at least 4 digits that isn't repeating or simple. For example, bad PINs are things like 1234, 1111 or 5555.

On Android devices I also recommend a PIN of at least 4 digits. The swipe pattern is generally not a good protection mechanism because the fingerprint trail is easy to see on the screen.

3. Encrypt your device

The good news for iOS users is that in all newer versions of iOS, encryption happens automatically once you have a password on the device. If you have an old Apple device, you should upgrade the iOS version and then enable a password to secure the device.

On Android devices the risk from an unencrypted device is even greater because of the access to the file system over USB. Due to the variety of devices and vendors, the recommended way to find out exactly how to encrypt your specific device is to Google it; it will typically be under Settings > Security.

4. Record your Device's Information

If your device does get lost or stolen, you should have as much information about it as possible. This includes numbers like your ASN/IMEI or SIM number, your MAC address and model number, and any other distinguishing features such as marks or damage. All of this information will help law enforcement verify or return your device.


In iOS you can get this information by going to Settings > General > About.
On Android devices it is generally available by going to Settings > About device > Status.

With these steps in place you are on your way to protecting a tool that has become an important part of our daily lives.

Wednesday, June 20, 2012

Putting Voicemail on Exchange 2010

A major driver for our upgrade to Exchange 2010 is migrating voicemail off our Nortel CS1000 system, which currently uses CallPilot, to Exchange's Unified Messaging features.

The push for this was the continued expense of upgrading the CallPilot voicemail system while receiving no new functionality. By moving voicemail to Exchange we ended up spending a little less than 1/3 of the CallPilot cost while gaining several new features.

For this upgrade we received assistance from the Via Group. They designed the upgrade process and handled the work on the AudioCodes device, as well as providing UM and Exchange assistance as required.

The basic concept for getting voicemail into Exchange was the following:
Prerequisite: have Exchange installed with a server that has the UM role.
Voicemail in Exchange instead of Nortel - Basic Configuration
  1. Purchase an AudioCodes gateway device that essentially acts as a go-between for the analog Nortel switch and the Exchange UM server.
  2. We previously had 4 ISDN PRI lines from the PSTN. This allowed a maximum of 92 concurrent incoming or outgoing calls.
  3. We moved one of these PRIs to connect to the AudioCodes device as a QSIG trunk. This provides 23 concurrent connections to the new voicemail server and leaves 69 concurrent calls allowed in or out of campus.
  4. Create the dial plans and policy inside Exchange Unified Messaging. If you are looking for a good walk-through on this, refer to here.
  5. Concerning certificates, we have an enterprise CA that we used to sign the certificates on both the AudioCodes device and the UM role in Exchange.
    - Note: Both devices need to use the FQDN of the UM server and the DNS name you create for the AudioCodes gateway. This lets them use TLS encryption between devices. If you follow this route you will also need to install the root certificate on the AudioCodes device.
  6. Assign mailboxes to phone numbers in Exchange.
  7. Ensure the receive connectors on the 2010 CAS are able to accept messages from the UM server. (More on this below.)
With these steps completed you should be able to receive voicemail messages in Exchange. Below are a couple of the errors and troubleshooting steps we needed to take.
  1. Voicemails not being received in Exchange from "unauthenticated callers". (An unauthenticated caller is anyone whose phone is not in the UM. This means numbers outside the organization and anyone on the legacy Nortel system.)
  • Symptoms included the voicemails collecting in InstallDrive:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\voicemail.
  • In the Windows application log we were also seeing the following:
    The Unified Messaging server encountered an error while trying to process the message with header file "C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\voicemail\53fd3299-40b3-42d2-bf02-02b09edacf1f.txt". Error details: "Microsoft.Exchange.UM.UMCore.SmtpSubmissionException: Submission to the Hub Transport server failed. The operation will be retried. ---> Microsoft.Exchange.Net.ExSmtpClient.UnexpectedSmtpServerResponseException: Unexpected SMTP server response. Expected: 220, actual: 500, whole response: 500 5.3.3 Unrecognized command

       at Microsoft.Exchange.Net.ExSmtpClient.SmtpTalk.CheckResponse(ServerResponseInfo response, Int32 expectedCode)
       at Microsoft.Exchange.Net.ExSmtpClient.SmtpTalk.Command(SmtpChunk[] chunks, SmtpCommandType command, Int32 expectedCode)
       at Microsoft.Exchange.Net.ExSmtpClient.SmtpTalk.StartTls()
       at Microsoft.Exchange.Net.ExSmtpClient.SmtpClient.Submit(Boolean disableDelayedAck)
       at Microsoft.Exchange.UM.UMCore.SmtpSubmissionHelper.SubmitMessage(MessageItem message, String senderAddress, String recipientAddress, OutboundConversionOptions submissionConversionOptions, InternalExchangeServer smtpServer)
       at Microsoft.Exchange.UM.UMCore.SmtpSubmissionHelper.SubmitMessage(MessageItem message, String senderAddress, String recipientAddress, OutboundConversionOptions submissionConversionOptions, String requestId)
       --- End of inner exception stack trace ---

    Server stack trace:
       at Microsoft.Exchange.UM.UMCore.SmtpSubmissionHelper.HandleTransientSmtpFailure(Exception e, InternalExchangeServer smtpServer, String recipientAddress)
       at Microsoft.Exchange.UM.UMCore.SmtpSubmissionHelper.SubmitMessage(MessageItem message, String senderAddress, String recipientAddress, OutboundConversionOptions submissionConversionOptions, String requestId)
       at Microsoft.Exchange.UM.UMCore.SmtpSubmitStage.InternalDoSynchronousWork()
       at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
       at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
       at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
       at Microsoft.Exchange.UM.UMCore.SynchronousPipelineStageBase.SynchronousWorkDelegate.EndInvoke(IAsyncResult result)
       at Microsoft.Exchange.UM.UMCore.SynchronousPipelineStageBase.EndSynchronousWork(IAsyncResult r)"
  • The solution was to create a custom receive connector on the 2010 Hub Transport role, because the default one had to be modified to exclude other addresses in order to receive properly from the internet. The settings we have are: General tab > FQDN = internal FQDN (must have a certificate); Network tab > Receive mail from remote servers includes the addresses of the 2010 UM server, the CAS server and the 2007 CAS; Authentication tab > check TLS, Mutual Auth TLS and Exchange Server authentication; Permission Groups tab > check all users.
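The same custom receive connector created from the Exchange Management Shell instead of the GUI, followed by a read-back of the settings that matter. This is an added example, not the post's own configuration: the connector name, server name, FQDN and IP addresses are placeholders, "Mutual Auth TLS" is taken to be the DomainSecureEnabled setting it maps to in the shell, and "check all users" is taken to mean the non-anonymous permission groups.

```powershell
# Added example (not from the original post): a receive connector on the 2010 Hub Transport
# server restricted to the UM and CAS servers. All names and addresses are hypothetical.
$hubServer    = 'EX2010HUB'                                 # hypothetical Hub Transport server
$internalFqdn = 'ex2010hub.domain.local'                    # hypothetical; must match a certificate on the Hub
$trustedPeers = @('10.0.0.20', '10.0.0.21', '10.0.0.30')    # hypothetical: 2010 UM, 2010 CAS, 2007 CAS

# Network tab: only these remote addresses. A second connector on 0.0.0.0:25 is allowed
# because its RemoteIPRanges differ from the Default connector's; the most specific match wins.
$connector = New-ReceiveConnector -Name 'UM and CAS to Hub' -Server $hubServer -Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $trustedPeers

# General tab (FQDN), Authentication tab (TLS + Exchange Server authentication, with
# DomainSecureEnabled for "Mutual Auth TLS"), Permission Groups tab (assumed: all but anonymous)
Set-ReceiveConnector -Identity $connector.Identity `
    -Fqdn $internalFqdn `
    -AuthMechanism 'Tls, ExchangeServer' `
    -DomainSecureEnabled $true `
    -PermissionGroups 'ExchangeUsers, ExchangeServers, ExchangeLegacyServers'

# Read back and confirm: every peer must be listed and anonymous submission must stay off,
# otherwise the connector becomes an open relay for whatever else falls inside its ranges
$check = Get-ReceiveConnector -Identity $connector.Identity
$check | Format-List Name, Fqdn, RemoteIPRanges, AuthMechanism, PermissionGroups, DomainSecureEnabled
foreach ($peer in $trustedPeers) {
    if ("$($check.RemoteIPRanges)" -notmatch [regex]::Escape($peer)) {
        Write-Warning "Connector $($check.Name) does not list peer $peer"
    }
}
if ("$($check.PermissionGroups)" -match 'AnonymousUsers') {
    Write-Warning "Connector $($check.Name) accepts anonymous submissions; remove AnonymousUsers or narrow RemoteIPRanges"
}
```

The UM server's submission failed in the log above at the STARTTLS step ("Expected: 220, actual: 500"), which is why the connector's FQDN has to match a certificate installed on the Hub; without that, offering TLS on the connector does not help.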
Best of Luck in your setup.

Friday, June 15, 2012

Exchange 2007 and Exchange 2010 Upgrade issues

This post will highlight some of the errors and solutions we ran into in our upgrade process.

The first error we ran into after the installation and the DNS change was mail backing up in the queues on the 2010 server, because it was unable to send mail to the 2007 Exchange Hub server for delivery to mailboxes. The queue had a next hop domain of hub version 8 and a delivery type of SMTP Relay in Active Directory Site, and the last error was 451 4.4.0 DNS query failed. The last error was: SMTPSEND.DNS.NonExisentDomain; nonexistent domain.

We ran the Mail Flow Troubleshooter and it gave a couple of warnings about pointer records that had not propagated yet.

The solution ended up being related to the receive connectors. The basic concept is to ensure you have a receive connector on each Exchange server that is configured to include only the other Exchange server. DO NOT have any other of your receive connectors able to receive from an IP address scope that contains the other Exchange server AND has Anonymous Users not selected. An example of our receive connector on the Exchange 2007 server can be seen below.
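A way to audit that rule rather than eyeball it: list every receive connector whose RemoteIPRanges would match the other Exchange server's address, and flag the ones the rule above forbids. This is an added example, not from the original post. The connector list is constructed inline so it runs offline; on a live server the output of Get-ReceiveConnector is fed in instead, and the assumption that its IPRange entries stringify to the single-IP, "low-high" or CIDR forms shown in the shell is noted in the code.

```powershell
# Added example (not from the original post): find receive connectors that overlap the peer
# Exchange server's IP, applying the rule from the post. IPv4 only; sample data is constructed.

# Dotted IPv4 text to an integer so ranges can be compared numerically
function ConvertTo-IPv4Int([string] $Address) {
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

# Test one RemoteIPRanges entry (single IP, "low-high", or CIDR) against an address
function Test-IPv4InRange([string] $Range, [string] $Address) {
    if ($Range -match ':') { return $false }    # IPv6 entries are skipped by this IPv4-only check
    $ip = ConvertTo-IPv4Int $Address
    if ($Range -match '^(.+)-(.+)$') {
        return ($ip -ge (ConvertTo-IPv4Int $Matches[1])) -and ($ip -le (ConvertTo-IPv4Int $Matches[2]))
    }
    if ($Range -match '^(.+)/(\d+)$') {
        $prefix = [int]$Matches[2]
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
        return (($ip -band $mask) -eq ((ConvertTo-IPv4Int $Matches[1]) -band $mask))
    }
    return ($ip -eq (ConvertTo-IPv4Int $Range))
}

function Find-ConnectorsMatchingPeer {
    param(
        [Parameter(Mandatory)] $Connectors,                         # objects with Name, RemoteIPRanges, PermissionGroups
        [Parameter(Mandatory)] [string] $PeerAddress,               # the other Exchange server
        [Parameter(Mandatory)] [string] $DedicatedConnectorName     # the server-to-server connector, exempt from the rule
    )
    foreach ($c in $Connectors) {
        if ($c.Name -eq $DedicatedConnectorName) { continue }
        # Assumption: Exchange IPRange objects stringify to the forms handled above
        $ranges = @($c.RemoteIPRanges | ForEach-Object { "$_" })
        $hits = @($ranges | Where-Object { Test-IPv4InRange $_ $PeerAddress })
        if ($hits.Count -gt 0) {
            $anon = ("$($c.PermissionGroups)" -match 'AnonymousUsers')
            [pscustomobject]@{
                Connector      = $c.Name
                MatchingRange  = ($hits -join ', ')
                AnonymousUsers = $anon
                ViolatesRule   = -not $anon     # the post's rule: contains the peer AND Anonymous Users not selected
            }
        }
    }
}

# Constructed sample resembling Get-ReceiveConnector output on the 2007 server (hypothetical addresses)
$sample = @(
    [pscustomobject]@{ Name = 'Default EX2007'; RemoteIPRanges = @('0.0.0.0-255.255.255.255'); PermissionGroups = 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers' },
    [pscustomobject]@{ Name = 'From 2010 Hub';  RemoteIPRanges = @('10.0.0.20');               PermissionGroups = 'ExchangeServers' },
    [pscustomobject]@{ Name = 'Internal apps';  RemoteIPRanges = @('10.0.0.0/24');             PermissionGroups = 'ExchangeUsers' }
)
Find-ConnectorsMatchingPeer -Connectors $sample -PeerAddress '10.0.0.20' -DedicatedConnectorName 'From 2010 Hub' | Format-Table -AutoSize
# Live use: Find-ConnectorsMatchingPeer -Connectors (Get-ReceiveConnector -Server EX2007) -PeerAddress '10.0.0.20' -DedicatedConnectorName 'From 2010 Hub'
```

On the constructed sample, 'Internal apps' is reported with ViolatesRule = True (its /24 contains the peer and it has no Anonymous Users), while 'Default EX2007' is listed but not flagged; the dedicated connector is skipped. Run it on both servers, since the rule applies to each side of the pair.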

The second major issue we had was with ActiveSync and our mobile phones. Both iPhone and Android phones experienced "invalid username and password" errors. We were also receiving Error:MisconfiguredDevice_Mbx in the IIS logs. This appears to be a common issue according to http://www.stevieg.org/2010/01/solving-iphone-and-exchange-20102007-coexistance-issues/.

The resolution is to run the command
Get-ActiveSyncVirtualDirectory -Server E2007CA | Set-ActiveSyncVirtualDirectory -ExternalURL:$null
 
Figure 5
This essentially sets up a proxy for the ActiveSync clients to the 2007 server. The URL folder under Server Configuration > Client Access > Server > ActiveSync will look like Figure 5.
 
- Authentication was set to Ignore Client Certificates, and Basic Authentication was not allowed, in the settings of the Client
- In the IIS folder settings we have Integrated Windows authentication enabled.
- We did temporarily enable Basic authentication to set a default domain and then disabled it; however, I am not sure if this had any effect on the final solution.

One final note: in the process, some mobile clients updated their server settings to legacy.domain.edu. Those few clients may need to manually change their server to webmail.domain.edu.

Thursday, June 14, 2012

Exchange 2007 to Exchange 2010 Upgrade/Migration

The past couple of days we have spent preparing for and doing an upgrade/migration from Exchange 2007 on-premises to Exchange 2010 on-premises. All of this is in preparation for migrating voicemail off CallPilot and our Nortel PBX to Exchange Unified Messaging. That decision was made largely because of the ever increasing cost of maintenance and replacement wiring for the legacy phone switch. This post works through the steps, errors and troubleshooting we went through to get Exchange 2010 up and working.

Figure 1. Starting Network Design
Our starting point is the configuration in Figure 1, where all Exchange servers are running SP3 Rollup 6. In addition, all steps until Step # should be able to be completed during normal hours without downtime. This was important for us because we don't have the redundant hardware or storage to create a replica of the Exchange environment. We installed the new servers in a virtual environment.
  1. Provision a server in VMware
  2. Run the Exchange setup /prepareSchema on the Domain Controller that is SchemaMaster
  3. Run the Exchange setup /prepareAD against all domains in your environment. (We have 2, an empty upper root and another full one.)

    Note: You will need to move the Schema Master to the domain where the Exchange server will be installed. Not doing so may result in the following error messages. Hat tip to here for the help.

    Error: Setup needs to contact the Active Directory schema master but this computer is not in the same Active Directory domain as the schema master (DC=muc,DC=prv). Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=2376fec1-b9ce-44db-beb6-cb9ac4788988

    Error: Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master.  Run setup with the /prepareAD parameter on a computer in the domain muc and site Default-First-Site-Name, and wait for replication to complete. Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&e=ms.exch.err.Ex28883C&l=0&cl=cp 
     
  4. Run the PowerShell command Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content on the Exchange server.
  5. Our original intent was to install only the CAS role. Because of the certificates we needed to request, we also had to install the Hub Transport and UM roles while going through setup, so the roles installed were CAS, HUB and UM.
  6. Perform any Updates
  7. Request a UC SAN certificate for the 2010 server; do not include the Federation service in your request. Use this article as a good example of how to do this in 2010.

    - Note: We use Entrust for our certificates and I highly recommend their services. After authorization, we had access to a Certificate Management Service from which we can create, revoke and reuse certificates after they are purchased. With this we don't have to wait on authorization for every single certificate. Their support is great and they are cheaper than the major certificate vendors.

    - Certificate names for the UC SAN (Subject Alternative Name) certificate:
    - Common Name = webmail.domain.edu or mail.domain.edu, whatever you currently have your 2007 CAS set to
    - SAN = legacy.domain.edu (for redirection of 2007 mailboxes to the 2007 CAS)
    - SAN = autodiscover.mountunion.edu
    - SAN = 2010ExchangeName.domain.domain.local
    - SAN = domain.edu
    - SAN = UM.domain.edu (for the UM role when required)
  8. Install the certificate by replying to the request in the GUI.
  9. Add the DNS entries for legacy.domain.edu to the DNS servers and have them mapped to the 2007 CAS server.
  10. Change firewall rules to allow access to the 2010 CAS server and allow the two CAS servers to talk to each other.

    Everything up to this point should be able to be completed with no downtime
  11. Change the DNS of the primary mail server and autodiscover to point to the new 2010 CAS server.
  12. Replace the current UC SAN certificate that is on the 2007 CAS.
    - Common Name = legacy.domain.edu
    - SAN = autodiscover.domain.edu
    - SAN = 2007ServerName.domain.domain.local (This is critical to avoiding errors from Outlook clients.)
    - SAN = webmail.domain.edu

    - The error received if you don't have the proper private name is: "Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with this site's security certificate. The name on the security certificate is invalid or does not match the name of the site."
  13. This will need to be generated with PowerShell in 2007. The easiest way I found is to use a site like https://www.digicert.com/easy-csr/exchange2007.htm to generate the PowerShell to paste into the command line.
  14. Take that CSR and submit it to your CA to get a certificate.
  15. Install the certificate with Import-ExchangeCertificate -Path C:\filename.cer
  16. Run a Get-ExchangeCertificate and copy the thumbprint you just installed.
  17. Do an Enable-ExchangeCertificate -Services "SMTP,IIS,POP,IMAP" and respond with the thumbprint.
  18. If you are looking for full information on the certificates you can run a Get-ExchangeCertificate | fl to see expiration dates and all SANs
  19. Make sure to change any spam filter rules so that 2010 is the new primary server that mail passes through.
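Steps 15 to 18 as one Exchange 2007 shell script, with the check the list implies but never states: that the installed certificate actually carries every name required in step 12, so the "name on the security certificate is invalid" warning does not come back. This is an added example, not the post's own commands; the file path and host names are placeholders, and the verification helper is written so it can be run against any list of names.

```powershell
# Added example (not from the original post): import and enable the 2007 CAS certificate,
# then verify its names and expiry. Path and host names are hypothetical.

# Names the 2007 CAS certificate must cover, taken from step 12 (placeholder values)
$requiredNames = @(
    'legacy.domain.edu',                     # Common Name
    'autodiscover.domain.edu',
    '2007ServerName.domain.domain.local',    # internal FQDN; missing it triggers the Outlook warning
    'webmail.domain.edu'
)

# Return the required names the certificate does not carry (case-insensitive; wildcards not expanded)
function Get-MissingCertificateNames {
    param(
        [Parameter(Mandatory)] [string[]] $CertificateDomains,   # Get-ExchangeCertificate's CertificateDomains
        [Parameter(Mandatory)] [string[]] $RequiredNames
    )
    $present = @($CertificateDomains | ForEach-Object { $_.ToLowerInvariant() })
    return @($RequiredNames | Where-Object { $present -notcontains $_.ToLowerInvariant() })
}

# Steps 15 to 17: import, then enable by the thumbprint the import returned (no copy/paste of it)
$cert = Import-ExchangeCertificate -Path 'C:\filename.cer'            # Exchange 2007 syntax
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,IIS,POP,IMAP'

# Step 18: read it back and verify before clients depend on it
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = Get-MissingCertificateNames -CertificateDomains $installed.CertificateDomains -RequiredNames $requiredNames
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate {0} is missing names: {1}" -f $installed.Thumbprint, ($missing -join ', '))
}
if ($installed.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires on {1}" -f $installed.Thumbprint, $installed.NotAfter)
}
$installed | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

Get-MissingCertificateNames can be run on its own against a hand-typed list before the CSR is submitted, which is cheaper than finding out after the certificate is purchased.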
Your mail configuration should now be up, and Exchange should be passing mail through the 2010 CAS server. I will do a follow-up post that covers a couple of the problems we ran into along the way. Finally, here is an image of the environment after setup.

Here are a couple links to other useful resources when performing this upgrade.

http://blogs.catapultsystems.com/IT/archive/2010/02/17/preparing-for-the-transition-from-exchange-2007-to-exchange-2010-part-1-of-4.aspx
http://technet.microsoft.com/en-us/library/bb124350.aspx
http://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
http://blogs.technet.com/b/exchange/archive/2006/11/17/3397307.aspx

Wednesday, March 7, 2012

Personal Goal Setting at Mount


The following was written as an email and sent to my peers at Mount as we prepare for the next budget year. I am posting it here for archival purposes. Please note that a lot of this was distilled from the EntreLeadership podcast by Dave Ramsey; if you are interested in a much more in-depth look, please visit them.

It is that time of year again when we are supposed to “make our goals” and the goals for the department. I personally always have difficulty with this, and complain and grumble because it seems we have to make them, not look at them, and make them again next year, so I figured I would do some research and understand why I should actually care. Here are the results of what I found, which I figured I would share in case I am not the only one who dislikes this time of the year.
The first thing I found is that our goals should actually be tempered by a personal mission statement, because it is something that says who we are, and therefore also who we aren’t. It can basically become the railroad tracks that our goals ride on, to make sure we don’t get off track chasing the endless number of other things. It defines the general direction of where you are heading and keeps you pointed there. It helps you to do what is important so you don’t waste time doing the unimportant things. It helps you find the things that fit you, and realize the things that might not fit you. In essence, a mission statement should act as a filter through which you can look at whatever activity you are doing and determine whether that activity has a purpose in your life and is worth spending the time on.
More specifically, a mission statement should include 3 different areas:

  1. Skills and Abilities, or Competencies – The What
  2. Personality Traits – The How
  3. Values, Dreams, Passions – The Why

When looking at the specifics of these items, we all have different strengths and weaknesses, or end concepts in each, that we should take into consideration. For example, though necessary, one of my strengths is not having conversations with people where there is no clear intent, i.e. I don’t generally talk to people to “get to know them,” whereas other people in this department are skilled at that and do a much better job at relating to and empathizing with people; for me it means I probably wouldn’t be spending time well if I volunteered at a counseling center talking with people.
The second part of the discussion falls on the actual creation of goals. When we think of goals, what do we think of? For me it is the stuff we have to do every day to try and accomplish something, and because of this we typically go from day to day, ticket or request to ticket or request. Even though that may be a goal, it isn’t the best way to think about a goal or to create one. The following method is suggested as better:

  1. Dream – These are usually wishes that seldom happen, and therefore dreamers have a negative connotation. The dream is that thing way up in the clouds that is super fuzzy and undefined. For example, you might dream of being a millionaire.
  2. Vision – This is the dream pulled out of the clouds. It is the dream in a more defined state. In our example, “millionaire” = having one million dollars in the bank by the time I retire (probably not via winning the lottery).
  3. Goal – This is the vision that is ready to work. It has been clarified and refined. In our example it could be something like no debt and saving 15% of each paycheck every month to reach 1 million by age 65.

As you can see, with the goals we typically set, such as “save money”, odds are we wouldn’t be anywhere close to meeting our dream, which is why it is important to go through the process and not just start with a goal.
It is also recommended that we make goals in the following areas of life:
  1. Career
  2. Financial
  3. Spiritual
  4. Physical
  5. Intellectual
  6. Family
  7. Social
Having goals in all these areas helps keep your life balanced and well rounded. If you were to completely ignore one area, you might “run a flat”, and things would be a little shaky and noisy going along. Staying in this condition too long will cause it to become the consuming factor and throw all the other areas out of whack. That being said, you may have times of ebb and flow where one area gets more attention than the others; it just shouldn’t be consuming.
Another option that may be beneficial is to use a grid like the following to help with the thought process of figuring out those goals. Good luck as we prepare for this next year.

Area         | Dream | Vision | Goal
Career       |       |        |
Financial    |       |        |
Spiritual    |       |        |
Physical     |       |        |
Intellectual |       |        |
Family       |       |        |
Social       |       |        |

Credit: A lot of this information was from the EntreLeadership podcast by Dave Ramsey, so if you are curious you can look it up there.