[ActiveDir] Hardening Active Directory
Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.
Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
RE: [ActiveDir] Hardening Active Directory
There's some good tips here. Make sure the AD servers on the NET are in a separate forest.
http://www.aelita.com/ADSecurity
-doug
-----Original Message-----
From: Brad Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory
Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.
Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
RE: [ActiveDir] Hardening Active Directory
http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group Policies, File System. I use these guides religiously.
-----Original Message-----
From: Hazelman, Doug [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hardening Active Directory
There's some good tips here. Make sure the AD servers on the NET are in a separate forest.
http://www.aelita.com/ADSecurity
-doug
RE: [ActiveDir] Hardening Active Directory
Really? Do they have a ritual for server cleansing and consecration? Maybe a psalm to ward off PHB's? :^)
-----Original Message-----
From: Leney, Justin [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 9:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
http://www.nsa.gov/snac/win2k/download.htm -- Guides for AD, DNS, Group Policies, File System. I use these guides religiously.
RE: [ActiveDir] Hardening Active Directory
Best Practices for Designing a Secure Active Directory
http://fetchportal.com/click_thru.asp?LinkId=131
Ops Guide for Securing Active Directory
http://fetchportal.com/links.asp?CatId=21
Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Friday, December 27, 2002 10:11 AM
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory
Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.
Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
Re: [ActiveDir] Hardening Active Directory
Make sure that you test any security recommendations in a lab before deploying them on your network. I have seen some of the templates from the NSA cause problems.
Tim Hines, MCSA, MCSE (2000 NT4)
MVP - Active Directory
----- Original Message -----
From: Larry A. Duncan
To: [EMAIL PROTECTED]
Sent: Friday, December 27, 2002 11:29 AM
Subject: RE: [ActiveDir] Hardening Active Directory
Best Practices for Designing a Secure Active Directory
http://fetchportal.com/click_thru.asp?LinkId=131
Ops Guide for Securing Active Directory
http://fetchportal.com/links.asp?CatId=21
Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine
RE: [ActiveDir] Hardening Active Directory
Like the infamous "all my DCs just start rebooting themselves every 15 minutes" problem? ;-)
-gil
-----Original Message-----
From: Tim Hines [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Hardening Active Directory
Make sure that you test any security recommendations in a lab before deploying them on your network. I have seen some of the templates from the NSA cause problems.
Tim Hines, MCSA, MCSE (2000 NT4)
MVP - Active Directory
[ActiveDir] NTDS Diagnostics...
I recall the ability to add a value to the NTDS\Diagnostics registry key on a DC to be able to log information pertaining to management of objects in AD. Of course after I told someone about this I can't seem to find it anywhere. What I remember is it is a value that is not present by default and that when you add it you have the same values that you would have for the other NTDS diagnostics (0-5). It would log information on who made what types of modifications on objects in AD. I remember it being similar to the replication entries that specify metadata that is negotiated for replication amongst replication partners.
tia
Kevin Sullivan
RE: [ActiveDir] Hardening Active Directory
Yeah, but they are pretty damn secure then.
Brad Martin
Go Daddy Software
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, December 27, 2002 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
Like the infamous "all my DCs just start rebooting themselves every 15 minutes" problem? ;-)
-gil
Re: [ActiveDir] Hardening Active Directory
I think that Gil is referring to the setting that sets "shut down the computer when the security audit log is full". That caused servers to reboot over and over. I also recall that one of the templates set additional restrictions for anonymous connections to "no access without explicit anonymous permissions". This will kill downlevel trusts and keep downlevel clients from logging on.
Tim Hines, MCSA, MCSE (2000 NT4)
MVP - Active Directory
----- Original Message -----
From: Larry A. Duncan
To: [EMAIL PROTECTED]
Sent: Friday, December 27, 2002 1:30 PM
Subject: RE: [ActiveDir] Hardening Active Directory
Can you expand, Gil? I'd rather not find out the hard way... :)
Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine
RE: [ActiveDir] Hardening Active Directory
Thanks for clarifying, Gil. This is great information.
Larry A. Duncan, MCSA/MCSE
Solutions Architect, CompTrends Consulting
[EMAIL PROTECTED]
http://www.comptrends.com/
ph. 615.598.0241
DMOZ: Systems_Management/Installers
LAUNCHCast Radio: 1237556939
Columnist: myITForum.com
Author: Windows .NET Magazine
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, December 27, 2002 1:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
Hey Larry,
It was a problem one of our customers experienced after deploying the NSA templates in their test lab a few days before production deployment. He frequents the list so may be able to give details, but as I understand it, one of the policy settings on their DCs was to shutdown on audit failure. I'm not clear on the specifics on the audit failure, but when the machine went down, it corrupted something (perhaps the audit log?) and then would come back up and then fail again. There was also some issue of removing the Everyone group from the template (I'm reading from our support log) but I don't know what this means exactly. Hopefully the person who had the problem can describe the problem in more detail on-list, or at least get with you offline. The problem has been experienced by several people that I'm aware of.
-gil
RE: [ActiveDir] Hardening Active Directory
As far as I can tell (I'm new at the company here, and I still haven't gotten a full run down of the environment) there will be people actually authenticating with them.
Brad Martin
Go Daddy Software
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Leney, Justin
Sent: Friday, December 27, 2002 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Hardening Active Directory
Another setting that can have detrimental effects on down-level clients is the LAN Manager Authentication Level. Set it to the highest level only if you will have Win2000/XP clients authenticating to the domain. The AD servers on the net; are they going to just support a web front end or something similar, or are users going to actually authenticate to them on a day to day basis?
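Added example, not part of the thread and not taken from any NSA template: a pre-deployment check that reads a security template (.inf) and flags the three settings the messages above report as breaking DCs or down-level clients (shutdown on audit failure, anonymous-connection restrictions, LAN Manager authentication level). The sample template is constructed, and flagging LmCompatibilityLevel from 4 upward is an assumption of this example.

```python
import re

# Registry path prefix as it appears (case-insensitively) under [Registry Values].
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
SECTION = re.compile(r"^\[(.+?)\]\s*$")

# Constructed sample template, not taken from any published template.
# Real .inf templates are usually UTF-16; decode before passing the text in.
SAMPLE_TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 2
[Registry Values]
; type 4 = REG_DWORD
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
"""


def parse_inf(text):
    """Return {section_lower: {key_lower: raw_value}} for a security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def dword(raw):
    """Decode a [Registry Values] entry of the form '4,<n>'; None if absent or not a DWORD."""
    if not raw:
        return None
    kind, _, value = raw.partition(",")
    if kind.strip() != "4":
        return None
    try:
        return int(value.strip().strip('"'))
    except ValueError:
        return None


def lint_template(text):
    """Return [(setting, value, warning)] for the settings the thread warns about."""
    inf = parse_inf(text)
    reg = inf.get("registry values", {})
    findings = []

    crash = dword(reg.get(LSA + "crashonauditfail"))
    if crash:
        # AuditLogRetentionPeriod: 0 = overwrite as needed, 1 = by days, 2 = never.
        retention = inf.get("security log", {}).get("auditlogretentionperiod")
        note = "DC shuts down when it cannot write a security audit event"
        if retention is None:
            note += "; Security log retention is not set here, check the DC's own setting"
        elif retention != "0":
            note += "; Security log is not overwritten as needed, so a full log halts the DC"
        findings.append(("CrashOnAuditFail", crash, note))

    anon = dword(reg.get(LSA + "restrictanonymous"))
    if anon is not None and anon >= 2:
        findings.append(("RestrictAnonymous", anon,
                         "no access without explicit anonymous permissions: "
                         "down-level trusts and client logons fail"))

    lm = dword(reg.get(LSA + "lmcompatibilitylevel"))
    if lm is not None and lm >= 4:  # assumption: 4 and 5 are where a DC refuses LM
        findings.append(("LmCompatibilityLevel", lm,
                         "DC refuses LM (and at 5, NTLM) responses from down-level clients"))
    return findings


if __name__ == "__main__":
    for setting, value, warning in lint_template(SAMPLE_TEMPLATE):
        print(f"{setting}={value}: {warning}")
```

Run it against each template in the lab before import, and treat every finding as something to test with the oldest client and trust type that still has to authenticate.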
RE: [ActiveDir] Hardening Active Directory
why out on the Net?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brad Martin
Sent: Friday, December 27, 2002 11:11
To: Active Directory Mailing List
Subject: [ActiveDir] Hardening Active Directory
Anyone have any good links with tips on securing Active Directory? I'm going to have a couple of AD servers out on the Net, so I want to do what I can to lock them down.
Brad Martin
Go Daddy Software
[EMAIL PROTECTED]
480.505.8800 ext. 250
[ActiveDir]
I am getting an event id 10010 which refers to DCOM. The message is "The server { number in here} did not register with DCOM within the required timeout." Any help would be much appreciated.
thanks in advance
John
RE: [ActiveDir]
http://www.eventid.net/display.asp?eventid=10010source=
-----Original Message-----
From: John B [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 5:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
I am getting an event id 10010 which refers to DCOM. The message is "The server { number in here} did not register with DCOM within the required timeout." Any help would be much appreciated.
thanks in advance
John
RE: [ActiveDir]
thanks weston. I checked out that link and was able to find something that I believe might be causing the problem. I believe it's related to terminal services and BITS. I made the change or fix, I'll have to review the event log to confirm that this has been fixed. I appreciate your help, hope you have a great new year.
John
Weston Rogers [EMAIL PROTECTED] wrote:
http://www.eventid.net/display.asp?eventid=10010source=
RE: [ActiveDir]
Anytime :)
-----Original Message-----
From: John B [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
thanks weston. I checked out that link and was able to find something that I believe might be causing the problem. I believe it's related to terminal services and BITS. I made the change or fix, I'll have to review the event log to confirm that this has been fixed. I appreciate your help, hope you have a great new year.
John
RE: [ActiveDir]
http://www.eventid.net/display.asp?eventid=10010source=
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John B
Sent: Friday, December 27, 2002 17:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
I am getting an event id 10010 which refers to DCOM. The message is "The server { number in here} did not register with DCOM within the required timeout." Any help would be much appreciated.
thanks in advance
John
RE: [ActiveDir] AD, DNS, Errors - THE WORKS
Resend - last was bounced. No idea why
Joe,
Check Local Policy on each of the DCs. If any of these was an upgrade (and sometimes, not) of a member that was in a service position before becoming a DC, there are times when a program or application will get installed by a SID that doesn't exist after the machine becomes a DC. This user account had rights (logon locally, etc.) that no longer exist. Typically, you'll want to look for, oh, say Power User. This user has a tendency to get stuck in the Local Policy of a DC, and given that the Power User cannot exist on a DC, this is the message that you're going to see (and I've seen it a lot.). Look here for more info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;247482
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pelle, Joe
Sent: Monday, December 23, 2002 3:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
Just like you say, Are they root.com, hq.root.com and plant.root.com
Also, I just noticed that there was a delegation set up from root.com to hq.root.com but not to plant.root.com from root.com (is that what you meant by, did you delegate both subdomains from the root?)... I just set that up and cleared the event logs waiting to see what happens.
Still getting the same event log messages...
Joe Pelle
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 23, 2002 2:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, DNS, Errors - THE WORKS
Hmm. My first inclination is that your child domains don't know about the empty root. How are the DNS configs done? Are they root.com, hq.root.com and plant.root.com, or is it a discontiguous namespace? If it's contiguous, did you delegate both subdomains from the root? It smells of DNS issues, though, so definitely work that angle.
--
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA
-----Original Message-----
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 23, 2002 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD, DNS, Errors - THE WORKS
Hello! I have a question about setting up DNS in AD... The following is my environment (so far):
Empty Root (2 DC's)
Child Domain of Empty Root at HQ (2 DC's) DNS, WINS, DHCP
Child Domain of Empty Root at 'The Plant' (for now, 1 DC's) DNS
DNS is running on all the servers... Every 5 minutes I am getting a warning followed by an error on both Child Domain servers at HQ and The Plant:
Warning: SceCli 1202 Security policies are propagated with warning. 0x534 : No mapping between account names and security IDs was done. Please look for more details in TroubleShooting section in Security Help.
Error: Userenv 1000 The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
The DC/DNS server at HQ delegates to The Plant's DNS zone. I don't have the opposite setup... Should I? Basically, I want DHCP clients in The Plant to have access to resources at HQ (or vice versa) or another location without having to go up the tree to go back down...
Any thoughts, suggestions, comments are greatly appreciated! Thanks!
Joe Pelle
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/