RE: [ActiveDir] FSMO role holding DC's
As an addition to the previous mails I would like to point out a particular issue with the schema master. The installation of an Exchange 2000 server explicitly needs to contact the DC holding the schema master. The reason for this contact is to check whether or not the schema is updated with the Exchange extensions. I consider this to be a bug because every single DC in the forest holds the Schema partition and should therefore be able to verify whether or not the Schema has been updated. This wasn't solved a couple of months ago. Maybe MS will solve it in a next Service Pack of Exchange, but until then ... Make sure that every Exchange box can contact the Schema Master!

Cheers!
John Reijnders

-Original Message-
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: maandag 20 oktober 2003 11:58
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] FSMO role holding DC's

I have nudged this issue in an earlier post but would like to ask again for confirmation from the collective genius contained in this list. Do all DC's in a domain HAVE to have a direct connection to the FSMO role holding machines or is there a way of proxying these roles? What are some of the likely major implications of maintaining a DC without access to FSMO role holders? The DC in question is replicating with other DC's, so has all objects but just doesn't have any connection to the FSMO role holders. Any thoughts?

Many thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS Name
You could use the .fin and/or .biz DNS names without getting into any AD problems. However, you should think about the fact whether or not you want to connect AD to the internet (not now but in the future?). Don't place your bets on renaming your domains in the future using the new domain renaming features in Windows Server 2003. The renaming is a very complex process which has significant impact on the availability of the infrastructure. If you're sure you only want to use these names internally you can use these extensions without running into problems.

Cheers!
John

-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
Sent: woensdag 22 oktober 2003 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name

Can someone please confirm if they have ever used, aside from the standard .com .org .net, for their AD implementation .biz or .fin domain name structure. I am considering implementing nb.fin or nb.biz domain name for our new AD structure some time in the very near future. Would such a name have any side effects on AD or DNS?

Another question not pertaining to the one above. I know Windows 2003 server has drastically changed its default security structure on its folders and volumes through either ACL or DACL. In my test environment, when I created a home folder and when I created a user through ADUC, I was able to create a user's home folder, but the user security ACL's were not there. Under W2K, when you share the home folder, create a new user, and create a user's home folder, you automatically created in the security tab the user's name along with his ACL. Does anyone know how to do the same thing in Windows 2003 server?

Thanks
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
RE: [ActiveDir] documenting servers
Almost an identical situation here. I would also like to know that, as I am the only one of me here, I could have some documentation that would help contractors get up to speed on the network. Some day I want a holiday, with my mobile phone, or my net connection, and then we need to get a contractor, and the firm CERTAINLY won't pay for him to start a few weeks before I leave to get up to speed!!!

I have registered the Windows Server Documentation Project with Sourceforge, and I will hear if they will set it up in the next few days. If those of you are interested want to mail me (each other) off list, then perhaps we will be able to see what happens (???)

Look forward to hearing from you.
Olly

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: 22 October 2003 17:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] documenting servers

I have multiple goals for my server docs, although DR is definitely the most important to me. The more servers we get, the more I need a way to quickly tell how much disk, how much RAM, what patch levels, what apps are running, IIS or not, what services running under what credentials, blah blah blah.

As others have said, there are many ways to get at the information, but it would be nice to kick off a script and have it return what I want whenever. Management seems to think having a binder with server documentation in it as each new box gets built is sufficient. I contend it changes too often and would like something more dynamic. Maybe a scheduled polling event that writes to a database would be best. I've already started, thanks to Robbie's cookbook and Matthew Lavy's WMI Scripting, and would be happy to participate in a more global project...
mc
RE: [ActiveDir] OT: couple of Upgrade questions
As to the first question I believe the answer is no. I had no NT domains when running the upgrade in my lab to 2k3 but had no issues with the 2K domains.

To the second part - We went from Exch 5.0 to 5.5 to 2K into our main 2K Domain when we did the original upgrade with no problems. Granted this was after about 2 months of MULTIPLE testing scenarios in our lab.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, October 22, 2003 4:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: couple of Upgrade questions

When upgrading to Win2k3 will I have trust issues back to my AD (2000) and NT domains? NTLM vs. Kerberos.

Has anyone moved an E5.5 exchange server from NT domain to AD domain? Any problems with that? I want to move my E5.5 server out of the NT domain and into the AD domain (2000) before we upgrade to W2K3. Is that dumb?! :-)

This list is awesome and I thank you ahead of time for the responses!

Joe Pelle
Systems Analyst
Information Technology
Valassis / Targeted Print Media Solutions
35955 Schoolcraft Rd. Livonia, MI 48150
Tel 734.632.3753 Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/
RE: [ActiveDir] DHCP/Netsh
What's the point? I mean seriously - if you're using reservations for all addresses, you're performing more work than assigning static IPs to all your machines. And either way, it doesn't prevent someone from grabbing an unused IP address on the subnet and getting online. You'd need something like 802.1x to do that.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Brian Pietrewicz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 8:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh

You can have two identical DHCP servers if you use reservations for all IP's. I do this for security reasons.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, October 21, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh

You can't have 2 identical servers running at the same time (you'd get some exciting conflicts!) but you could dump your working server and keep the file safe. When your working server fails you then just reload the data into a "spare" server and your DHCP server is back and running. I'd guess it would make sense to do a scheduled dump of this data at regular intervals so that the file is always reasonably up to date.

Steve

-Original Message-
From: Jerry Johnson [mailto:[EMAIL PROTECTED]
Sent: 16 October 2003 17:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP/Netsh

Everyone,

Has anyone ever used Netsh to move DHCP to another server? In Mark Minasi's book he talks about using it to add another DHCP server to your network by dumping it with Netsh from one machine and Exec it to another machine. He did not go into much detail but I did not think you could have identically configured DHCP servers on a network.

Thanks
Jerry
Scicom Data Services
Minnetonka, Mn
RE: [ActiveDir] DNS Name
I personally don't put a lot of weight into the "save your top level domain for the Internet" argument. I've been hearing that since the W2K JDP and we are already on a second version of AD with no indication that saving your tld will be important in any way. You could always prefix an external forest root domain name with ext or external. This is a prime example of a best practice that many people swear by, but I doubt will ever be justified.

Just my $.02 :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 4:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Name

You could use the .fin and/or .biz DNS names without getting into any AD problems. However, you should think about the fact whether or not you want to connect AD to the internet (not now but in the future?). Don't place your bets on renaming your domains in the future using the new domain renaming features in Windows Server 2003. The renaming is a very complex process which has significant impact on the availability of the infrastructure. If you're sure you only want to use these names internally you can use these extensions without running into problems.

Cheers!
John

-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
Sent: woensdag 22 oktober 2003 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name

Can someone please confirm if they have ever used, aside from the standard .com .org .net, for their AD implementation .biz or .fin domain name structure. I am considering implementing nb.fin or nb.biz domain name for our new AD structure some time in the very near future. Would such a name have any side effects on AD or DNS?

Another question not pertaining to the one above. I know Windows 2003 server has drastically changed its default security structure on its folders and volumes through either ACL or DACL.
In my test environment, when I created a home folder and when I created a user through ADUC, I was able to create a user's home folder, but the user security ACL's were not there. Under W2K, when you share the home folder, create a new user, and create a user's home folder, you automatically created in the security tab the user's name along with his ACL. Does anyone know how to do the same thing in Windows 2003 server?

Thanks
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
Re: [ActiveDir] One computer is fine, one has can't find domain controller errors
Joe wrote:

This is the perfect case of when to break out a network monitor and watch the traffic. Do what it is you are trying to do and see what the network is doing.

Well. As a final followup to this, I can't reproduce the problem at all any more. The computer that was doing it is not any longer, it now behaves exactly like the one right next to it. I can't detect anything out of the ordinary with any of the tools anyone suggested to me. Unless someone has a better guess, I'm going to assume that there was some transient network or hardware glitch (gremlins? solar flares? The Hand of Fate?) that is now gone.

Thanks to everyone who responded with assistance.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Saturday, October 18, 2003 2:05 PM
To: [EMAIL PROTECTED]

Hello all,

I posted earlier concerning Windows XP machines not allowing any scripts to run and presenting no clue as to why. After additional discussion with other techs, as well as multiple searches on the 'net, we decided to completely reinstall the two machines. This solved the IE problem.

However, we are getting error messages on 1 machine, but not on the other. The one machine claims it can not contact the domain server. (which is ridiculous because it's mounting shared drives from it, and those shares function properly) Event ID 5719.

These two machines are identical in every way. Same hardware. Same software and versions of software. Plugged in side by side to the same switch. The ONLY difference we can imagine, is that the one with the problem was configured for a workgroup during install, and then joined to the domain afterwards (just the tech clicking without thinking) while the one that works was joined to the domain during the initial install.

I'm putting this out for two reasons:
1 - to see if anyone has any insight as to what's happening.
2 - to have this information made public, so if others come across it they can see they're not alone.
Perhaps someone with some time and a lab available could test to see if the problem I describe is, in fact, caused by the install process described, or if it's just coincidence. Both machines appear to function properly aside from the errors.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: [ActiveDir] DNS Name
... going out on a limb there aren't we Robbie?? :)

Sarcasm aside, it's a point with which I happen to agree. To date, I've experienced no beneficial behaviors when following this best practice. In fact, having implemented both I have yet to encounter a scenario where one makes any tangible difference over the other. That said, there may still be a reason in later versions of AD, IP or DNS to adhere to this model but; 1) those reasons have never been sufficiently justified to me and 2) by that time it's likely you'll be able to highlight the domain/forest name(s), hit F2 and type a new one :)

Dean
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robbie Allen
Sent: Thursday, October 23, 2003 8:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Name

I personally don't put a lot of weight into the "save your top level domain for the Internet" argument. I've been hearing that since the W2K JDP and we are already on a second version of AD with no indication that saving your tld will be important in any way. You could always prefix an external forest root domain name with ext or external. This is a prime example of a best practice that many people swear by, but I doubt will ever be justified.

Just my $.02 :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 4:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Name

You could use the .fin and/or .biz DNS names without getting into any AD problems. However, you should think about the fact whether or not you want to connect AD to the internet (not now but in the future?). Don't place your bets on renaming your domains in the future using the new domain renaming features in Windows Server 2003.
The renaming is a very complex process which has significant impact on the availability of the infrastructure. If you're sure you only want to use these names internally you can use these extensions without running into problems.

Cheers!
John

-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
Sent: woensdag 22 oktober 2003 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name

Can someone please confirm if they have ever used, aside from the standard .com .org .net, for their AD implementation .biz or .fin domain name structure. I am considering implementing nb.fin or nb.biz domain name for our new AD structure some time in the very near future. Would such a name have any side effects on AD or DNS?

Another question not pertaining to the one above. I know Windows 2003 server has drastically changed its default security structure on its folders and volumes through either ACL or DACL. In my test environment, when I created a home folder and when I created a user through ADUC, I was able to create a user's home folder, but the user security ACL's were not there. Under W2K, when you share the home folder, create a new user, and create a user's home folder, you automatically created in the security tab the user's name along with his ACL. Does anyone know how to do the same thing in Windows 2003 server?

Thanks
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
RE: [ActiveDir] DNS Name
Heck - we didn't HAVE a TLD when we built our AD forest, so we went hugely generic - for both the AD domains and the Exchange infrastructure. Gotta love being divested...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 8:54 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Name

I personally don't put a lot of weight into the "save your top level domain for the Internet" argument. I've been hearing that since the W2K JDP and we are already on a second version of AD with no indication that saving your tld will be important in any way. You could always prefix an external forest root domain name with ext or external. This is a prime example of a best practice that many people swear by, but I doubt will ever be justified.

Just my $.02 :-)

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 4:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Name

You could use the .fin and/or .biz DNS names without getting into any AD problems. However, you should think about the fact whether or not you want to connect AD to the internet (not now but in the future?). Don't place your bets on renaming your domains in the future using the new domain renaming features in Windows Server 2003. The renaming is a very complex process which has significant impact on the availability of the infrastructure. If you're sure you only want to use these names internally you can use these extensions without running into problems.

Cheers!
John

-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
Sent: woensdag 22 oktober 2003 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Name

Can someone please confirm if they have ever used, aside from the standard .com .org .net, for their AD implementation .biz or .fin domain name structure.
I am considering implementing nb.fin or nb.biz domain name for our new AD structure some time in the very near future. Would such a name have any side effects on AD or DNS?

Another question not pertaining to the one above. I know Windows 2003 server has drastically changed its default security structure on its folders and volumes through either ACL or DACL. In my test environment, when I created a home folder and when I created a user through ADUC, I was able to create a user's home folder, but the user security ACL's were not there. Under W2K, when you share the home folder, create a new user, and create a user's home folder, you automatically created in the security tab the user's name along with his ACL. Does anyone know how to do the same thing in Windows 2003 server?

Thanks
George

George Arezina BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321
RE: [ActiveDir] Remote Shutdown
Add this if possible: if the network card admits management and your path/hubs/switches/firewall/etc. permit it, you can shutdown by sending a 'magic packet' direct that you can have (free) from several vendors in form of utility or add-on (3com, IBM, HP Intel pro). Some switches/routers have this possibility also.

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remote Shutdown
Date: Wed, 22 Oct 2003 10:57:01 -0700

From the Router/Switch, trace it to the network port it's connected to, then disable the port. Whoever owns the box will then scream for help.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Juan Ibarra
Sent: Wed 10/22/2003 10:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remote Shutdown

Hello, to all,

Recently we had an issue with a remote user that left a test machine on the network and had a virus. We could not shut it down because it wasn't part of the domain and we had no admin rights to it. Does anyone know of a utility or a way to shut a machine remotely in this scenario?
Thanks,
Juan
RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP
Found this in the msdn site under the Platform SDK: DHCP Server Management API (watch for wrapping on the url)

http://msdn.microsoft.com/library/default.asp?url=

I may have to stick to netsh though. That code looked way over my head. Batch file, vb and vbscript are more my speed.

Clyde Burns
Norton Healthcare.
Louisville Ky.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Thursday, October 23, 2003 1:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

I'd love to see that if you can find it. Last I heard, there is still no DHCP Server WMI provider. I just looked at a W2K3 server with the DHCP Server installed and couldn't find a provider for it. Not having a scripting API is a big hole for the Microsoft DHCP Server. dhcpobjs.dll isn't supported and from what I heard it was only accidentally put in the W2K Res Kit. It has a lot of problems regardless. Shelling out to netsh (ugh) is the best option at this point from a scripting perspective.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

Clyde-
Somewhere buried on Microsoft's site, I once came across a WMI provider for DHCP Servers. I will see if I can track down a URL.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde
Sent: Wednesday, October 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

I've used netsh to move the scopes from one server to another. There were some minor issues (documented in technet) but it works fairly well.

Other things to try, from the 2000 Server Resource Kit:

Microsoft DHCP Database Export Import Tool - DHCPEXIM.EXE
Just like the title says. An import/export tool.
I preferred netsh as I could edit the script between servers.

DHCP Objects 1.0 - DHCPOBJS.EXE
dll to program against a dhcp server. It has issues with scopes that have more than 255 reservations.

If anyone knows of any other type of automation tool to use against a dhcp server I would really like to hear about it.

Clyde Burns
Norton Healthcare.
Louisville Ky.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, October 21, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh

You can't have 2 identical servers running at the same time (you'd get some exciting conflicts!) but you could dump your working server and keep the file safe. When your working server fails you then just reload the data into a "spare" server and your DHCP server is back and running. I'd guess it would make sense to do a scheduled dump of this data at regular intervals so that the file is always reasonably up to date.

Steve

-Original Message-
From: Jerry Johnson [mailto:[EMAIL PROTECTED]
Sent: 16 October 2003 17:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP/Netsh

Everyone,

Has anyone ever used Netsh to move DHCP to another server? In Mark Minasi's book he talks about using it to add another DHCP server to your network by dumping it with Netsh from one machine and Exec it to another machine. He did not go into much detail but I did not think you could have identically configured DHCP servers on a network.

Thanks
Jerry
Scicom Data Services
Minnetonka, Mn
[ActiveDir] You guys amaze me!
I'm serious. Here is a question for you. As always, if you could offer any info, I would be very grateful. We're a small shop with only 2 Admins managing 200 users in 4 states and we don't have the firepower you guys do.

Let's say you don't like your AD domain name and you want to change it. You have 4 DCs, 3 each W2K SP3 and 1 each NT4 SP6a, so you're still in mixed mode. You could move the NT DC to 2K, then move everyone to W2K3, then raise the Forest functionality level and then play Russian Roulette with Rendom. That's one option.

Or could it be as simple as DCPromoing all 3 W2K3 servers down to Standalone servers, allowing the NT4 DC which still controls the pre-W2K subdomain name to take full control of the domain again, and then DCPromoing one of the 3 W2K DCs back up to W2K as the FSMO and renaming the domain to what you want? I would love to believe I could do it and get away with it.

Thank you people.

PS: I don't envy you Joe. I hope you're being paid well!

RH

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
207.827.4456
habr @ jws.com
www.jws.com
RE: [ActiveDir] AD Object Perms
Joe,

Thanks for the reply. The users are admins on the computer, that's not a problem. The problem we are having with delegating Write Account Restrictions, Write Service Principal Name, Write DNS Host Name and Reset Password perms is that the users/workstation techs can join a computer to the domain with the same name as a computer that already exists, thus disjoining the first computer. We are looking to make it necessary that a Domain Admin reset the computer account before the users/workstation techs can join that computer.

--- Joe [EMAIL PROTECTED] wrote:

The user will need to be an admin on the computer itself. I know of no way around that. In AD if using the GUI, simply specify the person or group that can do the join when creating the object. If creating the machine account via script, delegate the following to the computer:

Write Account Restrictions
Write Service Principal Name
Write DNS Host Name
Reset Password

Here is some perl code for that little piece that I use to write acl's to an OU for that purpose.

use Win32::OLE;
# $debug, $securitygroup and $dACL (the OU's discretionary ACL) come from the rest of the script.
# In every ACE below: AceType 5 = allow, object-specific ACE; Flags 3 = ObjectType and
# InheritedObjectType are both set; aceflags 10 = inherit to child objects, inherit-only.

#
# Write Account Restrictions on computer
#
if ($debug) {print "Setting $securitygroup with Write Account Restrictions on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{4C164200-20C0-11D0-A768-00AA006E0529}"; # Account Restrictions
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=32; # write property
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{aceflags}=10;
$dACL->AddAce($ace);
undef $ace;

#
# Validated Write Service Principal Name on computer
#
if ($debug) {print "Setting $securitygroup with Write servicePrincipalName on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{F3A64788-5306-11D1-A9C5-0000F80367C1}"; # servicePrincipalName
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=8; # validated write (self)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{aceflags}=10;
$dACL->AddAce($ace);
undef $ace;

#
# Validated Write dNSHostName on computer
#
if ($debug) {print "Setting $securitygroup with Write dNSHostName on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"; # dNSHostName
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=8; # validated write (self)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{aceflags}=10;
$dACL->AddAce($ace);
undef $ace;

#
# Reset Password on computer
#
if ($debug) {print "Setting $securitygroup with Reset Password on Computers...\n"};
$ace = Win32::OLE->CreateObject("AccessControlEntry");
$ace->{Trustee}=$securitygroup;
$ace->{ObjectType}="{00299570-246D-11D0-A768-00AA006E0529}"; # Reset Password
$ace->{InheritedObjectType}="{BF967A86-0DE6-11D0-A285-00AA003049E2}"; # computer
$ace->{AccessMask}=256; # control access (extended right)
$ace->{Flags}=3;
$ace->{AceType}=5;
$ace->{aceflags}=10;
$dACL->AddAce($ace);
undef $ace;

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of fact hunter
Sent: Wednesday, October 22, 2003 10:39 AM
To: [EMAIL PROTECTED]

I want to allow a low level user to join a computer to the domain only when the computer account has been pre-populated as a new account or the account has been reset in the case of a reimage. However, I do not want them to be able to overwrite computer accounts that are in use. Any help is appreciated.

Ama
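The ACE values in Joe's Perl, translated to SDDL and then searched for in an OU's DACL to list which trustees hold the full join delegation this thread is about; this is an added example, not code from the thread. The SIDs and the SDDL string are constructed sample data, and the function names are hypothetical.

```python
import re

# Well-known Active Directory GUIDs for the four delegated rights, each with
# the SDDL rights token for the AccessMask in the Perl (32=WP, 8=SW, 256=CR).
JOIN_RIGHTS = {
    "4c164200-20c0-11d0-a768-00aa006e0529": ("WP", "Write Account Restrictions"),
    "f3a64788-5306-11d1-a9c5-0000f80367c1": ("SW", "Validated write servicePrincipalName"),
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": ("SW", "Validated write dNSHostName"),
    "00299570-246d-11d0-a768-00aa006e0529": ("CR", "Reset Password"),
}
COMPUTER = "bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class

MASK_BITS = {0x08: "SW", 0x20: "WP", 0x100: "CR"}  # ADSI AccessMask bits
FLAG_BITS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]


def _guid(text):
    """Normalise '{GUID}' as written in the Perl to the lower-case SDDL form."""
    return text.strip("{}").lower()


def adsi_to_sddl(mask, ace_flags, object_type, inherited_type, trustee):
    """Render one ACE from the Perl (AceType 5, allow-object) as an SDDL ACE."""
    rights = "".join(tok for bit, tok in sorted(MASK_BITS.items()) if mask & bit)
    flags = "".join(tok for bit, tok in FLAG_BITS if ace_flags & bit)
    return "(OA;%s;%s;%s;%s;%s)" % (flags, rights, _guid(object_type),
                                    _guid(inherited_type), trustee)


def rights_tokens(field):
    """Split an SDDL rights field ('WPCR' or '0x120') into two-letter tokens."""
    if field.lower().startswith("0x"):
        value = int(field, 16)
        return {tok for bit, tok in MASK_BITS.items() if value & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """Yield (type, flags, rights, object_guid, inherited_guid, trustee) per ACE."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) >= 6:
            yield tuple(f.strip() for f in fields[:6])


def join_delegations(sddl):
    """Map trustee -> set of join-related rights it holds on computer objects.

    Only object ACEs (OA) are checked; a plain allow ACE granting write or
    control access on everything confers the same rights and needs its own review.
    """
    found = {}
    for ace_type, _flags, rights, obj, inherited, trustee in parse_dacl(sddl):
        obj, inherited = obj.lower(), inherited.lower()
        if ace_type != "OA" or obj not in JOIN_RIGHTS:
            continue
        if inherited not in ("", COMPUTER):  # ACE is inherited by another class
            continue
        token, name = JOIN_RIGHTS[obj]
        if token in rights_tokens(rights):
            found.setdefault(trustee, set()).add(name)
    return found


def full_join_set(sddl):
    """Trustees holding all four rights, the delegation described in the thread."""
    wanted = {name for _tok, name in JOIN_RIGHTS.values()}
    return sorted(t for t, held in join_delegations(sddl).items() if held == wanted)


# Constructed sample: a techs group with all four ACEs, a helpdesk group with
# Reset Password only, and two unrelated ACEs that must not be reported.
TECHS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1106"
_CLASS = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
SAMPLE_SDDL = "D:AI" + "".join([
    adsi_to_sddl(32, 10, "{4C164200-20C0-11D0-A768-00AA006E0529}", _CLASS, TECHS),
    adsi_to_sddl(8, 10, "{F3A64788-5306-11D1-A9C5-0000F80367C1}", _CLASS, TECHS),
    adsi_to_sddl(8, 10, "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}", _CLASS, TECHS),
    adsi_to_sddl(256, 10, "{00299570-246D-11D0-A768-00AA006E0529}", _CLASS, TECHS),
    adsi_to_sddl(256, 10, "{00299570-246D-11D0-A768-00AA006E0529}", _CLASS, HELPDESK),
    "(OA;CI;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;"
    "S-1-5-21-1111111111-2222222222-3333333333-1107)",
    "(A;;RPLCLORC;;;AU)",
])

if __name__ == "__main__":
    for trustee, held in sorted(join_delegations(SAMPLE_SDDL).items()):
        print(trustee, sorted(held))
    print("full join delegation:", full_join_set(SAMPLE_SDDL))
```

Run against the SDDL of the OU that holds the workstation accounts, the output shows every group that can reuse an existing computer account, which is the set to review when in-use accounts are being overwritten.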
[ActiveDir] refreshing local group membership
Is there a way (utility, command, etc.) to refresh the membership of a computer's local administrators group without logging off and back on? I'm trying to get the PC to recognize changes made to the group during that session if possible.

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do
RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP
Rob,

I am forwarding your request to my MS TAM and MCS guy.

Todd

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 1:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

I'd love to see that if you can find it. Last I heard, there is still no DHCP Server WMI provider. I just looked at a W2K3 server with the DHCP Server installed and couldn't find a provider for it. Not having a scripting API is a big hole for the Microsoft DHCP Server.

dhcpobjs.dll isn't supported and from what I heard it was only accidentally put in the W2K Res Kit. It has a lot of problems regardless. Shelling out to netsh (ugh) is the best option at this point from a scripting perspective.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

Clyde-

Somewhere buried on Microsoft's site, I once came across a WMI provider for DHCP Servers. I will see if I can track down a URL.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burns, Clyde
Sent: Wednesday, October 22, 2003 8:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

I've used netsh to move the scopes from one server to another. There were some minor issues (documented in technet) but it works fairly well.

Other things to try: From the 2000 Server Resource Kit

Microsoft DHCP Database Export Import Tool - DHCPEXIM.EXE
Just like the title says. An import/export tool. I preferred netsh as I could edit the script between servers.

DHCP Objects 1.0 - DHCPOBJS.EXE
dll to program against a dhcp server. It has issues with scopes that have more than 255 reservations.

If anyone knows of any other type of automation tool to use against a dhcp server I would really like to hear about it.

Clyde Burns
Norton Healthcare. Louisville Ky.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, October 21, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP/Netsh

You can't have 2 identical servers running at the same time (you'd get some exciting conflicts!) but you could dump your working server and keep the file safe. When your working server fails you then just reload the data into a "spare" server and your DHCP server is back and running. I'd guess it would make sense to do a scheduled dump of this data at regular intervals so that the file is always reasonably up to date.

Steve

-Original Message-
From: Jerry Johnson [mailto:[EMAIL PROTECTED]
Sent: 16 October 2003 17:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP/Netsh

Everyone,

Has anyone ever used Netsh to move DHCP to another server? In Mark Minasi's book he talks about using it to add another DHCP server to your network by dumping it with Netsh from one machine and Exec it to another machine. He did not go into much detail but I did not think you could have identically configured DHCP servers on a network.

Thanks

Jerry
Scicom Data Services
Minnetonka, Mn
RE: [ActiveDir] OT? - You guys rock
Check is in the mail Yusuf. :P

Thanks for the kind words, I appreciate it. Especially being compared to Joe, Rick, Robbie and Gil.

Todd Myrick

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf
[ActiveDir] Silly Question probably....
Gentlemen,

We had a few folders within a specific share just disappear earlier this morning. At first, we thought they had been deleted (since our initial search came up with no trace of them) and ordered a backup tape with the files.

A few moments ago, we found them...all of them. However, when we looked at the security properties on the folders and files, we noticed that a specific CSLID was listed there:

S-1-5-21-7796645487-3596344109-306335-2737-1211

We do all of our permissioning by group assignment, of course, so I'm guessing this is probably the person or account that moved those files without knowing it. Is there a way in AD to determine whose CSLID this is? Or some 3rd-Party tool the group can recommend?

I'd also be interested in any options you might have for preventing this from happening again.

My thanks to the group, in advance.

-Steve

Steven Dunn
Director, Technology Services
Executive Director, Incorporated
RE: [ActiveDir] AD Utilities
I would say. NETPRO products are an easy item to your AD wish list. (Directory TS, Analyzer, DNS analyzer are musts.) Directory Insight if you want the change log.

Quest Spotlight on AD is also an interesting tool. I think DT is a little better though.

Aelita's Backup solutions for AD, and Exchange Recovery are a must.

Event Log reporting for Data Administration in AD.
Aelita Intrust
Bindview BV-control

Blogging software from Radio so you can create a website that is driven by RSS news feeds and has tons of great links.

For AD Delegation management
EDM has a strong Web Admin tool, and very slick 32 bit interface with integrated GPO results. It has a flexible architecture approach now as well.
BV-Admin. Haven't used it in a while, but Offers a very interesting 32bit console that supports Drag and Drop. Also said to have good Web interface.
Quest has a great tool for Native Mode delegation and 32bit MMC support. Personally I think their strength is in Strong central operations.

Hyena for those times you want a good AD tool and don't want to mess with MMC's.

If your design has multiple forests, and you need to move users between them, Look at Aelita EMM.

Todd Myrick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 1:06 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Utilities

NetPro's Directory Analyzer

From: Cook, David A. [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/23/2003 01:04 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV)
Subject: [ActiveDir] AD Utilities

It's budget time here and thus time to present my wish list of what I would like to get next year. Seems things always come up in the middle of the year that I would like but wasn't budgeted for.

I'm curious to know what, if any, third party tools or utilities do you use that you couldn't live without? Specifically I would like something that would monitor the health and replication of AD.

Dave Cook
Exchange Administrator
Kutak Rock, LLP
402-231-8352
[EMAIL PROTECTED]
RE: [ActiveDir] OT? - You guys rock
So, you are saying he gets a Puck?

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Date: Thu, October 23, 2003 11:07 am
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]

Check is in the mail Yusuf. :P

Thanks for the kind words, I appreciate it. Especially being compared to Joe, Rick, Robbie and Gil.

Todd Myrick

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf
RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP
I wrote this as a VBScript wrapper to NETSH. We have used this to reload 4000 scopes on multiple DHCP servers. You can run this via a batch file and supply all the required parameters or use it to run interactively for creating new scopes. Up to you. As always test it in a lab prior to production use. I can not be responsible for the results of running this script.

*SCRIPT BEGIN
Option Explicit
'On Error Resume Next
'wscript.echo ""
'wscript.echo "NewDHCP.vbs (c) Edward Parker, Buchanan Associates"
'wscript.echo " This script will add Subnets in DHCP"

Dim sDHCPServer, sScope, sScopeSub, sScopeName, sRangeBegin, sRangeEnd, sOption
Dim sDefaultGW, sFQDN, sResults, sScopeDesc
Dim oShell

' Show usage when help is requested
If wscript.arguments.count > 0 Then
    If wscript.arguments(0) = "/?" OR wscript.arguments(0) = "?" OR wscript.arguments(0) = "-?" Then
        wscript.echo ""
        wscript.echo "USAGE:"
        wscript.echo "NewDHCP <DHCPSERVERIP> <SCOPE> <SCOPE SUBNET> <NAME> <DESCRIPTION> <START IP RANGE> <END IP RANGE> <Default GW> <DOMAIN NAME>"
        wscript.echo ""
        wscript.echo "EXAMPLE:"
        wscript.echo "NewDHCP 192.168.1.1 5.5.5.0 255.255.255.0 ""Scope Name"" ""ScopeDescription"" 5.5.5.100 5.5.5.150 5.5.5.1 domain.com"
        wscript.quit
    End If
End If

' Anything other than exactly nine arguments falls back to interactive prompts
If wscript.arguments.count < 9 OR wscript.arguments.count > 9 Then
    If wscript.arguments.count < 1 Then
        MsgBox "No command line arguments detected"
    Else
        MsgBox "Wrong Number of Arguments"
    End If
    sDHCPServer = InputBox("What is the DHCP Server IP Address?")
    sScope = InputBox("What is the Scope to add?")
    sScopeSub = InputBox("What is the Scope's Subnet?")
    sScopeName = InputBox("What is the Scope's Name?")
    sScopeDesc = InputBox("What is the Scope's Description?")
    sRangeBegin = InputBox("What is the Scope's Range Starting IP?")
    sRangeEnd = InputBox("What is the Scope's Range Ending IP?")
    sDefaultGW = InputBox("What is the Default Gateway?")
    sFQDN = InputBox("What is the domain name?")
Else
    sDHCPServer = wscript.arguments(0)
    sScope = wscript.arguments(1)
    sScopeSub = wscript.arguments(2)
    sScopeName = wscript.arguments(3)
    sScopeDesc = wscript.arguments(4)
    sRangeBegin = wscript.arguments(5)
    sRangeEnd = wscript.arguments(6)
    sDefaultGW = wscript.arguments(7)
    sFQDN = wscript.arguments(8)
    'wscript.echo sScopeName & " " & sScopeDesc
End If

Set oShell = CreateObject("wscript.shell")
If err <> 0 Then opps "Create Shell", err.number, err.description, err.source
wscript.echo "Adding Scope " & sScope
'wscript.echo "netsh dhcp server " & sDHCPServer & " add scope " & sScope & " " & sScopeSub & " """ & sScopeName & """ """ & sScopeDesc & """"

' Each netsh call runs hidden (0) and waits for completion (True); a non-zero exit code is logged by Opps
sResults = oShell.Run("netsh dhcp server " & sDHCPServer & " add scope " & sScope & " " & sScopeSub & " """ & sScopeName & """ """ & sScopeDesc & """", 0, True)
If sResults <> 0 Then
    opps "Add Scope Failure " & sScope, sResults, "?", "?"
    sResults = 0
End If
sResults = oShell.Run("netsh dhcp server " & sDHCPServer & " scope " & sScope & " add iprange " & sRangeBegin & " " & sRangeEnd, 0, True)
If sResults <> 0 Then
    opps "Add IP Range Failure " & sScope, sResults, "?", "?"
    sResults = 0
End If
'oShell.Run "netsh dhcp server " & sDHCPServer & " scope " & sScope & " add excluderange " & beginIP & " " & EndIP, 0, True
'If sResults <> 0 then
'opps "Add Exclusion Failure",sResults,"?","?"
'sResults = 0
'End if
sResults = oShell.Run("netsh dhcp server " & sDHCPServer & " scope " & sScope & " set optionvalue 003 IPADDRESS " & sDefaultGW, 0, True)
If sResults <> 0 Then
    opps "Add Scope Option 003 Failure " & sScope, sResults, "?", "?"
    sResults = 0
End If
sResults = oShell.Run("netsh dhcp server " & sDHCPServer & " scope " & sScope & " set optionvalue 015 STRING " & sFQDN, 0, True)
If sResults <> 0 Then
    opps "Add Scope Option 015 Failure " & sScope, sResults, "?", "?"
    sResults = 0
End If
sResults = oShell.Run("netsh dhcp server " & sDHCPServer & " scope " & sScope & " set state 1", 0, True)
If sResults <> 0 Then
    opps "Scope Set State Failure " & sScope, sResults, "?", "?"
    sResults = 0
End If
writeMe "Success: Scope Creation complete for " & sScopeSub

' Report a failure on screen, append it to c:\DHCPERRORS.txt and stop the script
Sub Opps(Data, ErrMsgNum, errMsgDesc, ErrMsgsource)
    Dim oFSO, oFile
    wscript.echo "Error: Failed adding " & Data & " " & ErrMsgNum & " " & ErrMsgDesc & " " & ErrMsgSource
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFile = oFSO.OpenTextFile("c:\DHCPERRORS.txt", 8, True)
    oFile.writeline "Error: Failed adding " & vbTab & Data & vbTab & ErrMsgNum & vbTab & ErrMsgDesc & vbTab & ErrMsgSource
    err.clear
    wscript.quit
End Sub

' Append a success line to c:\DHCPWORKS.txt
Sub WriteMe(info)
    Dim oFSO, oFile
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    Set oFile = oFSO.OpenTextFile("c:\DHCPWORKS.txt", 8, True)
    oFile.writeline info
End Sub
END SCRIPT*

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 1:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DHCP/Netsh - Other ways of working with DHCP

Rob,

I am forwarding your request to my MS TAM and MCS guy.

Todd

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 1:33 AM
To:
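An added example (not part of the posted script) that validates the nine NewDHCP parameters before any netsh call and passes them as separate arguments instead of one concatenated command string. The allow-list patterns and function names are assumptions of this example; the netsh subcommands are the ones the posted wrapper issues.

```python
import ipaddress
import re
import subprocess

# Conservative allow-lists (assumptions of this example, not netsh limits).
SAFE_TEXT = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")
DNS_NAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")

# The parameter set from the usage example in the posted script.
EXAMPLE_ARGS = ("192.168.1.1", "5.5.5.0", "255.255.255.0", "Scope Name",
                "ScopeDescription", "5.5.5.100", "5.5.5.150", "5.5.5.1", "domain.com")


def build_scope_commands(server, scope, mask, name, desc, start, end, gateway, domain):
    """Validate the nine parameters and return the five netsh argument lists.

    Raises ValueError on the first parameter that fails validation, so nothing
    is sent to the DHCP server for a half-valid request.
    """
    server_ip = ipaddress.IPv4Address(server)
    # Strict parsing: the scope must be the network address for that mask.
    network = ipaddress.IPv4Network("%s/%s" % (scope, mask))
    first, last, gw = (ipaddress.IPv4Address(v) for v in (start, end, gateway))
    reserved = (network.network_address, network.broadcast_address)
    for label, addr in (("range start", first), ("range end", last), ("gateway", gw)):
        if addr not in network or addr in reserved:
            raise ValueError("%s %s is not a host address in %s" % (label, addr, network))
    if first > last:
        raise ValueError("range start %s is above range end %s" % (first, last))
    for label, text in (("scope name", name), ("scope description", desc)):
        if not SAFE_TEXT.fullmatch(text):
            raise ValueError("%s contains characters outside the allow-list" % label)
    if not DNS_NAME.fullmatch(domain):
        raise ValueError("domain name %r is not a valid DNS name" % domain)

    server_cmd = ["netsh", "dhcp", "server", str(server_ip)]
    scope_cmd = server_cmd + ["scope", str(network.network_address)]
    return [
        server_cmd + ["add", "scope", str(network.network_address),
                      str(network.netmask), name, desc],
        scope_cmd + ["add", "iprange", str(first), str(last)],
        scope_cmd + ["set", "optionvalue", "003", "IPADDRESS", str(gw)],
        scope_cmd + ["set", "optionvalue", "015", "STRING", domain],
        scope_cmd + ["set", "state", "1"],
    ]


def validation_error(*params):
    """Return the validation message for a parameter set, or None if accepted."""
    try:
        build_scope_commands(*params)
    except ValueError as exc:
        return str(exc)
    return None


def run_scope_commands(commands, run=subprocess.run):
    """Run the commands in order; return (argv, exit code) of the first failure.

    Each argv list goes to the process as separate arguments, so a quote or
    space inside a value cannot change which netsh command is executed.
    """
    for argv in commands:
        code = run(argv).returncode
        if code != 0:
            return argv, code
    return None


if __name__ == "__main__":
    # Print the commands for the example parameters without executing them.
    for argv in build_scope_commands(*EXAMPLE_ARGS):
        print(argv)
```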
RE: [ActiveDir] AD Utilities
Hyena
www.systemtools.com/hyena

-Original Message-
From: Cook, David A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 12:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Utilities

It's budget time here and thus time to present my wish list of what I would like to get next year. Seems things always come up in the middle of the year that I would like but wasn't budgeted for.

I'm curious to know what, if any, third party tools or utilities do you use that you couldn't live without? Specifically I would like something that would monitor the health and replication of AD.

Dave Cook
Exchange Administrator
Kutak Rock, LLP
402-231-8352
[EMAIL PROTECTED]
RE: [ActiveDir] Silly Question probably....
Steve-

Check out Sid2User, written by Evgenii Rudnyi. You can get it at http://www.securityfocus.com/tools/544. It will translate a SID to a text user name.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Technology Listserves
Sent: Thu 10/23/2003 2:10 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Silly Question probably

Gentlemen,

We had a few folders within a specific share just disappear earlier this morning. At first, we thought they had been deleted (since our initial search came up with no trace of them) and ordered a backup tape with the files.

A few moments ago, we found them...all of them. However, when we looked at the security properties on the folders and files, we noticed that a specific CSLID was listed there:

S-1-5-21-7796645487-3596344109-306335-2737-1211

We do all of our permissioning by group assignment, of course, so I'm guessing this is probably the person or account that moved those files without knowing it. Is there a way in AD to determine whose CSLID this is? Or some 3rd-Party tool the group can recommend?

I'd also be interested in any options you might have for preventing this from happening again.

My thanks to the group, in advance.

-Steve

Steven Dunn
Director, Technology Services
Executive Director, Incorporated
RE: [ActiveDir] OT? - You guys rock
True, since Scottsdale was right up the road, attending DEC was easy. Now, since it looks to be headed East, travel will be an issue. Tho, to defend NetPro, holding it back East will allow a different population to attend.

Dan

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Creamer, Mark [EMAIL PROTECTED]
Date: Thu, October 23, 2003 11:42 am
To: [EMAIL PROTECTED]

Wow...from Scottsdale to Washington?? Yuck ;-)

mc

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 2:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

Yusuf,

If you get the chance you should attend a DEC (Directory Experts Conference) hosted by NetPro (www.netpro.com). Most of the folks you mentioned will be there. In fact some of those you mentioned will probably be putting on a presentation. I believe the next DEC is scheduled for the Spring of 2004 in lovely Washington, D.C. (Can I say lovely and Washington, D.C. in the same thought?)

Dan

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Mayet, Yusuf Y [EMAIL PROTECTED]
Date: Thu, October 23, 2003 9:11 am
To: [EMAIL PROTECTED]

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf
RE: [ActiveDir] OT? - You guys rock
Absolutely. I'll be there. :-)

(Not that anyone knows who I am!)

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 3:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

True, since Scottsdale was right up the road, attending DEC was easy. Now, since it looks to be headed East, travel will be an issue. Tho, to defend NetPro, holding it back East will allow a different population to attend.

Dan

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Creamer, Mark [EMAIL PROTECTED]
Date: Thu, October 23, 2003 11:42 am
To: [EMAIL PROTECTED]

Wow...from Scottsdale to Washington?? Yuck ;-)

mc

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 2:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

Yusuf,

If you get the chance you should attend a DEC (Directory Experts Conference) hosted by NetPro (www.netpro.com). Most of the folks you mentioned will be there. In fact some of those you mentioned will probably be putting on a presentation. I believe the next DEC is scheduled for the Spring of 2004 in lovely Washington, D.C. (Can I say lovely and Washington, D.C. in the same thought?)

Dan

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Mayet, Yusuf Y [EMAIL PROTECTED]
Date: Thu, October 23, 2003 9:11 am
To: [EMAIL PROTECTED]

I agree Al that the contributions from the likes of Joe, Rick, Robbie, Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time.

Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other.

Thanks again guys

yusuf
RE: [ActiveDir] OT? - You guys rock
You're Michael B. Smith, of course mc (also unknown) :-) -Original Message- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2003 3:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - You guys rock Absolutely. I'll be there. :-) (Not that anyone knows who I am!) -Original Message- From: Daniel Gilbert [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2003 3:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - You guys rock True, since Scottsdale was right up the road, attending DEC was easy. Now, since it looks to be headed East, travel will be issue. Tho, to defend NetPro, holding it back East will allow a different population attend. Dan Original Message Subject: RE: [ActiveDir] OT? - You guys rock From: Creamer, Mark [EMAIL PROTECTED] Date: Thu, October 23, 2003 11:42 am To: [EMAIL PROTECTED] Wow...from Scottsdale to Washington?? Yuck ;-) mc -Original Message- From: Daniel Gilbert [mailto:[EMAIL PROTECTED] Sent: Thursday, October 23, 2003 2:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT? - You guys rock Yusuf, If you get the chance you should attend a DEC (Directory Experts Conference) hosted by NetPro (www.netpro.com). Most of the folks you mentioned will be there. In fact some of those you mentioned will probably be putting on a presentation. I believe the next DEC is scheduled for the Spring of 2004 in lovely Washington, D.C. (Can I say lovely and Washington, D.C. in the smae thought?) Dan Original Message Subject: RE: [ActiveDir] OT? - You guys rock From: Mayet, Yusuf Y [EMAIL PROTECTED] Date: Thu, October 23, 2003 9:11 am To: [EMAIL PROTECTED] I agree Al that the contributions from the likes of Joe, Rick, Robbie,Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. 
And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other. Thanks again guys yusuf
[ActiveDir] Bind DNS and AD
I'm having some issues with our implementation of AD and DNS. We use Bind for DNS and have a disjointed namespace. Is there anything other than allowing updates for a particular host needed in order to have DDNS work right? A lot of errors are popping up in the event logs, and only some of the SRV records are being created within Bind. Any info on the best way to set this scenario up would be greatly appreciated. Once again, Thank you for all of your support.

Chris Flesher
The University of Chicago NSIT/DCS
1-773-834-8477
RE: [ActiveDir] Bind DNS and AD
Personally, I think a delegated zone would be the smoothest approach. The issues with Bind can be endless as you traverse the many nuances of difference in implementation and patch versions.

Al

From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 3:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Bind DNS and AD

I'm having some issues with our implementation of AD and DNS. We use Bind for DNS and have a disjointed namespace. Is there anything other than allowing updates for a particular host needed in order to have DDNS work right? A lot of errors are popping up in the event logs, and only some of the SRV records are being created within Bind. Any info on the best way to set this scenario up would be greatly appreciated. Once again, Thank you for all of your support.

Chris Flesher
The University of Chicago NSIT/DCS
1-773-834-8477
[ActiveDir] Delegating Write Access to on the Employee ID
Folks, What is the best way to delegate write access to the employee ID field on user objects in a domain? Is there something I can set on a parent domain that will replicate down to the Child OU's, or will I have to write a script to flip the ACE on an object property?

Thanks,
Todd Myrick
RE: [ActiveDir] OT? - You guys rock
Sure, Small, medium or Large. Also BTW. Go on over to Aelita's website and click around. They have a promo to get a t-shirt that says Master of My Active Directory. It is really cool. My whole team got them today.

Todd Myrick

-Original Message-
From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

So, you are saying he gets a Puck?

Original Message
Subject: RE: [ActiveDir] OT? - You guys rock
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Date: Thu, October 23, 2003 11:07 am
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]

Check is in the mail Yusuf. :P Thanks for the kind words, I appreciate it. Especially being compared to Joe, Rick, Robbie and Gil.

Todd Myrick

-Original Message-
From: Mayet, Yusuf Y [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 12:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - You guys rock

I agree Al that the contributions from the likes of Joe, Rick, Robbie,Todd, Gil .and and (that's the rest of the folks I haven't mentioned) have all been well appreciated. And over these past years you guys have been my inspiration and thus wanting to excel myself all of the time Presently I am at the age of 24 with only a handful of years of experience and I have learnt so much and so much more to learn from all of you. With me being located at the edge of Africa I am hoping at one time I would have the opportunity to rub shoulders with you guys sometime or the other. Thanks again guys yusuf
RE: [ActiveDir] Delegating Write Access to on the Employee ID
You can easily grant object and attribute specific permissions (which is what you want here) at the root of the domain (or whatever toplevel OU you might have where all other OUs with user accounts are designed to be located). In your case you'd limit the ACE to User-Objects and grant whatever group you choose write access to the employee ID property of the User-Object. Won't want to use the Delegation Wizard - simply do it manually via the Security Editor in ADUC or ADSIedit. No need for scripting, however realize that you have to understand the rules of permission inheritance (e.g. won't be applied to OUs that block inheritance) - but as this is a grant and not a deny ACE, there's no real other worries.

/Guido

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Donnerstag, 23. Oktober 2003 22:29
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Delegating Write Access to on the Employee ID

Folks, What is the best way to delegate write access to the employee ID field on user objects in a domain. Is there something I can set on a parent domain that will replicate down to the Child OU's, or will I have to write a script to flip the ACE on a object property.

Thanks,
Todd Myrick
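
The ACE described in the reply above (an allow entry at the domain root, write access to the employee ID property only, inherited by user objects only), written out as an added example that is not part of the thread. It uses the ActiveDirectory PowerShell module, which postdates these messages; the group name `HR-EmployeeID-Editors` is a hypothetical placeholder. The last step lists the OUs that block inheritance, which is the caveat the reply raises.

```powershell
Import-Module ActiveDirectory

# Assumption (not from the thread): the group receiving the delegation.
$GroupName = 'HR-EmployeeID-Editors'   # hypothetical group name

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve a schema object's schemaIDGUID at run time instead of hard-coding it.
function Get-SchemaGuid {
    param([string]$LdapName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}

$attrGuid  = Get-SchemaGuid 'employeeID'   # the property being delegated
$classGuid = Get-SchemaGuid 'user'         # the ACE applies to user objects only
$groupSid  = (Get-ADGroup -Identity $GroupName).SID

# Allow WriteProperty on employeeID, inherited by descendant user objects.
# 'Descendents' keeps the ACE from applying to the domain root object itself.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    ([System.Security.AccessControl.AccessControlType]::Allow),
    $attrGuid,
    ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents),
    $classGuid

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Inheritance caveat: OUs with protected ACLs will not receive the new ACE.
# List them so the grant can be reviewed and applied there explicitly if needed.
Get-ADOrganizationalUnit -Filter * | Where-Object {
    (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected
} | Select-Object -ExpandProperty DistinguishedName
```

Because the grant covers a single attribute and a single object class, the delegated group gains no other write rights on user accounts.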