[ActiveDir] About SIZELIMIT_EXCEEDED

2003-10-29 Thread Patrick Gelin
Hi,

I'm integrating an open-source application using openldap with Active
Directory. I know openldap doesn't support pagination with RFC2696, so I
can't manage more than 1000 results, but it's enough. My problem is that
I failed to avoid the message SIZELIMIT_EXCEEDED even if the openldap
client limits the requested result size to only 5...


ldapsearch -W -x -z 5 -b dc=rpn,dc=ch -D cn=Utilisateur
LDAP,cn=Users,dc=rpn,dc=ch -h #.###.## -p 3268

# PC-A, Ordinateurs, rpn.ch
dn: OU=PC-A,OU=Ordinateurs,DC=rpn,DC=ch
description: PC Administratifs
dSCorePropagationData: 20030130154242.0Z
dSCorePropagationData: 20030130145847.0Z
dSCorePropagationData: 20020920130143.0Z
dSCorePropagationData: 20020723160040.0Z
dSCorePropagationData: 16010714223649.0Z
gPLink:
[LDAP://CN={A8AA7B09-6230-4E5A-8753-6A0EBEB1B05D},CN=Policies,CN=Syste
 m,DC=rpn,DC=ch;0]
instanceType: 4
distinguishedName: OU=PC-A,OU=Ordinateurs,DC=rpn,DC=ch
objectCategory:
CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=rpn,DC=ch
objectClass: top
objectClass: organizationalUnit
objectGUID:: fOfmDrou40aaJAhJXFTYxA==
ou: PC-A
name: PC-A
uSNChanged: 3978665
uSNCreated: 64825
whenChanged: 20030916115727.0Z
whenCreated: 20020628141248.0Z
 
# search result
search: 2
result: 4 Size limit exceeded  = I've got what I want so why this error
message
 
# numResponses: 6
# numEntries: 5


Thanks.
-- 
Patrick Gelin
Office de la Statistique et de l'Informatique Scolaire
CH-2300 La Chaux-de-Fonds
Canton de Neuchâtel (Suisse)
Tél. +41 (0)32 919 79 23
Email: [EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Setting up Sites

2003-10-29 Thread John Reijnders

Here's an answer from a European guy struggling with AD infrastructures containing more than 1.000 sites (and DCs) connected by ISDN connections ... Consider yourself to be a lucky guy ;-). We've been through this discussion numerous times over here...

The best way to minimize the amount of replication traffic is by centralizing your Domain Controllers. Have you considered the possibility of not placing any DCs in location 3? Whether or not this scenario is feasible depends on the number of clients on the 3rd location, the reliability of the connection and the available bandwidth. It could possibly be the solution that results in the least cost... On the other hand, the best way to minimize the amount of authentication traffic is by placing a Domain Controller at each location. Looking at the information you gave us, this will be a solution that will most certainly do for you.

Looking at the requirements in your question (minimum amount of replication AND authentication traffic from and to site3 I presume) the following solution could be A way to go. However, an important parameter that is missing is the requirement for the convergence time of data within your AD infrastructure:

Implement 3 sites (s1, s2, s3).
Connect s1 and s2 by the default sitelink.
Connect s1 and s3 by sitelink-1-3. Configure the schedule such that replication occurs on even hours. (the frequency depends on the requirement for the convergence time).
Connect s2 and s3 by sitelink-2-3. Configure the replication such that replication occurs on odd hours.
Let the KCC create Connection objects between servers. In a relatively simple environment like this you should not try and configure these yourself. The schedule on the sitelinks will be inherited by the replication over the Connection Objects.


This topology has the following benefits:

Changes are replicated only once (most of the time) from and to s3 because s1 and s2 replicate more frequently and will keep each other up to date. So changes sent from s3 to s1 will not be replicated again from s3 to s2 because s1 has already sent the info to s2.
The replication topology is fault tolerant. Whenever 1 of the physical connections breaks down, the entire infrastructure is able to replicate.
Authentication traffic is minimized because clients will always authenticate to the nearest DC (within the same site).


HOWEVER ... I would strongly recommend seriously considering the most simple alternative. Implement s3 and connect this one to the default sitelink. The idea behind this is to keep things simple. This is one of the important design guidelines I try to adhere to. It will not meet your requirements but I'm positive that it will actually work in your infrastructure!

Cheers!
John

-Original Message-
From: David Adner [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday 29 October 2003 2:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting up Sites


We're going from 2 sites to 3 sites. So far, we've used the DEFAULTSITELINK for simplicity's sake and have the KCC creating replication links. The only thing we changed was the replication interval to every 15 minutes. With the creation of a 3rd site, plus to allow for future expansion, we're going to begin creating site links and such.

Site 1 and 2 are connected via a very high speed network.
Site 3 is connected to Sites 1 and 2 via a T3.


Connectivity to Site 3 is fast, but we still want to avoid unnecessary WAN authentication and optimize replication as much as possible.

I'm interested in people's opinions on setting up the metrics for the site links or any other suggestions you have for a relatively new AD implementation. I'm pretty familiar with how things work and have read through various whitepapers, but I'd like to hear people's real world experiences. TTIA.


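An hour-by-hour model of the three-site schedule design in John's reply above, added here as an example and not part of the list post: each site holds the set of change ids it knows, a site link is open or closed by hour of day, and the code counts how many changes crossed the two links to s3. The model's assumption (an open link keeps exchanging until both ends hold the same changes) stands in for the real replication engine and the KCC-created connection objects.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class SiteLink:
    name: str
    a: str
    b: str
    open_at: Callable[[int], bool]   # schedule: hour of day -> may replicate?
    transfers: int = 0               # changes that crossed this link


def proposed_topology():
    """The design from the post: s1-s2 on the default site link, s1-s3 on
    even hours only, s2-s3 on odd hours only."""
    return [
        SiteLink("DEFAULTSITELINK", "s1", "s2", lambda hour: True),
        SiteLink("sitelink-1-3", "s1", "s3", lambda hour: hour % 2 == 0),
        SiteLink("sitelink-2-3", "s2", "s3", lambda hour: hour % 2 == 1),
    ]


def simulate(links, changes, hours=24):
    """changes: iterable of (hour, originating_site, change_id).
    Returns ({link name: transfers}, {site: set of change ids it holds})."""
    sites = {}
    for link in links:
        sites.setdefault(link.a, set())
        sites.setdefault(link.b, set())
    for hour in range(hours):
        for when, site, change_id in changes:
            if when == hour:
                sites[site].add(change_id)
        # Model assumption: while a link is open, the two ends keep exchanging
        # until neither lacks anything (the s1-s2 link runs every 15 minutes in
        # the original question, so those two sites are in step well before
        # the next odd or even hour opens a link to s3).
        moved = True
        while moved:
            moved = False
            for link in links:
                if not link.open_at(hour % 24):
                    continue
                a, b = sites[link.a], sites[link.b]
                pending = len(a ^ b)        # changes known on one side only
                if pending:
                    link.transfers += pending
                    a |= b
                    b |= a
                    moved = True
    return {link.name: link.transfers for link in links}, sites


def wan_transfers_for(changes, hours=24):
    """Changes that crossed either link to s3 (the slow ones), and whether all
    three sites ended up holding the same data."""
    counts, sites = simulate(proposed_topology(), changes, hours)
    converged = len({frozenset(held) for held in sites.values()}) == 1
    return counts["sitelink-1-3"] + counts["sitelink-2-3"], converged
```

A change raised at s3 in an odd hour crosses sitelink-2-3 once, reaches s1 over the default link, and has nothing left to send when sitelink-1-3 opens the next hour; dropping one of the s3 links in the model still converges, which is the fault-tolerance point of the post.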

Re: [ActiveDir] [OT]'ish DHCP authorization error and ADSIEdit

2003-10-29 Thread Graham Turner
Have seen something along these lines

we initially performed the authorization using child domain (where the DHCP
servers are) credentials - this seemed to perform the authorization (certainly
wrote to the directory) but got messages as you describe.

the fix was a good hack using ADSIEDIT of the directory objects relating to
the dhcp server, making sure good and proper the directory was replicated
with the server removed

then making sure the authorisation was performed using ENTERPRISE ADMIN
credentials

note the domain model to which this applies is empty forest root with child
domain DCs on which dhcp server runs

HTH

GT
- Original Message -
From: Oliver Marshall [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 2:34 PM
Subject: [ActiveDir] [OT]'ish DHCP authorization error and ADSIEdit


I have the exact issue detailed in this KB article;

http://support.microsoft.com/default.aspx?scid=kb;en-us;306925

I have done exactly what it says there, allowing loads of time for
replication and rebooting etc etc and I still get exactly the same
error. Using ADSIEdit removes the entries from the DHCPRoot object, and
the changes get replicated. Authorizing the DHCP server adds the server
entry to the DHCPRoot object again as it should, though the MMC applet
still reports that the server can't be authorised even though it has
just added it itself !!!

:(

I have a director who will be flying to that office tomorrow with a
laptop set to Dynamically Assign IP addresses, and he will be majorly
hacked off if he can't get surfing!

Any ideas what's happening?

Olly


RE: [ActiveDir] [OT]'ish DHCP authorization error and ADSIEdit

2003-10-29 Thread Oliver Marshall
When you say authorise it as the Enterprise Admin, you mean log on to a
server as the enterprise admin account and then try authorising it again
? 

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: 29 October 2003 10:51
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT]'ish DHCP authorization error and ADSIEdit



RE: [ActiveDir] Migrating Computers and Users

2003-10-29 Thread Ellis, Debbie

I was looking for something where you could
import the computer or user names into a text file. I am sorry I was not clear.

-Original Message-
From: John Reijnders
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 8:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Migrating
Computers and Users


I was surprised by your remark that ADMT does not let you migrate compus/users
in batch style. I've been through numerous migrations that ran in batches (up
to 50K users and compus) using ADMT v2.0. Maybe your definition of batches is
something else than mine? I've included some quotes and links from Technet
that confirm that batch-wise migration (as I define it) is possible using
ADMT...

http://www.microsoft.com/technet/treeview/default.asp?url=""
http://www.microsoft.com/technet/treeview/default.asp?url=""
http://www.microsoft.com/technet/treeview/default.asp?url=""

If you have a large number of users, groups, or computers to migrate, you can
list them in an include file. For example, to create an include file for a
batch of computers, create a plain text file and list the computer names, each
name on a separate line. Then specify the include file name with the /F
option, as follows: ADMT COMPUTER /F "includefile_name" /SD:"source_domain"
/TD:"target_domain" /TO:"target_OU"

Cheers!
John

From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Wednesday 29 October 2003 14:05
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Migrating Computers and Users

We plan on migrating our users and computers to a new forest and new domain.
I am familiar with ADMT, but it does not appear to let you migrate computers
or users in batch style. Does anyone know of a script or tool that will let
you migrate more than one user or computer to a new domain? NT 4.0 -
Windows 2003 AD.


[ActiveDir] AD Self-service User Managment

2003-10-29 Thread Shad Gunderson
Hello all,

I'm looking for feedback on products that may provide users a 
self-service application that will allow employees to register/request 
an Active Directory domain account and, with some workflow, those 
accounts will be created.  Nothing beyond those specific features are 
required at this point (i.e. not looking for full-blown LDAP provisioning).

Does anyone here use such tools or have any experience they'd care to share?

Regards,
Shad Gunderson


RE: [ActiveDir] About SIZELIMIT_EXCEEDED

2003-10-29 Thread Robbie Allen
You can get a size limit error due to either server or client size
constraints that were exceeded.  In your case, you've set the max entries to
return to 5.  All that error is telling you is that there were more than 5
matches found.  This is necessary to allow the client to distinguish between
a search that returns all matching results and a search that only returns a
subset.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Patrick Gelin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] About SIZELIMIT_EXCEEDED

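Robbie's point in code, as an added example that is not part of the list post: a parser for the LDIF that ldapsearch prints (entries, the "result:" line and the "# numEntries:" comment, including folded continuation lines like the gPLink value above) that reports whether the listing was cut short, and whether the cut came from the client's own -z value or from the server's limit. The sample output and the example.test names are constructed for this example, modelled on the listing in the thread.

```python
import base64
import re
from dataclasses import dataclass

SIZE_LIMIT_EXCEEDED = 4   # LDAP resultCode sizeLimitExceeded

# Constructed sample: what "ldapsearch -z 2" prints when more than two objects
# match (names under example.test are placeholders, not the poster's directory).
SAMPLE_TRUNCATED = """\
# extended LDIF
#
# PC-A, Ordinateurs, example.test
dn: OU=PC-A,OU=Ordinateurs,DC=example,DC=test
description: PC Administratifs
gPLink: [LDAP://CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=Syste
 m,DC=example,DC=test;0]
objectClass: top
objectClass: organizationalUnit
objectGUID:: fOfmDrou40aaJAhJXFTYxA==

# PC-B, Ordinateurs, example.test
dn: OU=PC-B,OU=Ordinateurs,DC=example,DC=test
objectClass: top
objectClass: organizationalUnit

# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 3
# numEntries: 2
"""

# Constructed sample: the same kind of search with a limit large enough for
# every match, so the server reports success.
SAMPLE_COMPLETE = """\
dn: OU=PC-A,OU=Ordinateurs,DC=example,DC=test
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


@dataclass
class SearchOutcome:
    entries: list           # [(dn, {attribute: [values]}), ...]
    result_code: int
    result_text: str
    num_entries: int
    truncated: bool         # more matches exist than were returned
    truncated_by: str       # "client", "server" or ""


def _unfold(text):
    """Join LDIF continuation lines: a leading space continues the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldapsearch_output(text, client_limit=0):
    """Parse ldapsearch LDIF output. client_limit is the value given with -z
    (0 when the client set no limit of its own)."""
    entries, current = [], None
    result_code, result_text, num_entries = 0, "", 0
    for line in _unfold(text):
        if not line.strip():
            current = None                      # a blank line ends an entry
            continue
        if line.startswith("#"):
            found = re.match(r"#\s*numEntries:\s*(\d+)", line)
            if found:
                num_entries = int(found.group(1))
            continue
        if line.startswith("result:"):
            found = re.match(r"result:\s*(\d+)\s*(.*)", line)
            result_code, result_text = int(found.group(1)), found.group(2).strip()
            continue
        if line.startswith("search:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        if name == "dn":
            dn = value if isinstance(value, str) else value.decode("utf-8")
            current = (dn, {})
            entries.append(current)
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    num_entries = num_entries or len(entries)
    truncated = result_code == SIZE_LIMIT_EXCEEDED
    if not truncated:
        by = ""
    elif client_limit and num_entries >= client_limit:
        by = "client"   # our own -z stopped the listing: more matches exist
    else:
        by = "server"   # the server's limit did (1000 on AD, per the thread)
    return SearchOutcome(entries, result_code, result_text, num_entries, truncated, by)
```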

RE: [ActiveDir] Migrating Computers and Users

2003-10-29 Thread Sullivan, Kevin

It is still not totally clear Debbie, why do you want to import computer/user
names into a text file? Or do you want to have a file with computer/user names
that can be imported into the migration product? List based migrations and
project based migrations are very popular and allow a lot of flexibility,
delegation, distribution of responsibilities etc.; the list goes on. If I am
correct in what you are trying to do you will probably need to look at some
of the vendors out there who have very robust migration products (my company
has one and if you want to hear about it send me a note offline). So really
the big migration vendors out there are probably where you need to look. Just
to get you started you probably want to look at *Aelita* (I have to give my
company a little more weight g), Quest, NetIQ, BindView. There are a lot of
vendors out there and all will present with different focus and strengths.

Kevin Sullivan
Product Manager
Aelita Software
[EMAIL PROTECTED]

From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 9:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Migrating Computers and Users

I was looking for something where you could import the computer or user names
into a text file. I am sorry I was not clear.


RE: [ActiveDir] AD Self-service User Managment

2003-10-29 Thread Jackson Shaw
I was recently surprised by the number of customers who did not want to
implement such a facility as self-service. Why? They felt that allowing
the employees to change data in the directory would lead to dirty data
- for example, addresses all in lowercase, using Ave. instead of
Avenue, etc.

Sure, a sophisticated package could probably work around all this stuff.
Either way, I was surprised by the reaction.

I'm curious how others feel about this kind of a tool (with or without
workflow).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shad Gunderson
Sent: Wednesday, October 29, 2003 6:30 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Self-service User Managment



[ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Chris Blair
Is it possible to join the AD from a Windows 98 using the command line?


RE: [ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Matjaz Ladava
Windows 9x/Me don't have a computer account in AD, so you don't join them to the AD;
you just log in to the domain.

Regards

Matjaz Ladava 

-Original Message-
From: Chris Blair [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 5:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win98 AD from CMD Line



RE: [ActiveDir] AD Self-service User Managment

2003-10-29 Thread Sullivan, Kevin
I think Jackson brings up a great point. It is not necessarily related
just to self administration but really to anyone who has a role of 'data
administrator'. There needs to be a way to mandate data structures,
format, use of 'acceptable values' etc. Without these key components
along with very granular delegation the choice would be to revert back
to a single point of administration, being the help-desk or something to
that effect. This does not mitigate the opportunities to corrupt data, it
just centralizes the effort to corrupt the directory G.

We need our ADs to be available to use as not only an authentication
mechanism but a storage of data that we can rely on for application
support, GAL, etc. and if we can't trust the integrity of the data it
will never grow into the enterprise directory it is architected for and
has the capacity for. 

Workflow and an approval based workflow, I think about often. We have
many customers for which this is very important to them. The idea of,
for example, requesting membership to a group, having the whole process
of email generation and delivery and acceptance and provisioning done in
the back end is great. It takes a few touches out of the scenario which
makes for a cleaner environment with less 'dirty data'. For the business
value it also adds to the ROI by Doing More with Less.

There are lots of pieces of data that are present in the directory that
I definitely do not want users having access to, especially write access
to. The solution needs to be flexible enough to create custom interfaces
which only expose the data that you approve, and have full support for
enforcement of workflow rules, business rules and data structure
validation rules. Simple solutions are often just that: simple. The
issues and pains of Active Directory administrators are not simple and
they need to be addressed with solutions that can wrap around their
needs.

Regards,
Kevin Sullivan

-Original Message-
From: Jackson Shaw [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Self-service User Managment



RE: [ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Sullivan, Kevin
Command line or otherwise, it is not possible. WinNT and above are required
for membership in a domain, whether it is NT or AD. Win98 can 'browse' in
the domain but it cannot be a security principal.

Kevin Sullivan

-Original Message-
From: Chris Blair [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win98 AD from CMD Line



RE: [ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Craig Cerino
Chris, sorry but 9x machines can is only able to browse the domain to
see devices it can not become a security member of an AD domain.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Blair
Sent: Wednesday, October 29, 2003 11:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win98 AD from CMD Line



RE: [ActiveDir] Win98 AD from CMD Line

2003-10-29 Thread Craig Cerino

I am also sorry for the HORRIBLE grammar typo. J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, October 29, 2003 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Win98 AD from CMD Line



RE: [ActiveDir] GPOs and additional sites

2003-10-29 Thread Gil Kirkpatrick
Oliver,

The GPO processing on the client side includes a short test to determine the
available bandwidth to the authenticating DC. If the bandwidth is below a
certain threshold, the costlier bits of GPO processing such as application
deployment will not be applied.

See http://support.microsoft.com/default.aspx?scid=kb;EN-US%3B227260
And http://support.microsoft.com/default.aspx?scid=kb;EN-US;227369

-gil

Gil Kirkpatrick
CTO, NetPro
Author of Active Directory Programming 

Find AD problems you don't even know you have!
Register today for NetPro's FREE 
DirectoryAnalyzer Rapid Deployment Program!
www.netpro.com/welcome/rapid/index.cfm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, October 29, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPOs and additional sites


Whilst tinkering (read: breaking) AD now that we have multiple sites set up in
it, I was wondering this:

We have a GPO that installs SP4 by way of an msi file. Now that the Scottish
office has been brought into the fold, and the DNS is working so that all
machines can resolve all other names on the network, is it likely that
when/if they reboot the SP4 install will be sent via the not-so-quick
256kbps line to Scotland?

On that note, if a user with a roaming profile from the southern office goes
to log on to Scotland's workstations (happens often) will his machine attempt
to download the profile from the servers in the southern office thereby
flooding the line with stuff?

Eeek

Olly



Re: [ActiveDir] AD Self-service User Managment

2003-10-29 Thread Lou Vega
I've designed and built several such systems for different organizations.
Here's a 30,000 ft view of the process:

1) Account request via web page form
2) When user submits, data is checked and stored in SQL table
3) E-mail is generated to Help Desk notifying them of account request
4) Help Desk logs into custom built Windows Application for managing
requests
5) Help Desk sees pending requests, reviews and activates them
6) When they are activated the account data in SQL is used to create a
user account, populate attributes and move the account to the correct OU.
7) E-mail is generated to user letting them know they are activated

From there users can manage their accounts by logging into the site and
clicking a My Account link

Keep in mind also at each step there are checks and program logic in place
to keep things nice and orderly, i.e., properly formatted data, required
fields, etc.

These were custom built solutions. Once I created an initial framework,
other or internal developers took over and added additional features as they
saw fit.

- Original Message - 
From: Shad Gunderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 9:30 AM
Subject: [ActiveDir] AD Self-service User Managment


 Hello all,

 I'm looking for feedback on products that may provide users a
 self-service application that will allow employees to register/request
 an Active Directory domain account and, with some workflow, those
 accounts will be created.  Nothing beyond those specific features are
 required at this point (i.e. not looking for full-blown LDAP
provisioning).

 Does anyone here use such tools or have any experience they'd care to
share?

 Regards,
 Shad Gunderson

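The seven steps above, as an added example that is not Lou Vega's code or any product's: a small Python model of the request, check, review and activate pipeline, with the data checks between steps and the requester/approver separation a practitioner would want before an account is created. The field names, the department-to-OU mapping and the addresses are assumptions.

```python
"""Added example (not Lou Vega's code): a minimal model of the request ->
review -> activate pipeline described above, with the checks that sit
between each step. Names, fields and the OU layout are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# sAMAccountName rules for user objects: at most 20 characters, none of the
# characters below, and no trailing period.
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class AccountRequest:
    request_id: int
    requester_email: str   # where the activation mail goes (step 7)
    given_name: str
    surname: str
    sam_account_name: str
    department: str        # decides the target OU (step 6)
    status: str = "pending"
    activated_by: Optional[str] = None
    log: List[str] = field(default_factory=list)


def validate(req: AccountRequest) -> List[str]:
    """Step 2 checks: required fields and properly formatted data.
    Returns a list of problems; empty means the request may be stored."""
    problems = []
    for name in ("given_name", "surname", "sam_account_name", "department"):
        if not getattr(req, name).strip():
            problems.append(f"{name} is required")
    sam = req.sam_account_name
    if len(sam) > 20:
        problems.append("sam_account_name longer than 20 characters")
    if any(c in _SAM_FORBIDDEN for c in sam) or sam.endswith("."):
        problems.append("sam_account_name contains an invalid character")
    if not _EMAIL_RE.match(req.requester_email):
        problems.append("requester_email is not an address")
    return problems


class RequestStore:
    """Stand-in for the SQL table (step 2) and the Help Desk tool (steps 4-6)."""

    def __init__(self, ou_by_department: Dict[str, str]):
        self.ou_by_department = ou_by_department   # assumed mapping
        self.rows: Dict[int, AccountRequest] = {}

    def submit(self, req: AccountRequest) -> List[str]:
        problems = validate(req)
        if not problems:
            req.log.append("submitted; help desk notified")   # step 3
            self.rows[req.request_id] = req
        return problems

    def pending(self) -> List[AccountRequest]:               # step 5 view
        return [r for r in self.rows.values() if r.status == "pending"]

    def activate(self, request_id: int, help_desk_user: str) -> dict:
        """Step 6: turn a reviewed request into the attributes the account
        creation code needs. Refuses unknown, non-pending or self-approved
        requests so the review queue cannot be bypassed."""
        req = self.rows.get(request_id)
        if req is None or req.status != "pending":
            raise ValueError("no pending request with that id")
        if help_desk_user.lower() == req.requester_email.lower():
            raise PermissionError("requester may not activate their own request")
        ou = self.ou_by_department.get(req.department)
        if ou is None:
            raise ValueError(f"no OU mapped for department {req.department!r}")
        req.status = "activated"
        req.activated_by = help_desk_user
        req.log.append(f"activated by {help_desk_user}; user notified")  # step 7
        return {
            "sAMAccountName": req.sam_account_name,
            "givenName": req.given_name,
            "sn": req.surname,
            "displayName": f"{req.given_name} {req.surname}",
            "targetOU": ou,
        }
```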


RE: [ActiveDir] AD Self-service User Managment

2003-10-29 Thread Mike Hogenauer
We use RT3 from http://www.bestpractical.com/ 

It uses a MySql backend, all user's have to do is send an e-mail to an alias
we've created (in AD) and it creates the ticket, which sends the request to
the helpdesk and the users and is all trackable in a web based format. 

Best of all it's free. 

Mike 


Rendition Networks, Inc.

10735 Willows Rd NE, Suite 150

Redmond, WA 98052

425.636.2148 | Fax: 425.497.1149

 

-Original Message-
From: Lou Vega [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Self-service User Managment

I've designed and built several such systems for different organizations.
Here's a 30,000 ft view of the process:

1) Account request via web page form
2) When user submits, data is checked and stored in SQL table
3) E-mail is generated to Help Desk notifying them of account request
4) Help Desk logs into custom built Windows Application for managing
requests
5) Help Desk sees pending requests, reviews and activates them
6) When they are activated the account data in SQL is used to create a
user account, populate attributes and move the account to the correct OU.
7) E-mail is generated to user letting them know they are activated

From there users can manage their accounts by logging into the site and
clicking a My Account link

Keep in mind also at each step there are checks and program logic in place
to keep things nice and orderly, i.e., properly formatted data, required
fields, etc.

These were custom built solutions. Once I created an initial framework,
other or internal developers took over and added additional features as they
saw fit.

- Original Message -
From: Shad Gunderson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 9:30 AM
Subject: [ActiveDir] AD Self-service User Managment


 Hello all,

 I'm looking for feedback on products that may provide users a
 self-service application that will allow employees to register/request
 an Active Directory domain account and, with some workflow, those
 accounts will be created.  Nothing beyond those specific features are
 required at this point (i.e. not looking for full-blown LDAP
provisioning).

 Does anyone here use such tools or have any experience they'd care to
share?

 Regards,
 Shad Gunderson





RE: [ActiveDir] Active Directory Cookbook

2003-10-29 Thread Roger Seielstad
I can definitely help put a face to her for you, but for some reason every picture of Missy that I have seems to have her holding some form of alcohol...

Missy's been putting up with me in a lot of forums and on a lot of topics for a lot of years..

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 3:45 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook

 Yeah, she and I got to know each other on this list (she's one of the folks that convinced me you were worth putting up with as an MVP - then to nominate you). I know that I've met her in person, but I can't put the name to the face.

 She is a good one, to be sure

 Rick Kingslan MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
 Sent: Tuesday, October 28, 2003 7:47 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook

 Yup.. Known Missy for quite a few years now. I owe her a scotch or three next time I see her, too..

 Funny, I know a lot of the Exchange MVPs...

 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.

 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 27, 2003 7:41 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook

 LOL!

 Heh Yeah, I forgot that you and Missy are acquainted. Too funny.

 Rick Kingslan MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
 Sent: Monday, October 27, 2003 7:46 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Active Directory Cookbook

 You been hanging out with Missy Koslosky lately?

 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.

 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Saturday, October 25, 2003 10:48 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook

 Bite me, Joe.

 :P

 Rick Kingslan MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
 Sent: Saturday, October 25, 2003 1:17 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Active Directory Cookbook

 I thought you would think that was a good thought. But you have a good point to counter that good thought. I should submit something, I wouldn't mind being in the acknow. err wait a minute. How about this, people who are already in it can submit something and pick one person to be removed from the acknowledgements... Oh Rick :op

 Hmmm what could I submit... Oh I know, something I had to do today really quick... Find all OU's with any GPO link whatsoever...

 First off I wondered, is gplink in the GC?

 adfind -schema -f ldapdisplayname=gplink ismemberofpartialattributeset

 Gets you

 dn:CN=GP-Link,CN=Schema,CN=Configuration,DC=joehome,DC=com
 isMemberOfPartialAttributeSet: TRUE

 So it sure is... This is easy!

 adfind -gc -b -f "(&(objectcategory=organizationalunit)(gplink=*))" gplink

 On my home domain that rips off in less than a second...

 dn:OU=Domain Controllers,DC=joehome,DC=com
 gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]

 dn:OU=Cmps,DC=joehome,DC=com
 gPLink: [LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;0]

 Oh ok, you now want to know what the nice name of those are...

 adfind -b CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com -s base displayname

 and

 adfind -b CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com -s base

 I don't recall those exact examples in the book. :op

 Can anyone
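An added example (not Joe's post or AdFind's code): a Python parser for the gPLink format shown in the quoted output above, which also joins the linked GUIDs to GPO display names the way Joe does by hand with the two base searches, and flags links whose GPO no longer resolves. The sample data is constructed to match the AdFind output; the second GPO name and the third GUID are made up.

```python
"""Added example: parse gPLink values like the AdFind output in the thread and
resolve the linked GPO GUIDs to display names. Not Joe's code and not AdFind.

gPLink is one string of concatenated entries:
    [LDAP://CN={GUID},CN=Policies,CN=System,DC=joehome,DC=com;OPTIONS]
OPTIONS is a bitmask: bit 0 (1) = link disabled, bit 1 (2) = enforced.
"""
import re
from typing import Dict, List, NamedTuple

# One entry: the DN never contains ';' or ']', the options are a decimal integer.
_ENTRY_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)
# GPO containers are named by GUID in braces: CN={...},CN=Policies,...
_GUID_RE = re.compile(
    r"^CN=\{(?P<guid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\},", re.IGNORECASE)


class GpoLink(NamedTuple):
    dn: str         # DN of the GPO container as written in gPLink
    guid: str       # GUID in upper case, without braces
    disabled: bool  # bit 0 of the options
    enforced: bool  # bit 1 of the options


def parse_gplink(value: str) -> List[GpoLink]:
    """Split a gPLink string into its links. Malformed fragments are skipped,
    so compare len(result) with value.count('[LDAP://') when auditing."""
    links = []
    for m in _ENTRY_RE.finditer(value or ""):
        dn = m.group("dn")
        g = _GUID_RE.match(dn)
        guid = g.group("guid").upper() if g else ""
        opts = int(m.group("opts"))
        links.append(GpoLink(dn, guid, bool(opts & 1), bool(opts & 2)))
    return links


def audit_gpo_links(ou_gplinks: Dict[str, str], gpo_names: Dict[str, str]) -> List[dict]:
    """Join OU -> gPLink with GUID -> displayName (the two lookups Joe does by
    hand with adfind). Links whose GUID has no matching GPO are reported as
    '<unresolved>': typically a GPO deleted while its link was left behind."""
    rows = []
    for ou_dn, value in ou_gplinks.items():
        for link in parse_gplink(value):
            rows.append({
                "ou": ou_dn,
                "guid": link.guid,
                "gpo": gpo_names.get(link.guid, "<unresolved>"),
                "enforced": link.enforced,
                "disabled": link.disabled,
            })
    return rows


# Constructed sample data shaped like the AdFind results in the post. The
# 6AC1786C... GUID is the well-known Default Domain Controllers Policy; the
# 0F1E2D3C... GUID is made up and deliberately has no matching GPO.
SAMPLE_OU_LINKS = {
    "OU=Domain Controllers,DC=joehome,DC=com":
        "[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=joehome,DC=com;0]",
    "OU=Cmps,DC=joehome,DC=com":
        "[LDAP://CN={61CF67FA-41FA-415C-B349-E7D182BDD54F},CN=Policies,CN=System,DC=joehome,DC=com;2]"
        "[LDAP://cn={0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0},cn=policies,cn=system,DC=joehome,DC=com;1]",
}
SAMPLE_GPO_NAMES = {  # what 'adfind -b <dn> -s base displayname' would return
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
    "61CF67FA-41FA-415C-B349-E7D182BDD54F": "Workstation Lockdown",  # constructed name
}

if __name__ == "__main__":
    for row in audit_gpo_links(SAMPLE_OU_LINKS, SAMPLE_GPO_NAMES):
        flags = ("enforced " if row["enforced"] else "") + ("disabled" if row["disabled"] else "")
        print(f"{row['ou']:45} {row['gpo']:35} {flags}")
```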

RE: [ActiveDir]

2003-10-29 Thread Roger Seielstad
I'm apparently way behind. WTF is MACS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Diane Ayers [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 28, 2003 10:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 
 
 
 I was waiting for BRO and SIS to come along too after MOM and DAD.
 Maybe they were too close to BOB and made someone nervous  :-) 
 
 Diane
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, October 28, 2003 6:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 
 
 Shawn,
 
 Separate verification that what Gil is telling you is 
 correct.  I've needed
 to set up just the same to manage some issues with an Admin 
 that had rights
 that he really shouldn't have, yet was mandated by management 
 that he have
 them.  The only way to convince management was to prove that 
 the problems
 being caused were coming from the careless actions of the Admin.  
 
 On another note, code name for MACS before the name was settled on -
 DAD. Meant to 'co-exist' with MOM, but Distributed 
 Auditing Device was
 not a real Marketing win.  Not that I think Microsoft 
 Audit Collection
 Server is all that much better...
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:16 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 
 
 File and Object auditing on the Sysvol and Policies directory 
 explicitly
 should do the trick???...At least this would show who was 
 making changes.
 At that point I can confront that person..
 
 Sound correct?
 
 Thanks Gil 
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 5:12 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] 
 
 You can set up auditing in AD on the GPOs themselves by 
 setting the SACLs...
 The accesses will show up in the security audit log. You can 
 likewise set up
 auditing on the SYSVOL to track changes on the files. Use 
 your favorite
 event log collector (e.g., Microsoft's MACS, which is in Beta).
 But translating the resulting mess of event log entries into something
 meaningful will be a challenge. And you won't be able to tell specifically
 what was changed. Just that it was changed.
 
 -gil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 
 
 
 Great, but anything built in to the OS?  Anyway I can point a finger at a
 DBA that is poking his hands where they do not belong.  Please don't ask why
 they have rights... aarrgghhh
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] 
 
 FullArmor FAZAM GPO Auditor...  www.fullarmor.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 2:26 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] 
 
 
 I believe a GPO was modified by someone with the appropriate 
 'rights', but
 that person did not communicate changes were to be made and 
 now we see some
 strange issues
 
 Issues are not the point of this question.  Does anyone know 
 of a way to
 determine who modified the GPO?
 
 Thanks in advance,
 Shawn
 
 
 

RE: [ActiveDir]

2003-10-29 Thread Free, Bob
Microsoft Audit Collection System, formerly known by the codename DAD,
is a system for consolidating and analyzing security event logs.

It is a client/server application consisting of an agent, which is
implemented as a service running on the monitored machine, and a
collector, which runs as a service on a machine dedicated to that task.
The agent monitors the security log for changes and transmits new events
to the collector as they occur. The collector breaks the events apart
and loads them into a database in a manner optimized for later analysis.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 

I'm apparently way behind. WTF is MACS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Diane Ayers [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 10:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 I was waiting for BRO and SIS to come along too after MOM and DAD.
 Maybe they were too close to BOB and made someone nervous  :-)
 
 Diane
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, October 28, 2003 6:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 Shawn,
 
 Separate verification that what Gil is telling you is correct.  I've 
 needed to set up just the same to manage some issues with an Admin 
 that had rights that he really shouldn't have, yet was mandated by 
 management that he have them.  The only way to convince management was
 to prove that the problems being caused were coming from the careless
 actions of the Admin.
 
 On another note, code name for MACS before the name was settled on - 
 DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device
 was not a real Marketing win.  Not that I think Microsoft Audit
 Collection Server is all that much better...
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:16 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 File and Object auditing on the Sysvol and Policies directory 
 explicitly should do the trick???...At least this would show who was 
 making changes.
 At that point I can confront that person..
 
 Sound correct?
 
 Thanks Gil
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 5:12 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 You can set up auditing in AD on the GPOs themselves by setting the 
 SACLs...
 The accesses will show up in the security audit log. You can likewise 
 set up auditing on the SYSVOL to track changes on the files. Use your 
 favorite event log collector (e.g., Microsoft's MACS, which is in 
 Beta).
 But translating the resulting mess of event log entries into something
 meaningful will be a challenge. And you won't be able to tell
 specifically what was changed. Just that it was changed.
 
 -gil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 Great, but anything built in to the OS?  Anyway I can point a finger
 at a DBA that is poking his hands where they do not belong.  Please
 don't ask why they have rights... aarrgghhh
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 FullArmor FAZAM GPO Auditor...  www.fullarmor.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 2:26 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir]
 
 
 I believe a GPO was modified by someone with the appropriate 'rights',
 but that person did not communicate changes were to be made and now we
 see some strange issues
 
 Issues are not the point of this question.  Does anyone know of a way 
 to determine who modified the GPO?
 
 Thanks in advance,
 Shawn
 
 
 

[ActiveDir] DNS Lookup Problem - Windows 2003

2003-10-29 Thread ml.adlist
I am having an issue with a Windows 2003 AD integrated DNS server doing recursive lookups to find MX records for my outbound mail.

Prior to our AD deployment, we were running split brained DNS with Windows 2000 DNS servers internally and externally. Post upgrade, our internal DNS moved to Windows 2003 DNS. Afterwards DNS lookups for web sites appeared to work fine as you could surf the web etc. But in the case of our mail servers and nslookup, all MX record requests would fail, thus blocking outbound email. Using Google, TechNet, and a nice thick Windows 2003 book (William Boswell's), I have to the best of my ability, confirmed that the internal Windows 2003 DNS is setup to do recursive lookups for domains other than the ones it hosts, and in the case of web browsing it does in fact work, even after I clear the DNS caches of my internal servers.

To get MX lookups to function, I have had to set the internal servers to forward to one of my two public DNS servers running Windows 2000 DNS. Once done the MX lookups function again just as before. I will need to be upgrading our public servers to Windows 2003 in the very near future and I am afraid that once I do, the MX lookups will fail again.

Has anyone else run into this? If not, any suggestions on places to look for more info, or settings to confirm, would be MOST appreciated. I'd really like/need to have my internal servers doing all of the lookups on their own.

Thanks for any assistance you can provide.

Miles 

---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
Show me a completely smooth operation and I'll show you someone who's covering 
mistakes. Real boats rock. - Frank Herbert, Chapterhouse:Dune  



RE: [ActiveDir]

2003-10-29 Thread Roger Seielstad
How far out of beta is it? 

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Free, Bob [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 29, 2003 2:08 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] 
 
 
 Microsoft Audit Collection System, formerly known by the 
 codename DAD,
 is a system for consolidating and analyzing security event logs.
 
 It is a client/server application consisting of an agent, which is
 implemented as a service running on the monitored machine, and a
 collector, which runs as a service on a machine dedicated to 
 that task.
 The agent monitors the security log for changes and transmits 
 new events
 to the collector as they occur. The collector breaks the events apart
 and loads them into a database in a manner optimized for 
 later analysis.
 
 -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 29, 2003 10:43 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] 
 
 I'm apparently way behind. WTF is MACS?
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Diane Ayers [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 10:56 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  
  I was waiting for BRO and SIS to come along too after 
 MOM and DAD.
  Maybe they were too close to BOB and made someone nervous  :-)
  
  Diane
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rick Kingslan
  Sent: Tuesday, October 28, 2003 6:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  Shawn,
  
  Separate verification that what Gil is telling you is 
 correct.  I've 
  needed to set up just the same to manage some issues with an Admin 
  that had rights that he really shouldn't have, yet was mandated by 
  management that he have them.  The only way to convince management was
  to prove that the problems being caused were coming from the careless
  actions of the Admin.
  
  On another note, code name for MACS before the name was settled on -
  DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device
  was not a real Marketing win.  Not that I think Microsoft Audit
  Collection Server is all that much better...
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 4:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  File and Object auditing on the Sysvol and Policies directory 
  explicitly should do the trick???...At least this would 
 show who was 
  making changes.
  At that point I can confront that person..
  
  Sound correct?
  
  Thanks Gil
  
  
  Shawn
  
  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 5:12 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir]
  
  You can set up auditing in AD on the GPOs themselves by setting the 
  SACLs...
  The accesses will show up in the security audit log. You 
 can likewise 
  set up auditing on the SYSVOL to track changes on the 
 files. Use your 
  favorite event log collector (e.g., Microsoft's MACS, which is in 
  Beta).
  But translating the resulting mess of event log entries into something
  meaningful will be a challenge. And you won't be able to tell
  specifically what was changed. Just that it was changed.
  
  -gil
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 3:00 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  
  Great, but anything built in to the OS?  Anyway I can point a finger
  at a DBA that is poking his hands where they do not belong.  Please
  don't ask why they have rights... aarrgghhh
  
  
  Shawn
  
  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 4:46 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir]
  
  FullArmor FAZAM GPO Auditor...  www.fullarmor.com
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 2:26 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir]
  
  
  I believe a GPO was modified by someone with the appropriate 'rights',
  but that person did not communicate changes were to be made and now we
  see some strange issues
  
  Issues are not the point of this question.  Does anyone 
 know of a way 
  to determine who modified the GPO?
  
  Thanks in 

RE: [ActiveDir]

2003-10-29 Thread Michael B. Smith
This is different than the MRS beta? (Which I'm running.) Sure sounds
like it... 

-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 

Microsoft Audit Collection System, formerly known by the codename DAD,
is a system for consolidating and analyzing security event logs.

It is a client/server application consisting of an agent, which is
implemented as a service running on the monitored machine, and a
collector, which runs as a service on a machine dedicated to that task.
The agent monitors the security log for changes and transmits new events
to the collector as they occur. The collector breaks the events apart
and loads them into a database in a manner optimized for later analysis.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 

I'm apparently way behind. WTF is MACS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Diane Ayers [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 10:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 I was waiting for BRO and SIS to come along too after MOM and DAD.
 Maybe they were too close to BOB and made someone nervous  :-)
 
 Diane
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, October 28, 2003 6:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 Shawn,
 
 Separate verification that what Gil is telling you is correct.  I've 
 needed to set up just the same to manage some issues with an Admin 
 that had rights that he really shouldn't have, yet was mandated by 
 management that he have them.  The only way to convince management was
 to prove that the problems being caused were coming from the careless
 actions of the Admin.
 
 On another note, code name for MACS before the name was settled on - 
 DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device
 was not a real Marketing win.  Not that I think Microsoft Audit
 Collection Server is all that much better...
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:16 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 File and Object auditing on the Sysvol and Policies directory 
 explicitly should do the trick???...At least this would show who was 
 making changes.
 At that point I can confront that person..
 
 Sound correct?
 
 Thanks Gil
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 5:12 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 You can set up auditing in AD on the GPOs themselves by setting the 
 SACLs...
 The accesses will show up in the security audit log. You can likewise 
 set up auditing on the SYSVOL to track changes on the files. Use your 
 favorite event log collector (e.g., Microsoft's MACS, which is in 
 Beta).
 But translating the resulting mess of event log entries into something
 meaningful will be a challenge. And you won't be able to tell
 specifically what was changed. Just that it was changed.
 
 -gil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 Great, but anything built in to the OS?  Anyway I can point a finger
 at a DBA that is poking his hands where they do not belong.  Please
 don't ask why they have rights... aarrgghhh
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 FullArmor FAZAM GPO Auditor...  www.fullarmor.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 2:26 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir]
 
 
 I believe a GPO was modified by someone with the appropriate 'rights',
 but that person did not communicate changes were to be made and now we
 see some strange issues
 
 Issues are not the point of this question.  Does anyone know of a way 
 to determine who modified the GPO?
 
 Thanks in advance,
 Shawn
 
 
 

[ActiveDir] Cached Credentials

2003-10-29 Thread Santhosh Sivarajan








Hi there,

I am trying to explain to a client the difference on the network between using Cached Credentials and Domain Credentials. I know a few things about group policy updates, such as password expiration notice, when using Cached Credentials.
What else, other than Group policy updates, won't happen when using Cached Credentials?
I couldn't find a good explanation or any technical documentation on this.

Can anyone give me a good technical explanation?

Thanks,

Santhosh








RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-10-29 Thread Mulnick, Al
Recursive lookups are doing what for you?  Are they handling the lookup for
you and returning the answer to the client for MX records or are they
referring your client?

My guess is that your web browsing works because of a proxy server or
firewall that has the ability to chase the records or is even just using the
external servers for name resolution (why ask an internal DNS server for an
external address right?) 

Is this the case? 

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS Lookup Problem - Windows 2003

I am having an issue with a Windows 2003 AD integrated DNS server doing
recursive lookups to find MX records for my outbound mail.
 
Prior to our AD deployment, we were running split brained DNS with Windows
2000 DNS servers internally and externally. Post upgrade, our internal DNS
moved to Windows 2003 DNS. Afterwards DNS lookups for web sites appeared to
work fine as you could surf the web etc. But in the case of our mail servers
and nslookup, all MX record requests would fail, thus blocking outbound
email. Using Google, TechNet, and a nice thick Windows 2003 book (William
Boswell's), I have to the best of my ability, confirmed that the internal
Windows 2003 DNS is setup to do recursive lookups for domains other than the
ones it hosts, and in the case of web browsing it does in fact work, even
after I clear the DNS caches of my internal servers.
 
To get MX lookups to function, I have had to set the internal servers to
forward to one of my two public DNS servers running Windows 2000 DNS. Once
done the MX lookups function again just as before. I will need to be
upgrading our public servers to Windows 2003 in the very near future and I
am afraid that once I do, the MX lookups will fail again. 
 
Has anyone else run into this? If not, any suggestions on places to look for
more info, or settings to confirm, would be MOST appreciated. I'd really
like/need to have my internal servers doing all of the lookups on their own.

Thanks for any assistance you can provide.

Miles 

---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
Show me a completely smooth operation and I'll show you someone who's
covering mistakes. Real boats rock. - Frank Herbert, Chapterhouse:Dune  

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Cached Credentials

2003-10-29 Thread Mulnick, Al



Anything domain related won't happen with cached 
credentials. By definition, you only need to use cached credentials when 
you are not able to contact a domain controller. If you can't contact a domain 
controller, you won't be able to authenticate to other machines because most 
likely they won't be able to either.

Is that too simplified? :)
Al


From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Credentials


Hi there,

I am trying to explain to a client the difference on the network between using Cached
Credentials and Domain Credentials. I know a few things about group policy updates, such as
password expiration notice, when using Cached Credentials.
What else, other than Group Policy updates, won't happen when using Cached Credentials?
I couldn't find a good explanation or any technical documentation on this.

Can anyone give me a good technical explanation?

Thanks,
Santhosh


RE: [ActiveDir]

2003-10-29 Thread Free, Bob
Still in beta. The beta 2 refresh was about 6 weeks ago. 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 

How far out of beta is it? 

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Free, Bob [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 29, 2003 2:08 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 Microsoft Audit Collection System, formerly known by the codename 
 DAD, is a system for consolidating and analyzing security event 
 logs.
 
 It is a client/server application consisting of an agent, which is 
 implemented as a service running on the monitored machine, and a 
 collector, which runs as a service on a machine dedicated to that 
 task.
 The agent monitors the security log for changes and transmits new 
 events to the collector as they occur. The collector breaks the events
 apart and loads them into a database in a manner optimized for later 
 analysis.
 
 -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 29, 2003 10:43 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 I'm apparently way behind. WTF is MACS?
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Diane Ayers [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 10:56 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  
  I was waiting for BRO and SIS to come along too after MOM and DAD.
  Maybe they were too close to BOB and made someone nervous  :-)
  
  Diane
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
 Rick Kingslan
  Sent: Tuesday, October 28, 2003 6:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  Shawn,
  
  Separate verification that what Gil is telling you is correct.  I've
  needed to set up just the same to manage some issues with an Admin 
  that had rights that he really shouldn't have, yet was mandated by 
  management that he have them.  The only way to convince management was
  to prove that the problems being caused were coming from the careless
  actions of the Admin.
  
  On another note, code name for MACS before the name was settled on -
  DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device
  was not a real Marketing win.  Not that I think Microsoft Audit 
  Collection Server is all that much better...
  
  Rick Kingslan  MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 4:16 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  File and Object auditing on the Sysvol and Policies directory 
  explicitly should do the trick???...At least this would
 show who was
  making changes.
  At that point I can confront that person..
  
  Sound correct?
  
  Thanks Gil
  
  
  Shawn
  
  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 5:12 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir]
  
  You can set up auditing in AD on the GPOs themselves by setting the 
  SACLs...
  The accesses will show up in the security audit log. You can likewise
  set up auditing on the SYSVOL to track changes on the files. Use your
  favorite event log collector (e.g., Microsoft's MACS, which is in 
  Beta).
  But translating the resulting mess of event log entries into something
  meaningful will be a challenge. And you won't be able to tell 
  specifically what was changed Just that it was changed.
  
  -gil
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 3:00 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir]
  
  
  Great, but anything built in to the OS?  Any way I can point a finger
  at a DBA that is poking his hands where they do not belong.  Please 
  don't ask why they have rights... aarrgghhh
  
  
  Shawn
  
  
  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 4:46 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir]
  
  FullArmor FAZAM GPO Auditor...  www.fullarmor.com
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, October 28, 2003 2:26 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir]
  
  
  I believe a GPO was modified by someone with the
 appropriate 'rights',
 
  but that person did not 

RE: [ActiveDir]

2003-10-29 Thread Free, Bob
Yep, different animal. Essentially for collecting DC security logs and
aggregating the content. 

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 

This is different than the MRS beta? (Which I'm running.) Sure sounds
like it... 

-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 

Microsoft Audit Collection System, formerly known by the codename DAD,
is a system for consolidating and analyzing security event logs.

It is a client/server application consisting of an agent, which is
implemented as a service running on the monitored machine, and a
collector, which runs as a service on a machine dedicated to that task.
The agent monitors the security log for changes and transmits new events
to the collector as they occur. The collector breaks the events apart
and loads them into a database in a manner optimized for later analysis.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 10:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 

I'm apparently way behind. WTF is MACS?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Diane Ayers [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 10:56 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 I was waiting for BRO and SIS to come along too after MOM and DAD.
 Maybe they were too close to BOB and made someone nervous  :-)
 
 Diane
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, October 28, 2003 6:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 Shawn,
 
 Separate verification that what Gil is telling you is correct.  I've 
 needed to set up just the same to manage some issues with an Admin 
 that had rights that he really shouldn't have, yet was mandated by 
 management that he have them.  The only way to convince management was
 to prove that the problems being caused were coming from the careless 
 actions of the Admin.
 
 On another note, code name for MACS before the name was settled on - 
 DAD. Meant to 'co-exist' with MOM, but Distributed Auditing Device
 was not a real Marketing win.  Not that I think Microsoft Audit 
 Collection Server is all that much better...
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:16 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 File and Object auditing on the Sysvol and Policies directory 
 explicitly should do the trick???...At least this would show who was 
 making changes.
 At that point I can confront that person..
 
 Sound correct?
 
 Thanks Gil
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 5:12 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 You can set up auditing in AD on the GPOs themselves by setting the 
 SACLs...
 The accesses will show up in the security audit log. You can likewise 
 set up auditing on the SYSVOL to track changes on the files. Use your 
 favorite event log collector (e.g., Microsoft's MACS, which is in 
 Beta).
 But translating the resulting mess of event log entries into something
 meaningful will be a challenge. And you won't be able to tell 
 specifically what was changed Just that it was changed.
 
 -gil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 3:00 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir]
 
 
 Great, but anything built in to the OS?  Any way I can point a finger 
 at a DBA that is poking his hands where they do not belong.  Please 
 don't ask why they have rights... aarrgghhh
 
 
 Shawn
 
 
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 4:46 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir]
 
 FullArmor FAZAM GPO Auditor...  www.fullarmor.com
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, October 28, 2003 2:26 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir]
 
 
 I believe a GPO was modified by someone with the appropriate 'rights',
 but that person did not communicate changes were to be made and now we
 see some strange issues
 
 Issues are not the point of this question.  Does anyone know of a way 
 to determine who modified the GPO?
 
 Thanks in advance,
 Shawn
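The SACL-based approach Gil and Rick describe (audit the GPO objects in AD, audit the SYSVOL files, then read the security log) in script form, as an added example rather than anything posted in the thread or shipped with MACS or FAZAM. It targets current Windows Server with the ActiveDirectory and GroupPolicy RSAT modules: the audit subcategory names and the event IDs 5136 (directory object changed) and 4663 (file accessed) are today's, not the Windows 2003 numbers the list would have seen, and the Policies container DN, the SYSVOL path and the choice of the PDC emulator as the log to read are derived from the domain, not taken from the thread.

```powershell
# Added example, not from the thread or from MACS/FAZAM. Requires the ActiveDirectory and
# GroupPolicy RSAT modules, SeSecurityPrivilege (to write SACLs) and rights on SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot
$polDN   = "CN=Policies,CN=System,$($domain.DistinguishedName)"   # parent of every groupPolicyContainer
$sysvol  = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"                  # file half of each GPO

# 1. Turn on the audit subcategories that generate the events read below.
#    "Directory Service Changes" -> 5136, "File System" -> 4663 (current Windows event IDs).
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable | Out-Null

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# 2. SACL on the Policies container (Gil's "auditing on the GPOs themselves"):
#    log successful writes/deletes by anyone, inherited by every GPO object under it.
$adRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, Delete, CreateChild, DeleteChild'
$adRule   = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $adRights, 'Success', 'All'
$adAcl    = Get-Acl -Path "AD:\$polDN" -Audit
$adAcl.AddAuditRule($adRule)
Set-Acl -Path "AD:\$polDN" -AclObject $adAcl

# 3. SACL on the SYSVOL Policies folder: registry.pol / GptTmpl.inf and friends live here.
$fsRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$fsRule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $everyone, $fsRights, 'ContainerInherit, ObjectInherit', 'None', 'Success'
$fsAcl    = Get-Acl -Path $sysvol -Audit
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $sysvol -AclObject $fsAcl

# 4. Reporting: pull 5136/4663 from the DC that takes GPMC writes (PDC emulator by default),
#    map the {GUID} in the object DN or file path back to the GPO display name, list who touched what.
function Get-GpoChangeReport {
    param([datetime]$Since = (Get-Date).AddDays(-1), [string]$Dc = $domain.PDCEmulator)
    $gpoNames = @{}
    Get-GPO -All | ForEach-Object { $gpoNames["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName }

    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 5136, 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $target = if ($_.Id -eq 5136) { $data.ObjectDN } else { $data.ObjectName }
        if ($target -match '\{[0-9A-Fa-f-]{36}\}') {
            $guid = $Matches[0].ToUpper()
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Who   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Gpo   = if ($gpoNames.ContainsKey($guid)) { $gpoNames[$guid] } else { $guid }
                What  = if ($_.Id -eq 5136) { "attribute $($data.AttributeLDAPDisplayName)" } else { $target }
                Event = $_.Id
            }
        }
      } | Sort-Object Time
}

Get-GpoChangeReport | Format-Table -AutoSize
```

Gil's caveat still partly applies: 5136 tells you which attribute of the groupPolicyContainer changed (typically versionNumber) and 4663 which file under SYSVOL was written, so you learn who and which GPO, but not the setting's old and new values. If you need a diff, take a Backup-GPO before and after and compare the exported reports.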
 

Re: [ActiveDir] Cached Credentials

2003-10-29 Thread Matjaz Ladava



Credential caching happens when you cannot contact a DC during the logon 
process. If that happens, your GPOs won't be applied and login scripts won't run. 
That doesn't necessarily mean that you won't be able to access the network: if only 
the DCs are unavailable and name resolution is working, you may still be able to 
access some network resources. Again, this depends on whether those resources need 
authentication or not. You always have the possibility to turn off cached credentials 
if you need to for security purposes.

Regards

Matjaz Ladava


  - Original Message - 
  From: Santhosh Sivarajan 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, October 29, 2003 8:20 PM
  Subject: [ActiveDir] Cached Credentials
  
  
  Hi there,
  
  I am trying to explain to a client the difference on the network between using Cached 
  Credentials and Domain Credentials. I know a few things about group policy updates, such as 
  password expiration notice, when using Cached Credentials. 
  What else, other than Group Policy updates, won't happen when using Cached Credentials? 
  I couldn't find a good explanation or any technical documentation on this.

  Can anyone give me a good technical explanation?
  
  Thanks,
  Santhosh


Re: [ActiveDir] AD Self-service User Management

2003-10-29 Thread Shad Gunderson
Mulnick, Al wrote:

That's not really self-service though is it?  I would consider self service
something that allows a request (anonymous web connection since they don't
have an account?) to be automatically sent into a workflow process and
approved and created or denied and a response sent back.  A response sent
regardless would be optimal but may not be practical if the user has not
account or email store.  
 

That is exactly the definition of self-service that I was operating under.

There are some things that have to be determined from the original post such
as who can make the request?  What's the bare minimum access and
communications that the requestor must have?  

How does the requestor make the request?
 

Well, the particulars haven't exactly been spelled out yet... While I 
agree with the former comments about data integrity within the 
directory, there seems to be some desire to automate this process as 
much as possible. I was really testing the waters to see how pervasive 
such tools were in deployment and who the players in the space are - in 
a brief afternoon of googling, I've discovered that vendors such as 
Novell, Waveset, BindView provide some level of solution to the question 
posed along with the roll-your-own approach that was described. Also 
some identity management products spill over in regards to 
functionality. I certainly have some more requirements gathering to do.

I personally can imagine various iterations of this: from a lowly manual 
process to an integrated work-flow of some complexity... but my 
assumption is that the individual will have some form of credential 
(Employee #, SS# (ew!) or some such) to validate his identity and this 
will pull the trigger to create system accounts on an AD DC.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-10-29 Thread ml.adlist
I may be using the wrong terminology to explain what I am trying to do. What I need it 
to do is for any domain request that the server receives that it is
not hosting, walk the tree through the root zones on to the correct DNS server and 
find the answer. The Windows 2000 DNS is doing this for everything. The
Windows 2003 DNS is not, which is what stumps me. We use PIX firewalls, no proxies. If 
the internal DNS is shut down, you can't get anything at all.

I just tried it again and got a very odd result. I setup my workstation to only use 
one of my DNS servers. I then set that DNS server to not forward to my
external servers, restarted the dns service and cleared its cache. Then I did a 
nslookup against it to bestbuy.com. I got replies for www.bestbuy.com, and
using 'set type=mx for bestbuy.com got the mx records. Without changing any settings 
I did the same to aol.com and it timed out with no reply (like most of
the domains). I then did the same with the server set to forward to my external DNS 
and got an instant reply. Below is the output.

Default Server:  atldc2.summitmg.com
Address:  10.100.x.x

> www.bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
Name:    a1103.gc.akamai.net
Addresses:  208.254.0.17, 208.254.0.32
Aliases:  www.bestbuy.com, www.bestbuy.com.edgesuite.net

> set type=mx
> bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

bestbuy.com     MX preference = 5, mail exchanger = tag5.bestbuy.com
bestbuy.com     MX preference = 5, mail exchanger = tag6.bestbuy.com
tag5.bestbuy.com        internet address = 205.215.216.98
tag6.bestbuy.com        internet address = 198.22.123.162
> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

DNS request timed out.
        timeout was 2 seconds.
*** Request to atldc2.summitmg.com timed-out

Below is after I set it to forward to my other server.

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

mailin-04.mx.aol.com    internet address = 64.12.136.153
mailin-04.mx.aol.com    internet address = 64.12.137.121
mailin-04.mx.aol.com    internet address = 64.12.137.152
mailin-04.mx.aol.com    internet address = 64.12.138.89
mailin-04.mx.aol.com    internet address = 64.12.138.152
mailin-04.mx.aol.com    internet address = 152.163.224.122
mailin-04.mx.aol.com    internet address = 205.188.156.154
mailin-01.mx.aol.com    internet address = 64.12.137.89
mailin-01.mx.aol.com    internet address = 64.12.137.184
mailin-01.mx.aol.com    internet address = 64.12.138.57
mailin-01.mx.aol.com    internet address = 64.12.138.152
mailin-01.mx.aol.com    internet address = 152.163.224.26
mailin-01.mx.aol.com    internet address = 205.188.156.122
mailin-01.mx.aol.com    internet address = 64.12.136.57
mailin-02.mx.aol.com    internet address = 64.12.138.120
mailin-02.mx.aol.com    internet address = 64.12.136.89
mailin-02.mx.aol.com    internet address = 64.12.136.121
mailin-02.mx.aol.com    internet address = 64.12.137.89
mailin-02.mx.aol.com    internet address = 64.12.137.184
mailin-02.mx.aol.com    internet address = 64.12.138.89
> www.aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
www.aol.com     canonical name = www.gwww.aol.com


I am REALLY confused now. It seems to be hit or miss, but misses the largest sites and 
jams up email as a result.

Miles
  
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Recursive lookups are doing what for you?  Are they handling the lookup for you and 
returning the answer to the client for MX records or are they referring
your client?

My guess is that your web browsing works because of a proxy server or firewall that 
has the ability to chase the records or is even just using the external
servers for name resolution (why ask an internal DNS server for an external address 
right?) 

Is this the case? 

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DNS Lookup Problem - Windows 2003

I am having an issue with a Windows 2003 AD integrated DNS server doing recursive 
lookups to find MX records for my outbound mail.
 
Prior to our AD deployment, we were running split brained DNS with Windows 2000 DNS 
servers internally and externally. Post upgrade, our internal DNS moved
to Windows 2003 DNS. Afterwards DNS lookups for web sites appeared to work fine as you 
could surf the web etc. But in the case of our mail servers and
nslookup, all MX record requests would fail, thus blocking outbound email. 

Re: [ActiveDir] Cached Credentials

2003-10-29 Thread Matjaz Ladava



But you could still access web servers and others. Not all 
network resources are file based ;-)

Regards

Matjaz Ladava

  - Original Message - 
  From: Rich Milburn 
  To: [EMAIL PROTECTED] 
  Sent: Wednesday, October 29, 2003 10:12 PM
  Subject: RE: [ActiveDir] Cached Credentials
  
  
  I think XP implements cached credentials as an optional performance enhancement (but I don't 
  remember where I read this). If the DCs are unavailable only GPO changes won't take effect; it 
  uses the old settings, at least it certainly appears to. The point about network resources is 
  if the DCs are unavailable then either you can't see the resource servers or, if you can, then 
  they can't see the DCs. In that case, you won't be able to use a resource (member) server 
  because it has to check your authentication against a DC. Null session shares or access using 
  local server accounts would still work, but not mail, etc.
  
  
  
  
  
  From: Matjaz Ladava [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, October 29, 2003 2:14 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Cached Credentials
  
  
  Credential caching happens when you cannot contact a DC during the logon process. If that 
  happens, your GPOs won't be applied and login scripts won't run. That doesn't necessarily mean 
  that you won't be able to access the network: if only the DCs are unavailable and name 
  resolution is working, you may still be able to access some network resources. Again, this 
  depends on whether those resources need authentication or not. You always have the possibility 
  to turn off cached credentials if you need to for security purposes.
  
  
  
  Regards
  
  
  
  Matjaz 
  Ladava
  
  
  

- Original Message - 
From: Santhosh Sivarajan 
To: [EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 8:20 PM
Subject: [ActiveDir] Cached Credentials

Hi there,

I am trying to explain to a client the difference on the network between using Cached 
Credentials and Domain Credentials. I know a few things about group policy updates, such as 
password expiration notice, when using Cached Credentials. 
What else, other than Group Policy updates, won't happen when using Cached Credentials? 
I couldn't find a good explanation or any technical documentation on this.

Can anyone give me a good technical explanation?

Thanks,
Santhosh


RE: [ActiveDir] Cached Credentials

2003-10-29 Thread Santhosh Sivarajan









Yes it is.. "Anything domain related won't happen". I am looking for more information about
those "domain related" stuff. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 29, 2003 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Cached Credentials



Anything domain related won't happen with cached credentials. By definition, you only need to use
cached credentials when you are not able to contact a domain controller. If you
can't contact a domain controller, you won't be able to authenticate to other
machines because most likely they won't be able to either.

Is that too simplified? :)

Al









From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Credentials

Hi there,

I am trying to explain to a client the difference on the network between using Cached
Credentials and Domain Credentials. I know a few things about group policy updates, such as
password expiration notice, when using Cached Credentials.
What else, other than Group Policy updates, won't happen when using Cached Credentials?
I couldn't find a good explanation or any technical documentation on this.

Can anyone give me a good technical explanation?

Thanks,
Santhosh








RE: [ActiveDir] Cached Credentials

2003-10-29 Thread Mulnick, Al



Ah. Then like I said about network resources: 
assuming the DC is unavailable to more than just your workstation, network 
resources that rely on AD authentication would be unavailable, you wouldn't get 
GPOs and login scripts, and possibly an IP address if you have to 
authenticate the computer account (depends on your settings). Other 
things, such as RIS images etc., would also not be published to you. If you 
did get an address, you wouldn't be able to update your DNS entry if set up for 
secure DDNS. 

I doubt that's a complete list, but it's what comes to 
mind. 

Al


From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 4:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Credentials


Yes it is.. "Anything domain related won't happen". I am looking for more 
information about those "domain related" stuff. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 29, 2003 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Cached Credentials

Anything domain related won't happen with cached credentials. By definition, you 
only need to use cached credentials when you are not able to contact a domain 
controller. If you can't contact a domain controller, you won't be able to 
authenticate to other machines because most likely they won't be able to 
either.

Is that too simplified? :)
Al




From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Credentials

Hi there,

I am trying to explain to a client the difference on the network between using Cached 
Credentials and Domain Credentials. I know a few things about group policy updates, such as 
password expiration notice, when using Cached Credentials. 
What else, other than Group Policy updates, won't happen when using Cached Credentials? 
I couldn't find a good explanation or any technical documentation on this.

Can anyone give me a good technical explanation?

Thanks,
Santhosh
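The two knobs Matjaz and Al refer to (was this logon satisfied from the cache, and turning caching off) as an added PowerShell example; nothing below is from the thread. It assumes a domain-joined Windows client and local administrator rights for the write. The registry value is CachedLogonsCount under Winlogon, which is what the Group Policy setting "Interactive logon: Number of previous logons to cache" writes; the LOGONSERVER test and the nltest string match are assumptions worth verifying on your own build.

```powershell
# Added example, not from the thread. Domain-joined Windows client, PowerShell 3+;
# Set-CachedLogonsCount needs local administrator rights.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonState {
    # CachedLogonsCount is a REG_SZ; absent means the default of 10, "0" disables caching.
    # It is the value the policy "Interactive logon: Number of previous logons to cache" writes.
    $count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10 (default, value absent)' }

    # LOGONSERVER names the DC that validated this logon; a logon satisfied from the cache
    # sets it to the local machine instead. (Assumption: verify on your build.)
    $thisLogonCached = ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")

    # Machine-account view of "can a DC be reached right now": the secure-channel test.
    $sc = (& nltest "/sc_query:$env:USERDNSDOMAIN" 2>$null) -join ' '
    $dcReachable = $sc -match 'NERR_Success'

    [pscustomobject]@{
        CachedLogonsCount = $count
        LogonServer       = $env:LOGONSERVER
        ThisLogonCached   = $thisLogonCached
        DcReachableNow    = $dcReachable
        SecureChannel     = $sc
    }
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    # 0 is Matjaz's "turn off cached credentials": no logon at all without a DC.
    # 1 or 2 keeps offline logon for the primary user while limiting how many users'
    # cached verifiers (MSCache/DCC hashes under HKLM\SECURITY\Cache) sit on the box.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$Count) -Type String
    # If Group Policy sets the same value, the policy wins at the next refresh; change it there instead.
}

Get-CachedLogonState
```

The security reason for lowering the count is that the cached verifiers in HKLM\SECURITY\Cache are readable by anything running as SYSTEM on the machine and can be cracked offline; the cost, which is the trade-off Matjaz alludes to, is that a laptop with the value at 0 cannot log on at all without a DC.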


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-10-29 Thread Fugleberg, David A
Perhaps I missed something in quickly reading this thread, but is it possible that you 
were still able to get answers for bestbuy.com simply because they were already in the 
caching resolver on your workstation?  You mentioned that you removed the forwarders, 
cleared cache, and restarted the DNS service on the internal DNS server, but you 
didn't say whether you also cleared the cache on the workstation (ipconfig /flushdns). 
 I've been bitten by that more than once while troubleshooting DNS...
Dave

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003


I may be using the wrong terminology to explain what I am trying to do. What I need it 
to do is for any domain request that the server receives that it is
not hosting, walk the tree through the root zones on to the correct DNS server and 
find the answer. The Windows 2000 DNS is doing this for everything. The
Windows 2003 DNS is not, which is what stumps me. We use PIX firewalls, no proxies. If 
the internal DNS is shut down, you can't get anything at all.

I just tried it again and got a very odd result. I setup my workstation to only use 
one of my DNS servers. I then set that DNS server to not forward to my
external servers, restarted the dns service and cleared its cache. Then I did a 
nslookup against it to bestbuy.com. I got replies for www.bestbuy.com, and
using 'set type=mx for bestbuy.com got the mx records. Without changing any settings 
I did the same to aol.com and it timed out with no reply (like most of
the domains). I then did the same with the server set to forward to my external DNS 
and got an instant reply. Below is the output.

Default Server:  atldc2.summitmg.com
Address:  10.100.x.x

> www.bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
Name:    a1103.gc.akamai.net
Addresses:  208.254.0.17, 208.254.0.32
Aliases:  www.bestbuy.com, www.bestbuy.com.edgesuite.net

> set type=mx
> bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

bestbuy.com     MX preference = 5, mail exchanger = tag5.bestbuy.com
bestbuy.com     MX preference = 5, mail exchanger = tag6.bestbuy.com
tag5.bestbuy.com        internet address = 205.215.216.98
tag6.bestbuy.com        internet address = 198.22.123.162
> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

DNS request timed out.
        timeout was 2 seconds.
*** Request to atldc2.summitmg.com timed-out

Below is after I set it to forward to my other server.

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

mailin-04.mx.aol.com    internet address = 64.12.136.153
mailin-04.mx.aol.com    internet address = 64.12.137.121
mailin-04.mx.aol.com    internet address = 64.12.137.152
mailin-04.mx.aol.com    internet address = 64.12.138.89
mailin-04.mx.aol.com    internet address = 64.12.138.152
mailin-04.mx.aol.com    internet address = 152.163.224.122
mailin-04.mx.aol.com    internet address = 205.188.156.154
mailin-01.mx.aol.com    internet address = 64.12.137.89
mailin-01.mx.aol.com    internet address = 64.12.137.184
mailin-01.mx.aol.com    internet address = 64.12.138.57
mailin-01.mx.aol.com    internet address = 64.12.138.152
mailin-01.mx.aol.com    internet address = 152.163.224.26
mailin-01.mx.aol.com    internet address = 205.188.156.122
mailin-01.mx.aol.com    internet address = 64.12.136.57
mailin-02.mx.aol.com    internet address = 64.12.138.120
mailin-02.mx.aol.com    internet address = 64.12.136.89
mailin-02.mx.aol.com    internet address = 64.12.136.121
mailin-02.mx.aol.com    internet address = 64.12.137.89
mailin-02.mx.aol.com    internet address = 64.12.137.184
mailin-02.mx.aol.com    internet address = 64.12.138.89
> www.aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
www.aol.com     canonical name = www.gwww.aol.com


I am REALLY confused now. It seems to be hit or miss, but misses the largest sites and 
jams up email as a result.

Miles
  
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Recursive lookups are doing what for you?  Are they handling the lookup for you and 
returning the answer to the client for MX records or are they referring
your client?

My guess is that your web browsing works because of a proxy server or firewall that 
has the ability to chase the records or is even just using the external
servers for name resolution (why ask an internal DNS server for an external address 
right?) 

Is this the case? 
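Dave's point about the workstation cache and Al's question about whether the server is really recursing can be settled with one script. The following is an added example, not from the thread, written against the DnsClient and DnsServer PowerShell modules on Windows Server 2012 or later, so it is the modern equivalent of the nslookup session above rather than something that would run on the 2003 box. The server name reuses atldc2.summitmg.com from the thread; the public resolver address, the use of a.root-servers.net for the reachability check, and WinRM access to the DNS server are assumptions.

```powershell
# Added example, not from the thread. Requires: DnsClient module (any supported Windows),
# DnsServer module (RSAT DNS tools), and WinRM to the DNS server for step 4.
$internalDns   = 'atldc2.summitmg.com'   # server under test (name taken from the thread)
$publicDns     = '8.8.8.8'               # reference recursive resolver (assumption)
$domainsToTest = 'bestbuy.com', 'aol.com'

function Test-MxRecursion {
    param([string]$Server, [string[]]$Domains)
    foreach ($d in $Domains) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly and -NoHostsFile bypass LLMNR/NetBIOS and the hosts file, so the
            # answer (or the timeout) really comes from $Server.
            $ans    = Resolve-DnsName -Name $d -Type MX -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
            $mx     = ($ans | Where-Object { $_.Type -eq 'MX' } | ForEach-Object { $_.NameExchange }) -join ','
            $status = 'ok'
        } catch {
            $mx = ''; $status = $_.Exception.Message
        }
        $sw.Stop()
        [pscustomobject]@{ Server = $Server; Domain = $d; Ms = $sw.ElapsedMilliseconds; Status = $status; MX = $mx }
    }
}

# 1. Dave's point: flush the workstation cache (and the server's) first, or a stale answer
#    looks like working recursion.
Clear-DnsClientCache
Clear-DnsServerCache -ComputerName $internalDns -Force

# 2. Same query against both servers. Public resolver answers + internal times out
#    means the internal server's recursion path is the problem, not the target zone.
Test-MxRecursion -Server $internalDns -Domains $domainsToTest | Format-Table -AutoSize
Test-MxRecursion -Server $publicDns   -Domains $domainsToTest | Format-Table -AutoSize

# 3. Server-side settings that decide whether and how it recurses: recursion on/off and its
#    timeouts, forwarders (and whether root hints are used when they fail), root hints, EDNS.
Get-DnsServerRecursion -ComputerName $internalDns | Format-List Enable, Timeout, RetryInterval, AdditionalTimeout
Get-DnsServerForwarder -ComputerName $internalDns | Format-List IPAddress, UseRootHint, Timeout
Get-DnsServerRootHint  -ComputerName $internalDns | Select-Object -First 3
Get-DnsServerEDns      -ComputerName $internalDns | Format-List EnableProbes, EnableReception

# 4. Can the DNS server itself reach a root server on 53/tcp? An edge firewall that only allows
#    DNS from the server to its forwarders gives exactly "forwarding works, recursion times out".
#    (TCP only; UDP reachability is inferred from step 2.) Needs WinRM on the DNS server.
Invoke-Command -ComputerName $internalDns -ScriptBlock {
    Test-NetConnection -ComputerName a.root-servers.net -Port 53 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
}
```

One detail worth checking specifically on a Windows Server 2003 DNS server behind a PIX, since the lookups that fail in the thread are the ones with large answers: Windows Server 2003 DNS sends EDNS0 probes (Microsoft KB 832223 covers the symptom), and a firewall that drops UDP DNS packets larger than 512 bytes makes exactly those recursive queries time out while the same query through a forwarder succeeds. On 2003 `dnscmd /Config /EnableEDnsProbes 0` turns the probes off; on current versions Get-DnsServerEDns above shows the setting.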


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-10-29 Thread Mulnick, Al
I'm guessing, but the timeout may be just that: a timeout while waiting for
the recursive query to finish.  I believe by default you only have a count
of 5 to get the answer or fail and you may be over that limit.  When you
make the request, if the result is returned, it gets cached and that would
explain why next time you try it's there and would also explain why your
queries sometimes work to large organizations and sometimes fail - it's
cached and able to be retrieved fast enough to be under the timeout.  

Al  

 

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 3:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

I may be using the wrong terminology to explain what I am trying to do. What
I need it to do is for any domain request that the server receives that it
is not hosting, walk the tree through the root zones on to the correct DNS
server and find the answer. The Windows 2000 DNS is doing this for
everything. The Windows 2003 DNS is not, which is what stumps me. We use PIX
firewalls, no proxies. If the internal DNS is shut down, you can't get
anything at all.

I just tried it again and got a very odd result. I setup my workstation to
only use one of my DNS servers. I then set that DNS server to not forward to
my external servers, restarted the dns service and cleared its cache. Then I
did an nslookup against it to bestbuy.com. I got replies for www.bestbuy.com,
and using 'set type=mx' for bestbuy.com got the mx records. Without changing
any settings I did the same to aol.com and it timed out with no reply (like
most of the domains). I then did the same with the server set to forward to
my external DNS and got an instant reply. Below is the output.

Default Server:  atldc2.summitmg.com
Address:  10.100.x.x

> www.bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
Name:    a1103.gc.akamai.net
Addresses:  208.254.0.17, 208.254.0.32
Aliases:  www.bestbuy.com, www.bestbuy.com.edgesuite.net

> set type=mx
> bestbuy.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

bestbuy.com MX preference = 5, mail exchanger = tag5.bestbuy.com
bestbuy.com MX preference = 5, mail exchanger = tag6.bestbuy.com
tag5.bestbuy.com    internet address = 205.215.216.98
tag6.bestbuy.com    internet address = 198.22.123.162
> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

DNS request timed out.
timeout was 2 seconds.
*** Request to atldc2.summitmg.com timed-out

Below is after I set it to forward to my other server.

> aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

mailin-04.mx.aol.com    internet address = 64.12.136.153
mailin-04.mx.aol.com    internet address = 64.12.137.121
mailin-04.mx.aol.com    internet address = 64.12.137.152
mailin-04.mx.aol.com    internet address = 64.12.138.89
mailin-04.mx.aol.com    internet address = 64.12.138.152
mailin-04.mx.aol.com    internet address = 152.163.224.122
mailin-04.mx.aol.com    internet address = 205.188.156.154
mailin-01.mx.aol.com    internet address = 64.12.137.89
mailin-01.mx.aol.com    internet address = 64.12.137.184
mailin-01.mx.aol.com    internet address = 64.12.138.57
mailin-01.mx.aol.com    internet address = 64.12.138.152
mailin-01.mx.aol.com    internet address = 152.163.224.26
mailin-01.mx.aol.com    internet address = 205.188.156.122
mailin-01.mx.aol.com    internet address = 64.12.136.57
mailin-02.mx.aol.com    internet address = 64.12.138.120
mailin-02.mx.aol.com    internet address = 64.12.136.89
mailin-02.mx.aol.com    internet address = 64.12.136.121
mailin-02.mx.aol.com    internet address = 64.12.137.89
mailin-02.mx.aol.com    internet address = 64.12.137.184
mailin-02.mx.aol.com    internet address = 64.12.138.89
> www.aol.com
Server:  atldc2.summitmg.com
Address:  10.100.x.x

Non-authoritative answer:
www.aol.com canonical name = www.gwww.aol.com


I am REALLY confused now. It seems to be hit or miss, but misses the largest
sites and jams up email as a result.

Miles
  
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:37 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Recursive lookups are doing what for you?  Are they handling the lookup for
you and returning the answer to the client for MX records or are they
referring your client?

My guess is that your web browsing works because of a proxy server or
firewall that has the ability to chase the records or is even just using the
external servers for name resolution (why ask an internal DNS server for an
external address right?) 

Is this the case? 
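The by-hand nslookup procedure in this thread (one server, forwarders off, then on, same domains), as an added PowerShell example that is not from any of the posters: it runs the MX lookups against one server and records answer, timeout or "does not exist" with timing, and reports the server-side recursion timeout settings that Al's guess points at. It assumes the DnsClient and DnsServer modules (these cmdlets postdate the thread) and the server names are placeholders.

```powershell
# Added example (not from the thread): repeat the post's nslookup test for a
# list of domains against one DNS server and keep the outcome per domain.
# Assumes Resolve-DnsName (DnsClient module, Windows 8/2012+) and
# Get-DnsServerRecursion (DnsServer module). Server names are placeholders.

function Test-MxResolution {
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [Parameter(Mandatory)][string]$Server,
        [switch]$NoRecursion   # ask the server to answer only from cache/authority
    )
    foreach ($domain in $Domains) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly skips LLMNR/NetBIOS; -QuickTimeout keeps one dead lookup
            # from stalling the whole run the way the 2-second nslookup timeouts did.
            $answer = Resolve-DnsName -Name $domain -Type MX -Server $Server `
                          -DnsOnly -QuickTimeout -NoRecursion:$NoRecursion -ErrorAction Stop
            $mx     = @($answer | Where-Object { $_.Type -eq 'MX' })
            $status = if ($mx.Count -gt 0) { 'OK' } else { 'NoMX' }
            $hosts  = ($mx | Sort-Object Preference | ForEach-Object { $_.NameExchange }) -join ', '
        } catch {
            # The error text distinguishes a timeout from a definitive "does not exist",
            # which is the difference between a slow recursion and a real NXDOMAIN.
            $status = $_.Exception.Message
            $hosts  = ''
        }
        $sw.Stop()
        [pscustomobject]@{
            Domain = $domain
            Server = $Server
            Status = $status
            Ms     = $sw.ElapsedMilliseconds
            MX     = $hosts
        }
    }
}

# Recursion settings on the DNS server itself (needs DNS admin rights);
# Timeout and RetryInterval are what a slow upstream chain runs into.
function Get-RecursionSettings {
    param([Parameter(Mandatory)][string]$Server)
    Get-DnsServerRecursion -ComputerName $Server |
        Select-Object Enable, Timeout, RetryInterval, AdditionalTimeout
}

# Constructed sample list taken from the post; run once with forwarders
# disabled on the DC and once with them enabled, then compare Status and Ms.
$domains = 'bestbuy.com', 'aol.com'
Test-MxResolution -Domains $domains -Server 'dc1.example.internal' | Format-Table -AutoSize
Get-RecursionSettings -Server 'dc1.example.internal'
```

Running the same list a second time right away shows the caching effect Al describes: a domain that timed out and then succeeds in a few milliseconds was answered from cache, not resolved faster.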


RE: [ActiveDir] AD Self-service User Managment

2003-10-29 Thread Mulnick, Al
You may also want to look at some of the ISP players such as Abridean and
see what they can do for you.  

From a process perspective I would never consider SSN or any other public
personal knowledge to be used for the identification process of a user due
to security and privacy concerns.  I would be more comfortable with a
process that sends snail mail to a user and they use that to create the
account else something that is generated on a web page that keeps their
information anonymous. 

It's a sticky situation to figure out for sure.


Al 

-Original Message-
From: Shad Gunderson [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 29, 2003 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Self-service User Managment

Mulnick, Al wrote:

That's not really self-service though is it?  I would consider self 
service something that allows a request (anonymous web connection since 
they don't have an account?) to be automatically sent into a workflow 
process and approved and created or denied and a response sent back.  A 
response sent regardless would be optimal but may not be practical if 
the user has no account or email store.
  

That is exactly the definition of self-service that I was operating under.

There are some things that have to be determined from the original post 
such as who can make the request?  What's the bare minimum access and 
communications that the requestor must have?

How does the requestor make the request?
  

Well, the particulars haven't exactly been spelled out yet... While I agree
with the former comments about data integrity within the directory, there
seems to be some desire to automate this process as much as possible. I was
really testing the waters to see how pervasive such tools were in deployment
and who the players in the space are - in a brief afternoon of googling,
I've discovered that vendors such as Novell, Waveset, BindView provide some
level of solution to the question posed along with the roll-your-own
approach that was described. Also some identity management products spill
over in regards to functionality. I certainly have some more requirements
gathering to do.

I personally can imagine various iterations of this: from a lowly manual
process to an integrated work-flow of some complexity... but my assumption
is that the individual will have some form of credential (Employee #, SS#
(ew!) or some such) to validate his identity and this will pull the trigger
to create system accounts on an AD DC.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Cached Credentials

2003-10-29 Thread Santhosh Sivarajan
Thanks Al. At least I have 3 or 4 items on my list now. I am looking for more
information. I couldn't find any technical documentation on this.

Santhosh


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 29, 2003 4:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Cached Credentials

Ah. Then like I said about network resources: assuming the DC is unavailable
to more than just your workstation, network resources that rely on AD
authentication would be unavailable, you wouldn't get GPOs and login scripts,
and possibly an IP address if you have to authenticate the computer account
(depends on your settings). Other things, such as RIS images etc. would also
not be published to you. If you did get an address, you wouldn't be able to
update your DNS entry if set up for secure DDNS.

I doubt that's a complete list, but it's what comes to mind.

Al

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 4:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cached Credentials

Yes it is. Anything domain related won't happen. I am looking for more
information about that domain-related stuff.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, October 29, 2003 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Cached Credentials

Anything domain related won't happen with cached credentials. By definition,
you only need to use cached credentials when you are not able to contact a
domain controller. If you can't contact a domain controller, you won't be able
to authenticate to other machines because most likely they won't be able to
either.

Is that too simplified? :)

Al

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 29, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cached Credentials

Hi there,

I am trying to explain to a client the difference on the network between using
Cached Credentials and Domain Credentials. I know a few things about group
policy updates, such as password expiration notice, when using Cached
Credentials. What else, other than Group policy updates, won't happen when
using Cached Credentials? I couldn't find a good explanation or any technical
documentation on this.

Can anyone give me a good technical explanation?

Thanks,

Santhosh


RE: [ActiveDir] Setting up Sites

2003-10-29 Thread David Adner
> The best way to minimize the amount of replication traffic is by
> centralizing your Domain Controllers. Have you considered the possibility
> of not placing any DCs in location 3?

The 3rd site is for disaster recovery, so we need to have local DC's there
if only for that.

> This topology has the following benefits:
>    * Changes are replicated only once (most of the time) from and to s3
> because s1 and s2 replicate more frequently and will keep each other up
> to date. So changes sent from s3 to s1 will not be replicated again from
> s3 to s2 because s1 has already sent the info to s2.

I originally planned to allow replication to occur 24 hours a day to allow
for the shortest convergence time possible.  But your suggestion does have some
benefit that we'll have to consider.

> HOWEVER ... I would strongly recommend to seriously consider the most
> simple alternative. Implement s3 and connect this one to the default
> sitelink.

This will effectively make a full mesh type configuration, right?  We
aren't too afraid of over-utilizing the link to Site 3, but we still want
to limit traffic wherever possible.  However, am I really saving anything
by establishing a second site link with a higher cost with just 3 sites?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Cached Credentials

2003-10-29 Thread Marcus Oh
Hey Al,

Can you elaborate on what you mean with the "possibly an ip address if you
have to authenticate the computer account (depends on your settings)" remark?
I'm curious if this is a function natively of Windows, or if you're
referring to some type of authentication method like ACS or 802.1x stuff?

Thanks!

-m


RE: [ActiveDir] GPOs and additional sites

2003-10-29 Thread Marcus Oh
Gil, does this also apply if the binaries are stored in an alternate
location such as Dfs?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 29, 2003 1:16 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPOs and additional sites

Oliver,

The GPO processing on the client side includes a short test to determine the
available bandwidth to the authenticating DC. If the bandwidth is below a
certain threshold, the costlier bits of GPO processing such as application
deployment will not be applied.

See http://support.microsoft.com/default.aspx?scid=kb;EN-US%3B227260
And http://support.microsoft.com/default.aspx?scid=kb;EN-US;227369

-gil

Gil Kirkpatrick
CTO, NetPro
Author of Active Directory Programming 

Find AD problems you don't even know you have!
Register today for NetPro's FREE 
DirectoryAnalyzer Rapid Deployment Program!
www.netpro.com/welcome/rapid/index.cfm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Wednesday, October 29, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPOs and additional sites


Whilst tinkering (read breaking) AD now that we have multiple sites setup in
it, I was wondering this;

We have a GPO that installs SP4 by way of an msi file. Now that the Scottish
office has been brought into the fold, and the DNS is working so that all
machines can resolve all other names on the network, is it likely that
when/if they reboot the SP4 install will be sent via the not-so-quick
256kbps line to Scotland?

On that note, if a user with a roaming profile from the southern office goes
to log on to Scotland's workstations (happens often) will his machine attempt
to download the profile from the servers in the southern office thereby
flooding the line with stuff?

Eeek

Olly

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] DNS Record Timestamp

2003-10-29 Thread Marcus Oh
Curious if anyone knows if the DNS record timestamp can be exposed by
script?  I'm working on a script to delete old machine accounts.  Problem
is, machine account age is not always accurate based on the last password
change date.  I'd like to do a query against DNS and examine the record
timestamp as a secondary checkpoint prior to deleting the machine account.

Any ideas?  :-)

[ActiveDir] sites, site links, site link bridges

2003-10-29 Thread Thommes, Michael M.
Hi All,
 I have been struggling with a problem concerning sites.  Hopefully someone out 
there will point out where I am going wrong.  I have 3 sites: West, Central and East.  
West/Central are connected via T1; Central/East are also connected via T1.  One DC (A) 
in West, one DC (Z) in East, lots of DCs (B-Y) in Central.  I have identified a 
preferred bridgehead server for each of the sites.  We use IP protocol.  I have 
disabled automatic site bridging because of interdivisional firewall issues that 
exist.  I would like: 1) A to only talk to K and 2) Z to only talk to N.  For some 
reason with my current configuration, A wants to talk to Z (and vice versa) and they 
generate lots of errors because of poor connectivity or maybe no connectivity since 
conduits don't exist for these connections.  How do I get A and Z to only replicate 
with their preferred bridgehead partners in Central?  Thanks much!
 
Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DNS Record Timestamp

2003-10-29 Thread Robbie Allen
There are a couple of ways you can get it.  If you are a command line
hacker, you could use this:
dnscmd . /enumrecords rallencorp.com foobar /detail | findstr dwTimeStamp

If you are looking to do it via VBScript or Perl, then you'll want to look
at the MicrosoftDNS_ResourceRecord WMI class.  It has a Timestamp property:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/microsoftdns_resourcerecord.asp

BTW, in what situation does password change date not work if you use a
sufficiently long expiration period?

Robbie Allen
http://www.rallenhome.com/

  -Original Message-
 From: Marcus Oh [mailto:[EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] ] 
 Sent: Wednesday, October 29, 2003 8:54 PM
 To:   [EMAIL PROTECTED]
 Subject:  [ActiveDir] DNS Record Timestamp
 
 Curious if anyone knows if the DNS record timestamp can be exposed by
 script?  I'm working on a script to delete old machine accounts.  Problem
 is, machine account age is not always accurate based on the last password
 change date.  I'd like to do a query against DNS and examine the record
 timestamp as a secondary checkpoint prior to deleting the machine account.
 
 Any ideas?  :-)
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
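An added example, not Robbie's or Marcus's code, that uses the timestamp of the MicrosoftDNS_ResourceRecord WMI class Robbie points at as the secondary check before a machine account is treated as stale. It assumes RSAT's Get-ADComputer, WMI access to the DNS server, and that TimeStamp counts hours since 1601-01-01 UTC with 0 for static records; the zone and server names are placeholders.

```powershell
# Added example (not from the thread): cross-check a computer account's
# pwdLastSet against the dynamic DNS record timestamp before calling it stale.
# Assumes Get-ADComputer (RSAT), WMI access to the DNS server's
# root\MicrosoftDNS namespace, and (assumption) that TimeStamp is hours since
# 1601-01-01 UTC with 0 for static records. Zone/server names are placeholders.

function Get-DnsRecordTimestamp {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$DnsServer
    )
    # MicrosoftDNS_AType is the A-record subclass of MicrosoftDNS_ResourceRecord.
    $filter = "ContainerName='$Zone' AND OwnerName='$HostName.$Zone'"
    $rec = Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
               -Class MicrosoftDNS_AType -Filter $filter | Select-Object -First 1
    # No record, or a static record (TimeStamp 0): DNS cannot vouch for the host.
    if (-not $rec -or $rec.TimeStamp -eq 0) { return $null }
    $epoch = [datetime]::SpecifyKind([datetime]'1601-01-01', 'Utc')
    return $epoch.AddHours([double]$rec.TimeStamp)
}

function Test-StaleComputer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$DnsServer,
        [int]$MaxAgeDays = 90
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxAgeDays)

    # pwdLastSet is a FILETIME (100 ns ticks since 1601); 0 means never set.
    $acct       = Get-ADComputer -Identity $Name -Properties pwdLastSet
    $pwdLastSet = [datetime]::FromFileTimeUtc([int64]$acct.pwdLastSet)

    $dnsStamp = Get-DnsRecordTimestamp -HostName $Name -Zone $Zone -DnsServer $DnsServer

    # Stale only when the password age says so AND DNS has not seen a refresh
    # either: a recent dynamic update means the host is still on the network
    # even if its machine password has not rolled (the case Marcus describes).
    $pwdStale = $pwdLastSet -lt $cutoff
    $dnsStale = ($null -eq $dnsStamp) -or ($dnsStamp -lt $cutoff)

    [pscustomobject]@{
        Name       = $Name
        PwdLastSet = $pwdLastSet
        DnsStamp   = $dnsStamp
        Stale      = $pwdStale -and $dnsStale
    }
}

# List candidates for review; do not pipe this straight into Remove-ADComputer.
Test-StaleComputer -Name 'WS01' -Zone 'corp.example' -DnsServer 'dns01.corp.example' -MaxAgeDays 90
```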


[ActiveDir] OT: Windows Standard Server 2003 or Enterprise Server 2003 as DCs

2003-10-29 Thread Mike Baudino
Folks,

Dumb question but one that for some strange reason we can't get a
definitive answer about.  Xeon processors with hyperthreading seem to
appear as two processors instead of one to both Windows 2000 Server and
Server 2003.  I thought that 2003 would be able to differentiate between
the physical processors and the virtual processors.  In addition, I've seen
conflicting documentation on Microsoft's site stating that Standard Server
2003 supports up to two processors and supports up to four processors.

That said, if we are building HP DL380G3's with hyperthreading would we
need Enterprise Server 2003 or Standard?  We're planning on using them for
domain controllers and we're trying to remember why we ordered Enterprise
Server 2003 when it appears that the much less expensive Standard Server
2003 would suffice.

We're running DL380G3's and BL20pG2's with two processors and Standard
Server 2003 seems to be running fine.  But is it taking full advantage of
the processors or running in some sort of crippled mode where it doesn't
utilize the hyperthreading?  Perfmon seems to show that it's using both of
the physicals and both of the virtuals...but...

Any info would be appreciated.


Thanks,
Mike



*** PLEASE NOTE ***
This E-Mail/telefax message and any documents accompanying this
transmission may contain privileged and/or confidential information and is
intended solely for the addressee(s) named above.  If you are not the
intended addressee/recipient, you are hereby notified that any use of,
disclosure, copying, distribution, or reliance on the contents of this
E-Mail/telefax information is strictly prohibited and may result in legal
action against you. Please reply to the sender advising of the error in
transmission and immediately delete/destroy the message and any
accompanying documents.  Thank you.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Windows Standard Server 2003 or Enterprise Server 2003 as DCs

2003-10-29 Thread Charlie Kaiser
I talked to Compaq/HP (whatever you want to call them this week) about this
issue since we saw the same thing when we bought ours. Same scenario. We
went with Standard Edition for our DCs since there was no performance hit
due to the hyperthreading issue, according to their support dept and what I
could find on their site and at MS.
There's a paper available at:
http://www.microsoft.com/whdc/hwdev/platform/proc/HT-Windows.mspx
That talks about the licensing bit as well as a lot of tech info, but you
don't need Enterprise for that server.
Running fine for me...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 
 That said, if we are building HP DL380G3's with 
 hyperthreading would we need Enterprise Server 2003 or 
 Standard?  We're planning on using them for domain 
 controllers and we're trying to remember why we ordered 
 Enterprise Server 2003 when it appears that the much less 
 expensive Standard Server 2003 would suffice.
 
 We're running DL380G3's and BL20pG2's with two processors and 
 Standard Server 2003 seems to be running fine.  But is it 
 taking full advantage of the processors or running in some 
 sort of crippled mode where it doesn't utilize the 
 hyperthreading?  Perfmon seems to show that it's using both 
 of the physicals and both of the virtuals...but...
 Mike
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Windows Standard Server 2003 or Enterprise Server 2003 as DCs

2003-10-29 Thread Mike Baudino
Charlie,

Thanks much.  It's what I thought but just needed to be sure.  The document
explains it well too.  Budgeting for a rollout and would hate to get that
simple piece of the puzzle wrong...


Mike

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Windows Standard Server 2003 or Enterprise Server 2003 as DCs

2003-10-29 Thread Charlie Kaiser
Yeah; enterprise version is nice, but for the price difference on a DC, I
couldn't justify it. Not enough benefit...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/