RE: [ActiveDir] Backups

2004-01-15 Thread Yusuf Mayet
Guido,

In my experience using software raid has many limitations as opposed to
the use of hardware raid.

For instance, hot standby of faulty disks can't be done without
losing the production system for that configuration change.
Possibly you could get away with it at small companies, as their reliance on the
production system is not high.

Yusuf

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
[mailto:[EMAIL PROTECTED]
Sent: 14 January, 2004 23:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Backups

I wondered that in this whole discussion about how to protect yourself
from a harddrive-failure the cheapest way - why don't you just use the
built-in SW-Raid features of your Windows Server?  Naturally, I'm not
really a big fan of this SW-Raid and have truly never used them myself
(now why would that be?), but with such a low budget you can't really be
too choosy...

This would give you all the benefits of an automated failover, obviously
at the cost of some CPU of the server - which could well be unnoticeable
for you.  It's at least something to look into.

However, I'd be interested to hear, if others have already used the
Windows SW-Raid features and how their experience is with these...??  Is
it ok for the really small companies with NO budget (but a second disk),
or would you keep your fingers off?

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
Sent: Mittwoch, 14. Januar 2004 20:23
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Backups

No they are too cheap to buy a few hard drives and a raid card :-\

I'll look into Ghost and pcInspector. Do you know if Drive Image by
Symantec will work on Win2k server or just workstations?



On Jan 14, 2004, at 11:09 AM, Mark Nold wrote:

 They would spring for Ghost or pcInspector or the like, but not 80
 bucks for a 120G IDE drive that you could slap in there to mirror?

 Do you have any dead pc's lying around that you can grab the IDE
 drive from?  Not the best I know, but seems like it would be better than
 re-imaging your drive after every change you made in AD to keep your
 backup fresh.

 My 2cents anyway


 -Original Message-
 From: Jake Connor [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 11:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Backups

 Because it's a small company and I have recommended it a hundred times
 but in a nutshell, they are too cheap even though we have experienced a
 server crash which took about almost a week to restore everything
 (which costs more for paying me) and they don't realize a RAID will
 solve about almost everything and cheaper.


 On Jan 14, 2004, at 10:25 AM, Coleman, Hunter wrote:

 If you're concerned about the hard drive failing, why not just set up
 a RAID1 (mirror) configuration? Cost would be low, and you won't have
 to worry about creating disk images and swapping hard drives around.

 Hunter

 -Original Message-
 From: Jake Connor [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 11:00 AM
 To: [EMAIL PROTECTED]

 Subject: Re: [ActiveDir] Backups

 First of all, thank you for the information :-)

 I would like to make a complete hard drive backup onto the firewire
 drive (like a complete image) so that if the one on my system crashed
 then I can just get the hard drive on the fire wire cable and put it
 into the IDE ribbons.

 I probably should have mentioned that what I am using is just a fire
 wire cable that lets you connect any type of IDE drive to it.

 So with pcinspector, would it be able to make a complete copy of the
 hard drive (with all the partitions, bootup stuff, etc) to another hard
 drive and have that hard drive be exactly the same as the hard drive in
 the system so in the event of a crash I can just swap the hard drive,
 start up the system, and everything is back to normal with all my Active
 Directory users, etc?

 Thanks once again in advance.

 Jake



 On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:

 using a FW drive, you may run into issues with available drivers to
 allow you to copy the data without first re-installing an OS on the
 box. There are some cool free-utilities (such as a disk-cloner) that you
 may want to look at - but I have no idea if they support drives
 connected via FW:
 http://www.pcinspector.de/file_recovery/uk/welcome.htm

 so in worst case, you'd have to restore the OS onto the new harddrive
 (default install - incl. the FW driver, if this is not in the default)
 and then restore your backup afterwards onto this new drive.

 Otherwise you may prefer using a backup on tape after all, for which
 you can get routines to completely restore a server from bare-metal
 fully automated.

 /Guido

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
 Sent: Mittwoch, 14. Januar 2004 00:04
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Backups

 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread deji Agba



I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:

Assuming you DON'T have deleted item retention enabled - which is the default configuration
You have not enabled DumpsterAlwaysOn - which is the default configuration
You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore



I've been known to be wrong before, but I don't think this is one of those moments :-p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.

Scared the crap out of my desktop guy who thought he could hide email...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a determined user who wants to cover his/her tracks. Shift-Del will not send deleted items to that folder, you know?




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Oliver Marshall [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 11:19 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO and the Outlook Dumpster
 
 
 Does anyone know a GPO setting that will allow me to prevent users
 from accessing the Recover Deleted Items addin in Outlook ? Someone on
 an exchange mailing list said that there is a GP setting to prevent
 this addin being loaded.

 Olly
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ    : http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 



RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread deji Agba



For importing, try ADModify http://hellomate.info/exchange/admodify_1.5.zip

For auto account creation, try
http://www.microsoft.com/technet/treeview/default.asp?url=

HTH



Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Mike Hogenauer
Sent: Wed 1/14/2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDIFDE and Perl...
I need to import 1500 user accounts into a test environment, I would like to use LDIFDE.
First is there an easy way to batch or create dummy accounts for a test environment without having to type each one, and second can any of this be done with Perl? 

I will also be consulting the Cookbook! 

Thanks in advance. 

Mike 





RE: [ActiveDir] Good book on AD

2004-01-15 Thread Carlos Magalhaes





Another good book is Inside Active Directory by Sakari Kouti and Mika Seitsonen


Publisher : Addison-Wesley Pub Co


There are reviews on:
http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
And 
http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Y=1=9780201616217


Both are by me.


You already have Robbie's book (which is a gem as well). 
I will be posting a review on Robbie's book on the yahoo groups, Barnes and Noble, Amazon and programming-reviews.com in the coming weeks. Robbie (and his technical reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I left out) really did an awesome job.

I will keep you posted.

There is one additional book but it's not Active Directory specific, more how to use System.DirectoryServices (ADSI COM component wrapped for .NET), but it does cover a lot of AD tasks. Let me know if you are interested.

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices 
Carlos Magalhaes.



-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 15, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Good book on AD


I'd recommend Active Directory Forestry by John Craddock and Sally Storey. It has an excellent LDP Primer chapter and goes into some of the finer detail on object classes and attributes. 

Tony


-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jan 2004 18:48:22 -0500


I am looking for a few good books on AD to help me re-work on AD here. I 
have Mission Critical AD, Robbie's second AD book, the cookbook, and 
Inside AD. lol I know too many books. Is there anything else I am 
missing?


Ryan McDonald









RE: [ActiveDir] AD in .NET Visual Basic

2004-01-15 Thread Carlos Magalhaes








Marc,



I would also STRONGLY recommend you don't do this, the amount of overhead you have on your server for one and the time taken to return the results will really make life a nightmare.

You have been provided with the link to the paging example, this is the best practice to use. It is not uncommon that ppl change the paging size. I just have been bitten way too many times. It can even be used as a DOS attack :P

Al, the code does not actually create a bind to the directory until FindAll() or FindOne() is called. During the process of

    ' Assumes Imports System and Imports System.DirectoryServices
    Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE")
    Dim mySearcher As New System.DirectoryServices.DirectorySearcher(entry)

    mySearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"

    Dim results As SearchResultCollection
    Dim result As SearchResult

    ' The bind to the directory happens here, not above
    results = mySearcher.FindAll()

you are merely setting properties on the DirectoryEntry and DirectorySearcher objects. ldap_bind_s (_s is because it's a secure connection), the LDAP API bind call, only really happens at results = mysearcher.FindAll (through the ADSI COM object). This is supposedly done to prevent premature or unnecessary (i.e. if an error occurs) binding to the directory.

I hope that is understandable and explains the situation to you correctly



LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic





NO do not do this. Incorrect answer.

The proper way to handle this is to specify a page size in the calls to active directory, something less than 1000, and then retrieve the data in multiple pages.

I would hate to see someone slowly increasing the page size on their server as the number of objects gets higher and higher. Heck I would have to set the page size to 100,000 on one of my domains to return all the users and I would hate to see how long that query would run and how dead the DC would be trying to buffer that query's return set.



 joe













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay Perrine
Sent: Wednesday, January 14, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Per RFC the LDAP query limit is 1000 items. You can change that limit to reflect the additional number of items that you want to return.

This is done with the ntdsutil utility. Use the LDAP policies. Change the MaxPageSize value.



Clay Perrine, MCSE

Microsoft Directory Services Support Team









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Wednesday, January 14, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Thanks Carlos,

It works, but it only gives me the first 1000 users. Any idea how I can see more than that? I've got about 2000 users.



Marc









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: woensdag 14 januari 2004 21:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Hello Marc,

Welcome to the world of System.DirectoryServices. Could you please post the extended error to the list?

Just a few things,

1. You should specify a search filter for your query, this will limit the amount of time it takes for your query to return results. An example to specify the search query =

    mysearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"

2. It is best practice to actually load the required properties into the search, you can load them one by one or you can load a property array. For example loading 1 by 1 = mysearcher.PropertiesToLoad.Add("cn") or an array = mysearcher.PropertiesToLoad.AddRange(MYSTRINGARRAY)

3. Also as a good practice instead of doing result.findall at the loop level rather try this

    Dim results As SearchResultCollection
    Dim result As SearchResult

    results = mysearcher.FindAll()

Then in your loop try

    For Each result In results
        If result.Properties.Contains("cn") Then
            'do something with result
        End If
    Next

The reason you should use .Contains is because if the property does not contain a value you will receive an error = Object not set to an instance...

As a test could you specify a username, password and authentication type in the directoryentry.

For example

    ' USERNAME, PASSWORD and AUTHENTICATIONTYPE are placeholders
    Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE", USERNAME, PASSWORD, AUTHENTICATIONTYPE)

This is just to perform a test we can change this later.

Let us know about the extended error. You have obviously checked that the LDAP path is correct (sorry but I have to ask :P)

Active Directory Programming ? - http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes - ADSI MVP
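
The paged search joe recommends in this thread, as an added example that is not part of the original messages: setting the client-side DirectorySearcher.PageSize returns all users while the domain controller's MaxPageSize stays at its default. The OU path and filter are the ones quoted in the thread; the page size of 500, the 30-second page time limit, and the module and function names are assumptions.

```vbnet
Imports System
Imports System.DirectoryServices

Module PagedUserSearch

    ' OU path as quoted in the thread; adjust for your own domain.
    Private Const SearchRoot As String = "LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE"

    ' Assumed value: any page size from 1 up to the server's MaxPageSize
    ' (1000 by default) makes ADSI request the results page by page.
    Private Const ClientPageSize As Integer = 500

    ' Enumerates every user under SearchRoot and returns how many were seen.
    Function ListUsers() As Integer
        Dim count As Integer = 0

        Using entry As New DirectoryEntry(SearchRoot)
            Using searcher As New DirectorySearcher(entry)
                searcher.Filter = "(&(objectCategory=user)(objectCategory=person))"
                searcher.SearchScope = SearchScope.Subtree

                ' With PageSize = 0 (the default) the server returns at most
                ' MaxPageSize entries and stops; that is the 1000-user
                ' cut-off reported in the thread.
                searcher.PageSize = ClientPageSize

                ' Bound the time the DC may spend on each individual page
                ' (assumed limit of 30 seconds).
                searcher.ServerPageTimeLimit = TimeSpan.FromSeconds(30)

                ' Ask only for the attributes that are used below.
                searcher.PropertiesToLoad.Add("cn")
                searcher.PropertiesToLoad.Add("sAMAccountName")

                ' FindAll() triggers the bind; further pages are fetched
                ' transparently while the collection is enumerated.
                ' Disposing the collection releases the underlying search.
                Using results As SearchResultCollection = searcher.FindAll()
                    For Each result As SearchResult In results
                        ' Contains() guards against entries without a cn value.
                        If result.Properties.Contains("cn") Then
                            Console.WriteLine("{0}", result.Properties("cn")(0))
                        End If
                        count += 1
                    Next
                End Using
            End Using
        End Using

        Return count
    End Function

    Sub Main()
        Try
            Console.WriteLine("{0} users returned", ListUsers())
        Catch ex As DirectoryServicesCOMException
            ' Directory-side failure (bad path, access denied, bad filter).
            Console.Error.WriteLine("Directory error: {0}", ex.Message)
        Catch ex As System.Runtime.InteropServices.COMException
            ' Lower-level ADSI failure such as "server is not operational".
            Console.Error.WriteLine("ADSI error 0x{0:X8}: {1}", ex.ErrorCode, ex.Message)
        End Try
    End Sub

End Module
```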



RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread Simon Geary
This script from the TechNet script centre will create 1000 new users.

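' Bind to rootDSE to discover the domain's default naming context
Set objRootDSE = GetObject("LDAP://rootDSE")
' Bind to the Users container of that domain
Set objContainer = GetObject("LDAP://cn=Users," & _
    objRootDSE.Get("defaultNamingContext"))

' Create UserNo1 .. UserNo1000; only cn and sAMAccountName are set
For i = 1 To 1000
    Set objLeaf = objContainer.Create("User", "cn=UserNo" & i)
    objLeaf.Put "sAMAccountName", "UserNo" & i
    objLeaf.SetInfo
Next

WScript.Echo "1000 Users created."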

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mike Hogenauer
Sent: 15 January 2004 07:09
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDIFDE and Perl...


I need to import 1500 user accounts into a test environment, I would like to
use LDIFDE.
First is there an easy way to batch or create dummy accounts for a test
environment without having to type each one, and second can any of this be
done with Perl?

I will also be consulting the Cookbook!

Thanks in advance.

Mike




RE: [ActiveDir] Strange intermittent problem with IADsUser::SetPassword

2004-01-15 Thread Flight, L.
Hi,

when the procedure starts to fail what do you see in the target DC
audit trail: Account Logon | Account Management. Have you tried auditing
Directory Services Access failures (KB232714)?

Does the problem persist if you (are able) to switch to 

 OpenDSObject(WinNT:// 

as a test?

Does the account that triggers the start of the problem have any interesting 
(useraccountControl) flags set?

It might be worth doing metabase dumps on the virtual server to compare working with
broken in case something is changing an IIS attribute during running. From your
diagnostics it looks like an inetinfo.exe caching issue, something like IISState from
the IIS resource kit might help but it would be hard work :( The only problems I have
ever looked at in this area are with password changes in Exchange OWA and these went
away with IIS6.0 and Exchange 2003.

cheers,
Lee Flight
Network Support, Computer Centre 
University of Leicester 



 Subject: [ActiveDir] Strange intermittent problem with 
 IADsUser::SetPassword
 Date: Wed, 14 Jan 2004 18:05:47 -0600
 From: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Hi all,
 
 We are having some problems that are very difficult to
 diagnose using the SetPassword method on IADsUser.


[ActiveDir] Importing of contacts

2004-01-15 Thread Yusuf Mayet








Hi all



I have a client that has three exchange organizations in their company.

I am looking at synchronizing the Address Lists across each of the forests.

I know that I can use MIIS (not joe's favourite word, I apologise joe) to do a GAL synch but the customer refuses to budget for the additional hardware and SQL license cost that is required.

I know that I can do some type of import of the users by making them contacts in the other Exchange Orgs but I have never done this before and my programming skills are very shaky

Any other ideas guys



Thanks in advance

yusuf













RE: [ActiveDir] Good book on AD

2004-01-15 Thread Depp, Dennis M.
Maybe some experience.  ;)  You have a lot of great books.  If you read
them and can understand them, I think you are ready.

Denny

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 6:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Good book on AD



I am looking for a few good books on AD to help me re-work on AD
here.  I have Mission Critical AD, Robbie's second AD book, the
cookbook, and Inside AD. lol I know too many books.  Is there anything
else I am missing? 

Ryan McDonald




RE: [ActiveDir] Good book on AD

2004-01-15 Thread jack . eales
Windows 2000 Server Architecture & Planning 2nd Edition by Neilsen is quite
a good intro to a lot of the concepts and provides a good overview. It's
not a how to - more a pre-design read

ISBN:   1-57610-607-1 

Available for $30:00 from
http://www.halfpricecomputerbooks.com/book/1576106071

What the hell. It's as cheap as chips!! :-)

Jack

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: 15 January 2004 11:48
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Maybe some experience.  ;)  You have a lot of great books.  If you read them
and can understand them, I think you are ready.

Denny

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 6:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Good book on AD



I am looking for a few good books on AD to help me re-work on AD
here.  I have Mission Critical AD, Robbie's second AD book, the cookbook,
and Inside AD. lol I know too many books.  Is there anything else I am
missing? 

Ryan McDonald




RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Jerry Welch



Yusuf,
Please excuse the 'pitch', but there is a product available that fits your needs. Please consider SimpleSync from CPS Systems. With it you can very easily sync multiple Exchange 5.5, 2000 or 2003 directories. No SQL. No new directory. Cost for 3 directories is $10,980. Evaluation copy available for download from www.CPS-Systems.com . Normally up and running in test mode in less than a day.
Many thanks,
Jerry Welch

[EMAIL PROTECTED]
+1 703 827 0919 (-5 GMT)


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Yusuf Mayet
  Sent: Thursday, January 15, 2004 5:48 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Importing of contacts

  Hi all

  I have a client that has three exchange organizations in their company.

  I am looking at synchronizing the Address Lists across each of the forests.

  I know that I can use MIIS (not joe's favourite word, I apologise joe) to do a GAL synch but the customer refuses to budget for the additional hardware and SQL license cost that is required.

  I know that I can do some type of import of the users by making them contacts in the other Exchange Orgs but I have never done this before and my programming skills are very shaky

  Any other ideas guys

  Thanks in advance
  yusuf
  
  


RE: [ActiveDir] Bug in GPO?

2004-01-15 Thread Roger Seielstad
Doesn't have to be...

Set the partition to NTFS with localsystem having the only rights, and I
think it would work fine.

You're not going to stop the truly determined, but this should stop a whole
lot of them

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Steve Rochford [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 14, 2004 5:28 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Bug in GPO?
 
 
 Surely that partition is then available for users to write to (unless
 you make sure you lock down everything but that's where I came in!!)
 
 Steve 
 
 -Original Message-
 From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
 Sent: 14 January 2004 13:00
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] Bug in GPO?
 
 All you need to do is put the AV software on a different partition
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Steve Rochford [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 6:43 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Bug in GPO?
  
  
  I know of deep freeze; another college near me is using it with some
  success but they had a problem with things like virus software updates
  - deep freeze was wiping these out at each reboot! It's such a common
  requirement that I'm sure there must be a way round it but I've not
  yet had time to investigate.
  
  Steve
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  
  Sent: 12 January 2004 15:45
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Bug in GPO?
  
  
  
  
  
  I used to do a bit of work with some companies up north that had the
  same issue.  They purchased a software product called DeepFreeze which
  basically reset the C drive back to the way it was at last boot up.
  They would image the systems, turn on deep freeze, and the users were
  not able to do anything that a simple reboot would not fix.  They were
  also not able to save any data on drive C - in their case an added
  benefit.

  It may be worth looking into as an extra security setup especially in
  lab situations.
  
  Regards;
  
  James R. Day
  National Parks Service - AD Core Team
  (202) 354-1464
  Fax (202) 371-1549
  [EMAIL PROTECTED]
  
  
  Steve Rochford [EMAIL PROTECTED].uk
  Sent by: [EMAIL PROTECTED]tivedir.org
  01/12/2004 11:24 AM GMT
  Please respond to ActiveDir

  To:       [EMAIL PROTECTED]
  cc:       (bcc: James Day/Contractor/NPS)
  Subject:  RE: [ActiveDir] Bug in GPO?
  
  
  
  I'd completely agree with this. I work in a college and we don't want
  the students to (accidentally or deliberately) play with files on the
  C: drive but even the tightest set of policies makes no real difference -
  just typing C: into a file open dialog will show you the drive and
  typing desktop into the address bar in Internet Explorer also leads
  to some fun :-)

  In the end it's easier to make sure that permissions are as tight as
  possible so that people can't do too much damage and be prepared to
  re-image the machine if they do!
  
  Steve
  
  From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
  Sent: 31 December 2003 04:06
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Bug in GPO?
  
  Mark-
  This worked for me on XP as expected--I chose to hide the C: drive using
  this policy and it was hidden in both My Computer and Explorer. One
  thing I did note was that, if I enabled this policy while I had
  Explorer up and running, the C: drive would only get partially
  hidden. That is, it still appeared in the Explorer tree view but didn't
  in the right hand results pane. Weird. Restarting Explorer cleared that
  up and C: was gone.

  Just as a note, this policy is really nothing more than shell
  obfuscation. For example, even with the C: drive hidden in Explorer,
  there are numerous ways the intrepid user can get to C:. For example,

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Roger Seielstad
I'm pushing towards having 2 types of boxes - blade servers and 2U servers
connecting to external storage/SAN, or housing their data locally.

As Al mentioned - the Virtualization people are trying to ignore the laws of
physics much like the SAN folks did a few years ago. Taking two systems that
are at 25% resource utilization and moving them to virtual machines on the
same hardware doesn't mean that hardware is now 50% utilized - it's now 50%
plus overhead for resource contention.

There are areas in which it makes a lot of sense - our customer support
teams run it on all their workstations, as they need access to multiple OS's
for test and verification of customer issues. Our Presales teams do the same
thing for their demo environments. We save the $300 licenses in not having
to deal with dual and triple boot machines.

I think the key, and I've heard it mentioned from some of the people here
that are doing it, is truly understanding the load your systems are under,
and only then considering virtualizing things.



--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: marcus [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, January 14, 2004 7:32 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I have the same reaction most everyone else does.  We're in the middle of
 server consolidation here, too... the days of sprawl are over.
 
 So... we're starting w/ low hanging fruit.  None of us know exactly how this
 whole thing will pan out in terms of support so we're not placing any
 critical servers on VM at this point.
 
 I'd prefer to still hang on to the idea of bricks/blades architecture.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Wednesday, January 14, 2004 2:24 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DC's on VMWare
 
 As I mentioned in one of my posts - I'm looking at using this technology so
 I can run more than 1 web application platform on one piece of hardware.
 
 None of these applications would tax a server by itself, yet they can't all
 run (at least not at all well) within a single OS instance.
 
 I agree, however, that mass consolidation doesn't normally make sense.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
  Sent: Wednesday, January 14, 2004 11:22 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  Maybe this is a good chance for me to express my ignorance and hopefully
  be enlightened.
  
  I don't understand the whole concept of replacing N (relatively)
  inexpensive boxes of cost C with one monster box costing more than N *
  C. Where are you saving money? You still have N (actually N+1) operating
  systems to pay for, patch, maintain, monitor, etc. and your hardware
  costs have gone up, not down.
  
  I can see that each virtual server potentially has access to a vast
  amount of memory and CPU horsepower, but realistically, how many
  applications are going to stress a 3GHz single CPU box with, say, 4GB
  ram?
  
  Also, because all your eggs are in one hardware basket, your hardware
  has become crucially important and probably warrants some sort of
  extended 24X7 maintenance contract from the vendor adding even more cost
  to the picture.
  
  For a lab, test or educational environment (where performance isn't
  going to be an issue), I can see something like VMWare being very handy,
  but running on one inexpensive box.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  Douglas M. Long
  Sent: Wednesday, January 14, 2004 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  It seems to me that it would be cheaper to buy separate HW for each DC
  than to buy one HUGE machine.
  Example: 4 dual CPU machines with 8GB RAM is going to cost less than 1 8
  CPU machine with 64GB RAM
  
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Roger 
  Seielstad
  Sent: Wednesday, January 14, 2004 10:27 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  That brings its own issues (SIDs, etc) that get back into why I don't
  clone servers. And since you have to stop the entire VM to get a
  consistent backup for DR, that negates that benefit.
  
  I'm looking at it because we have 3 different web based apps that are
  all relatively low volume, but all three use different application
  platforms and they don't play well on the same box. So - 1 server, 3
  VM's, one per application. Fortunately, they all use SQL Server as the
  backend, so they'll tie into our existing

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Roger Seielstad
There are a lot of default settings that most admins change - and deleted item
retention is one of them (at least I would hope it is).

The DumpsterAlwaysOn setting is client side, and only affects whether or not you can
see the dumpster. It most certainly exists on every folder in Exchange (when DIR
is enabled). The offender does NOT need to have this registry key set for a
Shift-Delete email to be recovered. Fairly simple to prove to yourself, but I
know I'm one of three people in the company with it enabled, and I use it to get
our exec admins out of trouble quite a bit

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 2:18 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  I usually refrain from adding to a thread more than once, except to
  occasionally concur. I have always thought that, all things being equal,
  Shift-Delete is indeed a permanent delete, given the following circumstances:

  - Assuming you DON'T have deleted item retention enabled - which is
    the default configuration
  - You have not enabled DumpsterAlwaysOn - which is the default configuration
  - You don't do brick-level backup, you don't have an offline Exchange server
    you test restore to, AND you are not willing to interrupt other users'
    access to do a live restore

  I've been known to be wrong before, but I don't think this is one of those
  moments :-p

  Sincerely,
  Dj Akmlf, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Roger Seielstad
  Sent: Wed 1/14/2004 4:58 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  But Shift-Delete is not a permanent delete. Assuming you have deleted item
  retention enabled, shift-delete simply marks the message for deletion, but it
  is still available within that folder's dumpster until the DIR time expires,
  and is accessible using the DumpsterAlwaysOn registry setting for Outlook.

  Scared the crap out of my desktop guy who thought he could hide email...

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Your protection against this "CYA" type of deletion is backup. If you maintain
a diligent backup of your Exchange Server, you can always do a restore to your
offline server whenever you need to "prove" something. Disabling access to the
"Recover Deleted Items" folder will not buy you much with a determined user who
wants to cover his/her track. Shift-Del will not send deleted items to that
folder, you know?

Sincerely,
Dj Akmlf, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Oliver Marshall [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 11:19 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] GPO and the Outlook Dumpster
 
 
 Does anyone know a GPO setting that will 

RE: [ActiveDir] Good book on AD

2004-01-15 Thread Roger Seielstad
The list of books that I've culled from this group and others, as well as my
own experience, is available here:
http://www.wiredeuclid.com/modules.php?op=modloadname=booksfile=index

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Tony Murray [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 15, 2004 2:43 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Good book on AD
 
 
 I'd recommend Active Directory Forestry by John Craddock and 
 Sally Storey.  It has an excellent LDP Primer chapter and 
 goes into some of the finer detail on object classes and attributes.  
 
 Tony
 
 -- Original Message --
 Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
 Reply-To: [EMAIL PROTECTED]
 Date:  Wed, 14 Jan 2004 18:48:22 -0500
 
 I am looking for a few good books on AD to help me re-work on 
 AD here.  I 
 have Mission Critical AD, Robbie's second AD book, the cookbook, and 
 Inside AD. lol I know too many books.  Is there anything else I am 
 missing?
 
 Ryan McDonald
 
 
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] Good book on AD

2004-01-15 Thread Roger Seielstad
  There is one additional book but it's not Active Directory
  specific more how to use System.DirectoryServices (ADSI COM component wrapped
  for .NET), but it does cover a lot of AD tasks. Let me know if you are
  interested.

Tease! You went to all that trouble to build it up and then not mention
the title??? What's the book?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 3:50 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Good book on AD

  Another good book is Inside Active Directory by Sakari Kouti and Mika Seitsonen
  Publisher: Addison-Wesley Pub Co

  There are reviews on:
  http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
  And
  http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Ypwb=1ean=9780201616217

  Both are by me.

  You already have Robbie's book (which is a gem as well).
  I will be posting a review on Robbie's book on the yahoo groups, Barnes and
  Noble, Amazon and programming-reviews.com. In the coming weeks, Robbie (and
  his technical reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I
  left out) really did an awesome job.

  I will keep you posted.

  There is one additional book but it's not Active Directory specific more how
  to use System.DirectoryServices (ADSI COM component wrapped for .NET), but it
  does cover a lot of AD tasks. Let me know if you are interested.

  LDAP (Active Directory , iPlanet, NDS?) programming?
  Http://groups.yahoo.com/group/adsianddirectoryservices

  Carlos Magalhaes.

  -Original Message-
  From: Tony Murray [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 15, 2004 9:43 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] Good book on AD

  I'd recommend Active Directory Forestry by John Craddock and Sally Storey.
  It has an excellent "LDP Primer" chapter and goes into some of the finer
  detail on object classes and attributes.

  Tony

  -- Original Message --
  Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
  Reply-To: [EMAIL PROTECTED]
  Date: Wed, 14 Jan 2004 18:48:22 -0500

  I am looking for a few good books on AD to help me re-work on AD here. I
  have Mission Critical AD, Robbie's second AD book, the cookbook, and
  Inside AD. lol I know too many books. Is there anything else I am missing?

  Ryan McDonald
  


RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Roger Seielstad
Looks like Jerry from CPS already mentioned their company's product, which I've
heard very good things about.

I would think that you *might* be able to do it with the Exchange Interorg tool,
but that's a 5.5 tool, so I'd expect you'd need to be in Mixed mode for Exchange.
http://support.microsoft.com/default.aspx?scid=kb;en-us;198789

Without some coding, you're probably going to have to purchase a solution though.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 5:48 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Importing of contacts

  Hi all

  I have a client that has three exchange organizations in their company.

  I am looking at synchronizing the Address Lists across each of the forests.

  I know that I can use MIIS (not joe's favourite word, I apologise joe) to do
  a GAL synch but the customer refuses to budget for the additional hardware
  and SQL license cost that is required.

  I know that I can do some type of import of the users by making them contacts
  in the other Exchange Orgs but I have never done this before and my
  programming skills are very shaky

  Any other ideas guys

  Thanks in advance
  yusuf
  


[ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Parker, Edward
All,

We have 53,000 user AD environment. The current size of the NTDS.DIT is just
under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit, provide
0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will
grow from 2GB to 21GB. This seems a little hard to believe. We are going to be
doing this in the lab shortly, but we are planning additional hardware, and
this seems a little "off".

Can anyone confirm this?


RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Roger Seielstad
According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined
DIT file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how
typical that is.

I'd think worst case you'd end up about the same place you are now. IIRC, there
aren't that many schema changes, so the structural size shouldn't change that
much.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Parker, Edward [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 8:03 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] 2003 NTDS.DIT size

  All,

  We have 53,000 user AD environment. The current size of the NTDS.DIT is
  just under 2GB.

  I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

  "On the drive that will contain the Active Directory database, NTDS.dit, provide
  0.4 gigabytes (GB) of storage for each 1,000 users. ..."

  Now, if this is true, that is saying when I upgrade to 2003, my database will
  grow from 2GB to 21GB. This seems a little hard to believe. We are going to
  be doing this in the lab shortly, but we are planning additional hardware,
  and this seems a little "off".

  Can anyone confirm this?


RE: [ActiveDir] Good book on AD

2004-01-15 Thread Carlos Magalhaes
Sure thing Roger, the books link - http://www.apress.com/book/bookDisplay.html?bID=265

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes. ADSI MVP

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Good book on AD

There is one additional book but it's not Active Directory specific more
how to use System.DirectoryServices (ADSI COM component wrapped for .NET), but
it does cover a lot of AD tasks. Let me know if you are interested.

Tease! You went to all that trouble to build it up and then not mention
the title??? What's the book?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 3:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Another good book is Inside Active Directory by Sakari Kouti and Mika Seitsonen
Publisher: Addison-Wesley Pub Co

There are reviews on:
http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
And
http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Ypwb=1ean=9780201616217

Both are by me.

You already have Robbie's book (which is a gem as well).
I will be posting a review on Robbie's book on the yahoo groups, Barnes and
Noble, Amazon and programming-reviews.com. In the coming weeks, Robbie (and
his technical reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I
left out) really did an awesome job.

I will keep you posted.

There is one additional book but it's not Active Directory specific more how
to use System.DirectoryServices (ADSI COM component wrapped for .NET), but it
does cover a lot of AD tasks. Let me know if you are interested.

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes.

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 15, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Good book on AD

I'd recommend Active Directory Forestry by John Craddock and Sally Storey. It
has an excellent LDP Primer chapter and goes into some of the finer
detail on object classes and attributes.

Tony

-- Original Message --
Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jan 2004 18:48:22 -0500

I am looking for a few good books on AD to help me re-work on AD here. I
have Mission Critical AD, Robbie's second AD book, the cookbook, and
Inside AD. lol I know too many books. Is there anything else I am missing?

Ryan McDonald





RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Joe Baguley
DIT size decreases are certainly what I am seeing in the field, with an
80,000 user AD I deal with shrinking in a similar fashion to the Compaq/HP one
described below

Surely some people on here will be able to explain the shrinkage.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 15 January 2004 13:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined DIT
file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how
typical that is.

I'd think worst case you'd end up about the same place you are now. IIRC,
there aren't that many schema changes, so the structural size shouldn't change
that much.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have 53,000 user AD environment. The current size of the NTDS.DIT is just
under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

On the drive that will contain the Active Directory database, NTDS.dit,
provide 0.4 gigabytes (GB) of storage for each 1,000 users. ...

Now, if this is true, that is saying when I upgrade to 2003, my database will
grow from 2GB to 21GB. This seems a little hard to believe. We are going to be
doing this in the lab shortly, but we are planning additional hardware, and
this seems a little off.

Can anyone confirm this?


RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Carlos Magalhaes
Or you could hire one of the local guys to code this solution for you. It all
depends what exactly you would like to move from one directory to the other.

CM

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:58 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Importing of contacts

Looks like Jerry from CPS already mentioned their company's product, which
I've heard very good things about.

I would think that you *might* be able to do it with the Exchange Interorg
tool, but that's a 5.5 tool, so I'd expect you'd need to be in Mixed mode for
Exchange.

http://support.microsoft.com/default.aspx?scid=kb;en-us;198789

Without some coding, you're probably going to have to purchase a solution
though.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Importing of contacts

Hi all

I have a client that has three exchange organizations in their company.

I am looking at synchronizing the Address Lists across each of the forests.

I know that I can use MIIS (not joe's favourite word, I apologise joe) to do
a GAL synch but the customer refuses to budget for the additional hardware
and SQL license cost that is required.

I know that I can do some type of import of the users by making them contacts
in the other Exchange Orgs but I have never done this before and my
programming skills are very shaky

Any other ideas guys

Thanks in advance

yusuf




RE: [ActiveDir] Good book on AD

2004-01-15 Thread Roger Seielstad
Ahh. I really like the APress books - I just picked up a VB.Net cookbook from
them a week or so ago. I'm going to have to get my hands on this one.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 8:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Good book on AD

  Sure thing Roger, the books link - http://www.apress.com/book/bookDisplay.html?bID=265

  LDAP (Active Directory , iPlanet, NDS?) programming?
  Http://groups.yahoo.com/group/adsianddirectoryservices

  Carlos Magalhaes. ADSI MVP

  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 2:54 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Good book on AD

  There is one additional book but it's not Active Directory specific more how
  to use System.DirectoryServices (ADSI COM component wrapped for .NET), but it
  does cover a lot of AD tasks. Let me know if you are interested.

  Tease! You went to all that trouble to build it up and then not mention the
  title??? What's the book?

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 3:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Another good book is Inside Active Directory by Sakari Kouti and Mika Seitsonen
Publisher: Addison-Wesley Pub Co

There are reviews on:
http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
And
http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Ypwb=1ean=9780201616217

Both are by me.

You already have Robbie's book (which is a gem as well).
I will be posting a review on Robbie's book on the yahoo groups, Barnes and
Noble, Amazon and programming-reviews.com. In the coming weeks, Robbie (and
his technical reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I
left out) really did an awesome job.

I will keep you posted.

There is one additional book but it's not Active Directory specific more how
to use System.DirectoryServices (ADSI COM component wrapped for .NET), but it
does cover a lot of AD tasks. Let me know if you are interested.

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes.

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 15, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Good book on AD

I'd recommend Active Directory Forestry by John Craddock and Sally Storey.
It has an excellent "LDP Primer" chapter and goes into some of the finer
detail on object classes and attributes.

Tony

-- Original Message --
Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jan 2004 18:48:22 -0500

I am looking for a few good books on AD to help me re-work on AD here. I
have Mission Critical AD, Robbie's second AD book, the cookbook, and
Inside AD. lol I know too many books. Is there anything else I am missing?

Ryan McDonald




RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Roger Seielstad
I blame it on cold water. Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format and how
data is stored within. I'm guessing that they've rearranged the table structures
to better fit the actual usage patterns.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Joe Baguley [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 8:40 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] 2003 NTDS.DIT size

  DIT size decreases are certainly what I am seeing in the field, with an
  80,000 user AD I deal with shrinking in a similar fashion to the Compaq/HP
  one described below...

  Surely some people on here will be able to explain the shrinkage

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: 15 January 2004 13:19
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] 2003 NTDS.DIT size

  According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined DIT
  file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how
  typical that is.

  I'd think worst case you'd end up about the same place you are now. IIRC,
  there aren't that many schema changes, so the structural size shouldn't
  change that much.

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have 53,000 user AD environment. The current size of the NTDS.DIT is just
under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit,
provide 0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will
grow from 2GB to 21GB. This seems a little hard to believe. We are going to be
doing this in the lab shortly, but we are planning additional hardware, and
this seems a little "off".

Can anyone confirm this?


RE: [ActiveDir] Good book on AD

2004-01-15 Thread Douglas M. Long

No recommendations on book here, just want to let you know that
www.bookpool.com is a good place to get technical books cheap. Many times I
find the books are way below the price of anywhere else, even with S&H.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Thursday, January 15, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Sure thing Roger, the books link -
http://www.apress.com/book/bookDisplay.html?bID=265

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices
Carlos Magalhaes. ADSI MVP

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Good book on AD

There is one additional book but it's not Active Directory specific more
how to use System.DirectoryServices (ADSI COM component wrapped for .NET),
but it does cover a lot of AD tasks. Let me know if you are interested.

Tease! You went to all that trouble to build it up and then not mention the
title??? What's the book?

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 3:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Another good book is Inside Active Directory by Sakari Kouti and Mika
Seitsonen

Publisher : Addison-Wesley Pub Co

There are reviews on:
http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98
And
http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Ypwb=1ean=9780201616217

Both are by me.

You already have Robbie's book (which is a gem as well). I will be posting a
review on Robbie's book on the yahoo groups, Barnes and Noble, Amazon and
programming-reviews.com. In the coming weeks, Robbie (and his technical
reviewers *SHOUT OUT* to Tony, Rick, Joe and all the others I left out)
really did an awesome job.

I will keep you posted.

There is one additional book but it's not Active Directory specific more
how to use System.DirectoryServices (ADSI COM component wrapped for .NET),
but it does cover a lot of AD tasks. Let me know if you are interested.

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices
Carlos Magalhaes.

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 15, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Good book on AD

I'd recommend Active Directory Forestry by John Craddock and Sally Storey.
It has an excellent "LDP Primer" chapter and goes into some of the finer
detail on object classes and attributes.

Tony

-- Original Message --
Wrom: PNKMBIPBARHDMNNSKVFVWRKJV
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jan 2004 18:48:22 -0500

I am looking for a few good books on AD to help me re-work on AD here. I
have Mission Critical AD, Robbie's second AD book, the cookbook, and
Inside AD. lol I know too many books. Is there anything else I am missing?

Ryan McDonald




RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Cristian Zaharia

sure ...

Cristian Zaharia
Network Administrator
Information Technology
Zapp
[EMAIL PROTECTED]
+40.788.101.048

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 3:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

I blame it on cold water. Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format and
how data is stored within. I'm guessing that they've rearranged the table
structures to better fit the actual usage patterns.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Mike Baudino




I'm not sure how much I'm able to say and can't get very specific.  Please
let it suffice to say that originally Microsoft had stated that they would
not support us with VMWare and would not address issues found until we
could prove that the issue existed on a physical box without VMWare
involved.  Their recommendation was to go with Virtual Server (beta) and
that it would be released soon.  There were and are delays in the release
of Virtual Server.  Late last year saw some softening of Microsoft's
position.  It's not a promise of complete support but it is a step in the
right direction as far as we're concerned.  We think it's considerably
better than best effort however.

I appreciated your comments about vendors like IBM and their promises.  Was
nice to see other people with the same opinion of those types of comments.

Remains to be seen what actually happens when we run into an issue with
Microsoft and our vendor.  I was trying to come up with a way that  we
could test the supportability but not sure how best to simulate a
production issue realistically enough and not upset relations with the
vendors.  Or else we run into a real issue very soon, before we've gone too
far down this road.
   
  
joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/14/2004 09:34 PM
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] DC's on VMWare

In what way have your talks with MS been more positive? They say that they
will try but remember it all goes down to best effort irregardless of what
your local TAM or even your DTAM says. They can't sign up for anything
better than that. Best effort in my book isn't support. At least it isn't
for any kind of production machine. My main consulting gig is for a pretty
large company and we were being pushed big time into looking at
virtualization on VMWARE and really went into looking at the official
support model and rejected the whole thing. If I am not in a fully
supportable state or can easily and quickly get that way I am not in a
happy place. You could go a long time without needing it but the minute you
do need it, no one is going to listen to, well we went this long without it
so I guess we got our value... No they will be, What do you mean we are
unsupported in this configuration? No, best effort is not supported

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Wednesday, January 14, 2004 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC's on VMWare





We did discuss hardware partitioning but came to the point that we didn't
feel comfortable enough with it yet.  Too new and too many unknowns.  If we
were doing the consolidation a year from now then perhaps.  Plus the CPU
limitation was a serious limitation for all but some of our DEV servers and
so not a big enough help.

We are concerned about support.  We are in the situation that you, Joe,
described about the vendor.  Not putting a whole lot of faith in it.  Just
hope we don't need it.  Our talks with Microsoft have been a bit more
positive regarding assistance in resolving issues that come up on a VM.
Haven't tested the situation yet though.

I'm not going to be successful arguing to put all DC's on separate physical
machines unless I can prove that the VM solution doesn't work properly.
We're under too much pressure to eliminate physical boxes.

I think the best solution to recommend may be to have the root 

RE: [ActiveDir] AD in .NET Visual Basic

2004-01-15 Thread Mulnick, Al

Yep. Didn't mean to indicate otherwise Carlos, just that his bind was to a
container/OU and not really looking for the objects contained; Thanks for
the pointers. Great newsgroup for this subject too :)

As a side note, I'm curious about the filter string you used. Why use
objectCategory=User AND objectCategory=Person in the same filter. Wouldn't
one or the other do for your search or am I missing something?

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 4:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Marc,

I would also STRONGLY recommend you don't do this, the amount of overhead
you have on your server for one and the time taken to return the results
will really make life a nightmare.

You have been provided with the link to the paging example, this is the
best practice to use. It is not uncommon that ppl change the paging size. I
just have been bitten way too many times. It can even be used as a DOS
attack :P

Al, the code does not actually create a bind to the directory until
findall() or Findone() is called. During the process of

    ' Setting up the entry and the searcher only sets properties.
    Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE")
    Dim mySearcher As New System.DirectoryServices.DirectorySearcher(entry)

    mySearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"
    Dim results As SearchResultCollection
    Dim result As SearchResult
    ' The search itself is issued here.
    results = mySearcher.FindAll

You are merely setting properties on the directoryentry and
directorySearcher object. ldap_bind_s (_s is because it's a secure
connection) the LDAP API bind call only really happens at
"results = mysearcher.FindAll" (through the ADSI COM object).
This is supposedly done to prevent premature or unnecessary (i.e. if an
error occurs) binding to the directory.

I hope that is understandable and explains the situation to you
correctly...

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices
Carlos Magalhaes.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

NO do not do this. Incorrect answer.

The proper way to handle this is to specify a page size in the calls to
active directory, something less than 1000 and then retrieve the data in
multiple pages.

I would hate to see someone slowly increasing the page size on their server
as the number of objects gets higher and higher. Heck I would have to set
the page size to 100,000 on one of my domains to return all the users and I
would hate to see how long that query would run and how dead the DC would
be trying to buffer that query's return set.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Clay Perrine
Sent: Wednesday, January 14, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Per RFC the LDAP query limit is 1000 items. You can change that limit to
reflect the additional number of items that you want to return.

This is done with the ntdsutil utility. Use the LDAP policies. Change the
MaxPageSize value.

Clay Perrine, MCSE
Microsoft Directory Services Support Team

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of De Schepper Marc
Sent: Wednesday, January 14, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Thanks Carlos,

It works, But it only gives me the first 1000 users. Any Idea how I can see
more than that? I've got about 2000 Users.

Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Carlos Magalhaes
Sent: Wednesday 14 January 2004 21:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Hello Marc,

Welcome to the world of System.DirectoryServices. Could you please post the
extended error to the list?

Just a few things,

1. You should specify a search filter for your query, this will limit the
amount of time it takes for your query to return results. An example to
specify the search query =
mysearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"

2. It is best practice to actually load the required properties into the
search, you can load them one by one or you can load a property array. For
example loading 1 by 1 = mysearcher.PropertiesToLoad.Add("cn") or an array =
mysearcher.PropertiesToLoad.AddRange(MYSTRINGARRAY)

3. Also as a good practice instead of doing result.findall at the loop level
rather try this Dim results As
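
Added example, not part of the original thread and not code posted by any list member: the client-side paging joe describes, written against System.DirectoryServices so the server's MaxPageSize policy stays at its default. The LDAP path, the page size of 500, the filter and the names GetAllUserNames and ServerLimit are assumptions chosen for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

Module PagedUserSearch

    ' Assumed server-side limit, taken from the 1000-object figure in the
    ' thread. The client page size must stay below it.
    Private Const ServerLimit As Integer = 1000

    ' Returns the cn of every user object under ldapPath.
    ' A PageSize greater than 0 makes the searcher request results in pages
    ' and fetch the next page as the collection is enumerated, so more than
    ' 1000 objects come back without changing any LDAP policy on the DC.
    Function GetAllUserNames(ByVal ldapPath As String, ByVal pageSize As Integer) As List(Of String)
        If pageSize < 1 OrElse pageSize >= ServerLimit Then
            Throw New ArgumentOutOfRangeException("pageSize", "Use a page size between 1 and 999.")
        End If

        Dim names As New List(Of String)()

        Using entry As New DirectoryEntry(ldapPath)
            Using searcher As New DirectorySearcher(entry)
                ' Assumed filter for user accounts; adjust to your directory.
                searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
                searcher.SearchScope = SearchScope.Subtree

                ' Ask only for the attribute that is actually read below.
                searcher.PropertiesToLoad.Add("cn")

                ' The setting that turns on paging.
                searcher.PageSize = pageSize

                ' SearchResultCollection holds unmanaged resources, so it is
                ' disposed explicitly.
                Using results As SearchResultCollection = searcher.FindAll()
                    For Each result As SearchResult In results
                        If result.Properties.Contains("cn") Then
                            names.Add(CStr(result.Properties("cn")(0)))
                        End If
                    Next
                End Using
            End Using
        End Using

        Return names
    End Function

    Sub Main(ByVal args As String())
        ' Placeholder path; pass the real container as the first argument.
        Dim ldapPath As String = "LDAP://OU=ExampleUsers,DC=example,DC=com"
        If args.Length > 0 Then ldapPath = args(0)

        Try
            Dim users As List(Of String) = GetAllUserNames(ldapPath, 500)
            Console.WriteLine("{0} user objects returned", users.Count)
        Catch ex As System.Runtime.InteropServices.COMException
            Console.Error.WriteLine("Directory search failed: " & ex.Message)
        End Try
    End Sub

End Module
```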

RE: [ActiveDir] Folder redir policy

2004-01-15 Thread Bruce Clingaman
When I ran the RSoP, it gave this reason for it not being applied:

this security id may not be assigned as the owner of this object

What is this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruce Clingaman
Sent: Wednesday, January 14, 2004 2:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Folder redir policy



I have a folder redirection policy in place but it doesn't get applied. The
path is valid, perms are set (folders are created in advance with a script).
The user can browse to their directory and save files.
The share is on a DFS volume; I wonder if this is the cause.

Any ideas?

Bruce Clingaman



RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Mulnick, Al

Isn't that about it then? You have choices of two programs already written
else you can write one yourself. If your skills are shaky, you can
outsource that to a contractor/consultant to write it for you.

Personally, in terms of cost and time, it may make a lot more sense to buy
what you need vs. contracting it out. I would present it back to the client
and let him decide where the money should be invested based on his opinion.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Importing of contacts

Or you could hire one of the local guys to code this solution for you. It
all depends what exactly you would like to move from one directory to the
other.

CM

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:58 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Importing of contacts

Looks like Jerry from CPS already mentioned their company's product, which
I've heard very good things about.

I would think that you *might* be able to do it with the Exchange Interorg
tool, but that's a 5.5 tool, so I'd expect you'd need to be in Mixed mode
for Exchange.

http://support.microsoft.com/default.aspx?scid=kb;en-us;198789

Without some coding, you're probably going to have to purchase a solution
though.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Importing of contacts

Hi all

I have a client that has three exchange organizations in their company.

I am looking at synchronizing the Address Lists across each of the forests.

I know that I can use MIIS (not joe's favourite word, I apologise joe) to
do a GAL synch but the customer refuses to budget for the additional
hardware and SQL license cost that is required.

I know that I can do some type of import of the users by making them
contacts in the other Exchange Orgs but I have never done this before and
my programming skills are very shaky

Any other ideas guys

Thanks in advance
yusuf





RE: [ActiveDir] Good book on AD

2004-01-15 Thread Carlos Magalhaes
It's on its way to me for a review, I know some of the authors and have read
some of the content it is a really good book if you are interested in the
System.DirectoryServices Namespace.

Keep Well

Carlos

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 3:42 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Good book on AD

Ahh. I really like the APress books - I just picked up a VB.Net cookbook
from them a week or so ago. I'm going to have to get my hands on this one.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.






RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Mulnick, Al

No, dumpsteralwayson is used to set the mail properties for the mail
folders other than deleted items and to allow for hard deletes to be
recovered. Basically, it means that all items must be sent to deleted items
retention if they existed in a protected folder.

http://support.microsoft.com/default.aspx?scid=kb;en-us;246153

It's not quite that clear though is it? People who have older clients
aren't subject to this "feature" at all and only the items that were sent
to the Deleted Items folder will have deleted items retention. Basically.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

There are a lot of default settings that most admins change - and deleted
item retention is one of them (at least I would hope it is).

The DumpsterAlwaysOn setting is client side, and only affects whether or
not you can see the dumpster. It most certainly exists on every folder in
Exchange (when DIR is enabled). The offender does NOT need to have this
registry key set for a Shift-Delete email to be recovered. Fairly simple to
prove to yourself, but I know I'm one of three people in the company with
it enabled, and I use it to get our exec admins out of trouble quite a bit

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to
occasionally concur. I have always thought that, all things being equal,
Shift-Delete is indeed a permanent delete, given the following
circumstances:

Assuming you DON'T have deleted item retention enabled - which is the
default configuration

You have not enabled DumpsterAlwaysOn - which is the default configuration

You don't do brick-level backup, you don't have an offline Exchange server
you test restore to, AND you are not willing to interrupt other users'
access to do a live restore

I've been known to be wrong before, but I don't think this is one of those
moments :-p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

But Shift-Delete is not a permanent delete. Assuming you have deleted item
retention enabled, shift-delete simply marks the message for deletion, but
it is still available within that folder's dumpster until the DIR time
expires, and is accessible using the DumpsterAlwaysOn registry setting for
Outlook.

Scared the crap out of my desktop guy who thought he could hide email...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

your protection against this "CYA" type of deletion is backup. If you
maintain a diligent backup of your Exchange Server, you can always do a
restore to your offline server whenever you need to "prove" something.
Disabling access to the "Recover Deleted Items" folder will not buy you
much with a determined user who wants to cover his/her track. Shift-Del
will not send deleted items to that folder, you know?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED]
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and

RE: [ActiveDir] Folder redir policy

2004-01-15 Thread Jb Leney
We deal with this problem all of the time. 

The username needs to be the owner of the folder that is being redirected. 

For instance, if your policy is redirecting My Documents to
\\home\%username%\My_Documents, then the owner of My Documents needs to be
the user in question. 

Open the Folder Redirection policy and under the Settings Tab there is a
checkbox named "Grant the user exclusive rights to My Documents". This
should be checked.

Otherwise, have the user in question take ownership of My Documents and see
if that helps. 

Hope this helps. 




-Original Message-
From: Bruce Clingaman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder redir policy


When I ran the RSoP, it gave this reason for it not being applied:

this security id may not be assigned as the owner of this object

What is this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruce Clingaman
Sent: Wednesday, January 14, 2004 2:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Folder redir policy



I have a folder redirection policy in place but it doesn't get applied. The
path is valid, perms are set (folders are created in advance with a script).
The user can browse to their directory and save files. The share is on a DFS
volume; I wonder if this is the cause.

Any ideas?

Bruce Clingaman



RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread Ken Cornetet
I have some Perl code for creating users in AD that I've been working on
in my spare time. I'd be happy to share it. It uses a combination of ADS
and Net::LDAP.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 15, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDIFDE and Perl...


I need to import 1500 user accounts into a test environment, I would
like to use LDIFDE. First is there an easy way to batch or create dummy
accounts for a test environment without having to type each one, and
second can any of this be done with Perl? 

I will also be consulting the Cookbook! 

Thanks in advance. 

Mike 




RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Ken Cornetet
I don't understand your comment "We save the $300 licenses". Are you
under the impression you don't need a license for each Windows VM
running?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 7:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DC's on VMWare


I'm pushing towards having 2 types of boxes - blade servers and 2U
servers connecting to external storage/SAN, or housing their data
locally.

As Al mentioned - the Virtualization people are trying to ignore the
laws of physics much like the SAN folks did a few years ago. Taking two
systems that are at 25% resource utilization and moving them to virtual
machines on the same hardware doesn't mean that hardware is now 50%
utilized - it's now 50% plus overhead for resource contention.

There are areas in which it makes a lot of sense - our customer support
teams run it on all their workstations, as they need access to multiple
OS's for test and verification of customer issues. Our Presales teams do
the same thing for their demo environments. We save the $300 licenses in
not having to deal with dual and triple boot machines.

I think the key, and I've heard it mentioned from some of the people
here that are doing it, is truly understanding the load your systems are
under, and only then considering virtualizing things.



--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: marcus [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 7:32 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I have the same reaction most everyone else does.  We're in the middle of
 server consolidation here, too... the days of sprawl are over.
 
 So... we're starting w/ low hanging fruit.  None of us know exactly how this
 whole thing will pan out in terms of support so we're not placing any
 critical servers on VM at this point.
 
 I'd prefer to still hang on to the idea of bricks/blades architecture.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Roger Seielstad
 Sent: Wednesday, January 14, 2004 2:24 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DC's on VMWare
 
 As I mentioned in one of my posts - I'm looking at using this technology so
 I can run more than 1 web application platform on one piece of hardware.
 
 None of these applications would tax a server by itself, yet they can't all
 run (at least not at all well) within a single OS instance.
 
 I agree, however, that mass consolidation doesn't normally make sense.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Ken Cornetet [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 11:22 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  Maybe this is a good chance for me to express my ignorance and hopefully
  be enlightened.
  
  I don't understand the whole concept of replacing N (relatively)
  inexpensive boxes of cost C with one monster box costing more than N *
  C. Where are you saving money? You still have N (actually N+1) operating
  systems to pay for, patch, maintain, monitor, etc. and your hardware
  costs have gone up, not down.
  
  I can see that each virtual server potentially has access to a vast
  amount of memory and CPU horsepower, but realistically, how many
  applications are going to stress a 3GHz single CPU box with, say, 4GB
  ram?
  
  Also, because all your eggs are in one hardware basket, your hardware
  has become crucially important and probably warrants some sort of
  extended 24X7 maintenance contract from the vendor adding even more
  cost to the picture.
  
  For a lab, test or educational environment (where performance isn't
  going to be an issue), I can see something like VMWare being very
  handy, but running on one inexpensive box.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Douglas M. Long
  Sent: Wednesday, January 14, 2004 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  It seems to me that it would be cheaper to buy separate HW for each DC
  than to buy one HUGE machine.
  Example: 4 dual CPU machines with 8GB RAM is going to cost less than 1 8
  CPU machine with 64GB RAM
  
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Roger
  Seielstad
  Sent: Wednesday, January 14, 2004 10:27 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  That brings its own issues (SIDs, etc) that get back into why I don't
  clone servers. And since you have to stop the entire VM to get a
  consistent backup for DR, that negates that 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Roger Seielstad



Hate to say it, but you're wrong on that one Al. The client side registry key
simply changes whether or not the client is aware of the "dumpster" in a
particular mailbox folder.

Remember, the "dumpster" is really nothing more than a view on a database
table in which the items are all marked as tombstoned. What you see in the
folder in Outlook (or any other client) is simply the list of items in the
folder which are not tombstoned.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 9:38 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  No, dumpsteralwayson is used to set the mail properties for the mail folders
  other than deleted items and to allow for hard deletes to be recovered.
  Basically, it means that all items must be sent to deleted items retention if
  they existed in a protected folder.
  
  http://support.microsoft.com/default.aspx?scid=kb;en-us;246153
  
  It's not quite that clear though is it? People who have older clients aren't
  subject to this "feature" at all and only the items that were sent to the
  Deleted Items folder will have deleted items retention. Basically.
  
  
  

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

There are a lot of default settings that most admins change - and
deleted item retention is one of them (at least I would hope it is).

The DumpsterAlwaysOn setting is client side, and only affects whether
or not you can see the dumpster. It most certainly exists on every folder in
Exchange (when DIR is enabled). The offender does NOT need to have this
registry key set for a Shift-Delete email to be recovered. Fairly simple to
prove to yourself, but I know I'm one of three people in the company with it
enabled, and I use it to get our exec admin's out of trouble quite a bit

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 2:18 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  I usually refrain from adding to a thread more than once, except to
  occasionally concur. I have always thought that, all things being equal,
  Shift-Delete is indeed a permanent delete, given the following circumstances:
  
  Assuming you DON'T have deleted item retention enabled - which is the default configuration
  You have not enabled DumpsterAlwaysOn - which is the default configuration
  You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
  
  I've been known to be wrong before, but I don't think this is one of those moments :-p
  
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Roger Seielstad
  Sent: Wed 1/14/2004 4:58 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  But Shift-Delete is not a permanent delete. Assuming you have
  deleted item retention enabled, shift-delete simply marks the message for
  deletion, but it is still available within that folder's dumpster until
  the DIR time expires, and is accessible using the DumpsterAlwaysOn
  registry setting for Outlook.
  
  Scared the crap out of my desktop guy who thought he could hide email...
  
  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

your protection against this "CYA" type of deletion is backup. If you maintain a
diligent backup of your Exchange Server, you can always do a restore to
your offline server whenever you need to "prove" something. Disabling
access to the "Recover Deleted Items" folder will not buy you 

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Rich Milburn
No I think he's saying they recoup the cost of the VMware licenses by
reducing or eliminating the administrative cost of maintaining dual and
triple boot machines

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DC's on VMWare

I don't understand your comment "We save the $300 licenses". Are you
under the impression you don't need a license for each Windows VM
running?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 7:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DC's on VMWare


I'm pushing towards having 2 types of boxes - blade servers and 2U
servers connecting to external storage/SAN, or housing their data
locally.

As Al mentioned - the Virtualization people are trying to ignore the
laws of physics much like the SAN folks did a few years ago. Taking two
systems that are at 25% resource utilization and moving them to virtual
machines on the same hardware doesn't mean that hardware is now 50%
utilized - it's now 50% plus overhead for resource contention.

There are areas in which it makes a lot of sense - our customer support
teams run it on all their workstations, as they need access to multiple
OS's for test and verification of customer issues. Our Presales teams do
the same thing for their demo environments. We save the $300 licenses in
not having to deal with dual and triple boot machines.

I think the key, and I've heard it mentioned from some of the people
here that are doing it, is truly understanding the load your systems are
under, and only then considering virtualizing things.



--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: marcus [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 7:32 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I have the same reaction most everyone else does.  We're in the middle of
 server consolidation here, too... the days of sprawl are over.
 
 So... we're starting w/ low hanging fruit.  None of us know exactly how this
 whole thing will pan out in terms of support so we're not placing any
 critical servers on VM at this point.
 
 I'd prefer to still hang on to the idea of bricks/blades architecture.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Roger Seielstad
 Sent: Wednesday, January 14, 2004 2:24 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DC's on VMWare
 
 As I mentioned in one of my posts - I'm looking at using this technology so
 I can run more than 1 web application platform on one piece of hardware.
 
 None of these applications would tax a server by itself, yet they can't all
 run (at least not at all well) within a single OS instance.
 
 I agree, however, that mass consolidation doesn't normally make sense.
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: Ken Cornetet [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 11:22 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  Maybe this is a good chance for me to express my ignorance and hopefully
  be enlightened.
  
  I don't understand the whole concept of replacing N (relatively)
  inexpensive boxes of cost C with one monster box costing more than N *
  C. Where are you saving money? You still have N (actually N+1) operating
  systems to pay for, patch, maintain, monitor, etc. and your hardware
  costs have gone up, not down.
  
  I can see that each virtual server potentially has access to a vast
  amount of memory and CPU horsepower, but realistically, how many
  applications are going to stress a 3GHz single CPU box with, say, 4GB
  ram?
  
  Also, because all your eggs are in one hardware basket, your hardware
  has become crucially important and probably warrants some sort of
  extended 24X7 maintenance contract from the vendor adding even more
  cost to the picture.
  
  For a lab, test or educational environment (where performance isn't
  going to be an issue), I can see something like VMWare being very
  handy, but running on one inexpensive box.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Douglas M. Long
  Sent: Wednesday, January 14, 2004 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  It seems to me that it would be cheaper to buy separate HW for each DC
  than to buy one HUGE machine.
  Example: 4 dual CPU machines with 8GB RAM is going to cost less than 1 8
  CPU machine with 64GB RAM
  
  
  
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL 

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Roger Seielstad
Nope - the $300 for the VMWare license. We spent more than that in tech time
troubleshooting and configuring multiboot systems.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 15, 2004 10:02 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I don't understand your comment "We save the $300 licenses". Are you
 under the impression you don't need a license for each Windows VM
 running?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Thursday, January 15, 2004 7:40 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I'm pushing towards having 2 types of boxes - blade servers and 2U
 servers connecting to external storage/SAN, or housing their data
 locally.
 
 As Al mentioned - the Virtualization people are trying to ignore the
 laws of physics much like the SAN folks did a few years ago. Taking two
 systems that are at 25% resource utilization and moving them to virtual
 machines on the same hardware doesn't mean that hardware is now 50%
 utilized - it's now 50% plus overhead for resource contention.
 
 There are areas in which it makes a lot of sense - our customer support
 teams run it on all their workstations, as they need access to multiple
 OS's for test and verification of customer issues. Our Presales teams do
 the same thing for their demo environments. We save the $300 licenses in
 not having to deal with dual and triple boot machines.
 
 I think the key, and I've heard it mentioned from some of the people
 here that are doing it, is truly understanding the load your systems are
 under, and only then considering virtualizing things.
 
 
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: marcus [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 7:32 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  I have the same reaction most everyone else does.  We're in the middle of
  server consolidation here, too... the days of sprawl are over.
  
  So... we're starting w/ low hanging fruit.  None of us know exactly how this
  whole thing will pan out in terms of support so we're not placing any
  critical servers on VM at this point.
  
  I'd prefer to still hang on to the idea of bricks/blades architecture.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Roger Seielstad
  Sent: Wednesday, January 14, 2004 2:24 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] DC's on VMWare
  
  As I mentioned in one of my posts - I'm looking at using this technology so
  I can run more than 1 web application platform on one piece of hardware.
  
  None of these applications would tax a server by itself, yet they can't all
  run (at least not at all well) within a single OS instance.
  
  I agree, however, that mass consolidation doesn't normally make sense.
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  
   -Original Message-
   From: Ken Cornetet [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, January 14, 2004 11:22 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] DC's on VMWare
   
   
   Maybe this is a good chance for me to express my ignorance and hopefully
   be enlightened.
   
   I don't understand the whole concept of replacing N (relatively)
   inexpensive boxes of cost C with one monster box costing more than N *
   C. Where are you saving money? You still have N (actually N+1) operating
   systems to pay for, patch, maintain, monitor, etc. and your hardware
   costs have gone up, not down.
   
   I can see that each virtual server potentially has access to a vast
   amount of memory and CPU horsepower, but realistically, how many
   applications are going to stress a 3GHz single CPU box with, say, 4GB
   ram?
   
   Also, because all your eggs are in one hardware basket, your hardware
   has become crucially important and probably warrants some sort of
   extended 24X7 maintenance contract from the vendor adding even more
   cost to the picture.
   
   For a lab, test or educational environment (where performance isn't
   going to be an issue), I can see something like VMWare being very
   handy, but running on one inexpensive box.
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
   Douglas M. Long
   Sent: Wednesday, January 14, 2004 10:52 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] DC's on VMWare
   
   
   It seems to me that it would be 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Mulnick, Al



That's OK Roger. We just need to tell Microsoft to rewrite that KB below else I
need to drink more coffee to understand it properly. ;)

  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 10:03 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  Hate to say it, but you're wrong on that one Al. The client side
  registry key simply changes whether or not the client is aware of the
  "dumpster" in a particular mailbox folder.
  
  Remember, the "dumpster" is really nothing more than a view on a
  database table in which the items are all marked as tombstoned. What you see
  in the folder in Outlook (or any other client) is simply the list of items in
  the folder which are not tombstoned.
  
  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 9:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

No, dumpsteralwayson is used to set the mail properties for the mail
folders other than deleted items and to allow for hard deletes to be
recovered. Basically, it means that all items must be sent to deleted
items retention if they existed in a protected folder.

http://support.microsoft.com/default.aspx?scid=kb;en-us;246153

It's not quite that clear though is it? People who have older
clients aren't subject to this "feature" at all and only the items that were
sent to the Deleted Items folder will have deleted items retention.
Basically.



  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 7:46 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  There are a lot of default settings that most admins change - and
  deleted item retention is one of them (at least I would hope it is).
  
  The DumpsterAlwaysOn setting is client side, and only affects
  whether or not you can see the dumpster. It most certainly exists on every
  folder in Exchange (when DIR is enabled). The offender does NOT need to
  have this registry key set for a Shift-Delete email to be recovered.
  Fairly simple to prove to yourself, but I know I'm one of three people in
  the company with it enabled, and I use it to get our exec admin's out of
  trouble quite a bit
  
  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 2:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to
occasionally concur. I have always thought that, all things being equal,
Shift-Delete is indeed a permanent delete, given the following circumstances:

Assuming you DON'T have deleted item retention enabled - which is the default configuration
You have not enabled DumpsterAlwaysOn - which is the default configuration
You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore

I've been known to be wrong before, but I don't think this is one of those moments :-p

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

But Shift-Delete is not a permanent delete. Assuming you have
deleted item retention enabled, shift-delete simply marks the message
for deletion, but it is still available within that folder's dumpster
until the DIR time expires, and is accessible using the DumpsterAlwaysOn
registry setting for Outlook.

Scared the crap out of my desktop guy who thought he could hide email...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Oliver Marshall
Thanks for the interesting comments on this thread. I have had official word from 
several MS support peeps that would seem to resolve the issue. It would seem that 
SHIFT+DELETE marks a message as deleted immediately without it being moved to the 
deleted items first. As the message is only MARKED as deleted but not actually deleted 
it is simply not visible to the user but does still remain in the datastore. If items 
are sent to the deleted items they are simply moved to the deleted items. Emptying the 
deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from 
the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all 
folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally 
concur. I have always thought that, all things being equal, Shift-Delete is indeed a 
permanent delete, given the following circumstances:
 
 Assuming you DON'T have deleted item retention enabled - which is the default configuration
 You have not enabled DumpsterAlwaysOn - which is the default configuration
 You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention 
enabled, shift-delete simply marks the message for deletion, but it is still available 
within that folder's dumpster until the DIR time expires, and is accessible using the 
DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc. 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 14, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


your protection against this "CYA" type of deletion is backup. If you maintain 
a diligent backup of your Exchange Server, you can always do a restore to your offline 
server whenever you need to "prove" something. Disabling access to the "Recover 
Deleted Items" folder will not buy you much with a determined user who wants to cover 
his/her track. Shift-Del will not send deleted items to that folder, you know?
 

 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon



From: Oliver Marshall
Sent: Tue 1/13/2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


Because while the Recover Deleted Items addin allows you...err...recover
deleted items a user can also delete things permanently. We have had
people 'covering their tracks' by deleting emails.

I don't want to disable the feature all together as it's a useful IT
tool for managers etc, but not for users.

Olly 

-Original Message-
From: David, Andy [mailto:[EMAIL PROTECTED] 
Sent: 13 January 2004 19:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I'm just wondering why you would want to implement such a thing. 
 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

It strikes me that it might be part of the Office Administration
Templates, which can be distributed via GPOs, but aren't actually part
of the GPO settings.

http://www.microsoft.com/office/ork/2003/five/ch18/MntA04.htm

There are similar templates for Office XP and Office 2000 that might do
the trick.

Roger

[ActiveDir] Hiding Menus via a GPO

2004-01-15 Thread Oliver Marshall
Does anyone know how I can use a GPO to hide a menu item? You might have
been listening to the Outlook thread going on on this list. I'm told
that it can be done, but I can't find any mention of it anywhere.

Ta

olly
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Good book on AD

2004-01-15 Thread rmcdonald

I am interested :)



Ryan McDonald







Roger Seielstad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/15/2004 07:53 AM
Please respond to ActiveDir

To:
   '[EMAIL PROTECTED]'
[EMAIL PROTECTED]
cc:
   
Subject:
   RE: [ActiveDir] Good book on AD


There is one additional book but it's not Active Directory
specific more how to use System.DirectoryServices (ADSI COM component wrapped
for .NET), but it does cover a lot of AD tasks. Let me know if you are
interested.


Tease! You went to all that
trouble to build it up and then not mention the title??? What's the book?


Roger
--

Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 
-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 3:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Good book on AD

Another good book is Inside Active Directory by Sakari
Kouti and Mika Seitsonen 
Publisher : Addison-Wesley Pub Co 
There are reviews on: 
http://groups.yahoo.com/group/MustHaveBooksForAspNetProgrammers/message/98

And 
http://btobsearch.barnesandnoble.com/booksearch/isbninquiry.asp?btob=Ypwb=1ean=9780201616217

Both are by me. 
You already have Robbie's book (which is a gem as well).

I will be posting a review on Robbie's book on the yahoo groups, Barnes
and Noble, Amazon and programming-reviews.com. In the coming weeks, Robbie
(and his technical reviewers *SHOUT OUT* to Tony, Rick, Joe and all the
others I left out) really did an awesome job.
I will keep you posted. 
There is one additional book but it's not Active Directory
specific more how to use System.DirectoryServices (ADSI COM component wrapped
for .NET), but it does cover a lot of AD tasks. Let me know if you are
interested.
LDAP (Active Directory , iPlanet, NDS?) programming?

Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes. 

-Original Message- 
From: Tony Murray [mailto:[EMAIL PROTECTED]]

Sent: Thursday, January 15, 2004 9:43 AM 
To: [EMAIL PROTECTED] 
Subject: Re: [ActiveDir] Good book on AD 
I'd recommend Active Directory Forestry by John Craddock
and Sally Storey. It has an excellent LDP Primer chapter
and goes into some of the finer detail on object classes and attributes.

Tony 
-- Original Message --

Reply-To: [EMAIL PROTECTED] 
Date: Wed, 14 Jan 2004 18:48:22 -0500 
I am looking for a few good books on AD to help me re-work
on AD here. I 
have Mission Critical AD, Robbie's second AD book, the cookbook, and 
Inside AD. lol I know too many books. Is there anything else I am

missing? 
Ryan McDonald 

List info  : http://www.activedir.org/mail_list.htm

List FAQ  : http://www.activedir.org/list_faq.htm

List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Roger Seielstad



Tell Andy to bring you another cup. Isn't that what the Ops team is for,
anyway?

I read it exactly as I understood it, BTW.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 10:19 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
  That's OK Roger. We just need to tell Microsoft to rewrite that
  KB below else I need to drink more coffee to understand it properly. ;)
  

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 10:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Hate to say it, but you're wrong on that one Al. The client side
registry key simply changes whether or not the client is aware of the
"dumpster" in a particular mailbox folder.

Remember, the "dumpster" is really nothing more than a view on a
database table in which the items are all marked as tombstoned. What you see
in the folder in Outlook (or any other client) is simply the list of items
in the folder which are not tombstoned.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 9:38 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  No, dumpsteralwayson is used to set the mail properties for the mail folders other than deleted items and to allow for hard deletes to be recovered. Basically, it means that all items must be sent to deleted items retention if they existed in a protected folder.

  http://support.microsoft.com/default.aspx?scid=kb;en-us;246153

  It's not quite that clear though is it? People who have older clients aren't subject to this "feature" at all and only the items that were sent to the Deleted Items folder will have deleted items retention. Basically.
  
  
  

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 7:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

There are a lot of default settings that most admins change - and deleted item retention is one of them (at least I would hope it is).

The DumpsterAlwaysOn setting is client side, and only affects whether or not you can see the dumpster. It most certainly exists on every folder in Exchange (when DIR is enabled). The offender does NOT need to have this registry key set for a Shift-Delete email to be recovered. Fairly simple to prove to yourself, but I know I'm one of three people in the company with it enabled, and I use it to get our exec admins out of trouble quite a bit.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 2:18 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:

  Assuming you DON'T have deleted item retention enabled - which is the default configuration
  You have not enabled DumpsterAlwaysOn - which is the default configuration
  You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore

  I've been known to be wrong before, but I don't think this is one of those moments :-p

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Roger Seielstad
  Sent: Wed 1/14/2004 4:58 AM
  To: '[EMAIL

RE: [ActiveDir] DC's on VMWare

2004-01-15 Thread Roger Seielstad
You are correct.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rich Milburn [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 15, 2004 10:16 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 No I think he's saying they recoup the cost of the VMware licenses by
 reducing or eliminating the administrative cost of maintaining dual and
 triple boot machines
 
 -Original Message-
 From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, January 15, 2004 9:02 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DC's on VMWare
 
 I don't understand your comment "We save the $300 licenses". Are you
 under the impression you don't need a license for each Windows VM
 running?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Thursday, January 15, 2004 7:40 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DC's on VMWare
 
 
 I'm pushing towards having 2 types of boxes - blade servers and 2U
 servers connecting to external storage/SAN, or housing their data
 locally.
 
 As Al mentioned - the Virtualization people are trying to ignore the
 laws of physics much like the SAN folks did a few years ago. Taking two
 systems that are at 25% resource utilization and moving them to virtual
 machines on the same hardware doesn't mean that hardware is now 50%
 utilized - it's now 50% plus overhead for resource contention.
 
 There are areas in which it makes a lot of sense - our customer support
 teams run it on all their workstations, as they need access to multiple
 OS's for test and verification of customer issues. Our Presales teams do
 the same thing for their demo environments. We save the $300 licenses in
 not having to deal with dual and triple boot machines.
 
 I think the key, and I've heard it mentioned from some of the people
 here that are doing it, is truly understanding the load your systems are
 under, and only then considering virtualizing things.
 
 
 
 --
 Roger D. Seielstad - MTS MCSE MS-MVP
 Sr. Systems Administrator
 Inovis Inc.
 
 
  -Original Message-
  From: marcus [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 7:32 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DC's on VMWare
  
  
  I have the same reaction most everyone else does.  We're in the middle of
  server consolidation here, too... the days of sprawl are over.
  
  So... we're starting w/ low hanging fruit.  None of us know exactly how this
  whole thing will pan out in terms of support so we're not placing any
  critical servers on VM at this point.
  
  I'd prefer to still hang on to the idea of bricks/blades architecture.
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Roger Seielstad
  Sent: Wednesday, January 14, 2004 2:24 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] DC's on VMWare
  
  As I mentioned in one of my posts - I'm looking at using this technology so
  I can run more than 1 web application platform on one piece of hardware.
  
  None of these applications would tax a server by itself, yet they can't all
  run (at least not at all well) within a single OS instance.
  
  I agree, however, that mass consolidation doesn't normally make sense.
  
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  
   -Original Message-
   From: Ken Cornetet [mailto:[EMAIL PROTECTED]
   Sent: Wednesday, January 14, 2004 11:22 AM
   To: [EMAIL PROTECTED]
   Subject: RE: [ActiveDir] DC's on VMWare
   
   
   Maybe this is a good chance for me to express my ignorance and hopefully
   be enlightened.
   
   I don't understand the whole concept of replacing N (relatively)
   inexpensive boxes of cost C with one monster box costing more than N *
   C. Where are you saving money? You still have N (actually N+1) operating
   systems to pay for, patch, maintain, monitor, etc. and your hardware
   costs have gone up, not down.
   
   I can see that each virtual server potentially has access to a vast
   amount of memory and CPU horsepower, but realistically, how many
   applications are going to stress a 3GHz single CPU box with, say, 4GB
   ram?
   
   Also, because all your eggs are in one hardware basket, your hardware
   has become crucially important and probably warrants some sort of
   extended 24X7 maintenance contract from the vendor adding even more
   cost to the picture.
   
   For a lab, test or educational environment (where performance isn't
   going to be an issue), I can see something like VMWare being very
   handy, but running on one inexpensive box.
   
   -Original 

RE: [ActiveDir] NTDS KCC error

2004-01-15 Thread deji Agba



IF I were troubleshooting this, I'd remove the bridgehead designations and let everything go over any available server, then wait for the problem to go away. After that, examine your bridgehead designations closely again. You will likely find out that the DC in LEX site that you've designated as the bridgehead for that site does NOT have a Connection to a DC that holds a copy of the DC=coopcam,DC=com partition. Wherever I've seen this error, it's more likely due to the fact that the Domain Naming Master does not have a connection (link) to the LEX Bridgehead.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rimmerman, Russ
Sent: Wed 1/14/2004 7:14 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTDS KCC error
All,  We're getting these errors on our domain controllers.  I see Q271997
says that it's reported if a non-preferred bridgehead was used.  What did we
do to cause this and what's the recommended best fix?

Explicit bridgeheads to support inter-site replication to and from site
CN=LEX,CN=Sites,CN=Configuration,DC=coopcam,DC=com
over transport CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=coopcam,DC=com
have been selected, but none of these servers can replicate
the partition DC=coopcam,DC=com.
Please use the Active Directory Sites and Services snap-in to do the following:
1. Configure servers that can support replication of the given partition as
preferred bridgeheads for this transport.  You can do this by modifying the
corresponding server objects.
2. Ensure the server objects have an address for this transport.  For example,
servers performing replication over the SMTP transport must have a mailAddress
attribute.  This attribute is normally configured automatically after the
IIS/SMTP service is installed.
In the meantime the KCC will consider all servers in this site as possible
bridgeheads for this partition.




RE: [ActiveDir] Importing of contacts

2004-01-15 Thread Murray Wall
I have been using Jerry's product here and have successfully been using it
to sync 5 organizations. I will be increasing that to 12 eventually. The
support services they have provided are very helpful and timely. Overall I
am impressed with the product and the service they provide. Works good and
is really great for not being too intrusive, install it on one server, and
just open up firewall ports and assign account permissions. No client side
software needed!

Murray Wall, MCSE, B.Ed CCNA/DA Master ASE
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 6:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Importing of contacts

Looks like Jerry from CPS already mentioned their company's product, which
I've heard very good things about.

I would think that you *might* be able to do it with the Exchange Interorg
tool, but that's a 5.5 tool, so I'd expect you'd need to be in Mixed mode
for Exchange.

http://support.microsoft.com/default.aspx?scid=kb;en-us;198789

Without some coding, you're probably going to have to purchase a solution
though.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Yusuf Mayet [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Importing of contacts

Hi all

I have a client that has three exchange organizations in their company.

I am looking at synchronizing the Address Lists across each of the forests.

I know that I can use MIIS (not joe's favourite word, I apologise joe) to do
a GAL synch but the customer refuses to budget for the additional hardware
and SQL license cost that is required.

I know that I can do some type of import of the users by making them
contacts in the other Exchange Orgs but I have never done this before and my
programming skills are very shaky

Any other ideas guys

Thanks in advance

yusuf



RE: [ActiveDir] Account Reset after removing old domain

2004-01-15 Thread deji Agba



You most likely have the "Logon as a Service" user rights defined on one of your Group Policies (most likely the Default Domain Policy). This is located under Computer Configuration - Windows Settings - Local Policies - User Rights Assignment.

You need to either NOT define this right, or add Tr as one of the accounts listed there.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Wed 1/14/2004 10:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account Reset after removing old domain
Hi All, I was hoping someone might have come across this problem and could
offer some suggestions. I recently installed 2 DCs and assigned the domain
name Test.local. I had to change the domain name and ran dcpromo to remove
AD from both machines.
My 2 DCs are running fine under the new domain load.local. I created account
tr and assigned the log on as service right to the account. The account Tr is
running several services. Every night at 12:00 the services are supposed to
restart but they always fail, giving a log error message. The only way I can
restart the service is to add the log on service account again to the service
I need to restart. I thought I had cleaned up the old domain name from the
naming context and the DNS logs, but the problem still exists.
I will appreciate it if someone can point me in the right direction to resolve
this. Thanks in advance.
Regards
Nathan



RE: [ActiveDir] Backups

2004-01-15 Thread Ken Cornetet
Backups don't just protect you from disk failure, and RAID isn't a
replacement for backups. It is always possible the data on the disk
could get deleted or corrupted in which case RAID won't help. Backups
can also be taken off-site.

That said, I have used disk mirroring under NT4 and it works
*reasonably* well with two main caveats:

1. You will not be able to boot from the mirror disk should the primary
disk fail unless certain steps are taken. Only the data partition is
mirrored - the MBR is not mirrored. There are steps you can take to get
an MBR on the mirror disk, but even then, you still may not be able to
boot from it. The NT4 resource kit books have an excellent discussion of
what all can trip you up.

2. You get absolutely no warning that a disk has failed. There is only
an eventlog entry.

I've not looked at 2000 or 2k3 software raid to know if these problems
have been rectified. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, January 14, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Backups


I wondered that in this whole discussion about how to protect yourself
from a harddrive-failure the cheapest way - why don't you just use the
built-in SW-Raid features of your Windows Server?  Naturally, I'm not
really a big fan of this SW-Raid and have truly never used them myself
(now why would that be?), but with such a low budget you can't really be
too choosy...

This would give you all the benefits of an automated failover, obviously
at the cost of some CPU of the server - which could well be unnoticeable
for you.  It's at least something to look into.

However, I'd be interested to hear, if others have already used the
Windows SW-Raid features and how their experience is with these...??  Is
it ok for the really small companies with NO budget (but a second disk),
or would you keep your fingers off?

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
Sent: Mittwoch, 14. Januar 2004 20:23
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Backups

No they are too cheap to buy a few hard drives and a raid card :-\

I'll look into Ghost and pcInspector. Do you know if Drive Image by 
Symantec will work on Win2k server or just workstations?



On Jan 14, 2004, at 11:09 AM, Mark Nold wrote:

 They would spring for Ghost or pcInspector or the like, but not 80 bucks
 for a 120G IDE drive that you could slap in there to mirror?

 Do you have any dead pc's lying around that you can grab the IDE drive
 from?  Not the best I know, but seems like it would be better than
 re-imaging your drive after every change you made in AD to keep your
 backup fresh.

 My 2cents anyway

 -Original Message-
 From: Jake Connor [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 11:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Backups

 Because it's a small company and I have recommended it a hundred times
 but in a nutshell, they are too cheap even though we have experienced
 a server crash which took about almost a week to restore everything
 (which costs more for paying me) and they don't realize a RAID will
 solve about almost everything and cheaper.


 On Jan 14, 2004, at 10:25 AM, Coleman, Hunter wrote:

 If you're concerned about the hard drive failing, why not just set up a
 RAID1 (mirror) configuration? Cost would be low, and you won't have to
 worry about creating disk images and swapping hard drives around.

 Hunter

 -Original Message-
 From: Jake Connor [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, January 14, 2004 11:00 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Backups

 First of all, thank you for the information :-)

 I would like to make a complete hard drive backup onto the firewire
 drive (like a complete image) so that if the one on my system crashed
 then I can just get the hard drive on the fire wire cable and put it
 into the IDE ribbons.

 I probably should have mentioned that what I am using is just a fire
 wire cable that lets you connect any type of IDE drive to it.

 So with pcinspector, would it be able to make a complete copy of the
 hard drive (with all the partitions, bootup stuff, etc) to another
 hard drive and have that hard drive be exactly the same as the hard
 drive in the system so in the event of a crash I can just swap the hard
 drive, start up the system, and everything is back to normal with all
 my Active Directory users, etc?

 Thanks once again in advance.

 Jake



 On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1)
 wrote:

 using a FW drive, you may run into issues with available drivers to
 allow you to copy the data without first re-installing an OS on the
 box. There are some cool free-utilities (such as a disk-cloner) that
 you may want to look at - but I have no idea if they support drives
 connected via FW:
 

RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread deji Agba



That is exactly how it operates in the field. UNLESS you have manually enabled DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail, that mail is GONE and NOT recoverable without going through an interesting hoop. That hoop involves looking for the most recent backup of the user's Mailbox Server's Information Store. This is what my initial response to Oliver said. Now, I'm done.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Oliver Marshall
Sent: Thu 1/15/2004 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:
 
Assuming you DON'T have deleted item retention enabled - which is the default configuration
You have not enabled DumpsterAlwaysOn - which is the default configuration
You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc. 

	-Original Message-
	From: deji Agba [mailto:[EMAIL PROTECTED] 
	Sent: Wednesday, January 14, 2004 1:40 AM
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	
	your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline server whenever you need to "prove" something. Disabling access to the "Recover Deleted Items" folder will not buy you much with a determined user who wants to cover his/her track. Shift-Del will not send deleted items to that folder, you know?
	 
	
	 
	Sincerely,
	
	Dèjì Akómöláfé, MCSE MCSA MCP+I
	www.akomolafe.com
	www.iyaburo.com
	Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



	From: Oliver Marshall
	Sent: Tue 1/13/2004 12:07 PM
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	
	Because while the Recover Deleted Items addin allows you...err...recover
	deleted items a user can also delete things permanently. We have had
	people 'covering their tracks' by deleting emails.
	
	I don't want to disable the feature all together as it's a useful IT
	tool for managers etc, but not for users.
	
	Olly 
	
	-Original Message-
	From: David, Andy [mailto:[EMAIL PROTECTED] 
	Sent: 13 January 2004 19:15
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	I'm just wondering why you would want to implement such a thing. 
	 
	
	-Original Message-
	From: Roger Seielstad [mailto:[EMAIL PROTECTED]
	Sent: Tuesday, January 13, 2004 12:27 PM
	To: '[EMAIL PROTECTED]'
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	It strikes me that it might be part of the Office Administration
	

Re: [ActiveDir] Backups

2004-01-15 Thread Jake Connors
Cool I got only a single drive. Do you know how do I create the boot cd for this application?

Jake


On Jan 14, 2004, at 3:04 PM, John Witasick wrote:

Yes.  Hardware RAID (such as a Dell PERC card) needs to have the array configured, but other than that, you're good to go.  A single drive should need no configuration, other than maybe a format.

John
- Original Message -
From: Jake Connor
To: [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 5:09 PM
Subject: Re: [ActiveDir] Backups

On the site it mentions a complete bare metal server restoration. Does that mean it can restore your OS (and all the data of course) on to a completely blank hard drive with no partitions and software installed yet?

jake


On Jan 14, 2004, at 10:12 AM, John Witasick wrote:


Try PowerQuest's V2i Protector (recently acquired by Symantec), http://www.powerquest.com/v2i/protector/.  This software will allow you to blast down a real time image of your entire server to the firewire drive.  If the server crashes, replace the defective hardware, boot via PowerQuest's recovery CD, restore the latest image, and boot the server.
 
John
- Original Message -
From:Jake Connor
To:[EMAIL PROTECTED]
Sent:Wednesday, January 14, 2004 12:59 PM
Subject:Re: [ActiveDir] Backups

First of all, thank you for the information :-)

I would like to make a complete hard drive backup onto the firewire
drive (like a complete image) so that if the one on my system crashed
then I can just get the hard drive on the fire wire cable and put it
into the IDE ribbons.

I probably should have mentioned that what I am using is just a fire
wire cable that lets you connect any type of IDE drive to it.

So with pcinspector, would it be able to make a complete copy of the
hard drive (with all the partitions, bootup stuff, etc) to another hard
drive and have that hard drive be exactly the same as the hard drive in
the system so in the event of a crash I can just swap the hard drive,
start up the system, and everything is back to normal with all my
Active Directory users, etc?

Thanks once again in advance.

Jake



On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:

> using a FW drive, you may run into issues with available drivers to allow
> you to copy the data without first re-installing an OS on the box. There
> are some cool free-utilities (such as a disk-cloner) that you may want to
> look at - but I have no idea if they support drives connected via FW:
> http://www.pcinspector.de/file_recovery/uk/welcome.htm
>
> so in worst case, you'd have to restore the OS onto the new harddrive
> (default install - incl. the FW driver, if this is not in the default) and
> then restore your backup afterwards onto this new drive.
>
> Otherwise you may prefer using a backup on tape afterall, for which you can
> get routines to completely restore a server from bare-metal fully
> automated.
>
> /Guido
>
> -Original Message-
> From:[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
> Sent: Mittwoch, 14. Januar 2004 00:04
> To:[EMAIL PROTECTED]
> Subject: [ActiveDir] Backups
>
> I have a schedule backup that just copies everything on my hard drive
> to a drive on my firewire drive.
>
> If my active hard drive crashes, how do I restore it with the data on
> my firewire drive so I can just boot up the new hard drive and it will
> have all the active directory users and all that stuff?
>
> Thanks
>

RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread Robbie Allen \(rallen\)
You can find a bunch of Perl Net::LDAP examples here:
http://www.rallenhome.com/books/managingenterprisead/code.html

And the cookbook code page has a lot of Perl ADSI examples:
http://www.rallenhome.com/books/adcookbook/code.html

Let me know if you have any questions.

Robbie Allen

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike 
 Hogenauer
 Sent: Thursday, January 15, 2004 1:09 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] LDIFDE and Perl...
 
 
 I need to import 1500 user accounts into a test environment, I would
 like to use LDIFDE. First is there an easy way to batch or create dummy
 accounts for a test environment without having to type each one, and
 second can any of this be done with Perl?
 
 I will also be consulting the Cookbook! 
 
 Thanks in advance. 
 
 Mike 
 
 
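Added example, not part of the thread and not taken from the code pages Robbie Allen links to: one way to answer the question above in Perl, by generating an LDIF file that `ldifde -i -f` can import into a test forest. The OU, DNS suffix, name prefix and output file name are assumed lab values; the accounts are written without passwords and with userAccountControl 514 (normal account, disabled).

```perl
#!/usr/bin/perl
# Added example (not from the thread): build an LDIF file of dummy users
# that ldifde can import into a TEST forest with:  ldifde -i -f testusers.ldf
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# --- Assumed lab values; none of these come from the original messages ---
my $container  = 'OU=TestUsers,DC=lab,DC=example';  # target OU must already exist
my $upn_suffix = 'lab.example';
my $prefix     = 'testuser';
my $count      = 1500;
my $outfile    = 'testusers.ldf';

# 0x0200 NORMAL_ACCOUNT | 0x0002 ACCOUNTDISABLE = 514: the accounts are
# created disabled, so the password-less dummy users cannot be used to log on.
my $UAC_DISABLED_USER = 0x0200 | 0x0002;

# Escape characters that are special inside an RDN value (RFC 2253).
sub escape_rdn {
    my ($value) = @_;
    $value =~ s/([,+"\\<>;=])/\\$1/g;   # special anywhere in the value
    $value =~ s/^([ #])/\\$1/;          # leading space or '#'
    $value =~ s/ $/\\ /;                # trailing space
    return $value;
}

# Return one LDIF attribute line. RFC 2849 requires base64 ("attr:: ...")
# when a value starts with space, ':' or '<', ends with a space, or holds
# anything outside printable ASCII. Values are expected as UTF-8 bytes.
sub ldif_line {
    my ($attr, $value) = @_;
    if ($value =~ /^[ :<]/ || $value =~ / $/ || $value =~ /[^\x20-\x7e]/) {
        return $attr . ':: ' . encode_base64($value, '') . "\n";
    }
    return $attr . ': ' . $value . "\n";
}

# Build the full "changetype: add" record for one user.
sub user_record {
    my ($n) = @_;
    my $sam = sprintf('%s%04d', $prefix, $n);
    # sAMAccountName for user objects is limited to 20 characters.
    die "sAMAccountName '$sam' exceeds 20 characters\n" if length($sam) > 20;

    my $dn = 'CN=' . escape_rdn($sam) . ',' . $container;
    return join('',
        ldif_line('dn',                 $dn),
        "changetype: add\n",
        ldif_line('objectClass',        'user'),
        ldif_line('cn',                 $sam),
        ldif_line('sAMAccountName',     $sam),
        ldif_line('userPrincipalName',  "$sam\@$upn_suffix"),
        ldif_line('displayName',        sprintf('Test User %04d', $n)),
        ldif_line('description',        'Dummy account for lab testing only'),
        ldif_line('userAccountControl', $UAC_DISABLED_USER),
        "\n",                           # blank line ends the record
    );
}

open(my $fh, '>', $outfile) or die "Cannot write $outfile: $!\n";
print {$fh} user_record($_) for 1 .. $count;
close($fh) or die "Cannot close $outfile: $!\n";
print "Wrote $count records to $outfile\n";
```

Keeping the generated accounts disabled and confined to a dedicated OU makes them easy to find and delete after testing.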


RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Robbie Allen \(rallen\)



W2K3 AD does single instance store of security descriptors which can save a lot of space over W2K AD.

Robbie Allen
http://www.rallenhome.com/

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Thursday, January 15, 2004 8:51 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] 2003 NTDS.DIT size

  I blame it on cold water. Oh, you don't mean that shrinkage.

  From what I understand, it's due to improvements in the database format and how data is stored within. I'm guessing that they've rearranged the table structures to better fit the actual usage patterns.

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-From: Joe Baguley 
[mailto:[EMAIL PROTECTED] Sent: Thursday, January 15, 2004 
8:40 AMTo: [EMAIL PROTECTED]Subject: RE: 
[ActiveDir] 2003 NTDS.DIT size

DIT size decreases 
are certainly what I am seeing in the field, with an 80,000 user AD I deal 
with shrinking in a similar fashion to the Compaq/HP one described 
below...

Surely some people 
on here will be able to explain the 
shrinkage





From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Roger 
SeielstadSent: 15 January 
2004 13:19To: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] 2003 NTDS.DIT 
size


According to Tony 
Redmond's Exchange 2003 book, the HP/Compaq combined DIT file was 12GB in AD 
on Win2k and dropped to 7GB under 2003. Not sure how typical that 
is.



I'd think worst 
case you'd end up about the same place you are now. IIRC, there aren't that 
many schema changes, so the structural size shouldn't change that 
much.



Roger

-- 
Roger D. Seielstad 
- MTS MCSE MS-MVP Sr. 
Systems Administrator Inovis 
Inc. 

  -Original 
  Message-From: 
  Parker, Edward [mailto:[EMAIL PROTECTED] Sent: Thursday, January 15, 2004 8:03 
  AMTo: 
  [EMAIL PROTECTED]Subject: [ActiveDir] 2003 NTDS.DIT 
  size
  
  All,
  
  
  
  We have 53,000 
  user AD environment. The current size of the NTDS.DIT is just under 
  2GB.
  
  
  
  I am reading 
  Chapter 9 of the 2003 planning document and on page 368 it 
  states:
  
  
  
  "On the drive 
  that will contain the Active Directory database, NTDS.dit, provide 0.4 
  gigabytes (GB) of storage for each 1,000 users. 
  ..."
  
  
  
  
  
  Now, if this is 
  true, that is saying when I upgrade to 2003, my database will grow from 
  2GB to 21GB. This seems a little hard to believe. We are 
  going to be doing this in the lab shortly, but we are planning additional 
  hardware, and this seems a little 
"off".
  
  
  
  
  
  Can anyone 
  confirm 
  this?


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Mulnick, Al



I get different results. Feeling inaccurate, I went and enabled dumpsteralwayson
on my computer. Shift+Delete the message. Check the folder it was deleted from
and voila (that's my extent of French) it was in the deleted items recovery. Not
too happy about that, I removed the setting, and this time went to an IMAP
client. DumpsterAlwaysOn was not set at this point. I deleted and purged a
message. Closed the IMAP client, and opened Outlook (XP) after resetting the key
to 1. Check that folder with deleted items recovery and the message was there to
be recovered. Try Shift+Delete on another message, and then was able to recover
it.

Bottom line, Roger and Olly are right. The message doesn't go away regardless of
client or hard delete. It's marked for deletion and is later purged. You have to
go into the deleted item recovery and purge the message to make it gone from all
but a backup of the mailstore.

One note: I didn't need the registry setting to enable the use of recovery on
the deleted items folder. That was there by default. I need the registry setting
to see the form for other folders however.

Thanks for clearing that up :)

  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 11:09 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  That is exactly how it operates in the field. UNLESS you have manually enabled
  DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail,
  that mail is GONE and NOT recoverable without going through an interesting
  hoop. That hoop involves looking for the most recent backup of the user's
  Mailbox Server's Information Store. This is what my initial response to Oliver
  said Now, I'm done.

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Oliver Marshall
  Sent: Thu 1/15/2004 7:16 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:
 
 Assuming you DON'T have deleted item retention enabled - which is the default configuration
 You have not enabled DumpsterAlwaysOn - which is the default configuration
 You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc. 

	-Original Message-
	From: deji Agba [mailto:[EMAIL PROTECTED] 
	Sent: Wednesday, January 14, 2004 1:40 AM
	To: [EMAIL PROTECTED]
	Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
	
	
	your protection against this "CYA" type of deletion is backup. If you maintain a diligent backup of your Exchange Server, you can always do a restore to your offline 

RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread Bernard, Aric

A number of things are different in the
storage of data in the Windows Server 2003 DIT. The most relevant is that the
database now uses a single instance store for security descriptors, therefore
the application of ACEs to directory object often require less directory space.
In HPs case, the single instance store and the deletion of distributed link
tracking objects freed a significant amount of directory space. However the
actual reduction in DIT size is not actually realized until the DIT undergoes
an offline defrag. Of course the reduction is also seen on newly promoted DCs.



Aric

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 5:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

I blame it on cold water. Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format and how
data is stored within. I'm guessing that they've rearranged the table structures
to better fit the actual usage patterns.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe Baguley [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

DIT size decreases are certainly what I am seeing in the field, with an 80,000
user AD I deal with shrinking in a similar fashion to the Compaq/HP one
described below...

Surely some people on here will be able to explain the shrinkage

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 15 January 2004 13:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size

According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined DIT file
was 12GB in AD on Win2k and dropped to 7GB under 2003. Not sure how typical that
is.

I'd think worst case you'd end up about the same place you are now. IIRC, there
aren't that many schema changes, so the structural size shouldn't change that
much.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have 53,000 user AD environment. The current size of the NTDS.DIT is just
under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit, provide
0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will
grow from 2GB to 21GB. This seems a little hard to believe. We are going to be
doing this in the lab shortly, but we are planning additional hardware, and this
seems a little "off".

Can anyone confirm this?

[ActiveDir] Proposed schema changes research

2004-01-15 Thread Rich Milburn

As was inevitable, development wants (needs) to modify and/or extend our AD
schema. While I'm checking into what they need to do, does anyone know some good
references for do's and don'ts on this, besides the basic stuff? It'll help if I
can point to documentation if I find some problems with what they need to do.

Thanks -

Rich

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---  PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Ayers, Diane



Following this thread, a related 
question (taking it even more OT) comes up. Often in email discovery 
cases, we use ExMerge to suck the dumpster off a server to look at what's 
there. Would DumpsterAlwaysOn on the host that ExMerge is run from have an 
effect on what data is recovered from the Dumpster?

Diane


From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I get different results. Feeling inaccurate, I went and enabled dumpsteralwayson
on my computer. Shift+Delete the message. Check the folder it was deleted from
and voila (that's my extent of French) it was in the deleted items recovery. Not
too happy about that, I removed the setting, and this time went to an IMAP
client. DumpsterAlwaysOn was not set at this point. I deleted and purged a
message. Closed the IMAP client, and opened Outlook (XP) after resetting the key
to 1. Check that folder with deleted items recovery and the message was there to
be recovered. Try Shift+Delete on another message, and then was able to recover
it.

Bottom line, Roger and Olly are right. The message doesn't go away regardless of
client or hard delete. It's marked for deletion and is later purged. You have to
go into the deleted item recovery and purge the message to make it gone from all
but a backup of the mailstore.

One note: I didn't need the registry setting to enable the use of recovery on
the deleted items folder. That was there by default. I need the registry setting
to see the form for other folders however.

Thanks for clearing that up :)

  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 11:09 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  That is exactly how it operates in the field. UNLESS you have manually enabled
  DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a piece of mail,
  that mail is GONE and NOT recoverable without going through an interesting
  hoop. That hoop involves looking for the most recent backup of the user's
  Mailbox Server's Information Store. This is what my initial response to Oliver
  said Now, I'm done.

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

  From: Oliver Marshall
  Sent: Thu 1/15/2004 7:16 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

  Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:
 
 Assuming you DON'T have deleted item retention enabled - which is the default configuration
 You have not enabled DumpsterAlwaysOn - which is the default configuration
 You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Roger Seielstad
Sent: Wed 1/14/2004 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster


But Shift-Delete is not a permanent delete. Assuming you have deleted item retention enabled, shift-delete simply marks the message for deletion, but it is still available within that folder's dumpster until the DIR time expires, and is accessible using the DumpsterAlwaysOn registry setting for Outlook.
 
Scared the crap out of my desktop guy who thought he could hide email...
 
Roger

RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread Free, Bob
Robbie Allen did a great presentation and RoundTable at DEC on that
subject. Maybe he will chime in with something more current.

http://www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt
http://www.rallenhome.com/conferences/RAllen_Best_Practices_For_Extending_the_Schema.ppt

 



From: Rich Milburn [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research



As was inevitable, development wants (needs) to modify and/or extend
our AD schema.  While I'm checking into what they need to do, does
anyone know some good references for do's and don'ts on this, besides
the basic stuff?  It'll help if I can point to documentation if I find
some problems with what they need to do.

 

Thanks - 

Rich

 



RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread Creamer, Mark

Rich, I realize this is only an outline, and you may already know all this, but
this presentation may help you get some ideas on things to specifically research

www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt

I guess one of the main things I took away from the presentation was that I
(that is, the operations team) own the schema, not the development team. We
require a well thought-out and documented request before we add an attribute,
and we have a small approval group that has to sign off.

mc

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable, development wants (needs) to modify and/or extend our AD
schema. While I'm checking into what they need to do, does anyone know some good
references for do's and don'ts on this, besides the basic stuff? It'll help if I
can point to documentation if I find some problems with what they need to do.

Thanks -

Rich









RE: [ActiveDir] LDIFDE and Perl...

2004-01-15 Thread Ken Cornetet
There is a dragon waiting to bite any who create users programmatically:
If you have password policy set that does not allow for blank passwords
(you do, right?), you MUST create the user as disabled (ie: do not set
the useraccountcontrol property), THEN set an acceptable password,
THEN enable (useraccountcontrol = 512)

I noticed that Robbie's corrected code reflects this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
(rallen)
Sent: Thursday, January 15, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDIFDE and Perl...


You can find a bunch of Perl Net::LDAP examples here:
http://www.rallenhome.com/books/managingenterprisead/code.html

And the cookbook code page has a lot of Perl ADSI examples:
http://www.rallenhome.com/books/adcookbook/code.html

Let me know if you have any questions.

Robbie Allen

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike
 Hogenauer
 Sent: Thursday, January 15, 2004 1:09 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] LDIFDE and Perl...
 
 
 I need to import 1500 user accounts into a test environment, I would 
 like to use LDIFDE. First is there an easy way to batch or create 
 dummy accounts for a test environment without having to type each one,

 and second can any of this be done with Perl?
 
 I will also be consulting the Cookbook!
 
 Thanks in advance.
 
 Mike
 
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
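
The ordering Ken Cornetet describes above (create the account without userAccountControl, set a password, then enable with 512), applied to the LDIFDE bulk-import question, as an added example that is not code from the thread or from Robbie Allen's code pages. The OU, the `testuser` name prefix, the password recipe and the `lint_ldif` helper are assumptions made for illustration.

```python
import base64
import secrets
import string

ENABLED_NORMAL_ACCOUNT = 512   # value quoted in the thread
ACCOUNTDISABLE = 0x2           # userAccountControl bit that marks an account disabled


def encode_unicode_pwd(password):
    """unicodePwd is the password in double quotes, UTF-16LE; LDIF carries it as base64."""
    return base64.b64encode(('"%s"' % password).encode("utf-16-le")).decode("ascii")


def make_password(length=16):
    """Random per-account password containing lower case, upper case and a digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def user_records(name, base_dn, password):
    """Three LDIF records for one user, in the order given in the thread."""
    dn = "CN=%s,%s" % (name, base_dn)
    # 1. Create the user; userAccountControl is deliberately left unset.
    add = "\n".join(["dn: " + dn, "changetype: add", "objectClass: user",
                     "sAMAccountName: " + name])
    # 2. Set a password that satisfies the policy.
    set_pw = "\n".join(["dn: " + dn, "changetype: modify", "replace: unicodePwd",
                        "unicodePwd:: " + encode_unicode_pwd(password), "-"])
    # 3. Only now enable the account.
    enable = "\n".join(["dn: " + dn, "changetype: modify",
                        "replace: userAccountControl",
                        "userAccountControl: %d" % ENABLED_NORMAL_ACCOUNT, "-"])
    return [add, set_pw, enable]


def build_ldif(count, base_dn, prefix="testuser"):
    """Return (ldif_text, {name: password}) for `count` dummy accounts."""
    records, passwords = [], {}
    for i in range(1, count + 1):
        name = "%s%04d" % (prefix, i)
        passwords[name] = make_password()
        records.extend(user_records(name, base_dn, passwords[name]))
    return "\n\n".join(records) + "\n", passwords


def lint_ldif(ldif_text):
    """Return DNs that get an enabled userAccountControl before any earlier
    record has set unicodePwd for them."""
    has_password, problems = set(), []
    for record in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip().lower()] = value.lstrip(": ").strip()
        dn = attrs.get("dn")
        uac = attrs.get("useraccountcontrol")
        if uac is not None and not (int(uac) & ACCOUNTDISABLE) and dn not in has_password:
            problems.append(dn)
        if "unicodepwd" in attrs:
            has_password.add(dn)
    return problems


if __name__ == "__main__":
    # Constructed sample: two accounts in a hypothetical test OU.
    ldif, pws = build_ldif(2, "OU=TestUsers,DC=example,DC=test")
    print(ldif)
    print("lint findings:", lint_ldif(ldif))
```

The generated file holds every password in reversible base64, so it needs the same handling as a plaintext password list, and Active Directory accepts `unicodePwd` writes only over an encrypted connection.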


RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread mahocraf

He also does a great job in his 'Managing
Enterprise Active Directory Services' book (ISBN 0-672-32125-4).

Another highly recommended book for
those administrators just starting out but wanting some in-depth knowledge.

mark

Free, Bob [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/15/2004 11:52 AM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Proposed schema changes research

Robbie Allen did a great presentation and RoundTable at DEC on that
subject. Maybe he will chime in with something more current.

http://www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt
http://www.rallenhome.com/conferences/RAllen_Best_Practices_For_Extending_the_Schema.ppt

From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable, development wants (needs) to modify and/or extend
our AD schema. While I'm checking into what they need to do, does
anyone know some good references for do's and don'ts on this, besides
the basic stuff? It'll help if I can point to documentation if I find
some problems with what they need to do.

Thanks -

Rich

 




RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread Rich Milburn

Thank you Mark, Bob, and Robbie (by reference). This will help, I had not seen
it before. That's the approach we're taking, unless we get overruled by someone
higher up who was a developer - don't know what they want to do yet but I
suspect it can be done by using an existing attribute. If it's really screwy
I'll check back here.

Thanks again -

Rich

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Rich, I realize this is only an outline, and you may already know all this, but
this presentation may help you get some ideas on things to specifically research

www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt

I guess one of the main things I took away from the presentation was that I
(that is, the operations team) own the schema, not the development team. We
require a well thought-out and documented request before we add an attribute,
and we have a small approval group that has to sign off.

mc

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable, development wants (needs) to modify and/or extend our AD
schema. While I'm checking into what they need to do, does anyone know some good
references for do's and don'ts on this, besides the basic stuff? It'll help if I
can point to documentation if I find some problems with what they need to do.

Thanks -

Rich










Re: [ActiveDir] Backups

2004-01-15 Thread John Witasick



The installation disk is also the recovery disk - there is no need to configure
a bootable CD. Boot from the installation CD, and the program loads into
WindowsPE. From there, you can run the recovery console.

John

  - Original Message -
  From: Jake Connors
  To: [EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 11:11 AM
  Subject: Re: [ActiveDir] Backups

  Cool I got only a single drive. Do you know how do I create the boot cd for
  this application?

  Jake

  On Jan 14, 2004, at 3:04 PM, John Witasick wrote:

  Yes. Hardware RAID (such as a Dell PERC card) needs to have the array
  configured, but other than that, you're good to go. A single drive should need
  no configuration, other than maybe a format.

  John

  - Original Message -
  From: Jake Connor
  To: [EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 5:09 PM
  Subject: Re: [ActiveDir] Backups

  On the site it mentions a complete bare metal server restoration. Does that
  mean it can restore your OS (and all the data of course) on to a completely
  blank hard drive with no partitions and software installed yet?

  jake

  On Jan 14, 2004, at 10:12 AM, John Witasick wrote:

  Try PowerQuest's V2i Protector (recently acquired by Symantec),
  http://www.powerquest.com/v2i/protector/. This software will allow you to
  blast down a real time image of your entire server to the firewire drive. If
  the server crashes, replace the defective hardware, boot via PowerQuest's
  recovery CD, restore the latest image, and boot the server.

  John

  - Original Message -
  From: Jake Connor
  To: [EMAIL PROTECTED]
  Sent: Wednesday, January 14, 2004 12:59 PM
  Subject: Re: [ActiveDir] Backups

  First of all, thank you for the information :-)

  I would like to make a complete hard drive backup onto the firewire drive
  (like a complete image) so that if the one on my system crashed then I can
  just get the hard drive on the fire wire cable and put it into the IDE
  ribbons.

  I probably should have mentioned that what I am using is just a firewire cable
  that lets you connect any type of IDE drive to it.

  So with pcinspector, would it be able to make a complete copy of the hard
  drive (with all the partitions, bootup stuff, etc) to another hard drive and
  have that hard drive be exactly the same as the hard drive in the system so in
  the event of a crash I can just swap the hard drive, start up the system, and
  everything is back to normal with all my Active Directory users, etc?

  Thanks once again in advance.

  Jake

  On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:

  using a FW drive, you may run into issues with available drivers to allow you
  to copy the data without first re-installing an OS on the box. There are some
  cool free-utilities (such as a disk-cloner) that you may want to look at - but
  I have no idea if they support drives connected via FW:
  http://www.pcinspector.de/file_recovery/uk/welcome.htm

  so in worst case, you'd have to restore the OS onto the new harddrive (default
  install - incl. the FW driver, if this is not in the default) and then restore
  your backup afterwards onto this new drive. Otherwise you may prefer using a
  backup on tape after all, for which you can get routines to completely restore
  a server from bare-metal fully automated.

  /Guido

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
  Sent: Mittwoch, 14. Januar 2004 00:04
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Backups

  I have a scheduled backup that just copies everything on my hard drive to a
  drive on my firewire drive. If my active hard drive crashes, how do I restore
  it with the data on my firewire drive so I can just boot up the new hard drive
  and it will have all the active directory users and all that stuff?

  Thanks

  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

  This E-mail, including any attachments, may be intended solely for the
  personal and confidential use of the sender and recipient (s) named above.
  This message may include advisory, consultative and/or deliberative material
  and, as such, would be privileged and confidential and not a public document.
  Any Information in this e-mail identifying a client of the department of Human
  Services is confidential. If you have

RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread Fugleberg, David A

Rich, one other consideration - sometimes it's *preferable* to define
your own attribute rather than using an existing one - depends on how
good a match the data is to the existing attribute you're considering.
For example, if they want to add a user's title, there's a perfectly
good attribute for that already. If they want to store something that's
specific to your business - let's say "restaurant code" or some such -
there are likely no existing attributes that sound anything like this
that are not already in use (or that you're likely to use for their
intended purpose at some point). In a case like that, by all means
extend the schema - it makes more sense to all who come after you and
need to understand what you *really* meant by stuffing values in a
seemingly unrelated bucket.

I guess what I'm trying to say is that extensions are not to be feared
or discouraged IF they make sense - In my opinion, I'd rather do the
extension than forever be explaining that the values in Attribute X
*really* mean data Y. Ditto for using the 'extension attributes'. Just
my opinion.

As for the process, just make sure it's clear who owns the decision,
what the criteria are for making that decision, and what documentation
and testing are required. For example, we have a schema czar (me) who
makes the decision, but I have some specific criteria I use to decide.
I also require a written description of what the changes are for, and
require an LDIF file for the changes. I put them in a 'throwaway' lab
and require the developer to do their functional tests there and sign
off that it actually meets their needs. Only after that can it go into
the normal development forest, and then eventually to production.
There's more detail than that, but you get the idea. I think each shop
has to craft such a policy in line with how they run their IT.

Dave

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Thank you Mark, Bob, and Robbie (by reference). This will help, I had
not seen it before. That's the approach we're taking, unless we get
overruled by someone higher up who was a developer - don't know what
they want to do yet but I suspect it can be done by using an existing
attribute. If it's really screwy I'll check back here.

Thanks again -

Rich

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Rich, I realize this is only an outline, and you may already know all
this, but this presentation may help you get some ideas on things to
specifically research

www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt

I guess one of the main things I took away from the presentation was
that I (that is, the operations team) own the schema, not the
development team. We require a well thought-out and documented request
before we add an attribute, and we have a small approval group that has
to sign off.

mc

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable, development wants (needs) to modify and/or extend
our AD schema. While I'm checking into what they need to do, does anyone
know some good references for do's and don'ts on this, besides the basic
stuff? It'll help if I can point to documentation if I find some
problems with what they need to do.

Thanks

Rich
  
  ---APPLEBEE'S INTERNATIONAL, INC. 
  CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be 
  contained in this message or any attachments. This information is strictly 
  confidential and may be subject to attorney-client privilege. This message is 
  intended only for the use of the named addressee. If you are not the intended 
  recipient of this message, unauthorized forwarding, printing, copying, 
  distribution, or using such information is strictly prohibited and may be 
  unlawful. If you have received this in error, you should kindly notify the 
  sender by reply e-mail and immediately destroy this message. Unauthorized 
  interception of this e-mail is a violation of federal criminal law. Applebee's 
  International, Inc. reserves the right to monitor and review the content of 
  all messages sent to and from this e-mail address. Messages sent to or from 
  this e-mail address may be stored on the Applebee's International, Inc. e-mail 
  system.

RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread Rich Milburn

Good points, thanks Dave

Rich

From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Rich, one other consideration - sometimes
it's *preferable* to define your own attribute rather than using an existing
one - depends on how good a match the data is to the existing attribute
you're considering. For example, if they want to add a user's title,
there's a perfectly good attribute for that already. If they want to
store something that's specific to your business - let's say "restaurant
code" or some such - there are likely no existing attributes that sound anything
like this that are not already in use (or that you're likely to use for their
intended purpose at some point). In a case like that, by all means extend
the schema - it makes more sense to all who come after you and need to
understand what you *really* meant by stuffing values in a seemingly unrelated
bucket.

I guess what I'm trying to say is that
extensions are not to be feared or discouraged IF they make sense - In my
opinion, I'd rather do the extension than forever be explaining that the values
in Attribute X *really* mean data Y. Ditto for using the 'extension
attributes'. Just my opinion.

As for the process, just make sure it's
clear who owns the decision, what the criteria are for making that decision,
and what documentation and testing are required. For example, we have a
schema czar (me) who makes the decision, but I have some specific criteria I
use to decide. I also require a written description of what the changes
are for, and require an LDIF file for the changes. I put them in a 'throwaway'
lab and require the developer to do their functional tests there and sign off
that it actually meets their needs. Only after that can it go into the
normal development forest, and then eventually to production. There's
more detail than that, but you get the idea. I think each shop has to
craft such a policy in line with how they run their IT.

Dave

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Thank you Mark, Bob, and Robbie (by
reference). This will help, I had not seen it before. That's
the approach we're taking, unless we get overruled by someone higher up
who was a developer - don't know what they want to do yet but I
suspect it can be done by using an existing attribute. If it's
really screwy I'll check back here.

Thanks again -

Rich

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Proposed schema changes research

Rich, I realize this is only an outline,
and you may already know all this, but this presentation may help you get some
ideas on things to specifically research

www.rallenhome.com/conferences/RAllen_Extending_the_Schema_Roundtable.ppt

I guess one of the main things I took away
from the presentation was that I (that is, the operations team) own the schema,
not the development team. We require a well thought-out and documented request
before we add an attribute, and we have a small approval group that has to sign
off.

mc

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable,
development wants (needs) to modify and/or extend our AD
schema. While I'm checking into what they need to do,
does anyone know some good references for do's and don'ts on this,
besides the basic stuff? It'll help if I can point to documentation
if I find some problems with what they need to do.

Thanks

Rich


RE: [ActiveDir] GPO and the Outlook Dumpster

2004-01-15 Thread Roger Seielstad
There is an option in ExMerge to specifically select items in the
Dumpster.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Following this thread, a related question (taking it even more OT)
comes up. Often in email discovery cases, we use ExMerge to suck the
dumpster off a server to look at what's there. Would DumpsterAlwaysOn
on the host that ExMerge is run from have an effect on what data is
recovered from the Dumpster?

Diane

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:57 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster
  
I get different results. Feeling inaccurate, I went and enabled
dumpsteralwayson on my computer. Shift+Delete the message. Check the
folder it was deleted from and voila (that's my extent of French) it
was in the deleted items recovery. Not too happy about that, I removed
the setting, and this time went to an IMAP client. DumpsterAlwaysOn was
not set at this point. I deleted and purged a message. Closed the IMAP
client, and opened Outlook (XP) after resetting the key to 1. Check
that folder with deleted items recovery and the message was there to be
recovered. Try Shift+Delete on another message, and then was able to
recover it.

Bottom line, Roger and Olly are right. The message doesn't go away
regardless of client or hard delete. It's marked for deletion and is
later purged. You have to go into the deleted item recovery and purge
the message to make it gone from all but a backup of the mailstore.

One note: I didn't need the registry setting to enable the use of
recovery on the deleted items folder. That was there by default. I
need the registry setting to see the form for other folders however.

Thanks for clearing that up :)

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

That is exactly how it operates in the field. UNLESS you have manually
enabled DumpsterAlwaysOn on a client, when a client SHIFT-DELETES a
piece of mail, that mail is GONE and NOT recoverable without going
through an interesting hoop. That hoop involves looking for the most
recent backup of the user's Mailbox Server's Information Store. This is
what my initial response to Oliver said Now, I'm done.

Sincerely,

Dj Akmlf, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Oliver Marshall
Sent: Thu 1/15/2004 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

Thanks for the interesting comments on this thread. I have had official word from several MS support peeps that would seem to resolve the issue. It would seem that SHIFT+DELETE marks a message as deleted immediately without it being moved to the deleted items first. As the message is only MARKED as deleted but not actually deleted it is simply not visible to the user but does still remain in the datastore. If items are sent to the deleted items they are simply moved to the deleted items. Emptying the deleted items marks all the items in that folder as deleted.

So SHIFT+DELETE doesn't permanently delete emails, just permanently hides them from the user. The DUMPSTERON reg trick simply makes the dumpster menu item visible on all folders rather than just the deleted items folder.

Hope that helps.

Olly 

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: 15 January 2004 07:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO and the Outlook Dumpster

I usually refrain from adding to a thread more than once, except to occasionally concur. I have always thought that, all things being equal, Shift-Delete is indeed a permanent delete, given the following circumstances:

- Assuming you DON'T have deleted item retention enabled - which is the default configuration
- You have not enabled DumpsterAlwaysOn - which is the default configuration
- You don't do brick-level backup, you don't have an offline Exchange server you test restore to, AND you are not willing to interrupt other users' access to do a live restore
 
I've been known to be wrong before, but I don't think this is one of those moments :-p
 
Sincerely,

Dj Akmlf, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


Re: [ActiveDir] Backups

2004-01-15 Thread Jake Connor
I don't have the installation disk because I downloaded the trial edition from the website which was not a CD image. It came with a UTILITY folder which has a file called Pqboot32.exe, PartInNT.exe, and a few others. Am I supposed to make those into boot disks?

Also, does the drive that contains the backup have to be on an IDE ribbon?

THANKS!

Jake


On Jan 15, 2004, at 10:52 AM, John Witasick wrote:

The installation disk is also the recovery disk - there is no need to configure a bootable CD.  Boot from the installation CD, and the program loads into WindowsPE.  From there, you can run the recovery console.
 
John
- Original Message -
From: Jake Connors
To: [EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 11:11 AM
Subject: Re: [ActiveDir] Backups

Cool I got only a single drive. Do you know how do I create the boot cd for this application?

Jake


On Jan 14, 2004, at 3:04 PM, John Witasick wrote:


Yes.  Hardware RAID (such as a Dell PERC card) needs to have the array configured, but other than that, you're good to go.  A single drive should need no configuration, other than maybe a format.
 
John
- Original Message -
From: Jake Connor
To: [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 5:09 PM
Subject: Re: [ActiveDir] Backups

On the site it mentions a complete bare metal server restoration. Does that mean it can restore your OS (and all the data of course) on to a completely blank hard drive with no partitions and software installed yet?

jake


On Jan 14, 2004, at 10:12 AM, John Witasick wrote:


Try PowerQuest's V2i Protector (recently acquired by Symantec), http://www.powerquest.com/v2i/protector/.  This software will allow you to blast down a real time image of your entire server to the firewire drive.  If the server crashes, replace the defective hardware, boot via PowerQuest's recovery CD, restore the latest image, and boot the server.

John
- Original Message -
From: Jake Connor
To: [EMAIL PROTECTED]
Sent: Wednesday, January 14, 2004 12:59 PM
Subject: Re: [ActiveDir] Backups

First of all, thank you for the information :-)

I would like to make a complete hard drive backup onto the firewire
drive (like a complete image) so that if the one on my system crashed
then I can just get the hard drive on the fire wire cable and put it
into the IDE ribbons.

I probably should have mentioned that what I am using is just a fire
wire cable that lets you connect any type of IDE drive to it.

So with pcinspector, would it be able to make a complete copy of the
hard drive (with all the partitions, bootup stuff, etc) to another hard
drive and have that hard drive be exactly the same as the hard drive in
the system so in the event of a crash I can just swap the hard drive,
start up the system, and everything is back to normal with all my
Active Directory users, etc?

Thanks once again in advance.

Jake



On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:

> using a FW drive, you may run into issues with available drivers to
> allow you to copy the data without first re-installing an OS on the
> box. There are some cool free-utilities (such as a disk-cloner) that
> you may want to look at - but I have no idea if they support drives
> connected via FW:
> http://www.pcinspector.de/file_recovery/uk/welcome.htm
>
> so in worst case, you'd have to restore the OS onto the new harddrive
> (default install - incl. the FW driver, if this is not in the default)
> and then restore your backup afterwards onto this new drive.
>
> Otherwise you may prefer using a backup on tape after all, for which
> you can get routines to completely restore a server from bare-metal
> fully automated.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jake Connor
> Sent: Mittwoch, 14. Januar 2004 00:04
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Backups
>
> I have a schedule backup that just copies everything on my hard drive
> to a drive on my firewire drive.
>
> If my active hard drive crashes, how do I restore it with the data on
> my firewire drive so I can just boot up the new hard drive and it will
> have all the active directory users and all that stuff?
>
> Thanks
>
> List info   :http://www.activedir.org/mail_list.htm
> List FAQ    :http://www.activedir.org/list_faq.htm
> List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Folder redir policy

2004-01-15 Thread Bruce Clingaman
According to JSI tip 4045, if I clear the Grant exclusive access rights...
then it should work. 
I was trying to avoid allowing the user to be able to change permissions
(thus blocking prying administrator eyes).

How can I change the owner via script on 5,000 folders?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Damon R.
Erickson
Sent: Thursday, January 15, 2004 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder redir policy


Greetings

If my desktop (or my documents or...) is being re-directed to a
different folder I need to be the owner of that folder.  If you log in
as a user and take ownership of the folder the redirection should
function next time that user logs in.  If you let the group policy
create the folders it should set the correct owner.

Thanks
Damon Erickson
Netgain Technology

-Original Message-
From: Bruce Clingaman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 15, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder redir policy

When I ran the RSoP, it gave this reason for it not being applied:

this security id may not be assigned as the owner of this object

What is this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bruce Clingaman
Sent: Wednesday, January 14, 2004 2:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Folder redir policy



I have a folder redirection policy in place but it doesn't get applied.
The path is valid, perms are set (folders are created in advance with a
script). The user can browse to their directory and save files.
The share is on a DFS volume; I wonder if this is the cause.

Any ideas?

Bruce Clingaman

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
attachment: winmail.dat
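
One way to script the ownership change asked about in this thread, as an added example that is not part of the original messages: it makes each pre-created folder owned by the user it belongs to, which is what the redirection check described above expects. The share path, the domain name, the report file and the rule that each folder is named after the user's logon name are assumptions.

```powershell
# Added example: make each redirected folder owned by the user it belongs to.
# Assumptions (not from the thread): every folder directly under $Root is
# named after the user's logon name, and $Domain is the NetBIOS domain name.
# Run elevated: assigning ownership to an account other than your own
# requires the "Restore files and directories" user right.
param(
    [string]$Root   = '\\example.local\dfs\users',  # hypothetical share path
    [string]$Domain = 'EXAMPLE',                    # hypothetical domain
    [string]$Report = '.\owner-report.csv',         # hypothetical report file
    [switch]$Apply                                  # without it: report only
)

function Resolve-FolderOwner {
    # Returns DOMAIN\name if the account exists, otherwise $null.
    param([string]$Domain, [string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    try {
        [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        return $account.Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

function New-Result {
    param($Folder, $Current, $Wanted, $Status)
    [pscustomobject]@{
        Folder       = $Folder
        CurrentOwner = $Current
        WantedOwner  = $Wanted
        Status       = $Status
    }
}

$results = @(foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $path    = $dir.FullName
    $current = (Get-Acl -LiteralPath $path).Owner
    $wanted  = Resolve-FolderOwner -Domain $Domain -Name $dir.Name

    if (-not $wanted) {
        # Folder name does not match any account: leave it alone and flag it.
        New-Result $path $current $null 'NoMatchingAccount'
        continue
    }
    if ($current -ieq $wanted) {
        New-Result $path $current $wanted 'AlreadyOwner'
        continue
    }
    if (-not $Apply) {
        New-Result $path $current $wanted 'WouldChange'
        continue
    }

    # Only the top-level folder is changed; files inside keep their owner.
    & icacls.exe $path /setowner $wanted /Q | Out-Null
    $status = if ($LASTEXITCODE -eq 0) { 'Changed' } else { "Failed($LASTEXITCODE)" }
    New-Result $path $current $wanted $status
})

# Keep a record of every folder touched, then print a per-status summary.
$results | Export-Csv -LiteralPath $Report -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once without `-Apply` and review the CSV for `NoMatchingAccount` rows before changing anything.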

RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
You do have to calculate an additional 15-20% of DIT-space on your 2000
DCs during the upgrade of a forest to 2003 (assuming the current 2000
DIT doesn't contain a load of whitespace). This is mainly due to the
fact that ADPREP adds various additional permissions on objects in AD,
and as 2000 doesn't support single instance store for the security
descriptors, the ACEs get stamped on every object in the namespace...
This increase in ACEs will result in a noticeably larger DIT size on
your existing 2000 DCs in the forest.

As Aric pointed out, the new 2003 DCs implemented at HP immediately
showed the benefit of the single instance ACE store, which further
improved quite a bit when - after upgrading/introducing sufficient 2003
DCs - our DNS was changed to leverage APP partitions (this way, no DNS
records required to be stamped with ACLs in the Domain Namespace and
they were also not replicated to the GC...). Removing the distributed
link tracking objects is a recommendation even for folks that keep
running 2000 = DLT creates a lot of garbage objects in AD, which is not
leveraged by any application (and is turned off by default in 2003).

So our DIT decrease from 12GB to 7GB is rather typical (MS had similar
values) - the sizing guideline in the deployment paper must assume that
you will be storing JPG files of your users in AD to identify them ;-)

/Guido

From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Donnerstag, 15. Januar 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 NTDS.DIT size


A number of things are different in the storage of data in the Windows
Server 2003 DIT. The most relevant is that the database now uses a
single instance store for security descriptors, therefore the
application of ACEs to directory objects often requires less directory
space. In HP's case, the single instance store and the deletion of
distributed link tracking objects freed a significant amount of
directory space. However the actual reduction in DIT size is not
actually realized until the DIT undergoes an offline defrag. Of course
the reduction is also seen on newly promoted DCs.

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, January 15, 2004 5:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size


I blame it on cold water. Oh, you don't mean that shrinkage.

From what I understand, it's due to improvements in the database format
and how data is stored within. I'm guessing that they've rearranged the
table structures to better fit the actual usage patterns.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe Baguley [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 NTDS.DIT size
DIT size decreases are certainly what I am seeing in the field, with an
80,000 user AD I deal with shrinking in a similar fashion to the
Compaq/HP one described below...

Surely some people on here will be able to explain the shrinkage

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: 15 January 2004 13:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 NTDS.DIT size
  
  
According to Tony Redmond's Exchange 2003 book, the HP/Compaq combined
DIT file was 12GB in AD on Win2k and dropped to 7GB under 2003. Not
sure how typical that is.

I'd think worst case you'd end up about the same place you are now.
IIRC, there aren't that many schema changes, so the structural size
shouldn't change that much.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Parker, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have 53,000 user AD environment. The current size of the NTDS.DIT is
just under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it
states:

"On the drive that will contain the Active Directory database,
NTDS.dit, provide 0.4 gigabytes (GB) of storage for each 1,000 users.
..."

Now, if this is true, that is saying when I upgrade to 2003, my
database will grow from 2GB to 21GB. This seems a little hard to
believe. We are going to be doing this in the lab shortly, but we are
planning additional hardware, and this seems a little "off".

Can anyone confirm this?


RE: [ActiveDir] Hiding Menus via a GPO

2004-01-15 Thread Katherine Coombs
Olly,

This might be of some help:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/office/office2003/reskit/ork03/html/MntA04.asp

Katherine

-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED] 
Sent: Friday, 16 January 2004 2:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Hiding Menus via a GPO

Does anyone know how I can use a GPO to hide a menu item? You might have
been listening to the Outlook thread going on on this list. I'm told
that it can be done, but I can't find any mention of it anywhere.

Ta

olly

--
This e-mail may be confidential. Any opinions expressed herein are the opinion of the 
writer unless there is an express indication to the contrary. If you are not the 
intended recipient of this communication please delete and destroy all copies and 
immediately reply by return e-mail. Ipex ITG disclaims all liability and 
responsibility for any direct or indirect loss arising from this e-mail and/or any 
attachments.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Backups

2004-01-15 Thread Sam Khoury




Guido,

There are motherboards out these days with a RAID 1 IDE controller on
the motherboard which you can use when you cannot get the money for a
proper server with a RAID controller. That way at least you get some
form of hardware mirroring. I have used SW mirroring in 2k server but
have never needed to boot off the other drive so far so I can say how
well it works. 

Personally, I'd keep my hands off anything that needs to be a server
and is not running server based hardware. If budget is a problem, RAID
1 IDE on the motherboard I think would be an option worth looking into.


Sam K


Yusuf Mayet wrote:

Guido,

In my experience using software raid has many limitations as opposed to
the use of hardware raid.

For instance hot standby of faulty disks this can't be done without
losing the production system for that configuration change.
Possibly you could get away at small companies as their reliance on the
production system is not high.

Yusuf

-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
[mailto:[EMAIL PROTECTED]] 
Sent: 14 January, 2004 23:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Backups

I wondered that in this whole discussion about how to protect yourself
from a harddrive-failure the cheapest way - why don't you just use the
built-in SW-Raid features of your Windows Server?  Naturally, I'm not
really a big fan of this SW-Raid and have truly never used them myself
(now why would that be?), but with such a low budget you can't really
be too choosy...

This would give you all the benefits of an automated failover,
obviously at the cost of some CPU of the server - which could well be
unnoticeable for you.  It's at least something to look into.

However, I'd be interested to hear, if others have already used the
Windows SW-Raid features and how their experience is with these...??
Is it ok for the really small companies with NO budget (but a second
disk), or would you keep your fingers off?

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jake Connor
Sent: Mittwoch, 14. Januar 2004 20:23
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Backups

No they are too cheap to buy a few hard drives and a raid card :-\

I'll look into Ghost and pcInspector. Do you know if Drive Image by 
Symantec will work on Win2k server or just workstations?



On Jan 14, 2004, at 11:09 AM, Mark Nold wrote:

  
  
They would spring for Ghost or pcInspector or the like, but not 80 bucks
for a 120G IDE drive that you could slap in there to mirror?

Do you have any "dead" pc's lying around that you can grab the IDE drive
from?  Not the best I know, but seems like it would be better than
re-imaging your drive after every change you made in AD to keep your
"backup" fresh.

My 2cents anyway

  
  
  
  
-Original Message-
From: Jake Connor [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 14, 2004 11:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Backups

Because it's a small company and I have recommended it a hundred times
but in a nutshell, they are too cheap even though we have experienced a
server crash which took about almost a week to restore everything
(which costs more for paying me) and they don't realize a RAID will
solve about almost everything and cheaper.


On Jan 14, 2004, at 10:25 AM, Coleman, Hunter wrote:



If you're concerned about the hard drive failing, why not just set up a
RAID1 (mirror) configuration? Cost would be low, and you won't have to worry
about creating disk images and swapping hard drives around.

Hunter

-Original Message-
From: Jake Connor [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 14, 2004 11:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Backups

First of all, thank you for the information :-)

I would like to make a complete hard drive backup onto the firewire drive
(like a complete image) so that if the one on my system crashed then I can
just get the hard drive on the fire wire cable and put it into the IDE
ribbons.

I probably should have mentioned that what I am using is just a fire wire
cable that lets you connect any type of IDE drive to it.

So with pcinspector, would it be able to make a complete copy of the hard
drive (with all the partitions, bootup stuff, etc) to another hard drive and
have that hard drive be exactly the same as the hard drive in the system so
in the event of a crash I can just swap the hard drive, start up the system,
and everything is back to normal with all my Active Directory users, etc?

Thanks once again in advance.

Jake



On Jan 14, 2004, at 4:25 AM, GRILLENMEIER,GUIDO (HP-Germany,ex1) wrote:


  
using a FW drive, you may run into issues with available drivers to
allow you 

RE: [ActiveDir] 2003 NTDS.DIT size

2004-01-15 Thread joe



You probably should actually see a decrease in size simply from the new ACL
storage alone.

It is easy enough to prove out in the lab though. The doc doesn't know what
kind of data you specifically are storing, it is making some assumptions that
may not be valid for you.


 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parker, Edward
Sent: Thursday, January 15, 2004 8:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2003 NTDS.DIT size

All,

We have a 53,000 user AD environment. The current size of the NTDS.DIT is just
under 2GB.

I am reading Chapter 9 of the 2003 planning document and on page 368 it states:

"On the drive that will contain the Active Directory database, NTDS.dit, provide
0.4 gigabytes (GB) of storage for each 1,000 users. ..."

Now, if this is true, that is saying when I upgrade to 2003, my database will
grow from 2GB to 21GB. This seems a little hard to believe. We are going to be
doing this in the lab shortly, but we are planning additional hardware, and
this seems a little "off".

Can anyone confirm this?


RE: [ActiveDir] AD in .NET Visual Basic

2004-01-15 Thread joe



I think his filter was supposed to be

(objectcategory=person)(objectclass=user)

and he typoed objectclass with objectcategory. 


Something that should be faster (assuming objectclass not indexed) but I
haven't proven out is

(objectcategory=person)(samaccountname=*)


 
joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 15, 2004 9:19 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Yep. Didn't mean to indicate otherwise Carlos, just that his bind was to a
container/OU and not really looking for the objects contained; Thanks for the
pointers. Great newsgroup for this subject too :)

As a side note, I'm curious about the filter string you used. Why use
objectCategory=User AND objectCategory=Person in the same filter. Wouldn't
one or the other do for your search or am I missing something?

  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 4:05 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD in .NET Visual Basic

  Marc,

  I would also STRONGLY recommend you don't do this, the amount of overhead
  you have on your server for one and the time taken to return the results
  will really make life a nightmare.

  You have been provided with the link to the paging example, this is the
  best practice to use. It is not uncommon that ppl change the paging size. I
  just have been bitten way too many times. It can even be used as a DOS
  attack :P

  Al, the code does not actually create a bind to the directory until
  findall() or Findone() is called. During the process of

  Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE")
  Dim mySearcher As New System.DirectoryServices.DirectorySearcher(entry)

  mysearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"
  Dim results As SearchResultCollection
  Dim result As SearchResult
  results = mysearcher.FindAll

  You are merely setting properties on the directoryentry and
  directorySearcher object. ldap_bind_s (_s is because it's a secure
  connection) the LDAP API bind call only really happens at
  "results = mysearcher.FindAll" (through the ADSI COM object).
  This is supposedly done to prevent premature or unnecessary (i.e. if an
  error occurs) binding to the directory.

  I hope that is understandable and explains the situation to you
  correctly...

  LDAP (Active Directory , iPlanet, NDS?) programming?
  Http://groups.yahoo.com/group/adsianddirectoryservices
  Carlos Magalhaes.
  
  From: joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, January 15, 2004 5:59 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD in .NET Visual Basic

  NO do not do this. Incorrect answer.

  The proper way to handle this is to specify a page size in the calls to
  active directory, something less than 1000 and then retrieve the data in
  multiple pages.

  I would hate to see someone slowly increasing the page size on their server
  as the number of objects gets higher and higher. Heck I would have to set
  the page size to 100,000 on one of my domains to return all the users and I
  would hate to see how long that query would run and how dead the DC would
  be trying to buffer that query's return set.

  joe
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay Perrine
  Sent: Wednesday, January 14, 2004 4:33 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD in .NET Visual Basic

  Per RFC the LDAP query limit is 1000 items. You can change that limit to
  reflect the additional number of items that you want to return.

  This is done with the ntdsutil utility. Use the LDAP policies. Change the
  MaxPageSize value.

  Clay Perrine, MCSE
  Microsoft Directory Services Support Team
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
  Sent: Wednesday, January 14, 2004 2:57 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD in .NET Visual Basic

  Thanks Carlos,

  It works, But it only gives me the first 1000 users. Any Idea how I can see
  more than that? I've got about 2000 Users.

  Marc
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
  Sent: woensdag 14 januari 2004 21:19
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD in .NET Visual Basic

  Hello Marc,

  Welcome to the world of System.DirectoryServices. Could you please post the
  extended error to the list?

  Just a few things,
  1. You should specify a search filter for your query, this will limit the
  amount of time it takes for your query return results. An example to specify
  the search query = 
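
The paged search recommended in this thread (a client-side page size below 1000 instead of raising MaxPageSize with ntdsutil), as an added example that is not code from any of the posters. The search root is a placeholder, the page size of 500 is an assumed value, and the code needs a reachable domain controller to run.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices

Module PagedUserSearch

    ' Placeholder search root (an assumption for this example): point it at
    ' the OU or domain you want to enumerate.
    Private Const SearchRoot As String = "LDAP://OU=ExampleUsers,DC=example,DC=com"

    ' Assumed value. Staying below the server-side MaxPageSize (1000 by
    ' default) lets the DC return results in pages with its policy untouched.
    Private Const ClientPageSize As Integer = 500

    Function GetUserLogonNames(ByVal rootPath As String) As List(Of String)
        Dim names As New List(Of String)

        ' Creating these objects only sets properties; nothing is sent yet.
        Using entry As New DirectoryEntry(rootPath)
            Using searcher As New DirectorySearcher(entry)
                searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
                searcher.SearchScope = SearchScope.Subtree
                ' Ask only for the attribute we read, to keep each page small.
                searcher.PropertiesToLoad.Add("sAMAccountName")
                ' A non-zero PageSize turns on the LDAP paged-results control.
                searcher.PageSize = ClientPageSize

                ' FindAll() is the first call that contacts the directory.
                ' The collection holds unmanaged resources, so dispose it.
                Using results As SearchResultCollection = searcher.FindAll()
                    ' Enumerating pulls further pages from the DC as needed.
                    For Each result As SearchResult In results
                        If result.Properties.Contains("sAMAccountName") Then
                            names.Add(CStr(result.Properties("sAMAccountName")(0)))
                        End If
                    Next
                End Using
            End Using
        End Using

        Return names
    End Function

    Sub Main()
        Try
            Dim names As List(Of String) = GetUserLogonNames(SearchRoot)
            Console.WriteLine("Users returned: {0}", names.Count)
        Catch ex As DirectoryServicesCOMException
            ' ExtendedErrorMessage carries the server's detailed LDAP error.
            Console.Error.WriteLine("Directory error {0}: {1}",
                                    ex.ExtendedError, ex.ExtendedErrorMessage)
        End Try
    End Sub

End Module
```

With PageSize left at 0 the same search stops at the server's limit, which is the 1000-user cutoff reported in the thread.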

RE: [ActiveDir] Proposed schema changes research

2004-01-15 Thread joe



Inside Active Directory has one of the best sections on the Schema I have
seen. IAD 2/E is even better which should get you drooling... Not sure when
that is coming out though, the chapter updates seem to be going really slow.
Probably because Rick is so slow at reviewing this stuff... :op

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 15, 2004 12:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proposed schema changes research

As was inevitable, development wants (needs) to modify and/or extend our AD
schema. While I'm checking into what they need to do, does anyone know some
good references for do's and don'ts on this, besides the basic stuff? It'll
help if I can point to documentation if I find some problems with what they
need to do.

Thanks

Rich



[ActiveDir] Authoritative Restore - What am I missing?

2004-01-15 Thread David Adner
I'm practicing authoritative restores with my test AD (which has 2 
DC's).  We've been fortunate in never having to do one in production, but I 
figured I should become familiar with the process before I really need it.

My test is pretty simple.  I used NTBackup to backup the system state (but 
nothing on the file system since AD is in the system state; that's right, 
right?), deleted an OU, performed a restore of the system state, then used 
ntdsutil to perform an authoritative restore.  But no joy.

Here are the steps I followed:

1.  Backed up system state on DC1
2.  Deleted OU1
3.  Rebooted into DS Restore Mode and performed a restore of the system 
state on DC1
4.  Without rebooting, I ran ntdsutil - authoritative restore - restore 
database
5.  It goes through, updating the USN's, and says it completed successfully.
6.  I reboot into normal mode, check AD, but OU1 isn't there.

So, I tried the same thing on another OU, but I rebooted after the restore 
to see if that would help.  I rebooted back into DS Restore Mode, not 
normal mode.  Process says it completed, but still no OU1 when I'm back in 
normal mode.

I tried it a 3rd time by using the 'restore subtree
ou=ou1,dc=domain,dc=com' option instead of the full database restore.  It
said it found 3 objects (which was correct) and updated their USN's, but 
they're still not there when I boot back into normal mode.

The restore of the system state shows no errors and when I look at the 
ntds.dit file it's a different size, so it appears to be restoring ok.  And 
the ntdsutil command says it's successful.  Is there something I'm missing?

The two DC's are SP4, btw.

TIA



[ActiveDir] re: Authoritative Restore - What am I missing?

2004-01-15 Thread David Adner
Ahh... Just as I send the message, one of the OU's decides to show up.  :/

Still, only one of the OU's returned.  This is the one I used the restore 
subtree ou=ou1,dc=domain,dc=com command.  The first OU I deleted and 
tried restoring via the restore database command is still MIA.



RE: [ActiveDir] AD in .NET Visual Basic

2004-01-15 Thread joseph . e . kaplan

Has anyone noticed that you can do
(objectCategory=user) or (objectCategory=contact) instead of
(&(objectCategory=person)(objectClass=user))?

I'm not sure I understand why this works, but it does. The other thing I have
noticed is that the first two queries will be much much faster than the query
that contains objectClass.

It sort of begs the question as to why you would ever use objectClass in your
query. I also don't understand how it works. But then again, objectCategory
is a DN attribute, so I'm not quite sure what magic takes place under the
hood that makes any of these objectCategory queries work.

Anyone know?

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 15, 2004 7:55 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

I think his filter was supposed to be

(objectcategory=person)(objectclass=user)

and he typoed objectclass with objectcategory.

Something that should be faster (assuming objectclass not indexed) but I
haven't proven out is

(objectcategory=person)(samaccountname=*)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 15, 2004 9:19 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Yep. Didn't mean to indicate otherwise Carlos, just that his bind was to a
container/OU and not really looking for the objects contained; Thanks for the
pointers. Great newsgroup for this subject too :)

As a side note, I'm curious about the filter string you used. Why use
objectCategory=User AND objectCategory=Person in the same filter. Wouldn't
one or the other do for your search or am I missing something?

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 4:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Marc,

I would also STRONGLY recommend you don't do this, the amount of overhead
you have on your server for one and the time taken to return the results
will really make life a nightmare.

You have been provided with the link to the paging example, this is the
best practice to use. It is not uncommon that ppl change the paging size. I
just have been bitten way too many times. It can even be used as a DOS
attack :P

Al, the code does not actually create a bind to the directory until
findall() or Findone() is called. During the process of

Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE")
Dim mySearcher As New System.DirectoryServices.DirectorySearcher(entry)

mysearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"
Dim results As SearchResultCollection
Dim result As SearchResult
results = mysearcher.FindAll

You are merely setting properties on the directoryentry and
directorySearcher object. ldap_bind_s (_s is because it's a secure
connection) the LDAP API bind call only really happens at
"results = mysearcher.FindAll" (through the ADSI COM object).
This is supposedly done to prevent premature or unnecessary (i.e. if an
error occurs) binding to the directory.

I hope that is understandable and explains the situation to you
correctly...

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

NO do not do this. Incorrect answer.

The proper way to handle this is to specify a page size in the calls to
active directory, something less than 1000 and then retrieve the data in
multiple pages.

I would hate to see someone slowly increasing the page size on their server
as the number of objects gets higher and higher. Heck I would have to set
the page size to 100,000 on one of my domains to return all the users and I
would hate to see how long that query would run and how dead the DC would
be trying to buffer that query's return set.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay Perrine
Sent: Wednesday, January 14, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Per RFC the LDAP query limit is 1000 items. You can change that limit to
reflect the additional number of items that you want to return.

This is done with the ntdsutil utility. Use the LDAP policies. Change the
MaxPageSize value.

Clay Perrine, MCSE
Microsoft Directory Services Support Team

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Wednesday, January 14, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Thanks Carlos,

It works, But it only gives me the first 1000 users. Any Idea 

RE: [ActiveDir] AD in .NET Visual Basic

2004-01-15 Thread Carlos Magalhaes

Yip, DAM gremlins they held a gun to my head I had to type it wrong :P

Well spotted guys!

Carlos

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, January 16, 2004 3:55 AM
To: [EMAIL PROTECTED]
Cc: Carlos Magalhaes
Subject: RE: [ActiveDir] AD in .NET Visual Basic

I think his filter was supposed to be

(objectcategory=person)(objectclass=user)

and he typoed objectclass with objectcategory.

Something that should be faster (assuming objectclass not indexed) but I
haven't proven out is

(objectcategory=person)(samaccountname=*)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, January 15, 2004 9:19 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Yep. Didn't mean to indicate otherwise Carlos, just that his bind was to a
container/OU and not really looking for the objects contained; Thanks for the
pointers. Great newsgroup for this subject too :)

As a side note, I'm curious about the filter string you used. Why use
objectCategory=User AND objectCategory=Person in the same filter. Wouldn't
one or the other do for your search or am I missing something?

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 4:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Marc,

I would also STRONGLY recommend you don't do this, the amount of overhead
you have on your server for one and the time taken to return the results
will really make life a nightmare.

You have been provided with the link to the paging example, this is the
best practice to use. It is not uncommon that ppl change the paging size. I
just have been bitten way too many times. It can even be used as a DOS
attack :P

Al, the code does not actually create a bind to the directory until
findall() or Findone() is called. During the process of

Dim entry As New DirectoryServices.DirectoryEntry("LDAP://ou=tele_domusers,DC=PROD,DC=TELENET,DC=BE")
Dim mySearcher As New System.DirectoryServices.DirectorySearcher(entry)

mysearcher.Filter = "(&(objectCategory=user)(objectCategory=person))"
Dim results As SearchResultCollection
Dim result As SearchResult
results = mysearcher.FindAll

You are merely setting properties on the directoryentry and
directorySearcher object. ldap_bind_s (_s is because it's a secure
connection) the LDAP API bind call only really happens at
"results = mysearcher.FindAll" (through the ADSI COM object).
This is supposedly done to prevent premature or unnecessary (i.e. if an
error occurs) binding to the directory.

I hope that is understandable and explains the situation to you
correctly...

LDAP (Active Directory , iPlanet, NDS?) programming?
Http://groups.yahoo.com/group/adsianddirectoryservices

Carlos Magalhaes.

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 5:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

NO do not do this. Incorrect answer.

The proper way to handle this is to specify a page size in the calls to
active directory, something less than 1000 and then retrieve the data in
multiple pages.

I would hate to see someone slowly increasing the page size on their server
as the number of objects gets higher and higher. Heck I would have to set
the page size to 100,000 on one of my domains to return all the users and I
would hate to see how long that query would run and how dead the DC would
be trying to buffer that query's return set.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay Perrine
Sent: Wednesday, January 14, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Per RFC the LDAP query limit is 1000 items. You can change that limit to
reflect the additional number of items that you want to return.

This is done with the ntdsutil utility. Use the LDAP policies. Change the
MaxPageSize value.

Clay Perrine, MCSE
Microsoft Directory Services Support Team

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Schepper Marc
Sent: Wednesday, January 14, 2004 2:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Thanks Carlos,

It works, But it only gives me the first 1000 users. Any Idea how I can see
more than that? I've got about 2000 Users.

Marc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: woensdag 14 januari 2004 21:19
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD in .NET Visual Basic

Hello Marc,

Welcome to the world of System.DirectoryServices. Could you please post the
extended error to the list?

Just a few things,
1. You should specify a search filter for your query, this will limit the
amount of time it takes for your query return results. An example to specify
the search