RE: [ActiveDir] DFS

2004-05-11 Thread Jennifer Fountain
I was only thinking about replication between two servers and the data
would be small. Maybe 20 mb here and there - as files are updated. 


Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA  18915 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bruce Clingaman
 Sent: Tuesday, May 11, 2004 4:12 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 
 1 TB is too much for DFS to replicate between two servers, 
 not to mention four. The replication (FRS) in DFS is flawed. 
 Have you looked into shadow copy or a utility like Robocopy? 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jennifer Fountain
 Sent: Tuesday, May 11, 2004 1:45 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 The main objective is to remove the single point of failure I
 have now - one big file server.  If this goes down, we are 
 SOL.  From what I read/tested, DFS will allow you to point a 
 single folder to shares on different physical locations.  
 (basically, the user sees one server but in reality I have four)
 
 Replication is also something I could take advantage of; 
 However, can you schedule replication in DFS?
 
 Kind Regards,
 
 Jennifer Fountain
 RB Inc
 3400 E Walnut Street
 Colmar, PA  18915 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
  Sent: Tuesday, May 11, 2004 1:59 PM
  To: Salandra, Justin A.; [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS
  
  Justin,
  
  I don't think this is correct.  With DFS, I can set up different
  subfolders to point to different physical locations.  These physical
  locations can be set up as redundant pairs, but this is not required.
  
  Denny
  
  -Original Message-
  From: Salandra, Justin A. [EMAIL PROTECTED]
  Sent: 5/11/04 1:41:37 PM
  To: [EMAIL PROTECTED] [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS
  
  Having a DFS structure would mean that you would have 4 servers 
  each with 1 TB of information on them because everything gets 
  replicated to all locations in the DFS.  DFS will NOT put 250 GB on 
  one server, 250 GB on another server and so on.
  
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 10:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS
  Sensitivity: Private
  
   
  
   
  
  You can install a DFS root on a DC or member server.
  
   
  
  It should work fine, in terms of splitting down a server and
  distributing the data over a number of other servers. I'm assuming you
  only want to use DFS to make a central share access hierarchy?
  
   
  
  I would not use the replication side of it though as it's 
  inherently flawed... well it was on 2000 and have read it hasn't 
  changed that significantly on 2k3. If you do want to use the 
  replication then I would only use it for read only data, i.e.
  Application distribution points.
  
   
  
  BR,
  
   
  
  Rob
  
   
  
  -Original Message-
  From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
  Sent: 11 May 2004 14:47
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DFS
  Sensitivity: Private
  
  Does anyone here use DFS?  If so, do you use it for load
  balancing?  Did you install it on a DC? Its own server?
  We are looking into breaking our one huge file server (1 tb of space)
  into 4 smaller servers (more manageable) and wanted to look into DFS.
  We do have NT/95 clients but that should not stop me because I can
  install the AD client on them.
  
  Thanks for any info! 
  
   
  
  Kind Regards,
  
  Jennifer Fountain 
  RB Inc 
  3400 E Walnut Street 
  Colmar, PA  18915
  
  
  The information transmitted is intended only for the person or entity
  to which it is addressed and may contain confidential and/or
  privileged material. Any use (including retransmission or copying)
  of this information by persons or entities other than the intended
  recipient is prohibited. If you are not the intended recipient of this
  transmission, please contact the sender and delete the material
  from any computer. The sender is not responsible for the
  completeness or accuracy of this communication as it has been
  transmitted over a public network. Any replies to this email may be
  monitored by the MCPS-PRS Alliance for quality control and other
  purposes.
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: 

RE: [ActiveDir] Replacing Shared Storage on a two node cluster

2004-05-11 Thread Nathan Danso
I have added additional drives and proceeded to move the data using clusterrecovery
tool. I have been successful in moving all my data except the quorum disk to the new
drive. Attempt to move the data generates an error "Failed to switch resource". Any
ideas?
thanks

Nathan

TradeWeb LLC
Harborside Financial Center
2200 Plaza five
Jersey City, NJ 07311-4993
Tel: (201) 536-5846
Fax: (201) 915-3161
[EMAIL PROTECTED]



-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replacing Shared Storage on a two node cluster


Essentially, your concern is about disk signatures.
http://support.microsoft.com/default.aspx?scid=kb;en-us;305793 should help
explain about that some.

What I'm curious about is why you don't just add disk and move the data over
to it?  Expand vs. replace?

Al 

-Original Message-
From: Nathan Danso [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 05, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replacing Shared Storage on a two node cluster

Greetings to all,
As always, many thanks for your quick responses to problems and questions
posted on this forum. I am currently running an Active/Passive Cluster
service on 2 Dell PowerEdge 2650 connected to another Dell 220s PowerVault
subsystem. I have 3 X 18G (RAID 5) drives in my subsystem
configured as 3 separate virtual logical array disks.
I am about to embark on a mission to move the data from the virtual
disk to its own disk by adding additional drives and configuring them as
RAID 5 for my data and RAID 1 for my log files. Knowing how sensitive
cluster service is to disk changes, I would like to approach this task very
carefully without destroying my cluster installation and having to rebuild
the whole cluster. I was hoping someone may have already gone through this
process and will kindly enlighten me to any obstacles that I should be
aware of. My numerous searches have produced different confusing
approaches. Any help will be greatly appreciated. Thanks in advance.

Nathan




This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. TradeWeb reserves the right to monitor all
e-mail communications through its networks.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Desktop security solutions

2004-05-11 Thread Rimmerman, Russ



What's
everyone's opinion of desktop security software solutions like Cisco's ACS,
which every time some application tries to change the registry or a file or
something and it's not part of your pre-configured security template, it pops up
an alert asking you if it's OK? Mgmt is asking for this and I personally
think it will be too much of a bear to make servers with their applications play
well with it (or user desktops).

~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~

RE: [ActiveDir] Desktop security solutions

2004-05-11 Thread Michael B. Smith

We've deployed CSA (Cisco Secure ACS)
on several of our Internet-facing servers and for a few clients. It works
surprisingly well.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 11, 2004 7:58 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Desktop security solutions







What's everyone's opinion of desktop
security software solutions like Cisco's ACS, which every time some application
tries to change the registry or a file or something and it's not part of your
pre-configured security template, it pops up an alert asking you if it's
OK? Mgmt is asking for this and I personally think it will be too much of
a bear to make servers with their applications play well with it (or user
desktops).

RE: [ActiveDir] Desktop security solutions

2004-05-11 Thread Caple, Andrew
With applications like this (also CheckPoint VPN) we've created a batch file that we
run on the local computer which changes the permissions in the registry and in program
files to allow the user to have read/write to that specific folder.

As you said below, because it's an ad hoc type request it's a pain to have to go around to
the specific computers and run the file - but it's better than the alternative.

Regards, Andrew


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, May 12, 2004 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Desktop security solutions

What's 
everyone's opinion of desktop security software solutions like Cisco's ACS, 
which every time some application tries to change the registry or a file or 
something and it's not part of your pre-configured security template, it pops up 
an alert asking you if it's OK? Mgmt is asking for this and I personally 
think it will be too much of a bear to make servers with their applications play 
well with it (or user desktops).

  
  


[ActiveDir] Senior Microsoft Solution Architect

2004-05-11 Thread Joshua Lopez
Hello members of ActiveDir,

I'd like to inform you all of an opportunity for a Senior Microsoft Solution
Architect.  Below you'll find the details of the position as well as my
contact information.

 

 Immediate Opening for a Senior Microsoft Solution Architect 

Our client is a Fortune 10 company, and provides customers the ability to
out-task or completely out-source IT infrastructure programs and projects.
Sales and Service delivery capabilities in major North American markets
across the United States and Canada are augmented through strategic partners
to provide global coverage. 

Seeking a Senior Level Solutions Architect with detailed experience with
Windows, Exchange and Active Directory.  Willing to travel in the New York
City area.

Job Description:

The Solution Architect's role is to ensure that solutions delivered are
technically sound and conform to leading-edge standards in the IT industry.
He plays a leadership role in supporting the company's partners and clients,
acting as a lead technical representative towards customers, gathering
information and proposing solutions.  The Solution Architect is a leader who
has the judgment, determination, people and technical skills to ensure
smooth and successful implementation and completion of all consulting
assignments.  

The successful candidate will play a key role in both the pre-sales process
and implementation of Microsoft solutions.

Requirements:

Detailed  knowledge of Microsoft Windows, Exchange and Active Directory
Experience in large-scale IT projects
Strong analytical, technical and communication skills
Must have broad business and technical expertise
7+ Years experience
Willing to Travel in North America

Qualified candidates should send their resume to [EMAIL PROTECTED] or call
650-627-9919.

---



Josh Lopez
Kain Management Group, LLC
1650 Borel Place, Suite 125
San Mateo, CA 94402
[EMAIL PROTECTED]
(650) 627-9919
www.kainmg.com



RE: [ActiveDir] Desktop security solutions

2004-05-11 Thread Rimmerman, Russ



But 
would you recommend it on an all server and all desktop deployment 
solution? Or just internet facing servers and a few select clients? 
And why?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Tuesday, May 11, 2004 7:07 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Desktop security solutions
  
  We've deployed CSA 
  (Cisco Secure ACS) on several of our Internet-facing servers and for a few 
  clients. It works surprisingly well.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
  Sent: Tuesday, May 11, 2004 7:58 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Desktop security solutions
  
  
  What's everyone's 
  opinion of desktop security software solutions like Cisco's ACS, which every 
  time some application tries to change the registry or a file or something and 
  it's not part of your pre-configured security template, it pops up an alert 
  asking you if it's OK? Mgmt is asking for this and I personally think it 
  will be too much of a bear to make servers with their applications play well 
  with it (or user desktops).
  



[ActiveDir] Reccomendations Please

2004-05-11 Thread John Harvey






Hello All


This may be off topic so please forgive me if it is but I thought I might get some useful suggestions from the other list members.

Due to a serious shortfall in staffing and increasing complexity and growth my challenge is to find something we can use in a Windows 2000 AD domain to do some remote monitoring of servers for the basics like disk space, memory and the like (basic system checks and monitoring, nothing too deep just the facts and that's it really) and if it did event traps it would also be useful but not necessary, we are dealing with 140 sites and some 300 servers but would be looking at something that handled a core of 50 servers to start. We really do not know where to start and being completely honest we just don't have the time and staff to dig into this, patch management is eating us alive as it is so ANY suggestions anyone can give us or recommendations would be great.

Oh and if anyone knows anything which is freeware or low cost that would be even better, as usual the need is now and the budget is nil as usual. So suggestions please all would be much appreciated.

Thanks in Advance all.



John Harvey

Network Administrator

Brisbane Catholic Education

Phone +61 7 3840 0588

Mobile +61 0418 189 689

email: [EMAIL PROTECTED]




**
This e-mail (including all attachments) is intended solely for the
named addressee/s and may contain confidential information. If you
have received this e-mail in error please inform the sender and delete
it from your computer system and destroy any copies.

This e-mail is subject to copyright. Any unauthorised disclosure,
modification or distribution is expressly prohibited.

Unless explicitly attributed, the opinions expressed in this e-mail do
not necessarily represent the official position or opinions of
Brisbane Catholic Education.

Brisbane Catholic Education gives no warranties that this e-mail is
free from computer viruses or other defects. Except for
responsibilities implied by law that cannot be excluded, Brisbane
Catholic Education, its employees and agents will not be responsible
for any loss, damage or consequence arising from this e-mail.


RE: [ActiveDir] Reccomendations Please

2004-05-11 Thread Caple, Andrew
John,

Good afternoon, a colleague of mine has used the following software before:
http://www.bb4.com and highly recommends it. Apparently it takes a little bit
to set it up but is very stable and works very well.

Personally I haven't had a look at it yet, but I've seen it work in a
production environment and it seems to work quite well. I hope this is what you
were after.

Regards, Andrew





Andrew Caple
Infrastructure Engineer
Phone: +61 3 9861 5425
Facsimile: +61 3 9861 5510
[EMAIL PROTECTED]
105 Camberwell Road, Hawthorn East, Vic 3123


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Harvey
Sent: Wednesday, May 12, 2004 3:07 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Reccomendations Please

Hello All

This may be off topic so please forgive me if it is
but I thought I might get some useful suggestions from the other list
members.

Due to a serious shortfall in staffing and
increasing complexity and growth my challenge is to find something we can use
in a Windows 2000 AD domain to do some remote monitoring of servers for the
basics like disk space, memory and the like (basic system checks and monitoring,
nothing too deep just the facts and that's it really) and if it did event traps
it would also be useful but not necessary, we are dealing with 140 sites and
some 300 servers but would be looking at something that handled a core of 50
servers to start. We really do not know where to start and being
completely honest we just don't have the time and staff to dig into this, patch
management is eating us alive as it is so ANY suggestions anyone can give us or
recommendations would be great.

Oh and if anyone knows anything which is freeware or
low cost that would be even better, as usual the need is now and the budget is
nil as usual. So suggestions please all would be much
appreciated.

Thanks in Advance all.

John Harvey
Network Administrator
Brisbane Catholic Education
Phone +61 7 3840 0588
Mobile +61 0418 189 689
email: [EMAIL PROTECTED]


  
  



RE: [ActiveDir] DNS settings

2004-05-11 Thread Rick Reynolds
I have always pushed lmhosts and hosts files to the machines...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings 



Nope that's what gets me, and its happening to ALL the laptops, (they are
the only machines using third party dialers)

 

AGRRR - there must be an answer :P

 

CM

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings 

 

Is there any hard coding of DNS settings on the laptop's network connection
properties? This will override any server-assigned DNS settings...

 

 

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings 

Hey Al,

 

Yeah all the settings are suppose to be set via the ISP , most ISP's run
DHCP so yes the settings should be set. The weird thing is that only the DNS
settings are being forced to our network, the user gets a valid third party
IP address and default gateway, just not a DNS setting, that's what made me
think it might be something on our network.

 

We don't run WINS, just DNS.

 

Thank you and Keep well!

 

CM

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 10, 2004 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings 

 

Trying to remember exactly, but wouldn't they get their DNS settings from
the ISP upon connection either through their software locally or from their
RRAS server?

 

Al

 




From: Carlos Magalhaes [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS settings 

Hey all,

 

I have a weird issue; all our laptop users have their own third party dial
up's (RRAS and RAS) for their convenience. When the users dial up to their
third party ISP's (all users) they obtain an IP address from the ISP but
their DNS settings are being forced to the networks internal DNS servers,
remembering that this is a PPP connection.  This causes havoc on their dial
ups. I have had a look at the DNS settings the GPO and even the DHCP server.
I don't see anything that would force a PPP connection to use the internal
DNS servers. The settings are not hard coded into the PPP connections IP
settings.

 

Anyone have an idea of what this is or maybe I over looked something.


Thanks!

 

Carlos 


RE: [ActiveDir] DNS settings

2004-05-11 Thread Rutherford, Robert
It's either got to be WINS or Hosts files while using the standard W2K VPN
dial-up. I don't think WINS is a bad solution to be honest unless you want to
dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for
overlay of your DNS setting post connection. I mentioned IPass earlier and they
can do a similar thing with their client, i.e. push on your internal DNS server
post connection to an IPass ISP.



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
  Sent: 11 May 2004 08:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  I have always pushed lmhosts and hosts files to the machines...
  
  


RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes
We haven't and still don't use
WINS, this network only uses DNS.



The problem I am having is that the user
logged onto our network can work fine DNS is working etc. The user dialed up to
their own ISPs are being forced to our internal DNS servers, they still
get a valid IP addy from the ISP they just are forced to use ours

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings







It's either got to be WINS or Hosts files
while using the standard W2K VPN dial-up. I don't think WINS is a bad solution
to be honest unless you want to dig into your pocket.

If you use a 3rd party, i.e.
Checkpoint, then their technology allows for overlay of your DNS setting post
connection. I mentioned IPass earlier and they can do a similar thing with
their client, i.e. push on your internal DNS server post connection to an IPass
ISP.

























RE: [ActiveDir] DNS settings

2004-05-11 Thread Rutherford, Robert

Sorry I think I have lost track here somewhere... I probably didn't read
your problem correctly.

I would actually think that it is better for them to resolve to your
internal DNS servers. I have seen loads of issues with people trying to get
it to work the other way round. The only thing is that do your internal DNS
servers forward out? If they did then you would probably be in an ok
situation?

I'd still like to find out how your machines are getting their DNS entries
though?? Strange.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work
fine DNS is working etc. The user dialed up to their own ISPs are being
forced to our internal DNS servers, they still get a valid IP addy from the
ISP they just are forced to use ours

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

It's either got to be WINS or Hosts files while using the standard W2K VPN
dial-up. I don't think WINS is a bad solution to be honest unless you want
to dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for
overlay of your DNS setting post connection. I mentioned IPass earlier and
they can do a similar thing with their client, i.e. push on your internal
DNS server post connection to an IPass ISP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I have always pushed lmhosts and hosts files to the machines...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are
the only machines using third party dialers)

AGRRR  there must be an answer :P

CM

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Is there any hard coding of DNS settings on the laptop's network connection
properties? This will override any server-assigned DNS settings...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Hey Al,

Yeah all the settings are supposed to be set via the ISP, most ISPs run
DHCP so yes the settings should be set. The weird thing is that only the
DNS settings are being forced to our network, the user gets a valid third
party IP address and default gateway, just not a DNS setting, that's what
made me think it might be something on our network.

We don't run WINS, just DNS.

Thank you and Keep well!

CM

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 10, 2004 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Trying to remember exactly, but wouldn't they get their DNS settings from
the ISP upon connection either through their software locally or from
their RRAS server?

Al

From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS settings

Hey all,

I have a weird issue; all our laptop users have their own third party
dial-ups (RRAS and RAS) for their convenience. When the users dial up to
their third party ISPs (all users) they obtain an IP address from the ISP
but their DNS settings are being forced to the networks

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

Hey Robert,

Ok there is nothing wrong with the internal DNS at all, they can resolve
everything they want when logged onto the network.

Their problem is when they go home and are off the network they use their
own third party ISP accounts with the default windows dialer to create a
56k Dial up PPP connection to a third party ISP. This is for their own
email and internet usage. At this stage (when they dial up) they are not
connected to us in any way whatsoever.

What I am finding strange is that the ISP usually assigns them a valid IP,
DNS and gateway from the ISP's DHCP server. The weird thing here is that
they are assigned a valid IP and gateway but the DNS servers for that PPP
connection is using our internal DNS server address. Which causes a
nightmare when they try to resolve names while connected to the ISP.

As you can see the ISP can not resolve names cause it's trying to use the
DNS settings of our internal network.

That's what I don't get and I don't get why it's doing this either :(

Thanks for your time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Sorry I think I have lost track here somewhere... I probably didn't read
your problem correctly.

I would actually think that it is better for them to resolve to your
internal DNS servers. I have seen loads of issues with people trying to get
it to work the other way round. The only thing is that do your internal DNS
servers forward out? If they did then you would probably be in an ok
situation?

I'd still like to find out how your machines are getting their DNS entries
though?? Strange.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work
fine DNS is working etc. The user dialed up to their own ISPs are being
forced to our internal DNS servers, they still get a valid IP addy from the
ISP they just are forced to use ours

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

It's either got to be WINS or Hosts files while using the standard W2K VPN
dial-up. I don't think WINS is a bad solution to be honest unless you want
to dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for
overlay of your DNS setting post connection. I mentioned IPass earlier and
they can do a similar thing with their client, i.e. push on your internal
DNS server post connection to an IPass ISP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I have always pushed lmhosts and hosts files to the machines...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are
the only machines using third party dialers)

AGRRR  there must be an answer :P

CM

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Is there any hard coding of DNS settings on the laptop's network connection
properties? This will override any server-assigned DNS settings...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Hey Al,

Yeah all the settings are supposed to be set via the ISP, most ISPs run
DHCP so yes the settings should be set. The weird thing is that only the
DNS settings are being forced to our network, the user gets a valid third
party IP address and default gateway, just not a DNS setting, that's what
made me think it might be something on our network.

We don't run WINS, just DNS.

Thank you and Keep well!

CM

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 10, 2004 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Trying to remember exactly, but wouldn't they get their DNS settings from
the ISP upon connection either through their software locally

RE: [ActiveDir] Setting \winlogon\welcome by ADM

2004-05-11 Thread Yakir, Ronen

Hi

I have tried it on the default domain policy.

Ronen

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, May 09, 2004 7:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM

Ronen-
What I've seen is that the key you've listed below is populated when I set
local policy on a machine that is part of a domain, but I'm not connected
to the domain. My guess is that this is Windows' way of preventing a
disconnected user from overriding domain policy by simply setting it
locally when they're offline. Are you setting this policy in a local GPO
and if so, are you connected to the domain when you set it?

-Original Message-
From: [EMAIL PROTECTED] on behalf of Yakir, Ronen
Sent: Sun 5/9/2004 5:24 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM

Hi

What I see is that the following key is generated when I set the policy
in the gpo mmc

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GroupPolicyObjects\{15087322-E2C5-4C7A-902A-E813FA21EB66}Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Welcome"=hex(2):25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,\
  61,00,6d,00,65,00,25,00,00,00

But after that, the actual registry key
(Software\Microsoft\Windows NT\currentversion\Winlogon\welcome) is not
created and the value is not set.

Does this key need to be set up by the policies regkey
(hklm\software\microsoft\windows\currentversion\policies\system) or
directly?

Ronen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 06, 2004 8:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM

Ok. I'm not sure I understand what you're seeing. You say that the
"group policy objects reg key is being updated". Does that mean you see
it appearing in the GPO Editor UI as being enabled but when you process
the GPO, it does not get stamped on the workstation's registry?

If so, this might be a separate problem. Can you run Gpresult on the
workstation and see what it returns?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yakir, Ronen
Sent: Thursday, May 06, 2004 12:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM

Hi

Only tested it today.
Well - it does not work.
The ADM template is loading, the group policy objects reg key is being
updated.
But, the actual desired registry key is not affected (after secedit.
Logoff and logon)

Ronen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 05, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Setting \winlogon\welcome by ADM

Hi-
I think this might work. Give it a go. I made the assumption that you
wanted %computername% to be resolved to the actual machinename. If not,
then go ahead and remove the EXPANDABLETEXT keyword.

CLASS MACHINE
CATEGORY "set welcome"
POLICY "Display Computer Name"
    KEYNAME "Software\Microsoft\Windows NT\currentversion\Winlogon"
    PART "Enter Message:" EDITTEXT EXPANDABLETEXT
        DEFAULT "%computername%"
        VALUENAME "Welcome"
    END PART
END POLICY
END CATEGORY

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yakir, Ronen
Sent: Tuesday, May 04, 2004 2:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting \winlogon\welcome by ADM

Hi

I am trying to set the
\software\microsoft\windows nt\currentversion\winlogon\welcome key so
that the text will appear in the alt-ctrl-del screen.
Doing so directly works, but not by gpo.
This is the adm I have tried:

CLASS MACHINE
CATEGORY "set welcome"
POLICY "Display Computer Name"
KEYNAME "Software\Microsoft\Windows NT\currentversion\Winlogon"
PART "Computer name"
VALUENAME "Welcome"
Value text "%computername%"
END PART
END POLICY
END CATEGORY
==
But no success
Any help?
Thanks
Ronen

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
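
Decoding the exported value from Ronen's 5/9 message, as an added example that is not code from the thread: it reads a .reg fragment, joins the backslash-continued hex lines, and decodes hex(2) (REG_EXPAND_SZ) data as UTF-16LE, which confirms that the staged GroupPolicyObjects key holds the intended %computername% string. The function names are hypothetical, and mapping the "Machine" part of the staged path to HKEY_LOCAL_MACHINE is an assumption.

```python
import re

# Fragment as quoted in the message above.
REG_FRAGMENT = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GroupPolicyObjects\{15087322-E2C5-4C7A-902A-E813FA21EB66}Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Welcome"=hex(2):25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,6e,00,\
  61,00,6d,00,65,00,25,00,00,00
'''

# Type tags used by the regedit export format.
REG_TYPES = {
    "hex": "REG_BINARY",
    "hex(1)": "REG_SZ",
    "hex(2)": "REG_EXPAND_SZ",
    "hex(7)": "REG_MULTI_SZ",
    "dword": "REG_DWORD",
}

VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?P<kind>hex(?:\([0-9a-f]+\))?|dword):'
    r'(?P<data>[0-9a-fA-F,]*)$'
)

# Staged path layout as it appears in the message: ...\{GPO GUID}Machine\<key>
STAGED = re.compile(
    r"Group ?Policy ?Objects\\(?P<gpo>\{[0-9A-Fa-f-]+\})"
    r"(?P<scope>Machine|User)\\(?P<target>.+)$"
)


def decode_value(kind, data):
    """Turn the text after the colon into a Python value for the given type."""
    if kind == "dword":
        return int(data, 16)
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    if kind in ("hex(1)", "hex(2)"):
        # Strings are stored as NUL-terminated UTF-16LE.
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == "hex(7)":
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg(text):
    """Return [(key_path, value_name, type_name, decoded_value)]."""
    # A trailing backslash continues the hex data on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    rows, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if m and key is not None:
            kind = m.group("kind")
            rows.append((key, m.group("name"),
                         REG_TYPES.get(kind, kind),
                         decode_value(kind, m.group("data"))))
    return rows


def staged_target(key_path):
    """Split a staged GPO editor path into (GPO GUID, key the setting is meant for)."""
    m = STAGED.search(key_path)
    if not m:
        return None
    # Assumption: "Machine" mirrors HKLM and "User" mirrors HKCU.
    hive = {"Machine": "HKEY_LOCAL_MACHINE", "User": "HKEY_CURRENT_USER"}[m.group("scope")]
    return m.group("gpo"), hive + "\\" + m.group("target")


if __name__ == "__main__":
    for key, name, kind, value in parse_reg(REG_FRAGMENT):
        print(name, kind, repr(value))
        print("meant for:", staged_target(key))
```

The decoded string matches the DEFAULT in the EDITTEXT template, so the editor staged the value correctly and the open question in the thread is why it never reaches the Winlogon key.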

RE: [ActiveDir] LDAP stress tool for AD 2003

2004-05-11 Thread silenty
Hello, all
Eric, can you point to the location of such a cool tool like ADPerf?
I've google'd but have got no results...


--
Best regards,
Alex.



- Original Message - 
From: Eric Fleischman
To: [EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 5:22 PM
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003


I'll weigh in here a bit...

I would argue there are lots of types of stress one can put on a DC and no single 
metric measures everything. In my brain, I typically first go through the following 
checklist of sorts to figure out what I'm looking at when testing a given DC:
0) Will the entire DIT on this DC be cached in memory - how much physical memory do we 
have? If dit=2gb and ram2gb, probably yes; if dit=2.6gb and ram3gb, are we using /3gb?; 
if 64bit, how much physical memory do we have (as that is the only limit really)?
1) What is functionality level of this domain (2k mixed or 2k native or 2k03 
functional) and is the DC also a GC?
2) How many other domains in forest?
3) How many trusts to domains in other forests and downlevel domains?
4) What does the disk subsystem look like on this box? Where are dit and logs stored?

After that is in mind, I ask myself this question: what is the most important thing 
this DC will be doing that need be finished quickly? For many DCs, the answer 
authentication probably comes to mind. For some others (say GCs servicing Exchange) 
queries (such as ANR) may be your answer. Still others might be some other application 
which it need satisfy. It just depends upon the box.

Then, I look at the box and say logically is this thing optimized for this scenario. 
That's hard for me to quantify really. ;)

Now you indicated ldap calls specifically...within ldap calls we typically think of a 
few common things:
0)   can the query be satisfied from info already in cache
1)   is the query hitting solid indexes
2)   within a slow query, there are fundamentally two reasons a query can be slow:
     a.   cpu-bound (such as a large index intersection)
     b.   i/o-bound (badly-designed search filter that need walk a lot of objects as
          it isn't hitting good indexes)

With the info in those three items, there should be something painstakingly obvious to 
you: no single test can adequately measure each of these items. Further, any item from 
that list or my earlier list of general things this DC does can bog down the DC. We 
have some thresholds in place with default values that are typically good (for 
example, only 4 LDAP op's processed per physical CPU at a time by default, or perhaps 
for you MaxConcurrentAPI will be your bottleneck..I have no idea) to prevent swamping 
other subsystems, like I/O or secure channel. These things can be tweaked, but it's 
hard to give huge advice that is general enough to be of any use..that's what the 
defaults try to do. ;)

I have seen boxes tuned to ANR before that got abused by a bad authentication setup 
and consequently, despite the amazing disk i/o subsystem and other things done, came 
to its knees due to some bad client requests and bad authentication configuration 
server-side. It's worth watching everything the box does. ADPerf is a great tool for 
this.

If you give us some further insight in to the types of queries this box will be 
servicing we might be of more help. At least I think I might be. ;)

~Eric





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, May 09, 2004 10:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

There is a load test tool for AD, called ADTest. Check it out at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338DisplayLang=en

-Original Message-
From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Sun 5/9/2004 8:40 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

Hi Steve

I'm not aware of anything specific.  The ldclt tool (comes with iPlanet) might also 
work for AD, but I haven't tried it.

Being an ASP.NET guru you should be able to script something quite easily :-)
You can track expensive and inefficient queries (good for a stress test) by using
the method described in the link below.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/efficientadapps.asp

Also be aware that the LDAP policies in place on the DCs will protect the DC to a 
certain extent.  For example, the maximum number of records returned for a single 
query is 1000, although you can change these by modifying the MaxPageSize policy or by 
paging the results using the pagedResultsControl LDAP control.

Tony




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Sonntag, 9. Mai 2004 16:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP stress tool for AD 2003

I have a need to find a tool that will help stress test LDAP calls to AD. Anyone aware 
of a tool such as this?  I know in the web world 

RE: [ActiveDir] LDAP stress tool for AD 2003

2004-05-11 Thread Eric Fleischman
I also should have probably pointed you to adtest. Adtest can do some
load testing as well but be sure you keep in mind the caveats below.
http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338DisplayLang=en

Bottom line: nothing is as good as actually perf monitoring when you
deploy and proactively looking for issues.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Monday, May 10, 2004 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

Thanks for the replies,  Didn't realize i was getting someone in trouble
but I won't get in the middle of that.  I'll sit on the sidelines and
enjoy someone else getting the hard-time!  

Steve Schofield - MCP, CCA
[EMAIL PROTECTED]
Windows Server Architecture 
Ext - (616)-791-3773 Int - 13773




 [EMAIL PROTECTED] 05/09/04 09:55PM 
I've dissected a bit and put some info inline.
I'm a bit tired so sorry if it is a bit incoherent. ;)

Eric
(would have been ~Eric but Joe's been making fun of that as of late
;))


Eric Fleischman
Escalation Engineer
Platforms Critical Problem Resolution (CPR) - Directory Services


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Schofield
Sent: Sunday, May 09, 2004 6:33 PM
To: [EMAIL PROTECTED] 
Subject: Re: [ActiveDir] LDAP stress tool for AD 2003

Good questions Eric,  there will be five DC's in this site that will be
doing authentication.  Exchange server and DC's that are dedicated to
exchange are in another site.  The main type of authentication will be two
types, regular logins via a logon on a client, others will be LDAP enabled
web/client applications making a connection checking credentials (mostly
web-based).   In our test environment we have the domain controllers
already behind a hardware load-balancer doing this and app's calling a VIP.
Applications and clients haven't seen any difference nor has this affected
the directory.  My background is from the web world of ASP.NET/ ASP.
Things like scalability, well designed applications is something I can
influence to insure the directory.  I suppose I could write my own stress
tools but would rather use a proven tool.

0) Will the entire DIT on this DC be cached in memory - how much physical
memory do we have? If dit=2gb and ram2gb, probably yes; if dit=2.6gb and
ram3gb, are we using /3gb?; if 64bit, how much physical memory do we have
(as that is the only limit really)?
Servers each have 2.5 gig of ram, some are DL380's g2/g3 models running 5
drives (OS/Logs on one mirrored set, database on another RAID 5 set of
disks) There are a couple of 4 proc ML570's, 2.5 gig ram 7 HD set (mirror
OS, mirror - Logs, RAID 5 - database)

[EFLEIS] - Getting the DIT and logs on different physical gives you an
umph in perf, I'd go down that road if it is an option.
How big is the DIT?

1) What is functionality level of this domain (2k mixed or 2k native or
2k03 functional) and is the DC also a GC?
2003 functionality

[EFLEIS] - Reason I asked: users in a domain which is 2k native or
greater needs to talk to a GC during auth. Therefore, you want GCs to be
plentiful. I really like making all of my DCs in to GCs in high-load
sites.

2) How many other domains in forest?
This only has two domains in production Forest, one root domain, one child
domain.

3) How many trusts to domains in other forests and downlevel domains?
Three one way trusts to lab domains, the lab domains trust the production
domain but production doesn't trust the lab.

4) What does the disk subsystem look like on this box?  Where are dit and
logs stored?
Most DC's have a 5 drive set.  Mirrored OS, Logs together and one drive set
RAID 5 that holds the database, as I stated we have a couple DC's that have
a 7 drive set, Mirrored OS, Mirrored Logs, RAID 5 Set for database.
Note: these servers that have the 7 drive setup hold the FSMO roles (RID,
PDC emulator)

Now you indicated ldap calls specifically...within ldap calls we typically
think of a few common things:
0)   can the query be satisfied from info already in cache
Not sure how to answer, I'm going to have to research how to utilize the
cache in AD.  Is this similar to using the TEMPDB in SQL to store stuff in
memory?
[EFLEIS] - We do it for you, it's not something you utilize per se. We
cache stuff for you and have algorithms to decide what to cache. In
2k03, we'll cache up to 2gb of stuff (or less if there is memory
pressure of course, we back off if we see memory being used heavily)
without /3gb, up to about 2.6gb if you have /3gb enabled. Oh, that's on
32bit. On 64bit the sky's the limit.
If your dit is 2gb (2.6 if you have more physical ram and /3gb) you'll
want to think a bit about this and what sorts of inefficient searches
you have. If the whole thing fits in cache, sure we want efficient
searches, but it isn't nearly as bad as we don't take a huge i/o hit
typically.

1)   

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

For some reason I thought you were using a VPN to connect I'm an idiot and
should have read the detail.

Can you humour me and just post an IPCONFIG /ALL dump from a troubled
client.. just type local DNS in place of your internal IP range if
required.

Thanks,

Rob

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 10:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Hey Robert,

Ok there is nothing wrong with the internal DNS at all, they can resolve
everything they want when logged onto the network.

Their problem is when they go home and are off the network they use their
own third party ISP accounts with the default windows dialer to create a
56k Dial up PPP connection to a third party ISP. This is for their own
email and internet usage. At this stage (when they dial up) they are not
connected to us in any way whatsoever.

What I am finding strange is that the ISP usually assigns them a valid IP,
DNS and gateway from the ISP's DHCP server. The weird thing here is that
they are assigned a valid IP and gateway but the DNS servers for that PPP
connection is using our internal DNS server address. Which causes a
nightmare when they try to resolve names while connected to the ISP.

As you can see the ISP can not resolve names cause it's trying to use the
DNS settings of our internal network.

That's what I don't get and I don't get why it's doing this either :(

Thanks for your time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Sorry I think I have lost track here somewhere... I probably didn't read
your problem correctly.

I would actually think that it is better for them to resolve to your
internal DNS servers. I have seen loads of issues with people trying to get
it to work the other way round. The only thing is that do your internal DNS
servers forward out? If they did then you would probably be in an ok
situation?

I'd still like to find out how your machines are getting their DNS entries
though?? Strange.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work
fine DNS is working etc. The user dialed up to their own ISPs are being
forced to our internal DNS servers, they still get a valid IP addy from the
ISP they just are forced to use ours

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

It's either got to be WINS or Hosts files while using the standard W2K VPN
dial-up. I don't think WINS is a bad solution to be honest unless you want
to dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for
overlay of your DNS setting post connection. I mentioned IPass earlier and
they can do a similar thing with their client, i.e. push on your internal
DNS server post connection to an IPass ISP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I have always pushed lmhosts and hosts files to the machines...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are
the only machines using third party dialers)

AGRRR  there must be an answer :P

CM

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Is there any hard coding of DNS settings on the laptop's network connection
properties? This will override any server-assigned DNS settings...

**
Charlie Kaiser
MCSE, CCNA
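
A check for the symptom shown in the IPCONFIG /ALL dump at the top of this message, as an added example that is not code from the thread: it parses `ipconfig /all` text per adapter and reports any adapter that holds a public address while its DNS servers are private-range addresses. The sample output, adapter names and 10.0.0.x resolver addresses are constructed, since the poster's dump used placeholders; only 196.2.45.82 comes from the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the dump in the message above. Adapter names,
# host name, mask, gateway and the 10.0.0.x resolvers are invented stand-ins
# for the poster's placeholders; 196.2.45.82 is the address from the thread.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP01

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter Home ISP:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 196.2.45.82
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 196.2.45.82
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

# Adapter headers start in column 0 and end with a colon.
ADAPTER = re.compile(r"^(\S.*\S)\s*:\s*$")
# Field lines are indented: a label, a dot leader, a colon, then the value.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]+:\s*(?P<val>.*)$")


def parse_ipconfig(text):
    """Return [(adapter_name, {field: [values]})] from `ipconfig /all` text."""
    adapters, fields, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = ADAPTER.match(line)
        if header:
            fields, last_key = {}, None
            adapters.append((header.group(1), fields))
            continue
        if fields is None:
            continue  # global section before the first adapter
        m = FIELD.match(line)
        if m:
            last_key = m.group("key").strip()
            value = m.group("val").strip()
            fields[last_key] = [value] if value else []
        elif last_key and line[0].isspace():
            # Indented line without a label: extra value for the previous
            # field (second DNS server, second gateway, ...).
            fields[last_key].append(line.strip())
    return adapters


def _addresses(values):
    """Parse the values that are IP addresses, skipping placeholders and text."""
    out = []
    for value in values:
        value = re.sub(r"\(.*?\)$", "", value).split("%")[0]
        try:
            out.append(ipaddress.ip_address(value))
        except ValueError:
            pass  # e.g. "internal/localDNS" as typed in the thread
    return out


def find_internal_dns_on_public_link(text):
    """Flag adapters with a public address whose DNS servers are private."""
    findings = []
    for name, fields in parse_ipconfig(text):
        own = _addresses(fields.get("IP Address", []) + fields.get("IPv4 Address", []))
        dns = _addresses(fields.get("DNS Servers", []))
        internal = [d for d in dns if d.is_private]
        if internal and any(not a.is_private for a in own):
            findings.append({
                "adapter": name,
                "address": [str(a) for a in own],
                "internal_dns": [str(d) for d in internal],
            })
    return findings


if __name__ == "__main__":
    for finding in find_internal_dns_on_public_link(SAMPLE):
        print(finding)
```

Run against output collected from each laptop while it is dialed in, this shows whether the resolver list really belongs to the PPP adapter or is being read from another interface.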

RE: [ActiveDir] (OT) DNS settings

2004-05-11 Thread Rutherford, Robert

I take it that you also use DHCP in your internal networks, i.e. you don't
assign static IPs to your internal NICs? As a test could you just disable
the internal NIC and try the dialup again?

Are all the machines exactly the same, i.e. same model with same NICs?

Sorry if I seem to be shooting all over the place but we will home in
eventually.

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 13:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

For some reason I thought you were using a VPN to connect I'm an idiot and
should have read the detail.

Can you humour me and just post an IPCONFIG /ALL dump from a troubled
client.. just type local DNS in place of your internal IP range if
required.

Thanks,

Rob

-Original 
Message-From: Carlos 
Magalhaes [mailto:[EMAIL PROTECTED] Sent: 11 May 2004 10:03To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS settings 

Hey 
Robert,

Ok there is nothing 
wrong with the internal DNS at all, they can resolve everything they want 
when logged onto the network.

Their problem is 
when they go home and are off the network they use their own third party ISP 
accounts with the default windows dialer to create a 56k Dial up PPP
connection to a third party ISP. This is for their own email and internet 
usage. At this stage (when they dial up) they are not connected to us in any 
way what so ever.

What I am finding 
strange is that the ISP usually assigns them a valid IP, DNS and gateway 
from the ISPs DHCP server. The weird thing here is that they are assigned a 
valid IP and gateway but the DNS servers for that PPP connection is using 
our internal DNS server address. Which causes a nightmare when they try to 
resolve names while connected to the ISP. 

As you can see the 
ISP can not resolve names cause its trying to use the DNS settings of our 
internal network.

That's what I don't get and I don't get why it's doing this either :(

Thanks for your 
time.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings



Sorry I think I 
have lost track here somewhere... I probably didn't read your problem
correctly.



I would actually 
think that it is better for them to resolve to your internal DNS servers. I 
have seen loads of issues with people trying to get it to work the other way 
round. The only thing is that do your internal DNS servers forward out? If 
they did then you would probably be in an ok 
situation?



I'd still like to 
find out how your machines are getting their DNS entries though?? 
Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.
  
  
  The problem I am 
  having is that the user logged onto our network can work fine DNS is
  working etc. The user dialed up to their own ISPs are being forced to our 
  internal DNS servers, they still get a valid IP addy from the ISP they 
  just are forced to use ours
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 9:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  
  
  It's either got 
  to be WINS or Hosts files while using the standard W2K VPN dial-up. I 
  don't think WINS is a bad solution to be honest unless you want to dig 
  into your pocket.
  
  
  
  If you use 
  a 3rd party, i.e. Checkpoint, then their technology allows for overlay of 
  your DNS setting post connection. I mentioned IPass earlier and they can 
  do a similar thing with their client, i.e. push on your internal DNS
  server post connection to 

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

Well, that's what the intention is
with ISP DHCP, but for some reason it's not changing JUST the DNS settings for
that connection.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 2:20
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





I would try pointing your DNS
settings to your ISP DNS server.



-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Carlos Magalhaes
Sent: Tuesday, May 11, 2004 8:11
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



For some reason I thought
you were using a VPN to connect I'm an idiot and should have read the
detail.



Can you humour me and
just post an IPCONFIG /ALL dump from a troubled client.. just type local
DNS in place of your internal IP range if required.



Thanks,



Rob

-Original
Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 10:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Hey
Robert,



Ok there
is nothing wrong with the internal DNS at all, they can resolve everything they
want when logged onto the network.



Their
problem is when they go home and are off the network they use their own third
party ISP accounts with the default windows dialer to create a 56k Dial up PPP
connection to a third party ISP. This is for their own email and internet
usage. At this stage (when they dial up) they are not connected to us in any
way what so ever.



What I
am finding strange is that the ISP usually assigns them a valid IP, DNS and
gateway from the ISPs DHCP server. The weird thing here is that they are
assigned a valid IP and gateway but the DNS servers for that PPP connection is
using our internal DNS server address. Which causes a nightmare when they try
to resolve names while connected to the ISP. 



As you
can see the ISP can not resolve names cause its trying to use the DNS settings
of our internal network.



That's
what I don't get and I don't get why it's doing this either :(



Thanks
for your time.













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



Sorry I
think I have lost track here somewhere... I probably didn't read your problem
correctly.



I would
actually think that it is better for them to resolve to your internal DNS servers.
I have seen loads of issues with people trying to get it to work the other way
round. The only thing is that do your internal DNS servers forward out? If they
did then you would probably be in an ok situation?



I'd
still like to find out how your machines are getting their DNS entries though??
Strange.





-Original
Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

We
haven't and still don't use WINS, this network only uses DNS.



The
problem I am having is that the user logged onto our network can work fine DNS
is working etc. The user dialed up to their own ISPs are being forced to
our internal DNS servers, they still get a valid IP addy from the ISP they just
are forced to use ours

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's
either got to be WINS or Hosts files while using the standard W2K VPN dial-up.
I don't think WINS is a bad solution to be honest unless you want to dig
into your pocket.



If
you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay
of your DNS setting post connection. I mentioned IPass earlier and they can do
a similar thing with their client, i.e. push on your internal DNS server post
connection to an IPass ISP.





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

I have always
pushed lmhosts and hosts files to the machines...



-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Nope
thats what gets me, and its happening to ALL the 

RE: [ActiveDir] (OT) DNS settings

2004-05-11 Thread Carlos Magalhaes

Not a problem I might have overlooked something
and thank you for taking the time to help.




 Ok

 Yes we use DHCP.
 No Static IP addies.
 Machines are all different models and NICs
 I could disable the internal NIC - why would that make a diff (just trying to understand the logic?)












From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 2:21
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] (OT) DNS
settings 







I take it that you also use DHCP in your
internal networks, i.e. you don't assign static IP's to your internal
NIC's? As a test could you just disable the internal NIC and try the dialup
again?











Are all the machines exactly the same, i.e.
same model with same NIC's?











Sorry if I seem to be shooting all over
the place but we will home in eventually.





-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 13:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 







For some reason I thought you were using a
VPN to connect I'm an idiot and should have read the detail.











Can you humour me and just post an
IPCONFIG /ALL dump from a troubled client.. just type local DNS in place of
your internal IP range if required.











Thanks,











Rob





-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 10:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Hey Robert,



Ok there is nothing wrong with the
internal DNS at all, they can resolve everything they want when logged onto the
network.



Their problem is when they go home and are
off the network they use their own third party ISP accounts with the default
windows dialer to create a 56k Dial up PPP connection to a third party ISP.
This is for their own email and internet usage. At this stage (when they dial
up) they are not connected to us in any way what so ever.



What I am finding strange is that the ISP
usually assigns them a valid IP, DNS and gateway from the ISPs DHCP
server. The weird thing here is that they are assigned a valid IP and gateway
but the DNS servers for that PPP connection is using our internal DNS server
address. Which causes a nightmare when they try to resolve names while
connected to the ISP. 



As you can see the ISP can not resolve
names cause its trying to use the DNS settings of our internal network.



That's what I don't get and I
don't get why it's doing this either :(



Thanks for your time.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 







Sorry I think I have lost track here
somewhere... I probably didn't read your problem correctly.











I would actually think that it is better
for them to resolve to your internal DNS servers. I have seen loads of issues
with people trying to get it to work the other way round. The only thing is
that do your internal DNS servers forward out? If they did then you would probably
be in an ok situation?











I'd still like to find out how your
machines are getting their DNS entries though?? Strange.

















-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





We haven't and still don't use
WINS, this network only uses DNS.



The problem I am having is that the user
logged onto our network can work fine DNS is working etc. The user dialed up to
their own ISPs are being forced to our internal DNS servers, they still
get a valid IP addy from the ISP they just are forced to use
ours















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 







It's either got to be WINS or Hosts files
while using the standard W2K VPN dial-up. I don't think WINS is a bad solution
to be honest unless you want to dig into your pocket.











If you use a 3rd party, i.e.
Checkpoint, then their technology allows for overlay of your DNS setting post
connection. I mentioned IPass earlier and they can do a similar thing with
their client, i.e. push on your internal DNS server post connection to an IPass
ISP.
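
The symptom chased in this thread (a dial-up adapter that holds a public ISP address while its DNS servers are still internal ones) can be checked for across saved `ipconfig /all` dumps. This is an added example, not something posted by anyone on the list; the adapter name, subnet mask, gateway and the 10.0.0.x resolvers are constructed sample values, and "internal" is assumed to mean RFC 1918 address space.

```python
import ipaddress

# Assumption: "internal" DNS servers live in RFC 1918 space. Listed explicitly
# because ipaddress.is_private also covers documentation and other reserved ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of `ipconfig /all`. Only the IP address
# 196.2.45.82 comes from the thread; everything else is made up.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

PPP adapter HomeISP:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 196.2.45.82
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 196.2.45.82
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""


def _as_ip(text):
    """Return an ip_address object, or None if text is not a bare IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_ipconfig(text):
    """Map each adapter heading to {field name: [values]}."""
    adapters = {}
    current = None      # field dict of the adapter being read
    last_key = None     # last field seen, for continuation lines
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: an adapter heading ends with ':'
            current = adapters.setdefault(line[:-1], {}) if line.endswith(":") else None
            last_key = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if last_key and _as_ip(stripped):
            # Extra DNS/WINS servers appear as bare addresses on their own line
            current[last_key].append(stripped)
            continue
        left, sep, right = stripped.partition(":")
        if not sep:
            continue
        last_key = left.rstrip(". ")        # drop the ". . . ." leader
        value = right.strip()
        current[last_key] = [value] if value else []
    return adapters


def is_internal(ip):
    return ip.version == 4 and any(ip in net for net in RFC1918)


def mismatched_adapters(text):
    """List (adapter, [internal DNS servers]) for adapters with a public IP."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        addrs = [a for a in map(_as_ip, fields.get("IP Address", [])) if a]
        dns = [d for d in map(_as_ip, fields.get("DNS Servers", [])) if d]
        if not addrs or not dns:
            continue
        if any(not is_internal(a) for a in addrs):
            internal_dns = [str(d) for d in dns if is_internal(d)]
            if internal_dns:
                findings.append((name, internal_dns))
    return findings


if __name__ == "__main__":
    for adapter, servers in mismatched_adapters(SAMPLE):
        print(f"{adapter}: public address but internal DNS {', '.join(servers)}")
```

An adapter on the office LAN with a private address and private resolvers is not reported; only the public-address/internal-DNS combination from the thread is.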






RE: [ActiveDir] DNS settings

2004-05-11 Thread Roger Seielstad

The problem is that the mobile users are dialed up to the 
Internet, say just to surf, and they are holding onto their internal DNS 
settings.

Since 
it's systemic, I'm wondering if it's not either a driver issue or a policy issue, 
but I can't think of a single good reason for either of those to cause this 
issue.
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
  From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 11, 2004 4:53 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  
  Sorry I think I have lost track here somewhere... I probably didn't 
  read your problem correctly.
  
  I 
  would actually think that it is better for them to resolve to your internal 
  DNS servers. I have seen loads of issues with people trying to get it to work 
  the other way round. The only thing is that do your internal DNS servers 
  forward out? If they did then you would probably be in an ok 
  situation?
  
  I'd 
  still like to find out how your machines are getting their DNS entries 
  though?? Strange.
  
  
  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 09:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  

We haven't and still don't use WINS, this network only uses DNS.


The problem I am 
having is that the user logged onto our network can work fine DNS is working 
etc. The user dialed up to their own ISPs are being forced to our internal 
DNS servers, they still get a valid IP addy from the ISP they just are 
forced to use ours







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings



It's either got to 
be WINS or Hosts files while using the standard W2K VPN dial-up. I don't 
think WINS is a bad solution to be honest unless you want to dig into 
your pocket.



If you use a 
3rd party, i.e. Checkpoint, then their technology allows for overlay of your 
DNS setting post connection. I mentioned IPass earlier and they can do a 
similar thing with their client, i.e. push on your internal DNS server post 
connection to an IPass ISP.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings
  
  
  I have always 
  pushed lmhosts and hosts files to the 
  machines...
  
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are the only 
machines using third party dialers)

AGRRR  there 
must be an answer :P

CM





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings


Is 
there any hard coding of DNS settings on the laptop's network connection 
properties? This will override any server-assigned DNS 
settings...




**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 10, 2004 11:15 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  Hey 
  Al,
  
  Yeah all the 
  settings are suppose to be set via the ISP , most ISP's run DHCP so 
  yes the settings should be set. The weird thing is that only the DNS 
  settings are being forced to our network, the user gets a valid third 
  party IP address and default gateway, just not a DNS setting, that's 
  what made me think it might be something on our 
  network.
  
  We don't run WINS just DNS.
  
  Thank you and 
  Keep well!
  
  CM
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL 

RE: [ActiveDir] DNS settings

2004-05-11 Thread Roger Seielstad

Have you run a network trace on the PPP adapter while it's 
logging in?

-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 11, 2004 5:03 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  
  Hey 
  Robert,
  
  Ok there is nothing 
  wrong with the internal DNS at all, they can resolve everything they want when 
  logged onto the network.
  
  Their problem is when 
  they go home and are off the network they use their own third party ISP 
  accounts with the default windows dialer to create a 56k Dial up PPP 
  connection to a third party ISP. This is for their own email and internet 
  usage. At this stage (when they dial up) they are not connected to us in any 
  way what so ever.
  
  What I am finding 
  strange is that the ISP usually assigns them a valid IP, DNS and gateway from 
  the ISPs DHCP server. The weird thing here is that they are assigned a valid 
  IP and gateway but the DNS servers for that PPP connection is using our 
  internal DNS server address. Which causes a nightmare when they try to resolve 
  names while connected to the ISP. 
  
  As you can see the 
  ISP can not resolve names cause its trying to use the DNS settings of our 
  internal network.
  
  That's what I don't get and I don't get why it's doing this either :(
  
  Thanks for your 
  time.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 10:53 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  
  
  Sorry I think I have 
  lost track here somewhere... I probably didn't read your problem 
  correctly.
  
  
  
  I would actually 
  think that it is better for them to resolve to your internal DNS servers. I 
  have seen loads of issues with people trying to get it to work the other way 
  round. The only thing is that do your internal DNS servers forward out? If 
  they did then you would probably be in an ok 
  situation?
  
  
  
  I'd still like to 
  find out how your machines are getting their DNS entries though?? 
  Strange.
  
  
  
  
  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 09:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  
We haven't and still don't use WINS, this network only uses DNS.


The problem I am 
having is that the user logged onto our network can work fine DNS is working 
etc. The user dialed up to their own ISPs are being forced to our internal 
DNS servers, they still get a valid IP addy from the ISP they just are 
forced to use ours







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings



It's either got to 
be WINS or Hosts files while using the standard W2K VPN dial-up. I don't 
think WINS is a bad solution to be honest unless you want to dig into 
your pocket.



If you use a 
3rd party, i.e. Checkpoint, then their technology allows for overlay of your 
DNS setting post connection. I mentioned IPass earlier and they can do a 
similar thing with their client, i.e. push on your internal DNS server post 
connection to an IPass ISP.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings
  
  
  I have always 
  pushed lmhosts and hosts files to the 
  machines...
  
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are the only 
machines using third party dialers)

AGRRR  there 
must be an answer :P

CM





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings


Is 
there any hard coding of DNS settings on the laptop's network connection 
properties? This will override any server-assigned DNS 
settings...




**Charlie 
KaiserMCSE, 

RE: [ActiveDir] DNS settings

2004-05-11 Thread Patrick - IT Department

Maybe trying some actions from the cmd line would help such as:



IPCONFIG /release [adapter]
Release the IP address for the specified adapter.

IPCONFIG /renew [adapter]
Renew the IP address for the specified adapter.

IPCONFIG /flushdns
Purge the DNS Resolver cache.

IPCONFIG /registerdns
Refresh all DHCP leases and re-register DNS names.

IPCONFIG /displaydns
Display the contents of the DNS Resolver Cache





-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



The
problem is that the mobile users are dialed up to the Internet, say just to
surf, and they are holding onto their internal DNS settings.



Since
it's systemic, I'm wondering if it's not either a driver issue or a policy issue,
but I can't think of a single good reason for either of those to cause this
issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 















From: Rutherford, Robert [mailto:[EMAIL PROTECTED]

Sent: Tuesday, May 11, 2004 4:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Sorry I
think I have lost track here somewhere... I probably didn't read your problem
correctly.



I would
actually think that it is better for them to resolve to your internal DNS
servers. I have seen loads of issues with people trying to get it to work the
other way round. The only thing is that do your internal DNS servers forward
out? If they did then you would probably be in an ok situation?



I'd
still like to find out how your machines are getting their DNS entries though??
Strange.





-Original
Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





We haven't and still don't use WINS, this network only uses DNS.



The problem I am having is that the user logged onto our network
can work fine DNS is working etc. The user dialed up to their own ISPs are
being forced to our internal DNS servers, they still get a valid IP addy from
the ISP they just are forced to use ours















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's either got to be WINS or Hosts files while using the standard
W2K VPN dial-up. I don't think WINS is a bad solution to be honest unless
you want to dig into your pocket.



If you use a 3rd party, i.e. Checkpoint, then their
technology allows for overlay of your DNS setting post connection. I mentioned
IPass earlier and they can do a similar thing with their client, i.e. push on
your internal DNS server post connection to an IPass ISP.









-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

I have always pushed lmhosts and hosts files to the machines...







-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Nope that's what gets me, and it's happening to ALL the laptops,
(they are the only machines using third party dialers)



AGRRR  there must be an answer :P



CM











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
settings 



Is there any hard coding of DNS settings on the laptop's network
connection properties? This will override any server-assigned DNS settings...





**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**





-Original
Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 11:15
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Hey Al,



Yeah all the settings are suppose to be set via the ISP , most
ISP's run DHCP so yes the settings should be set. The weird thing is that only
the DNS settings are being forced to our network, the user gets a valid third
party IP address and default gateway, just not a DNS setting, that's what made me
think it might be something on our network.



We don't run WINS just DNS.



Thank you and Keep well!



CM











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 10, 2004 4:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
settings 



Trying to remember exactly, but wouldn't they get their DNS
settings from the ISP upon connection either through their software locally or
from their RRAS server?



Al











From: Carlos Magalhaes

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

I tried that and it seems to work. The
problem though is I can't expect the users to do this every time they want to
use their connections, there must be something that is going wacky here.



Don't you agree?



CM











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 3:23
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





Maybe trying some actions from the
cmd line would help such as:



IPCONFIG /release [adapter]
Release the IP address for the specified adapter.

IPCONFIG /renew [adapter]
Renew the IP address for the specified adapter.

IPCONFIG /flushdns
Purge the DNS Resolver cache.

IPCONFIG /registerdns
Refresh all DHCP leases and re-register DNS names.

IPCONFIG /displaydns
Display the contents of the DNS Resolver Cache





-Original
Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



The
problem is that the mobile users are dialed up to the Internet, say just to
surf, and they are holding onto their internal DNS settings.



Since
it's systemic, I'm wondering if it's not either a driver issue or a policy issue,
but I can't think of a single good reason for either of those to cause this
issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

















From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 4:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Sorry I think I have lost
track here somewhere... I probably didn't read your problem correctly.



I would actually think
that it is better for them to resolve to your internal DNS servers. I have seen
loads of issues with people trying to get it to work the other way round. The
only thing is that do your internal DNS servers forward out? If they did then
you would probably be in an ok situation?



I'd still like to find
out how your machines are getting their DNS entries though?? Strange.





-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





We
haven't and still don't use WINS, this network only uses DNS.



The
problem I am having is that the user logged onto our network can work fine DNS
is working etc. The user dialed up to their own ISPs are being forced to
our internal DNS servers, they still get a valid IP addy from the ISP they just
are forced to use ours





















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's
either got to be WINS or Hosts files while using the standard W2K VPN dial-up.
I don't think WINS is a bad solution to be honest unless you want to dig
into your pocket.



If
you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay
of your DNS setting post connection. I mentioned IPass earlier and they can do
a similar thing with their client, i.e. push on your internal DNS server post
connection to an IPass ISP.









-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

I have
always pushed lmhosts and hosts files to the machines...







-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Nope
that's what gets me, and it's happening to ALL the laptops, (they are the
only machines using third party dialers)



AGRRR
 there must be an answer :P



CM

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
settings 



Is there any hard coding of DNS settings on the laptop's network
connection properties? This will override any server-assigned DNS settings...





**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**





-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 11:15
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Hey Al,



Yeah all
the settings are suppose to be set via the ISP , most ISP's run DHCP so yes the
settings should be set. The weird thing is that only the DNS settings are being
forced to our network, the user gets a valid third party IP address and default
gateway, just not a DNS setting, that's what made me think it might be
something on our network.



We done
run WINS just 

RE: [ActiveDir] DMZ to Internal LAN one-way trust via firewall

2004-05-11 Thread Creamer, Mark









Nope, wasn't
me - maybe my counterpart did though. He knows I subscribe to this list,
so he asked me to post the initial query to this group. He probably wanted to
see what other kinds of rants he could raise :)



Thanks for
the advice, as always!





mc



-Original Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 9:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DMZ to
Internal LAN one-way trust via firewall



It gets better. I saw
the EXACT same post in the newsgroups over the weekend. PWI, but figured
that I sent the same message. Be interesting to hear Mark's Experience
this week (unless Mark posts as his alternate self on occasion of course :)



ajm









From: Roger Seielstad
[mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 8:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DMZ to
Internal LAN one-way trust via firewall

Least
wrong way to do it is indeed continue with an upgrade to have a second
forest in the DMZ, without any trusts.



I'd
also suggest a different operations model, one in which the developers have no
elevated permissions to the production environment. Take it from much personal
experience that no good can come from that situation. They need to develop and
test against a staging environment, and then let the operations staff promote
the changes into the production systems.



I
completely understand that it's unrealistic to expect that culture change to
happen overnight, however. So, I'd insist on them having different accounts
(i.e. no trust), to help drive home the point that this is a special set of
systems.



Roger

--

Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

















From: Creamer, Mark
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 07, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DMZ to
Internal LAN one-way trust via firewall

Hi Al, good rant :)



I think I can elaborate a bit...We can't use the separate forest
idea that you mention as a best practice, because it's not a 2000 or above
domain (the one in the DMZ). In fact, my first question was why don't we
upgrade it first (as its own forest, of course).



The goal is that we have developers who manage the content and apps
on these web servers, and we're trying to eliminate the accounts in the domain
in the DMZ. So we're trying to see if there is a good way to allow the
developers to use their internal AD accounts to authenticate to the DMZ domain
via a one-way trust.



Anything more specific on what risks we'd face? (e.g. would it be
possible with a one-way trust for a person who breaks in to an account in a DMZ
domain to then cross over into the other domain on the other side of the
firewall?)



Is there a least wrong way to do this?





mc



-Original Message-
From: Mulnick, Al
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 07, 2004 3:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DMZ to
Internal LAN one-way trust via firewall



shudder



So, if I
read this correctly, somebody wants to put lipstick on a pig? My first
question is why? My second question is also why? Why would you ever
want to have authentication handled inside your firewall for web servers?
Why would you want to put in a single point of failure only relying on the
PDCe? Why would you want to fly in the face of best practices (use
separate forests internal and external?) 



IPSec is
something that would be nice to have if they had a 2000 forest out there, but
then again, see above. 



Overall, I'd say that this is a bad idea for many reasons including the single point of failure (what if your PDCe goes down?), the lowered security possibilities of NT4 etc. Hacking NT 4 is not going to provide much of a challenge to most script kiddies these days, IMHO. Opening ports from a DMZ to your internal network doesn't buy anything but convenience in this situation and since it flies in the face of good practices, I hate to see it running.



Fix your
BAS DMZ domain permissions and upgrade it to 2003 AD for control
purposes. 



The PPTP
that he's asking about is available in Win2K and above, but for Win2K it
doesn't work at start up. That would only be shared secret vs. kerberos
negotiation. 



/rant













From: Creamer, Mark
[mailto:[EMAIL PROTECTED] 
Sent: Friday, May 07, 2004 2:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DMZ to
Internal LAN one-way trust via firewall

L & G, I'm sending this on behalf of one of our project engineers. Thanks for any assistance or advice.

1. We have a 12-server (mostly 2000 web servers) NT 4.0 domain in our Checkpoint firewall-protected DMZ subnet. All support is currently a mess of local and domain users, no security policy, etc. Making it a Workgroup isn't a popular choice given the number of servers and differences between.

2. Therefore, we are looking to set up a one-way trust to our internal 2000 AD

RE: [ActiveDir] DNS settings

2004-05-11 Thread Rutherford, Robert

Good call

If that doesn't work then why don't u add some external DNS entries statically to the PPP adapter and see if they stick.

  
  -Original Message-
  From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 14:26
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] DNS settings

  How about this...

  Perhaps your ISP's DHCP is not providing DNS, and the laptop is using its last known good DNS entries. Try doing an ipconfig /release, then ipconfig /all to verify the release, maybe even do a registry search for the internal DNS address, then, dial up and see what settings you get from the ISP...
  
  
  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **
  

-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 5:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

For some reason I thought you were using a VPN to connect. I'm an idiot and should have read the detail.

Can you humour me and just post an IPCONFIG /ALL dump from a troubled client.. just type local DNS in place of your internal IP range if required.



Thanks,



Rob

  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 10:03
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings
  
  Hey Robert,

  Ok there is nothing wrong with the internal DNS at all, they can resolve everything they want when logged onto the network.

  Their problem is when they go home and are off the network they use their own third party ISP accounts with the default windows dialer to create a 56k Dial up PPP connection to a third party ISP. This is for their own email and internet usage. At this stage (when they dial up) they are not connected to us in any way whatsoever.

  What I am finding strange is that the ISP usually assigns them a valid IP, DNS and gateway from the ISP's DHCP server. The weird thing here is that they are assigned a valid IP and gateway but the DNS servers for that PPP connection is using our internal DNS server address. Which causes a nightmare when they try to resolve names while connected to the ISP.

  As you can see the ISP can not resolve names cause it's trying to use the DNS settings of our internal network

  That's what I don't get and I don't get why it's doing this either :(

  Thanks for your time.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 10:53 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  Sorry I think I have lost track here somewhere... I probably didn't read your problem correctly.

  I would actually think that it is better for them to resolve to your internal DNS servers. I have seen loads of issues with people trying to get it to work the other way round. The only thing is that do your internal DNS servers forward out? If they did then you would probably be in an ok situation?

  I'd still like to find out how your machines are getting their DNS entries though?? Strange.
  
  
  
  
  
  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 09:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine DNS is working etc. The user dialed up to their own ISPs are being forced to our internal DNS servers, they still get a valid IP addy from the ISP they just are "forced" to use ours...






  

RE: [ActiveDir] DNS settings

2004-05-11 Thread Patrick - IT Department

Definitely!

I have a similar setup as you. We use ISP for DNS but our router handles the DHCP. Mixing ISP with network services has to be the culprit I would think.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, May 11, 2004 9:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I tried that and it seems to work. The problem though is I can't expect the users to do this every time they want to use their connections, there must be something that is going wacky here.

Don't you agree?



CM











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Maybe trying some actions from the cmd line would help such as:

IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
IPCONFIG /flushdns            Purge the DNS Resolver cache.
IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

The problem is that the mobile users are dialed up to the Internet, say just to surf, and they are holding onto their internal DNS settings.

Since it's systemic, I'm wondering if it's not either a driver issue or a policy issue, but I can't think of a single good reason for either of those to cause this issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 


















From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 4:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Sorry I think I have lost track here somewhere... I probably didn't read your problem correctly.

I would actually think that it is better for them to resolve to your internal DNS servers. I have seen loads of issues with people trying to get it to work the other way round. The only thing is that do your internal DNS servers forward out? If they did then you would probably be in an ok situation?

I'd still like to find out how your machines are getting their DNS entries though?? Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine DNS is working etc. The user dialed up to their own ISPs are being forced to our internal DNS servers, they still get a valid IP addy from the ISP they just are "forced" to use ours...






















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

It's either got to be WINS or Hosts files while using the standard W2K VPN dial-up. I don't think WINS is a bad solution to be honest unless you want to dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay of your DNS setting post connection. I mentioned IPass earlier and they can do a similar thing with their client, i.e. push on your internal DNS server post connection to an IPass ISP.









-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I have always pushed lmhosts and hosts files to the machines...







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope, that's what gets me, and it's happening to ALL the laptops, (they are the only machines using third party dialers)

AGRRR there must be an answer :P



CM


















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

Is there any hard coding of DNS settings on the laptop's network connection properties? This will override any server-assigned DNS settings...





**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Monday, May 10, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Hey 

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

Hey Charlie,



They have multiple ISPs and all of the ISPs' dial ups have the same symptoms

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS

I will try reg searches on all the machines. It's the weirdest thing I have ever seen (so far :P)



CM











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, May 11, 2004 3:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS settings

How about this...

Perhaps your ISP's DHCP is not providing DNS, and the laptop is using its last known good DNS entries. Try doing an ipconfig /release, then ipconfig /all to verify the release, maybe even do a registry search for the internal DNS address, then, dial up and see what settings you get from the ISP...















**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**



-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 5:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 196.2.45.82
Subnet Mask . . . . . . . . . . . : ispSubnetMask
Default Gateway . . . . . . . . . : ispGateWay
DHCP Server . . . . . . . . . . . : ispDHCPServer
DNS Servers . . . . . . . . . . . : internal/localDNS











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 12:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

For some reason I thought you were using a VPN to connect. I'm an idiot and should have read the detail.

Can you humour me and just post an IPCONFIG /ALL dump from a troubled client.. just type local DNS in place of your internal IP range if required.











Thanks,











Rob





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 10:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Hey Robert,

Ok there is nothing wrong with the internal DNS at all, they can resolve everything they want when logged onto the network.

Their problem is when they go home and are off the network they use their own third party ISP accounts with the default windows dialer to create a 56k Dial up PPP connection to a third party ISP. This is for their own email and internet usage. At this stage (when they dial up) they are not connected to us in any way whatsoever.

What I am finding strange is that the ISP usually assigns them a valid IP, DNS and gateway from the ISP's DHCP server. The weird thing here is that they are assigned a valid IP and gateway but the DNS servers for that PPP connection is using our internal DNS server address. Which causes a nightmare when they try to resolve names while connected to the ISP.

As you can see the ISP can not resolve names cause it's trying to use the DNS settings of our internal network

That's what I don't get and I don't get why it's doing this either :(



Thanks for your time.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings







Sorry I think I have lost track here
somewhere... I probably didn't read your problem correctly.











I would actually think that it is better
for them to resolve to your internal DNS servers. I have seen loads of issues
with people trying to get it to work the other way round. The only thing is
that do your internal DNS servers forward out? If they did then you would
probably be in an ok situation?











I'd still like to find out how your
machines are getting their DNS entries though?? Strange.

















-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 





We haven't and still don't use WINS , this
network only uses DNS. 



The problem I am having is that the user
logged onto our network can work fine DNS is working etc. The user dialed up to
their own ISP's are being forced to our internal DNS servers, they still get a
valid IP addy from the ISP they just are forced to use ours...















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 







It's either got to be WINS or Hosts files
while using the standard W2K VPN dial-up. I don't think WINS is a bad solution
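
The symptom in the dump posted above, an ISP-assigned public address paired with the organisation's internal DNS servers, can be checked for mechanically in collected `ipconfig /all` output. This is an added example, not part of the thread; the adapter names, host name and 10.0.x.x addresses are constructed stand-ins, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `ipconfig /all` capture modelled on the dump in the thread.
# 196.2.45.82 is the address from the post; 10.0.0.10 and 10.0.0.11 are made-up
# stand-ins for "internal/localDNS". The Ethernet block shows the normal on-LAN
# case for contrast.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP01

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.5.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.5.1
        DNS Servers . . . . . . . . . . . : 10.0.0.10

PPP adapter ISP Dialup:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 196.2.45.82
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 196.2.45.82
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            10.0.0.11
"""

# Adapter headers start in column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(\S.*\badapter\b.+):$")
# Field lines are indented: "Label. . . . : value". Requiring the dot leader
# keeps continuation lines (extra DNS servers, IPv6 addresses) from matching.
FIELD_RE = re.compile(r"^\s+([A-Za-z].*?)\s*(?:\.\s)+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}} for each adapter block."""
    adapters, current, last = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        header = ADAPTER_RE.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
            continue
        if current is None:
            continue  # global section before the first adapter
        field = FIELD_RE.match(line)
        if field:
            last = field.group(1)
            current.setdefault(last, [])
            if field.group(2).strip():
                current[last].append(field.group(2).strip())
        elif last and line[0].isspace():
            current[last].append(line.strip())  # continuation of previous field
    return adapters


def to_ips(values):
    """Convert strings to ip_address objects, skipping placeholders and junk."""
    out = []
    for value in values:
        try:
            # Drop suffixes such as "(Preferred)" or an IPv6 zone id.
            out.append(ipaddress.ip_address(value.split("(")[0].split("%")[0].strip()))
        except ValueError:
            pass
    return out


def find_internal_dns_on_public_link(text):
    """List (adapter, public address, internal DNS servers) for adapters that
    hold a globally routable address but resolve through private-range DNS."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        addrs = to_ips(fields.get("IP Address", []) + fields.get("IPv4 Address", []))
        public = [ip for ip in addrs if ip.is_global]
        internal = [str(ip) for ip in to_ips(fields.get("DNS Servers", [])) if ip.is_private]
        if public and internal:
            findings.append((name, str(public[0]), internal))
    return findings


if __name__ == "__main__":
    for adapter, addr, dns in find_internal_dns_on_public_link(SAMPLE):
        print(f"{adapter}: public address {addr} but DNS servers {', '.join(dns)}")
```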

RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes

The only VPN clients they have is the default windows VPN client you create with Add New Connection there is no third party VPN clients at all.

There are some third party dialers but not VPN clients. The symptoms are true whether they use a third party dialer or a windows dialer to any ISP (except RRAS to our network)

:(











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Carlos, have you got any VPN client software running on these machines at all or was there?











-Original Message-
From: Patrick - IT Department [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 14:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Maybe trying some actions from the cmd line would help such as:

IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
IPCONFIG /flushdns            Purge the DNS Resolver cache.
IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

The problem is that the mobile users are dialed up to the Internet, say just to surf, and they are holding onto their internal DNS settings.

Since it's systemic, I'm wondering if it's not either a driver issue or a policy issue, but I can't think of a single good reason for either of those to cause this issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 



















From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 4:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Sorry I think I have lost
track here somewhere... I probably didn't read your problem correctly.



I would actually think
that it is better for them to resolve to your internal DNS servers. I have seen
loads of issues with people trying to get it to work the other way round. The
only thing is that do your internal DNS servers forward out? If they did then
you would probably be in an ok situation?



I'd still like to find
out how your machines are getting their DNS entries though?? Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine DNS is working etc. The user dialed up to their own ISPs are being forced to our internal DNS servers, they still get a valid IP addy from the ISP they just are "forced" to use ours...





















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's
either got to be WINS or Hosts files while using the standard W2K VPN dial-up.
I don't think WINS is a bad solution to be honest unless you want to dig
into your pocket.



If
you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay
of your DNS setting post connection. I mentioned IPass earlier and they can do
a similar thing with their client, i.e. push on your internal DNS server post
connection to an IPass ISP.













-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

I have
always pushed lmhosts and hosts files to the machines...











-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope, that's what gets me, and it's happening to ALL the laptops, (they are the only machines using third party dialers)

AGRRR there must be an answer :P



CM

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
settings 



Is there any hard coding of DNS settings on the laptop's network
connection properties? This will override any server-assigned DNS settings...





**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**









-Original Message-
From: Carlos Magalhaes
[mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 11:15
AM
To: [EMAIL PROTECTED]
Subject: RE: 

RE: [ActiveDir] DNS settings

2004-05-11 Thread Rich Milburn

So XP is holding onto the old IP address now that you're on W2k3 AD, but didn't do it before, is that accurate?

Does right-clicking on the dial connection systray icon and choosing repair fix the problem as well? That's at least friendlier than ipconfig but obviously not the end solution



h





Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, May 11, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I tried that and it seems to work. The problem though is I can't expect the users to do this every time they want to use their connections, there must be something that is going wacky here.

Don't you agree?



CM











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Maybe trying some actions from the cmd line would help such as:

IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
IPCONFIG /flushdns            Purge the DNS Resolver cache.
IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

The problem is that the mobile users are dialed up to the Internet, say just to surf, and they are holding onto their internal DNS settings.

Since it's systemic, I'm wondering if it's not either a driver issue or a policy issue, but I can't think of a single good reason for either of those to cause this issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

















From:
Rutherford, Robert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 4:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Sorry I
think I have lost track here somewhere... I probably didn't read your problem
correctly.



I would
actually think that it is better for them to resolve to your internal DNS servers.
I have seen loads of issues with people trying to get it to work the other way
round. The only thing is that do your internal DNS servers forward out? If they
did then you would probably be in an ok situation?



I'd
still like to find out how your machines are getting their DNS entries though??
Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine DNS is working etc. The user dialed up to their own ISPs are being forced to our internal DNS servers, they still get a valid IP addy from the ISP they just are "forced" to use ours...





















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's
either got to be WINS or Hosts files while using the standard W2K VPN dial-up.
I don't think WINS is a bad solution to be honest unless you want to dig
into your pocket.



If
you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay
of your DNS setting post connection. I mentioned IPass earlier and they can do
a similar thing with their client, i.e. push on your internal DNS server post
connection to an IPass ISP.









-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

I have
always pushed lmhosts and hosts files to the machines...







-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope, that's what gets me, and it's happening to ALL the laptops, (they are the only machines using third party dialers)

AGRRR there must be an answer :P



CM

















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Charlie Kaiser
Sent: Monday, May 10, 2004 8:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS
settings 



Is there any hard coding of DNS settings on the laptop's network
connection properties? This will override any server-assigned DNS settings...






RE: [ActiveDir] DNS settings

2004-05-11 Thread Rich Milburn

Carlos did you check RSOP on a client to see if it's getting the

Computer Configuration > Administrative Templates > Network > DNS Client > DNS Servers

setting from somewhere?

Warning: The list of the DNS servers defined in this setting supersedes DNS servers configured locally and those configured using DHCP. The list of DNS servers is applied to all network connections of multihomed computers to which this setting is applied.

With a new AD could someone have set this? Everything would work as expected internally, and only fail in the situation you are seeing. And this setting requires Windows XP.



Rich





Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, May 11, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I tried that and it seems to work. The problem though is I can't expect the users to do this every time they want to use their connections, there must be something that is going wacky here.

Don't you agree?



CM











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Maybe trying some actions from the cmd line would help such as:

IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
IPCONFIG /flushdns            Purge the DNS Resolver cache.
IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

The problem is that the mobile users are dialed up to the Internet, say just to surf, and they are holding onto their internal DNS settings.

Since it's systemic, I'm wondering if it's not either a driver issue or a policy issue, but I can't think of a single good reason for either of those to cause this issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

















From:
Rutherford, Robert [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 4:53
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 

Sorry I
think I have lost track here somewhere... I probably didn't read your problem
correctly.



I would
actually think that it is better for them to resolve to your internal DNS
servers. I have seen loads of issues with people trying to get it to work the
other way round. The only thing is that do your internal DNS servers forward
out? If they did then you would probably be in an ok situation?



I'd
still like to find out how your machines are getting their DNS entries though??
Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine DNS is working etc. The user dialed up to their own ISPs are being forced to our internal DNS servers, they still get a valid IP addy from the ISP they just are "forced" to use ours...





















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS
settings 



It's either got to be WINS or Hosts files while using the standard W2K VPN dial-up.
I don't think WINS is a bad solution to be honest unless you want to dig
into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for overlay
of your DNS setting post connection. I mentioned IPass earlier and they can do a
similar thing with their client, i.e. push on your internal DNS server post
connection to an IPass ISP.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

I have always pushed lmhosts and hosts files to the machines...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Nope that's what gets me, and it's happening to ALL the laptops, (they are the
only machines using third party dialers)

AGRRR there must be an answer :P

CM

From:

RE: [ActiveDir] DFS

2004-05-11 Thread Rutherford, Robert
You can install a DFS root on a DC or member server.

It should work fine, in terms of splitting down a server and distributing the data
over a number of other servers. I'm assuming you only want to use DFS to make a
central share access hierarchy?

I would not use the replication side of it though as it's inherently flawed...
well it was on 2000 and have read it hasn't changed that significantly on 2k3.
If you do want to use the replication then I would only use it for read only
data, i.e. Application distribution points.

BR,

Rob

  -Original Message-
  From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 14:47
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DFS
  Sensitivity: Private

  Does anyone here use DFS? If so, do you use
  it for load balancing? Did you install it on a DC? Its own
  server? We are looking into breaking our one huge file server (1 tb of
  space) into 4 smaller servers (more manageable) and wanted to look into
  DFS. We do have NT/95 clients but that should not stop me because I can
  install the AD client on them.

  Thanks for any info!

  Kind Regards,

  Jennifer Fountain
  RB Inc
  3400 E Walnut Street
  Colmar, PA 18915

The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or
privileged material. Any use (including retransmission or copying)
of this information by persons or entities other than the intended
recipient is prohibited. If you are not the intended recipient of this
transmission, please contact the sender and delete the material
from any computer. The sender is not responsible for the
completeness or accuracy of this communication as it has been
transmitted over a public network. Any replies to this email may be
monitored by the MCPS-PRS Alliance for quality control and other
purposes.


RE: [ActiveDir] DFS

2004-05-11 Thread Bruce Clingaman
DFS can be used for load balancing and redundancy
redundancy. Do not install it on a DC, especially with 1 tb of data. A DFS share
will have at least 2 servers. I would recommend looking into 3rd party software
for this. I have heard the limit for DFS is about 250 to 500 gb depending on the
traffic. Read thru the documentation in the resource kit
thoroughly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, May 11, 2004 8:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS
Sensitivity: Private

Does anyone here use DFS? If so, do you use it
for load balancing? Did you install it on a DC? Its own server? We
are looking into breaking our one huge file server (1 tb of space) into 4
smaller servers (more manageable) and wanted to look into DFS. We do have
NT/95 clients but that should not stop me because I can install the AD client on
them.

Thanks for any info!

Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA 18915



RE: [ActiveDir][OT] LDAP stress tool for AD 2003

2004-05-11 Thread Rich Milburn
And to think I _was_ a bit sad about missing the Summit ;)

Rich 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 10, 2004 8:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir][OT] LDAP stress tool for AD 2003

Um.  Rick, given Joe's last post about Dean and playing with butter knives,
it would be my humble opinion that you a[1]) shouldn't post as Rick-sey
and b) really should keep the sharp shiny objects locked up next time Joe's
in the area.  Not that I'm paranoid, but...


Al 


[1] shoot.  If Joe's correct, Rick only saw that as garble)shgarbleldn't
pgarble

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 10, 2004 2:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir][OT] LDAP stress tool for AD 2003

OK, OK, I GIVE.  ROTLMAO!!! YUO RAELLY AER TOO FUNY JOE. 

RIKC

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 10, 2004 1:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir][OT] LDAP stress tool for AD 2003

I agree with most of that. Though I think it was Jimmy that smelled funny
and that was simply because he never made it back to his room to change. 

Of course you still read [1]... That is why I knew I could sucker you into
posting. :o)


Anyway, when I was at the summit, I had no chance with the females with Dean
always standing next to me. That handsome english bastard... He had all
three traits for picking up the ladies... Foreign Accent, Sparkling Eyes /
Nicely dressed look, Don Johnson Shaving Methodology. Heck, *I* could barely
keep my eyes off of him. Was ready to scoop him up and take him home to meet
mum. 

Oh btw, the Dr's say I can officially use butter knives again so I am slowly
working back up to the world of normal. 



   joe





[1] Rick doesn't really read, he pays his kid to read the posts to him. Rick
is challenged by the vowels a,e,i,o,u (and occasionally y) and all of the
consonants b-z inclusive. He is however able to handle the uppercase
versions... So an email like the above would read something like I garble
garble T garble garble J garble garble O garble garble T... Then 
garble he
spends an hour trying to find ITJOT in the various language dictionaries. So
that is why the kid comes into the picture and why, interestingly enough, I
always spell my name joe.

:o) 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, May 10, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

 Rick has given me a very bad reputation of being mean or something.

Oh, for crying out loud.  I haven't been POSTING much.  I still READ!

Eric, joe is a pretty nice guy.  Just socially unacceptable.  At Summit, we
had to keep him away from females, sharp objects, and alcohol.  Plus, he
farts a lot.

Otherwise, joe's great.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 10, 2004 12:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

I'm not making fun of ~Eric. That is your call sign, when I say ~Eric, there
isn't a single person who confuses that with any other Eric's that are
running around.

BTW, I am guessing you mean me when you say this, I would know for sure if
you had written: 

(would have been ~Eric but joe's been making fun of that as of late ;))


Rick has given me a very bad reputation of being mean or something. I am
very nice, I am just outspoken when something is stupid or wrong which is
unusual in this overly politically correct world. Also people think I hate
Exchange and the Exchange Dev guys, this is simply untrue, I just don't
think the code flows as well as it probably should (not elegant) and was
based on many bad security assumptions and uses Active Directory like a red
headed step child instead of as a respectable directory. I like to question
things, not sit back and say, hmm ok, they want me to do it that way, I
guess I better change everything I had planned for how this was going to go
so it fits how they want me to be configured. 

To think I was going to say your initial response to the LDAP Stress Tool
topic was an outstanding response and that I had bookmarked it for later
regurgitation to anyone else who asked a question like that... 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, May 09, 2004 9:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP stress tool for AD 2003

I've dissected a bit and put some info inline.
I'm a bit tired so sorry if it is a bit 

[ActiveDir] Enumerating User Rights

2004-05-11 Thread Passo, Larry
Does anyone know how to connect to a remote machine and enumerate the
User Rights that are assigned on it?  I'd prefer a VBScript technique
but I could use a command line utility. I already know about
ntrights.exe in the Resource Kit but it only modifies selected rights; it
doesn't list what is there.

Thanks in Advance

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] how to identify the servers (Domain Controllers) us ing File Replication service - - - And how to enable/disable FRS servi ce on these servers

2004-05-11 Thread Rich Milburn

"I received a development request" = time to check your backups and update your resume :)

Sounds like the developers want to fix something they probably don't
understand at all. If so, that's almost like disabling the netlogon
service on all your workstations because there's an LSASS exploit out
there - not really the best way to do it..

Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, May 10, 2004 5:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify the servers (Domain Controllers) us ing File Replication service - - - And how to enable/disable FRS service on these servers





It's doable with code, I can find you the
DC or GCs, and if you REALLLY want disable the FRS services but you
would really be screwing up some important services that your DC needs.

Do you really want to do this?

Carlos Magalhaes  AD programming?  http://groups.yahoo.com/group/adsianddirectoryservices

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Durairaj K. Avasi
Sent: Monday, May 10, 2004 12:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify the servers (Domain Controllers) using File Replication service - - - And how to enable/disable FRS service on these servers





Honestly I am not sure why my sys. Admin needs it. I received a development
request with the following spec.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 10, 2004 2:41 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] how to identify the servers (Domain Controllers) using File Replication service - - - And how to enable/disable FRS service on these servers



can you add, roughly WHY you want to do this?

FRS is enabled on ALL DCs in an AD forest, and that's the way it should be as
SYSVOL replication uses FRS. FRS is one of those special services, that you
don't want to screw around with (such as turning off, make a lot of file-system
changes, turning back on), unless you really know what you're doing or you
really want to have more trouble.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Durairaj K. Avasi
Sent: Sunday, 9 May 2004 23:59
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] how to identify the servers (Domain Controllers) using File Replication service - - - And how to enable/disable FRS service on these servers

AD Gurus::

I hope all had very good weekend.. Here is my requirement where I stuck and I
need your hand on this

In short: This is what I want:

Script 1: identify the servers (Domain Controllers) using File Replication
service (FRS).

Script 2: Disable these found in Script 1. (When I say disable, I just meant to
say FRS service on these servers)

Script 3: Enable these found in Script 1. (When I say enable, I just meant to
say FRS service on these servers)

The following is the detail of what I found
=

How to identify the servers (Domain Controllers) using File Replication
service (FRS)?

I found the repadmin /replsum in Active Directory cookbook. However I need the
same output in a txt file just servernames (Note - not the status)

and how to disable and enable the FRS service on the above identified servers?

I thought of using
cscript service.vbs /X /N ntfrs /S __SERVERNAME /U avasi /W password /O c:\temp.txt
- I don't know how this is going to workout.

Thanks in advance.

Durairaj K. Avasi

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---  PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
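
The read-only part of what this thread asks for ("Script 1"), as an added example that is not code from any poster or from the Active Directory Cookbook: it lists every domain controller from the configuration partition and reports the state of the NtFrs service on each, marking any DC where FRS is not running or not set to start automatically, since SYSVOL replication depends on it. It assumes it is run with cscript from a domain-joined machine by an account allowed to query WMI on the DCs; the function names DcHostName and FrsState are hypothetical.

```vbscript
' Added example: read-only inventory of domain controllers and the state
' of the File Replication Service (NtFrs) on each one. Nothing is stopped,
' started or reconfigured.
Option Explicit

Dim objRootDSE, strConfigDN, objConn, objCmd, objRS, strHost

' Locate the configuration naming context of the current forest.
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' Every DC has an "NTDS Settings" (nTDSDSA) object under cn=Sites in the
' configuration partition; the parent of that object is the server object.
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 500
objCmd.CommandText = "<LDAP://cn=Sites," & strConfigDN & ">;" & _
                     "(objectCategory=nTDSDSA);distinguishedName;subtree"
Set objRS = objCmd.Execute

Do Until objRS.EOF
    strHost = DcHostName(objRS.Fields("distinguishedName").Value)
    WScript.Echo strHost & vbTab & FrsState(strHost)
    objRS.MoveNext
Loop

objRS.Close
objConn.Close

' Returns the DNS host name of the server that owns an NTDS Settings object,
' falling back to the server object's cn if dNSHostName is not populated.
Function DcHostName(strNtdsDN)
    Dim objNtdsDsa, objServer
    Set objNtdsDsa = GetObject("LDAP://" & strNtdsDN)
    Set objServer = GetObject(objNtdsDsa.Parent)
    On Error Resume Next
    DcHostName = objServer.Get("dNSHostName")
    If Err.Number <> 0 Then
        Err.Clear
        DcHostName = objServer.Get("cn")
    End If
End Function

' Queries Win32_Service on the remote DC and returns a one-line summary.
' A DC whose NtFrs service is not Running/Auto is prefixed with CHECK.
Function FrsState(strComputer)
    Dim objWMI, colServices, objService
    FrsState = "CHECK: NtFrs service not found"
    On Error Resume Next
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                           strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        FrsState = "CHECK: WMI connection failed (0x" & Hex(Err.Number) & ")"
        Err.Clear
        Exit Function
    End If
    Set colServices = objWMI.ExecQuery( _
        "SELECT Name, State, StartMode FROM Win32_Service WHERE Name = 'NtFrs'")
    For Each objService In colServices
        FrsState = "State=" & objService.State & _
                   ", StartMode=" & objService.StartMode
        If objService.State <> "Running" Or objService.StartMode <> "Auto" Then
            FrsState = "CHECK: " & FrsState
        End If
    Next
    If Err.Number <> 0 Then
        FrsState = "CHECK: WMI query failed (0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If
End Function
```

Running it with cscript //nologo and redirecting the output gives the plain text list of server names the original request asks for, one DC per line.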


[ActiveDir] Managing accounts for 'outsiders'

2004-05-11 Thread Fugleberg, David A
I'm curious what y'all do with those situations where you have to manage credentials 
for 'outsiders' - in other words, users from some business partner, vendor, etc. who 
must have access to some resource in your company.  For example, say you have some 
intranet web app that you make available on the Internet via ISA Server/reverse proxy. 
 This works for employees, but soon some 'outsiders' (contractors, outsourced service 
providers) need to use it.

Do you put them someplace in your existing AD so they can use the same proxy ?  Do you 
set up an alternate way for them to get to the resource ?  What steps do you take to 
ensure that those credentials are restricted to the resource you intend ?

I'm a tad uncomfortable with people outside the organization running around with valid 
credentials to the internal NOS directory, but maybe that's just me.  I realize it's a 
business decision, and that there's hopefully some level of trust in these individuals 
since they've been contracted to perform some service, but the more I can control it 
the better.

Rants, flames, war stories are welcome (I can take it:).  Even more welcome is some 
discussion of how you deal with external users in general, and specific steps you take 
to protect your AD from misuse by them.

Dave


[ActiveDir] disk configuration

2004-05-11 Thread Nathan Casey



I have a question about the best way to separate the AD DB and AD log files.
My standard server build is a Compaq DL380 with six 36GB drives and one Compaq
Smart Array 5i Controller.

Normally I mirror the first two HD's for OS and apps use the other four
disks for RAID5 with hot spare.

For Active Directory would it be best to use my standard configuration and put
the AD DB on the mirror with the OS and put the AD log files on the RAID5 or
should I take the six disks and make three mirrors:

Mirror1 = OS and apps
Mirror2 = AD DB
Mirror3 = AD logs

Any advice would be appreciated.


RE: [ActiveDir] Replacing Shared Storage on a two node cluster

2004-05-11 Thread Mulnick, Al
Essentially, your concern is about disk signatures.
http://support.microsoft.com/default.aspx?scid=kb;en-us;305793 should help
explain about that some.

What I'm curious about is why you don't just add disk and move the data over
to it?  Expand vs. replace?

Al 

-Original Message-
From: Nathan Danso [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 05, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replacing Shared Storage on a two node cluster

Greetings to all,
As always, many thanks for your quick responses to problems and questions
posted on this forum. I am currently running an Active/Passive Cluster
service on 2 Dell PowerEdge 2650 connected to another Dell 220s Power
vault subsystem. I have 3 X 18G (RAID 5) drives in my subsystem
configured as 3 separate virtual logical array disk.
I am about to embark on a mission to move the data from the virtual
disk to its own disk by adding additional drives and configuring them as
RAID 5 for my data and RAID 1 for my log files. Knowing how sensitive
cluster service is to disk changes, I will like to approach this task very
carefully without destroying my cluster installation and having to rebuild
the whole cluster. I was hoping someone may have already gone through this
process and will kindly enlighten me to any obstacles that I should be
aware of. My numerous searches have produced different confusing
approaches. Any help will be greatly appreciated. Thanks in advance.

Nathan




This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden. TradeWeb reserves the right to monitor all
e-mail communications through its networks.



RE: [ActiveDir] DNS settings

2004-05-11 Thread Rutherford, Robert
I'd be tempted to setup a reservation in DHCP internally and set different DNS settings
(whatever u like) to a test machine ipconfig/release and renew... see if it
obtains the new settings or still holds the old settings.

  -Original Message-
  From: Rich Milburn [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 15:30
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  So XP is holding onto the old IP address now that you're on W2k3 AD, but
  didn't do it before - is that accurate?

  Does right-clicking on the dial connection systray icon and choosing repair
  fix the problem as well? That's at least friendlier than ipconfig but
  obviously not the end solution

  h

  Rich Milburn
  MCSE, Microsoft MVP - Directory Services
  Sr Network Analyst, Field Platform Development
  Applebee's International, Inc.
  4551 W. 107th St
  Overland Park, KS 66207
  913-967-2819

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
  Sent: Tuesday, May 11, 2004 8:31 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  I tried that and it seems to work. The problem though is I can't expect the
  users to do this every time they want to use their connections, there must be
  something that is going wacky here.

  Don't you agree?

  CM

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
  Sent: Tuesday, May 11, 2004 3:23 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  Maybe trying some actions from the cmd line would help such as:

  IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
  IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
  IPCONFIG /flushdns            Purge the DNS Resolver cache.
  IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
  IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
  Sent: Tuesday, May 11, 2004 8:36 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  The problem is that the mobile users are dialed up to the Internet, say just
  to surf, and they are holding onto their internal DNS settings.

  Since it's systemic, I'm wondering if it's not either a driver issue or a
  policy issue, but I can't think of a single good reason for either of those
  to cause this issue.

  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

  From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 11, 2004 4:53 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  Sorry I think I have lost track here somewhere... I probably didn't read your
  problem correctly.

  I would actually think that it is better for them to resolve to your internal
  DNS servers. I have seen loads of issues with people trying to get it to work
  the other way round. The only thing is that do your internal DNS servers
  forward out? If they did then you would probably be in an ok situation?

  I'd still like to find out how your machines are getting their DNS entries
  though?? Strange.

  -Original Message-
  From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
  Sent: 11 May 2004 09:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  We haven't and still don't use WINS, this network only uses DNS.

  The problem I am having is that the user logged onto our network can work
  fine DNS is working etc. The user dialed up to their own ISPs are being
  forced to our internal DNS servers, they still get a valid IP addy from the
  ISP they just are forced to use ours

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 9:56 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  It's either got to be WINS or Hosts files while using the standard W2K VPN
  dial-up. I don't think WINS is a bad solution to be honest unless you want to
  dig into your pocket.

  If you use a 3rd party, i.e. Checkpoint, then their technology allows for
  overlay of your DNS setting post connection. I mentioned IPass earlier and
  they can do a similar thing with their client, i.e. push on your internal DNS
  server post connection to an IPass ISP.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
  Sent: 11 May 2004 08:14
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS settings

  I have always pushed lmhosts and hosts files to the machines...
  
  
  -Original 
  

RE: [ActiveDir] DFS

2004-05-11 Thread Salandra, Justin A.
Having a DFS structure would mean that you
would have 4 servers each with 1 TB of information on them because everything
gets replicated to all locations in the DFS. DFS will NOT put 250 GB on one server, 250 GB on
another server and so on.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS
Sensitivity: Private

You can install a DFS root on a DC or member server.

It should work fine, in terms of splitting down a server and distributing the
data over a number of other servers. I'm assuming you only want to use DFS to
make a central share access hierarchy?

I would not use the replication side of it though as it's inherently flawed...
well it was on 2000 and have read it hasn't changed that significantly on 2k3.
If you do want to use the replication then I would only use it for read only
data, i.e. Application distribution points.

BR,

Rob

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 14:47
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS
Sensitivity: Private

Does anyone here use DFS? If so, do you use it for load balancing? Did you
install it on a DC? Its own server? We are looking into breaking our one
huge file server (1 tb of space) into 4 smaller servers (more manageable) and
wanted to look into DFS. We do have NT/95 clients but that should not
stop me because I can install the AD client on them.

Thanks for any info!

Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA 18915














RE: [ActiveDir] Managing accounts for 'outsiders'

2004-05-11 Thread Roger Seielstad
We don't mix authentication schemes. Internal is internal, and external is
external.

We require VPN access to internal resources- nothing is published
externally. I'd be really leery of doing it any other way.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

 -Original Message-
 From: Fugleberg, David A [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 11, 2004 11:14 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Managing accounts for 'outsiders'
 
 I'm curious what y'all do with those situations where you 
 have to manage credentials for 'outsiders' - in other words, 
 users from some business partner, vendor, etc. who must have 
 access to some resource in your company.  For example, say 
 you have some intranet web app that you make available on the 
 Internet via ISA Server/reverse proxy.  This works for 
 employees, but soon some 'outsiders' (contractors, outsourced 
 service providers) need to use it.
 
 Do you put them someplace in your existing AD so they can use 
 the same proxy ?  Do you set up an alternate way for them to 
 get to the resource ?  What steps do you take to ensure that 
 those credentials are restricted to the resource you intend ?
 
 I'm a tad uncomfortable with people outside the organization 
 running around with valid credentials to the internal NOS 
 directory, but maybe that's just me.  I realize it's a 
 business decision, and that there's hopefully some level of 
 trust in these individuals since they've been contracted to 
 perform some service, but the more I can control it the better.
 
 Rants, flames, war stories are welcome (I can take it:).  
 Even more welcome is some discussion of how you deal with 
 external users in general, and specific steps you take to 
 protect your AD from misuse by them.
 
 Dave


[ActiveDir] Cookbook sample scripts

2004-05-11 Thread James Payne




I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] disk configuration

2004-05-11 Thread Mulnick, Al



Either of those configurations would work depending on what performance you
would need. For optimal configuration, you first want to separate the I/O
stream for Log files. That's because they tend to be very write expensive and
they are typically sequential I/O. Separating that to a separate I/O stream to
a high-speed write set of spindles, provides the first greatest performance
benefit. In other words, RAID 5 won't provide the same level of performance
since you typically get a 4x increase in write latency with RAID 5 vs. 0.
Putting the db on either RAID 5 or 1 is going to give similar results in the
low-end, but likely would get faster response in the high-end due to splitting
the data across spindles. RAID5 is read optimized up to a certain number of
disks.

I think in your case, given the parameters and limitations without knowing how
large you need to scale a single DC, the three mirror set would be my choice.
With Active Directory it's often better to scale out than scale up for DC's.
If you need that extra bit of performance, you may want to consider using a
separate enclosure and a RAID 5 or 0+1 configuration for your DB's.

My 0.02 (USD) anyway.

Al

From: Nathan Casey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] disk configuration

I have a question about the best way to separate the AD DB and AD log files.
My standard server build is a Compaq DL380 with six 36GB drives and one Compaq
Smart Array 5i Controller.

Normally I mirror the first two HD's for OS and apps use the other four
disks for RAID5 with hot spare.

For Active Directory would it be best to use my standard configuration and put
the AD DB on the mirror with the OS and put the AD log files on the RAID5 or
should I take the six disks and make three mirrors:

Mirror1 = OS and apps
Mirror2 = AD DB
Mirror3 = AD logs

Any advice would be appreciated.


RE: [ActiveDir] disk configuration

2004-05-11 Thread Depp, Dennis M.
Nathan,

My recommendation would be to use 3 mirrors.  This would avoid mixing log files with 
the OS, or placing log files on a raid5

Denny

-Original Message-
From: Nathan Casey [EMAIL PROTECTED]
Sent: 5/11/04 1:45:33 PM
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: [ActiveDir] disk configuration

I have a question about the best way to separate the AD DB and AD log files.
My standard server build is a Compaq DL380 with six 36GB drives and one Compaq 
Smart Array 5i Controller.

Normally I mirror the first two HD's for OS and apps use the other four
disks for RAID5 with hot spare.

For Active Directory would it be best to use my standard configuration and put
the AD DB on the mirror with the OS and put the AD log files on the RAID5 or
should I take the six disks and make three mirrors:

Mirror1 = OS and apps

Mirror2 = AD DB

Mirror3 = AD logs

 

Any advice would be appreciated.



RE: [ActiveDir] DFS

2004-05-11 Thread Roger Seielstad



Replication of data is optional in DFS, but a domain root 
will replicate the configuration to all domain controllers.

-- 
Roger D. Seielstad - 
MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 


  
  
  From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, May 11, 2004 12:37 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS
  Sensitivity: Private
  
  
  Having a DFS 
  structure would mean that you would have 4 servers each with 1 TB of 
  information on them because everything gets replicated to all locations in the 
  DFS. DFS will NOT put 250 
  GB on one server, 250 GB on another server and so on.
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
  Sent: Tuesday, May 11, 2004 10:54 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS
  Sensitivity: Private
  
  
  
  
  You can 
  install a DFS root on a DC or member server.
  
  
  
  It 
  should work fine, in terms of splitting down a server and distributing the 
  data over a number of other servers. I'm assuming you only want to use DFS to 
  make a central share access hierarchy?
  
  
  
  I would 
  not use the replication side of it though as it's inherently flawed... well it 
  was on 2000 and have read it hasn't changed that significantly on 2k3. If you 
  do want to use the replication then I would only use it for read only data, 
  i.e. Application distribution points.
  
  
  
  BR,
  
  
  
  Rob
  
  
  
-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 14:47
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS
Sensitivity: Private

Does 
anyone here use DFS? If so, do you use it for load balancing? 
Did you install it on a DC? It's own server? We are looking into 
breaking our one huge file server (1 tb of space) into 4 smaller servers 
(more manageable and wanted to look into DFS. We do have NT/95 clients 
but that should not stop me because I can install the AD client on 
them.
Thanks for any 
info! 

Kind Regards, 
Jennifer Fountain 
RB Inc 
3400 E Walnut 
Street Colmar, PA 
18915 
  The information transmitted is intended only for the person or entity
  to which it is addressed and may contain confidential and/or
  privileged material. Any use (including retransmission or copying)
  of this information by persons or entities other than the intended
  recipient is prohibited. If you are not the intended recipient of this
  transmission, please contact the sender and delete the material
  from any computer. The sender is not responsible for the
  completeness or accuracy of this communication as it has been
  transmitted over a public network. Any replies to this email may be
  monitored by the MCPS-PRS Alliance for quality control and other
  purposes.


RE: [ActiveDir] Managing accounts for 'outsiders'

2004-05-11 Thread Mulnick, Al
That's a pretty common scenario in many types of business.  We all do
business with partners and have to face this at some point.  Most businesses
have since they started with EDI, but the security wasn't as high-profile
as it is these days for many of them. 

To paraphrase the question, how do you securely grant access to internal
resources for non-employees (FTE's)? Do you use AD or some other way?

Unfortunately for this conversation I think the only accurate answer could
be that it depends.  If you work in a place where there is a risk that your
administrative process could allow improper access to a resource, I would
say you should firewall non-FTE access away from sensitive systems.  If
your process and policy can withstand the risk, then why not make it easier
to manage for you and your staff?  Active Directory is handling your
Identification, Authentication, and Authorization for your internal
employees and you are extending some level of trust to these others.  Many
shops don't use Active Directory for their Authorization, especially when it
comes to web/intranet.  Tends to be better products for that.  Not a lot of
better products for Identification and Authorization (many as good using the
same technology for the most part; they don't tend to be as reliable from a
topology standpoint)

That said, if you don't use Active Directory for this access, what would you
use instead?  Would you store the identity in the AD and use something else
for authentication and authorization?  Would you create a totally separate
IAA scheme to handle this?  Is it worth it?  

My own personal belief is that contractors are under the exact same
obligations as my FTE's and are no more trustworthy (nor less). I believe I
have an obligation to provide them with the service and to make it as secure
as I can, while keeping everything as simple and cost-effective as I can.  I
have no problems giving that kind of access via Active Directory as long as
my account lifecycle management processes and systems are where they should
be.  I think it is critical to have these policies and enforcement
mechanisms in place to ensure that access is only given where it belongs
regardless of mistakes etc.  

Al   

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Managing accounts for 'outsiders'

I'm curious what y'all do with those situations where you have to manage
credentials for 'outsiders' - in other words, users from some business
partner, vendor, etc. who must have access to some resource in your company.
For example, say you have some intranet web app that you make available on
the Internet via ISA Server/reverse proxy.  This works for employees, but
soon some 'outsiders' (contractors, outsourced service providers) need to
use it.

Do you put them someplace in your existing AD so they can use the same proxy
?  Do you set up an alternate way for them to get to the resource ?  What
steps do you take to ensure that those credentials are restricted to the
resource you intend ?

I'm a tad uncomfortable with people outside the organization running around
with valid credentials to the internal NOS directory, but maybe that's just
me.  I realize it's a business decision, and that there's hopefully some
level of trust in these individuals since they've been contracted to perform
some service, but the more I can control it the better.

Rants, flames, war stories are welcome (I can take it:).  Even more welcome
is some discussion of how you deal with external users in general, and
specific steps you take to protect your AD from misuse by them.

Dave


RE: [ActiveDir] DFS

2004-05-11 Thread Depp, Dennis M.
Justin,

I don't think this is correct.  With DFS, I can set up different subfolders to point 
to different physical locations.  These physical locations can be setup as redundant 
pairs, but this is not required.

Denny

-Original Message-
From: Salandra, Justin A. [EMAIL PROTECTED]
Sent: 5/11/04 1:41:37 PM
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS

Having a DFS structure would mean that you would have 4 servers each with 1 TB of 
information on them because everything gets replicated to all locations in the DFS.  
DFS will NOT put 250 GB on one server, 250 GB on another server and so on.

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS
Sensitivity: Private

 

 

You can install a DFS root on a DC or member server.

 

It should work fine, in terms of splitting down a server and distributing the data 
over a number of other servers. I'm assuming you only want to use DFS to make a 
central share access hierarchy?

 

I would not use the replication side of it though as it's inherently flawed... 
well it was on 2000 and have read it hasn't changed that significantly on 2k3. If you 
do want to use the replication then I would only use it for read only data, i.e. 
Application distribution points.

 

BR,

 

Rob

 

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: 11 May 2004 14:47
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS
Sensitivity: Private

Does anyone here use DFS?  If so, do you use it for load balancing?  Did you 
install it on a DC? It's own server?  We are looking into breaking our one huge file 
server (1 tb of space) into 4 smaller servers (more manageable and wanted to look into 
DFS.  We do have NT/95 clients but that should not stop me because I can install the 
AD client on them.

Thanks for any info! 

 

Kind Regards, 

Jennifer Fountain 
RB Inc 
3400 E Walnut Street 
Colmar, PA  18915 


The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or
privileged material. Any use (including retransmission or copying)
of this information by persons or entities other than the intended
recipient is prohibited. If you are not the intended recipient of this
transmission, please contact the sender and delete the material
from any computer. The sender is not responsible for the 
completeness or accuracy of this communication as it has been
transmitted over a public network. Any replies to this email may be
monitored by the MCPS-PRS Alliance for quality control and other 
purposes.



RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Creamer, Mark
Did you change the strDomain value to match your environment?

mc

-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] Managing accounts for 'outsiders'

2004-05-11 Thread simon.geary
I don't treat a 3rd party account in AD any differently from normal user accounts. 
They should be given the least privilege required to do their job, which will 
typically mean logon access is restricted to whatever server they are supporting. 
One personal annoyance is when admins set up generic AD accounts for 3rd party 
companies rather than following the best practice of setting up several specific 
accounts for the named support staff who need access to your network.

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Fugleberg, David A 
Sent: Tue 11/05/2004 16:14 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] Managing accounts for 'outsiders'



I'm curious what y'all do with those situations where you have to manage 
credentials for 'outsiders' - in other words, users from some business partner, 
vendor, etc. who must have access to some resource in your company.  For example, say 
you have some intranet web app that you make available on the Internet via ISA 
Server/reverse proxy.  This works for employees, but soon some 'outsiders' 
(contractors, outsourced service providers) need to use it.

Do you put them someplace in your existing AD so they can use the same proxy ? 
 Do you set up an alternate way for them to get to the resource ?  What steps do you 
take to ensure that those credentials are restricted to the resource you intend ?

I'm a tad uncomfortable with people outside the organization running around 
with valid credentials to the internal NOS directory, but maybe that's just me.  I 
realize it's a business decision, and that there's hopefully some level of trust in 
these individuals since they've been contracted to perform some service, but the more 
I can control it the better.

Rants, flames, war stories are welcome (I can take it:).  Even more welcome is 
some discussion of how you deal with external users in general, and specific steps you 
take to protect your AD from misuse by them.

Dave
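
The restrictions discussed in this thread (logon limited to the servers being supported, named rather than generic accounts, account lifecycle controls) can be checked from the directory itself. The VBScript below is an added example, not code from any poster; the OU path, the use of an expiry date as a lifecycle control, the missing-surname heuristic for generic accounts and the helper names are assumptions.

```vbscript
Option Explicit

' Added example; not from any poster in this thread.
' Lists enabled accounts under one OU that lack the restrictions
' discussed above. EXTERNAL_OU is a constructed placeholder.
Const EXTERNAL_OU = "OU=External,DC=example,DC=com"
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Function NeverExpires(objField)
    ' accountExpires is a 64-bit value that ADO returns as an
    ' IADsLargeInteger. 0 and 0x7FFFFFFFFFFFFFFF both mean "no expiry".
    Dim objLI
    NeverExpires = True
    If Not IsObject(objField.Value) Then Exit Function   ' attribute not returned
    Set objLI = objField.Value
    If objLI.HighPart = 0 And objLI.LowPart = 0 Then Exit Function
    If objLI.HighPart = &H7FFFFFFF And objLI.LowPart = -1 Then Exit Function
    NeverExpires = False
End Function

Function Findings(objRS)
    ' Returns a string of bracketed findings, or "" if the account is clean.
    Dim strOut, lngUAC
    strOut = ""
    lngUAC = objRS.Fields("userAccountControl").Value
    ' "Log On To" list empty: the account can log on to any machine.
    If Len(objRS.Fields("userWorkstations").Value & "") = 0 Then
        strOut = strOut & " [no logon workstation restriction]"
    End If
    If NeverExpires(objRS.Fields("accountExpires")) Then
        strOut = strOut & " [no account expiry date]"
    End If
    If (lngUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        strOut = strOut & " [password never expires]"
    End If
    ' Heuristic (assumption): a named person's account carries a surname.
    If Len(objRS.Fields("sn").Value & "") = 0 Then
        strOut = strOut & " [no surname: possibly a shared/generic account]"
    End If
    Findings = strOut
End Function

Dim objConn, objCmd, objRS, strResult, intChecked, intFlagged
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = "<LDAP://" & EXTERNAL_OU & ">;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "sAMAccountName,sn,userWorkstations,accountExpires,userAccountControl;" & _
    "subtree"
objCmd.Properties("Page Size") = 500
Set objRS = objCmd.Execute

intChecked = 0
intFlagged = 0
Do Until objRS.EOF
    ' Disabled accounts cannot log on, so only enabled ones are reported.
    If (objRS.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) = 0 Then
        intChecked = intChecked + 1
        strResult = Findings(objRS)
        If Len(strResult) > 0 Then
            intFlagged = intFlagged + 1
            WScript.Echo objRS.Fields("sAMAccountName").Value & ":" & strResult
        End If
    End If
    objRS.MoveNext
Loop

WScript.Echo intFlagged & " of " & intChecked & " enabled accounts flagged."
objRS.Close
objConn.Close
```

Run it with cscript.exe from a domain-joined machine; it only reads attributes and changes nothing.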



RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Mulnick, Al
??  Did you modify it?  Strdomain looks the same as the default.

Al 

-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Lou Vega
strDomain = mydomain.com  ' e.g. emea.rallencorp.com

needs to be mydomain.com (minus the  )



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Payne
Sent: Tuesday, May 11, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Lou Vega
You can try the slightly modified one I use - it writes the roles out to a
text file versus displaying them on the screen


' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---
' MODIFIED by Lou Vega - added output to file versus screen
' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
OutfileName = "AD FSMO Roles - " & Replace(date,"/","") & ".txt"
' -- File Constants --
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
' -- Open the extract file --
Set Filesys = CreateObject("Scripting.FileSystemObject")
Set Outfile = Filesys.OpenTextFile(OutfileName, ForWriting, True)
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
outfile.writeline "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
outfile.writeline "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
outfile.writeline "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
outfile.writeline "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
outfile.writeline "Domain Naming Master: " & objDNFsmo.fsmoroleowner
msgbox("All done Chief!" & vbcrlf & "Errors: " & err.number)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Payne
Sent: Tuesday, May 11, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some of
the sample scripts posted on the author's website.  When I attempt to use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner



RE: [ActiveDir] Cookbook sample scripts

2004-05-11 Thread Passo, Larry
Unless your domain is named mydomain.com, you need to change line 11

-Original Message-
From: James Payne [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Cookbook sample scripts





I just bought the Active Directory Cookbook and started looking at some
of
the sample scripts posted on the author's website.  When I attempt to
use
this one it tells me the server is not operational, line 14 character 1.
Can anyone take a look at this and let me know if you see something I
have
done wrong?  Thanks a bunch.

' This VBScript code prints the FSMO role owners for the specified domain.

' ---
' From the book Active Directory Cookbook by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---

' -- SCRIPT CONFIGURATION --
strDomain = "mydomain.com"  ' e.g. emea.rallencorp.com
' -- END CONFIGURATION -

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN  = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & _
strDomainDN)
Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner

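
The failure discussed in this thread happens at the RootDSE bind, so that is the step worth guarding. The VBScript below is an added example, not the Active Directory Cookbook script and not any poster's code: it rejects an unedited strDomain, traps the "server is not operational" error, and falls back to a serverless bind. The helper names and the list of placeholder values are assumptions.

```vbscript
Option Explicit

' Added example; BindRootDSE, LooksLikePlaceholder and ShowRole are
' hypothetical helper names, not part of the book's script.
Const E_SERVER_DOWN = &H8007203A   ' ADSI: "The server is not operational"

Dim strDomain, strHow, strDomainDN, objRootDSE
strDomain = "mydomain.com"   ' constructed sample value; set to your domain's DNS name

Function LooksLikePlaceholder(strName)
    ' Assumption: empty values, leftover angle brackets and the sample
    ' names seen in this thread mean the configuration line was not edited.
    Dim s
    s = LCase(Trim(strName))
    LooksLikePlaceholder = (s = "") _
        Or (InStr(s, "<") > 0) Or (InStr(s, ">") > 0) _
        Or (s = "mydomain.com") Or (s = "emea.rallencorp.com")
End Function

Function BindRootDSE(strName, ByRef strHow)
    ' Returns a RootDSE object, or Nothing if no bind succeeded.
    Dim obj
    Set BindRootDSE = Nothing
    On Error Resume Next
    If LooksLikePlaceholder(strName) Then
        WScript.Echo "strDomain looks like an unedited placeholder: " & strName
    Else
        Set obj = GetObject("LDAP://" & strName & "/RootDSE")
        If Err.Number = 0 Then
            strHow = "bound via " & strName
            Set BindRootDSE = obj
            Exit Function
        End If
        WScript.Echo "Bind to " & strName & " failed: 0x" & Hex(Err.Number) & _
            " " & Err.Description
        If Err.Number = E_SERVER_DOWN Then
            WScript.Echo "  No domain controller answered for that name; " & _
                "check strDomain and DNS."
        End If
        Err.Clear
    End If

    ' Serverless bind: locates a DC for the domain of the current logon.
    Set obj = GetObject("LDAP://RootDSE")
    If Err.Number = 0 Then
        strHow = "serverless bind (logon domain, may differ from strDomain)"
        Set BindRootDSE = obj
    Else
        WScript.Echo "Serverless bind failed: 0x" & Hex(Err.Number) & _
            " " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Function

Sub ShowRole(strLabel, strPath)
    ' Prints one role owner; a failure on one role does not stop the rest.
    Dim objRole, strOwner
    On Error Resume Next
    Set objRole = GetObject("LDAP://" & strPath)
    If Err.Number = 0 Then strOwner = objRole.Get("fSMORoleOwner")
    If Err.Number = 0 Then
        WScript.Echo strLabel & ": " & strOwner
    Else
        WScript.Echo strLabel & ": lookup failed (0x" & Hex(Err.Number) & ")"
        Err.Clear
    End If
    On Error GoTo 0
End Sub

Set objRootDSE = BindRootDSE(strDomain, strHow)
If objRootDSE Is Nothing Then
    WScript.Echo "No domain controller could be contacted; nothing queried."
    WScript.Quit 1
End If

' State which directory actually answered before printing any results.
strDomainDN = objRootDSE.Get("defaultNamingContext")
WScript.Echo "RootDSE: " & strHow
WScript.Echo "Domain NC: " & strDomainDN
WScript.Echo "Answering DC: " & objRootDSE.Get("dnsHostName")

ShowRole "PDC Emulator", strDomainDN
ShowRole "RID Master", "cn=RID Manager$,cn=system," & strDomainDN
ShowRole "Schema Master", objRootDSE.Get("schemaNamingContext")
ShowRole "Infrastructure Master", "cn=Infrastructure," & strDomainDN
ShowRole "Domain Naming Master", "cn=Partitions," & _
    objRootDSE.Get("configurationNamingContext")
```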


[ActiveDir] Got a good one for everybody

2004-05-11 Thread Mike Hogenauer








I'm
looking for a way to have a 3rd party app call a mapped drive on a
remote server at anytime without any user account being logged on at the Application
server with a persistent drive mapping. The remote server has the file shared
out as well. 



The
Application needs to have a drive letter mapped and not a UNC path. (For example
E: instead of \\servername\share)



Thanks in
advance



Mike 



Mike Hogenauer

[EMAIL PROTECTED]

Rendition
Networks, Inc.

10735 Willows Rd
  NE, Suite 150

Redmond, WA
 98052

425.636.2115
| Fax: 425.497.1149










RE: [ActiveDir] DFS

2004-05-11 Thread Brian Desmond








Yes. I use
it for load balancing the file servers which serve MSIs assigned via GP. I have
it running on DCs as well. Works like a charm once you get all your ducks in a
row.





--Brian Desmond

[EMAIL PROTECTED]

Payton on the
Web! Http://www.wpcp.org



v: 773.534.0034
x135

f: 773.534.0035















From: Jennifer
Fountain [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 8:47
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DFS
Sensitivity: Private





Does
anyone here use DFS? If so, do you use it for load balancing? Did
you install it on a DC? It's own server? We are looking into breaking our
one huge file server (1 tb of space) into 4 smaller servers (more manageable
and wanted to look into DFS. We do have NT/95 clients but that should not
stop me because I can install the AD client on them.

Thanks
for any info! 



Kind
Regards, 

Jennifer
Fountain 
RB
Inc 
  3400
  E Walnut Street 
  Colmar, PA 18915 










RE: [ActiveDir] disk configuration

2004-05-11 Thread Brian Desmond








For a
truly high perf situation, you're probably going to be best with an OS
Mirror, a RAID5 for the DB, and a mirror for the logs.

How big
is your database and how busy will the DC be? This isn't really relevant/an
issue in smaller/medium size configs





--Brian Desmond

[EMAIL PROTECTED]

Payton on the
Web! Http://www.wpcp.org



v: 773.534.0034
x135

f: 773.534.0035















From: Nathan
Casey [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 11, 2004 10:38
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] disk
configuration





I have a question
about the best way to separate the AD DB and AD log files.
My standard server build is a Compaq DL380 with six 36GB drives and one Compaq
Smart Array 5i Controller.

Normally I mirror the first two HD's for OS and apps use the other four
disks for RAID5 with hot spare.

For Active Directory would it be best to use my standard configuration and put
the AD DB on the mirror with the OS and put the AD log files on the RAID5 or
should I take the six disks and make three mirrors:

Mirror1 = OS and apps

Mirror2 = AD DB

Mirror3 = AD logs



Any advice would
be appreciated.










RE: [ActiveDir] DFS

2004-05-11 Thread Jennifer Fountain
The main objective is to remove the single point of failure I have now -
one big file server.  If this goes down, we are SOL.  From what I
read/tested, DFS will allow you to point a single folder to shares on
different physical locations.  (basically, the user sees one server but
in reality I have four)

Replication is also something I could take advantage of; However, can
you schedule replication in DFS?

Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA  18915 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Depp, Dennis M.
 Sent: Tuesday, May 11, 2004 1:59 PM
 To: Salandra, Justin A.; [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 Justin,
 
 I don't think this is correct.  With DFS, I can set up 
 different subfolders to point to different physical 
 locations.  These physical locations can be setup as redundant 
 pairs, but this is not required.
 
 Denny
 
 -Original Message-
 From: Salandra, Justin A. [EMAIL PROTECTED]
 Sent: 5/11/04 1:41:37 PM
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 Having a DFS structure would mean that you would have 4 
 servers each with 1 TB of information on them because 
 everything gets replicated to all locations in the DFS.  DFS 
 will NOT put 250 GB on one server, 250 GB on another server and so on.
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rutherford, Robert
 Sent: Tuesday, May 11, 2004 10:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 Sensitivity: Private
 
  
 
  
 
 You can install a DFS root on a DC or member server.
 
  
 
 It should work fine, in terms of splitting down a server 
 and distributing the data over a number of other servers. I'm 
 assuming you only want to use DFS to make a central share 
 access hierarchy?
 
  
 
 I would not use the replication side of it though as it's 
 inherently flawed... well it was on 2000 and have read it 
 hasn't changed that significantly on 2k3. If you do want to 
 use the replication then I would only use it for read only 
 data, i.e. Application distribution points.
 
  
 
 BR,
 
  
 
 Rob
 
  
 
   -Original Message-
   From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
   Sent: 11 May 2004 14:47
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] DFS
   Sensitivity: Private
 
   Does anyone here use DFS?  If so, do you use it for 
 load balancing?  Did you install it on a DC? Its own server? 
  We are looking into breaking our one huge file server (1 tb 
 of space) into 4 smaller servers (more manageable) and wanted 
 to look into DFS.  We do have NT/95 clients but that should 
 not stop me because I can install the AD client on them.
 
   Thanks for any info! 
 

 
   Kind Regards, 
 
   Jennifer Fountain 
   RB Inc 
   3400 E Walnut Street 
   Colmar, PA  18915 
 
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DNS settings

2004-05-11 Thread Carlos Magalhaes








Ok (all the clients are XP) - In Computer Configuration|Admin Templates|Network|DNS Client

There is a setting for DNS Servers to our internal DNS server.

And this would apply to PPP connections???











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 6:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings







I'd be tempted to set up a reservation in DHCP internally and set different DNS
settings (whatever u like) to a test machine ipconfig/release and renew... see
if it obtains the new settings or still holds the old settings.





-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 15:30
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

So XP is holding onto the old IP address now that you're on W2k3 AD, but
didn't do it before - is that accurate?

Does right-clicking on the dial connection systray icon and choosing repair fix
the problem as well? That's at least friendlier than ipconfig but obviously not
the end solution



h





Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Tuesday, May 11, 2004 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings





I tried that and it seems to work. The problem though is I can't expect the
users to do this every time they want to use their connections, there must be
something that is going wacky here.

Don't you agree?



CM











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick - IT Department
Sent: Tuesday, May 11, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings





Maybe trying some actions from the cmd line would help such as:

IPCONFIG /release [adapter]   Release the IP address for the specified adapter.
IPCONFIG /renew [adapter]     Renew the IP address for the specified adapter.
IPCONFIG /flushdns            Purge the DNS Resolver cache.
IPCONFIG /registerdns         Refresh all DHCP leases and re-register DNS names.
IPCONFIG /displaydns          Display the contents of the DNS Resolver Cache





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, May 11, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings



The problem is that the mobile users are dialed up to the Internet, say just to
surf, and they are holding onto their internal DNS settings.

Since it's systemic, I'm wondering if it's not either a driver issue or a policy
issue, but I can't think of a single good reason for either of those to cause
this issue.

-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 

















From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 4:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings

Sorry I think I have lost track here somewhere... I probably didn't read your
problem correctly.

I would actually think that it is better for them to resolve to your internal
DNS servers. I have seen loads of issues with people trying to get it to work
the other way round. The only thing is that do your internal DNS servers forward
out? If they did then you would probably be in an ok situation?

I'd still like to find out how your machines are getting their DNS entries
though?? Strange.





-Original Message-
From: Carlos Magalhaes [mailto:[EMAIL PROTECTED]
Sent: 11 May 2004 09:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings





We haven't and still don't use WINS, this network only uses DNS.

The problem I am having is that the user logged onto our network can work fine
DNS is working etc. The user dialed up to their own ISPs are being forced to
our internal DNS servers, they still get a valid IP addy from the ISP they just
are forced to use ours





















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, May 11, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS settings



It's either got to be WINS or Hosts files while using the standard W2K VPN
dial-up. I don't think WINS is a bad solution to be honest unless you want to
dig into your pocket.

If you use a 3rd party, i.e. Checkpoint, then their technology allows for
overlay of your DNS setting post connection. I mentioned IPass earlier and they
can do a similar thing with their client, i.e. push on your internal DNS server
post connection to an IPass ISP.









-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
Sent: 11 May 2004 08:14
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS

RE: [ActiveDir] Got a good one for everybody

2004-05-11 Thread England, Christopher M



Well, you could have it call a script that does:

"net use E: \\server\share /persistent:no"

The next time the user logs in, it will not be there (it is the same as
-not- checking the "Reconnect at login" box in Map Network Drive).
However, until they logout, they will see the E: drive. But an idea
anyways.

Chris
- 
Christopher England 
Systems Administrator 
MCSA, Server+, Network+, A+ 
College Information Technology Office 
Indiana University - Bloomington 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, May 11, 2004 1:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Got a good one for everybody


I'm looking for a way to have a 3rd party app call a mapped drive on a
remote server at anytime without any user account being logged on at the
Application server with a persistence drive mapping. The remote server
has the file shared out as well. 

The Application needs to have a drive letter mapped and not a UNC path.
(For example E: instead of \\servername\share)

Thanks in advance

Mike 

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149



RE: [ActiveDir] Got a good one for everybody

2004-05-11 Thread joe



If I understand your question correctly, my thoughts on this are good luck.

With NT4 you could pull this off, 2K and K3 are tightening down perms and
making cross process/security context access of shared resources very difficult
if not impossible. Using drive letters was never a recommended practice from
anyone I know (including MS) for services.

If I had to guess I would guess that this is a service that is being made into
a service with like srvany or firedaemon or something? If that is the case, back
it up a bit and have the process try to fire a batch file that sets up the
connection and then fires the app. That *might* work.

Mostly this would be a great one to go kick the vendor on and ask them if they
are serious about playing in the Windows space.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, May 11, 2004 2:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Got a good one for everybody


I'm looking for a way to have a 3rd party app call a mapped drive on a
remote server at anytime without any user account being logged on at the
Application server with a persistence drive mapping. The remote server
has the file shared out as well. 

The Application needs to have a drive letter mapped and not a UNC path.
(For example E: instead of \\servername\share)

Thanks in advance

Mike 

Mike Hogenauer
[EMAIL PROTECTED]
Rendition Networks, Inc.
10735 Willows Rd NE, Suite 150
Redmond, WA 98052
425.636.2115 | Fax: 425.497.1149



RE: [ActiveDir] Got a good one for everybody

2004-05-11 Thread Wilson, Julie
Create an AD account for the application to run under and give it full
permission to that share.  Then write a script for the app to run every
time it needs to access that share.  Seems logical and it is something
we do quite often here.

Julie

Julie A. Wilson
University Network Coordinator
Microsoft Network Administrator 
Information Technology Services 
Eastern Illinois University
217-581-7808


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of England,
Christopher M
Sent: Tuesday, May 11, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Got a good one for everybody


Well, you could have it call a script that does:
 
net use E: \\server\share /persistent:no
 
The next time the user logs in, it will not be there (it is the same as
-not- checking the Reconnect at login box in Map Network Drive).
However, until they logout, they will see the E: drive. But an idea
anyways.
 
Chris

- 
Christopher England 
Systems Administrator 
MCSA, Server+, Network+, A+ 
College Information Technology Office 
Indiana University - Bloomington 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, May 11, 2004 1:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Got a good one for everybody



I'm looking for a way to have a 3rd party app call a mapped drive on a
remote server at anytime without any user account being logged on at the
Application server with a persistence drive mapping. The remote server
has the file shared out as well. 

 

The Application needs to have a drive letter mapped and not a UNC path.
(For example E: instead of \\servername\share)

 

Thanks in advance

 

Mike 

 

Mike Hogenauer

[EMAIL PROTECTED]

Rendition Networks, Inc.

10735 Willows Rd NE, Suite 150

Redmond, WA 98052

425.636.2115 | Fax: 425.497.1149
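
The wrapper approach suggested in the replies above (a script that sets up the connection and then starts the application), as an added example that is not part of the original thread. The drive letter, share path and application path are hypothetical placeholders, and it assumes the service starts this script under an account that has rights to the share.

```batch
@echo off
rem Added example: wrapper that maps the drive and starts the application in
rem the same logon session. All names below are hypothetical placeholders.
setlocal
set "DRIVE=E:"
set "SHARE=\\server\share"
set "APP=C:\App\app.exe"

rem Drive letters belong to the logon session that created them, so the
rem mapping has to be made by the same account and session that runs the app.
rem Drop any stale mapping of the letter left over from an earlier run.
net use %DRIVE% >nul 2>&1
if not errorlevel 1 net use %DRIVE% /delete /y >nul 2>&1

rem /persistent:no keeps the mapping out of the profile, as in the reply above.
net use %DRIVE% "%SHARE%" /persistent:no >nul
if errorlevel 1 (
    echo Could not map %DRIVE% to %SHARE% 1>&2
    exit /b 1
)

rem Run the application and keep its exit code for whatever started the script.
"%APP%" %*
set "RC=%ERRORLEVEL%"

rem Release the drive letter so a later run starts clean.
net use %DRIVE% /delete /y >nul 2>&1
exit /b %RC%
```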

 



RE: [ActiveDir] DFS

2004-05-11 Thread Bruce Clingaman

1 TB is too much for DFS to replicate between two servers, not to mention
four. The replication (FRS) in DFS is flawed. Have you looked into shadow
copy or a utility like Robocopy? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, May 11, 2004 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS

The main objective is to remove the single point of failure I have now - one
big file server.  If this goes down, we are SOL.  From what I read/tested,
DFS will allow you to point a single folder to shares on different physical
locations.  (basically, the user sees one server but in reality I have four)

Replication is also something I could take advantage of; however, can you
schedule replication in DFS?

Kind Regards,

Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA  18915 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis 
 M.
 Sent: Tuesday, May 11, 2004 1:59 PM
 To: Salandra, Justin A.; [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 Justin,
 
 I don't think this is correct.  With DFS, I can set up different 
 subfolders to point to different physical locations.  These physical 
 locations can be set up as redundant pairs, but this is not required.
 
 Denny
 
 -Original Message-
 From: Salandra, Justin A. [EMAIL PROTECTED]
 Sent: 5/11/04 1:41:37 PM
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 
 Having a DFS structure would mean that you would have 4 servers 
 each with 1 TB of information on them because everything gets 
 replicated to all locations in the DFS.  DFS will NOT put 250 GB on 
 one server, 250 GB on another server and so on.
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, 
 Robert
 Sent: Tuesday, May 11, 2004 10:54 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DFS
 Sensitivity: Private
 
  
 
  
 
 You can install a DFS root on a DC or member server.
 
  
 
 It should work fine, in terms of splitting down a server and 
 distributing the data over a number of other servers. I'm assuming you 
 only want to use DFS to make a central share access hierarchy?
 
  
 
 I would not use the replication side of it though as it's 
 inherently flawed... well it was on 2000 and have read it hasn't 
 changed that significantly on 2k3. If you do want to use the 
 replication then I would only use it for read only data, i.e. 
 Application distribution points.
 
  
 
 BR,
 
  
 
 Rob
 
  
 
   -Original Message-
   From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
   Sent: 11 May 2004 14:47
   To: [EMAIL PROTECTED]
   Subject: [ActiveDir] DFS
   Sensitivity: Private
 
   Does anyone here use DFS?  If so, do you use it for load 
 balancing?  Did you install it on a DC? Its own server?
  We are looking into breaking our one huge file server (1 tb of space) 
 into 4 smaller servers (more manageable) and wanted to look into DFS.  
 We do have NT/95 clients but that should not stop me because I can 
 install the AD client on them.
 
   Thanks for any info! 
 

 
   Kind Regards,
 
   Jennifer Fountain 
   RB Inc 
   3400 E Walnut Street 
   Colmar, PA  18915
 
 