RE: [ActiveDir] dns issues

2004-05-19 Thread deji Agba



More likely DNS than WINS. Try bouncing the new server, then restart netlogon on it (in case MS04-011 is hurting you), then check DNS for the relevant SRV records. I know you said you looked in DHCP, but I have to ask if you made sure that the dead DC is not listed as a DNS server in your DHCP scopes. And, after the client has connected in "Safe Mode", what does nslookup say?



Lastly, anything in the event log (on both server and clients)?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Mulnick, Al
Sent: Tue 5/18/2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dns issues
WINS? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 18, 2004 5:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] dns issues

I had my primary FSMO role holder (PDC, infra, RID) go down. It was also a DNS
server (AD-integrated). I ran ntdsutil and removed the server from AD. I also
had another DNS server running.
I transferred all the FSMO roles to this server.
Now however, I have a ton of what I think are DNS issues. I have clients
who are stuck at "applying security settings" and never log on (however, they
can when in safe mode with networking).
Also, I tried to join a workstation to my domain and it gave me a "cannot
contact domain" error.
The clients are all pointing to the new DNS server via DHCP.
There are no errors in the DNS log or in the directory services log.
This is a child domain and the zone was delegated from the root.

what gives?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
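
The checks in this reply (SRV records present, dead DC no longer referenced anywhere) can be scripted. The block below is an added example and not code from the thread: it lists the SRV names netlogon registers for a DC and audits them through an injected resolver, so the constructed zone data, the child.corp.example domain, the site name and the dc1/dc2 hosts are all assumptions for illustration. One caveat worth knowing here: ntdsutil metadata cleanup does not remove the dead DC's DNS records, so they have to be deleted by hand (or aged out by scavenging), and the new PDC emulator only re-registers _ldap._tcp.pdc._msdcs after its netlogon service restarts.

```python
"""Audit the DNS SRV records a Windows client needs to find a domain
controller, and flag records that still point at a decommissioned DC.

Added example, not code from the thread.  The resolver is injected so the
demo below runs offline against a constructed zone; names, hosts and the
site are assumptions for illustration."""
from typing import Callable, Dict, Iterable, List, Tuple

SrvAnswer = Tuple[int, int, int, str]          # priority, weight, port, target
Resolver = Callable[[str], List[SrvAnswer]]


def required_srv_names(domain: str, site: str, forest_root: str) -> List[str]:
    """SRV names netlogon registers for a DC; clients query these at logon
    and domain join, so each must resolve to at least one live DC."""
    return [
        f"_ldap._tcp.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",           # PDC emulator, re-registered by its new holder
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_gc._tcp.{forest_root}",                   # global catalog lives in the forest root zone
    ]


def audit_srv(domain: str, site: str, forest_root: str,
              resolve: Resolver, retired_hosts: Iterable[str]) -> Dict[str, list]:
    """Classify each required name as ok, missing (no live target) or stale
    (a target is a retired DC).  A record whose only target is the dead DC
    is both stale and missing, which is exactly the post-ntdsutil failure."""
    retired = {h.rstrip(".").lower() for h in retired_hosts}
    report: Dict[str, list] = {"ok": [], "missing": [], "stale": []}
    for name in required_srv_names(domain, site, forest_root):
        live = []
        for prio, weight, port, target in resolve(name):
            if target.rstrip(".").lower() in retired:
                report["stale"].append((name, target))
            else:
                live.append((prio, weight, port, target))
        if live:
            report["ok"].append(name)
        else:
            report["missing"].append(name)
    return report


# Constructed zone: dc1 was the PDC/DNS box that died and was removed with
# ntdsutil, dc2 holds the roles now.  Stale dc1 records were never deleted,
# and the pdc record was not re-registered because netlogon was not restarted.
SAMPLE_ZONE: Dict[str, List[SrvAnswer]] = {
    "_ldap._tcp.child.corp.example": [(0, 100, 389, "dc1.child.corp.example."),
                                      (0, 100, 389, "dc2.child.corp.example.")],
    "_kerberos._tcp.child.corp.example": [(0, 100, 88, "dc2.child.corp.example.")],
    "_kpasswd._tcp.child.corp.example": [(0, 100, 464, "dc2.child.corp.example.")],
    "_ldap._tcp.dc._msdcs.child.corp.example": [(0, 100, 389, "dc1.child.corp.example."),
                                                (0, 100, 389, "dc2.child.corp.example.")],
    "_ldap._tcp.pdc._msdcs.child.corp.example": [(0, 100, 389, "dc1.child.corp.example.")],
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.child.corp.example":
        [(0, 100, 389, "dc2.child.corp.example.")],
    "_gc._tcp.corp.example": [(0, 100, 3268, "dc2.child.corp.example.")],
}


def sample_resolver(name: str) -> List[SrvAnswer]:
    return SAMPLE_ZONE.get(name, [])


def dns_resolver(name: str) -> List[SrvAnswer]:
    """Real resolver using dnspython (pip install dnspython); not used offline."""
    import dns.resolver  # type: ignore
    try:
        return [(r.priority, r.weight, r.port, r.target.to_text())
                for r in dns.resolver.resolve(name, "SRV")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


def demo() -> Dict[str, list]:
    return audit_srv("child.corp.example", "Default-First-Site-Name",
                     "corp.example", sample_resolver, ["dc1.child.corp.example"])


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Against the constructed zone the pdc record comes back as both stale and missing, which matches the symptom in the thread: the SRV record exists, so nslookup looks fine, but its only target is the DC that no longer exists. Run the same audit with `dns_resolver` against the real zone and the DC's own DNS server.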



RE: [ActiveDir] Remove Share Tab

2004-05-19 Thread mathif

Just disable the sharing and it will never display the share tab.

Good luck,
Athif

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 18 May 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remove Share Tab
  Hello,
  
Anybody know how to remove the share tab?
  
  Thanks,
  


[ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert

Hi All,

Well I'm at that stage again - reviewing backup and data storage. I'm
hunting for duplicate files, old unmodified files, greediest user,
etc.

I'm basically looking for some software that can report such things in
one package. Any experiences or recommendations?

Thanks in advance.

Rob
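
An added example, not a product from the thread or code by the poster: a single-pass report covering the three things asked for (duplicate files, old unmodified files, bytes per owner). It builds a small constructed tree in a temporary directory so it runs offline. The owner column uses the POSIX uid from stat(), which is an assumption that does not hold on NTFS, where you would read the owner from the file's security descriptor instead.

```python
"""Storage report in one pass: duplicate files (size first, SHA-256 only
for size collisions), files untouched for N days, and bytes per owner.

Added example, not from the thread.  build_sample_tree() creates constructed
data in a temp directory; the owner column is the POSIX uid and is always 0
on NTFS (an assumption to replace with the ACL owner there)."""
import hashlib
import os
import shutil
import tempfile
import time
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional

DAY = 86400


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root: Path, stale_days: int = 365, now: Optional[float] = None) -> Dict[str, object]:
    now = time.time() if now is None else now
    by_size: Dict[int, List[Path]] = defaultdict(list)
    stale: List[Path] = []
    per_owner: Dict[int, int] = defaultdict(int)
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():   # a link must not count as a duplicate
            continue
        st = p.stat()
        by_size[st.st_size].append(p)
        per_owner[st.st_uid] += st.st_size
        if now - st.st_mtime > stale_days * DAY:
            stale.append(p)
    # Hash only files that share a size with another file; empty files are
    # all identical and not worth reporting.
    by_hash: Dict[str, List[Path]] = defaultdict(list)
    for size, paths in by_size.items():
        if size == 0 or len(paths) < 2:
            continue
        for p in paths:
            by_hash[sha256_of(p)].append(p)
    duplicates = {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}
    return {"duplicates": duplicates, "stale": sorted(stale),
            "per_owner": dict(per_owner)}


def build_sample_tree() -> Path:
    """Constructed data: two identical files, one same-size different file,
    two empty files and one file last modified 400 days ago."""
    root = Path(tempfile.mkdtemp(prefix="storage-demo-"))
    (root / "projects").mkdir()
    (root / "projects" / "a.bin").write_bytes(b"x" * 1024)
    (root / "projects" / "b.bin").write_bytes(b"x" * 1024)   # duplicate of a.bin
    (root / "c.bin").write_bytes(b"y" * 1024)                # same size, different content
    (root / "empty1.txt").write_bytes(b"")
    (root / "empty2.txt").write_bytes(b"")
    old = root / "old.log"
    old.write_bytes(b"log line\n" * 10)                      # 90 bytes
    past = time.time() - 400 * DAY
    os.utime(old, (past, past))
    return root


def demo() -> Dict[str, object]:
    root = build_sample_tree()
    report = scan(root)
    report["duplicate_names"] = sorted(p.name for ps in report["duplicates"].values() for p in ps)
    report["stale_names"] = [p.name for p in report["stale"]]
    shutil.rmtree(root, ignore_errors=True)
    return report


if __name__ == "__main__":
    r = demo()
    print("duplicate groups:", len(r["duplicates"]), r["duplicate_names"])
    print("stale:", r["stale_names"])
    print("bytes per owner:", r["per_owner"])
```

Hashing only size collisions keeps the scan cheap on a large share; the same structure extends to a per-owner "greediest user" table by sorting per_owner, and to a per-directory rollup if that is what the backup review needs.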


RE: [ActiveDir] dns issues

2004-05-19 Thread Kern, Tom
I bounced the server; SRV records are all there. The old server is not in DHCP and an
nslookup in safe mode shows me there is connectivity to the DNS server and all the proper
SRV records are enumerated.
I hadn't thought of MS04-011. What are some other symptoms?
Thanks

-Original Message- 
From: deji Agba [mailto:[EMAIL PROTECTED] 
Sent: Wed 5/19/2004 3:04 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] dns issues


More likely DNS than WINS. Try bouncing the new server, then restart
netlogon on it (in case MS04-011 is hurting you), then check DNS for the relevant
SRV records. I know you said you looked in DHCP, but I have to ask if you made sure
that the dead DC is not listed as a DNS server in your DHCP scopes. And, after the
client has connected in Safe Mode, what does nslookup say?

 
Lastly, anything in the event log (on both server and clients)?
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon

  _  

From: Mulnick, Al
Sent: Tue 5/18/2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dns issues


WINS? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 18, 2004 5:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] dns issues

I had my primary FSMO role holder (PDC, infra, RID) go down. It was also a DNS
server (AD-integrated). I ran ntdsutil and removed the server from AD. I also
had another DNS server running.
I transferred all the FSMO roles to this server.
Now however, I have a ton of what I think are DNS issues. I have clients
who are stuck at "applying security settings" and never log on (however, they
can when in safe mode with networking).
Also, I tried to join a workstation to my domain and it gave me a "cannot
contact domain" error.
The clients are all pointing to the new DNS server via DHCP.
There are no errors in the DNS log or in the directory services log.
This is a child domain and the zone was delegated from the root.

what gives?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] VPN users and their AD passwords

2004-05-19 Thread Rimmerman, Russ

Wow!  This looks like the real answer.  Thanks for that!  Looks like our WAN
dept gets to do some work.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fuller, Stuart
Sent: Tuesday, May 18, 2004 11:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Check out the Cisco documentation on configuring the concentrator to support
the NT/AD password expiration feature.  We are doing this and it works like
a charm and nobody has to hit cancel.  Clients with expired password get
warned at VPN login and given an opportunity to change the password.  

See:  
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration
_example09186a00800946b9.shtml

or search cisco.com for VPN concentrator password expiration and take the
first result.

MS IAS config for Cisco VPN is documented here - 
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration
_example09186a0080094700.shtml

-Stuart

-Original Message-
From: Ayers, Diane
To: [EMAIL PROTECTED]
Sent: 5/18/2004 5:56 PM
Subject: RE: [ActiveDir] VPN users and their AD passwords

Gee... you give them remote access to the company via the internet from
anywhere and they're complaining about having to hit cancel? I would
tell them to get over it... :-)
 
Actually with my client, I can just type in my password in the
ctrl-alt-del login box and just ignore the VPN client if I am on the
company network. It will authenticate via normal channels.
Externally, I can choose to authenticate via the VPN client.  
 
Only if you don't let the VPN client initialize fully do you get the big
cancel button when you hit ctrl-alt-del.  Either hit cancel or wait for
the VPN client to initialize before they hit the keyboard.
 
Diane

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


The complaint here from users is that if they ARE on the network, they
have to hit cancel on the Cisco VPN client login so they can get to the
CTRL-ALT-DEL screen.  Is there any workaround for this, or just tell the
users to get over it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords


I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff
describes below (logon to VPN before laptop logon).  I had my domain
password expire and IIRC, I was able to change my password at my usual
ctrl-alt-del logon after I had done my VPN login.
 
This was after a few adult beverages so I may have been confused... :-)
 
Diane 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Russ - With the newer versions of the Cisco VPN client you can configure
the client to allow logon to the network via VPN before you logon to the
notebook. When you first start up the system and hit Ctrl-Alt-Del to get
the regular logon box, a Cisco VPN connection dialog comes up instead.
You use this dialog to connect by VPN first so that you are actually
authenticating your account with a domain controller, then you get a
logon box again for logging on to the machine. This keeps the cached
account information and the domain account information in synch.
 
If users change their password while connected by VPN, the cached
credentials on the notebook are not updated. If they restart the
notebook, they have to logon using their old password. When they next
connect by VPN they will have to provide their new password. As soon as
their machine tries to access network resources, it passes the old
password information and causes the user's account to lockout very
quickly (assuming you have account lockout enabled).
 
On the 3.6.3 client, you would go into Options - Windows Logon
Properties and select Enable Start Before Logon. You would also want to
select Disconnect VPN Connection While Logging Off. I believe this
requires a system restart so that it hooks into the security dialog
(msgina?). 
 
If you need to go update your remote clients and you use SMS 2003, you
may also want to upgrade your VPN clients at the same time to the 4.x
VPN Client. Microsoft's notes say that the 4.x client will accurately
report the IP address assigned by your VPN concentrator, as opposed to
the IP address the notebook has on the user's personal network, so that
the SMS 2003 Client boundary calculations will work properly.
 
We also have a ton of users with non-expiring passwords because they
needed remote access in the past. One of my tasks this week is to get
them to change their passwords, then we will set them to start expiring.
We still need to figure out how to 

Recall: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
Eric Fleischman would like to recall the message, [ActiveDir] Anonymous bind.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman

Sorry for the double post. Please don't CC the alias I accidentally CC'd when I first sent this.

Thanks!

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided.

What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed is a mystery to me.

That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

If this were my project, I would do the following:

1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution)

2) We need to now ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches:

a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it; my bet is that just read to a subset of attributes is sufficient.

b. You can try to flip the reg value "EveryoneIncludesAnonymous" to 1 on a single DC and see if that satisfies your needs.
NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, i.e. only a subset of DCs would have increased abilities for ANONYMOUS.

Many comments Guy made confuse me, especially this one:

"You will definitely not want that in production"

So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what needs to change to make it work. I bet it is small though.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol Naberan Burgaña
Sent: Wednesday, May 19, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

OK, I will try the second approach.
So I have to copy (sync) all the AD data into my local OpenLDAP??? Creating a local schema with the user info???
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

Guy Teverovsky wrote:

There are several solutions to that:

1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.

2) Setup OpenLDAP and sync the needed attributes from AD. From what I can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ), you will need to use top, account and simpleSecurityObject objectClasses. userPassword attribute can be a pointer to the user's Kerberos principal in AD Kerberos realm in the following form:

userPassword: {[EMAIL PROTECTED]

In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum data and yet authenticate the users through LDAP.

What happens in such a configuration is something like this:
1) OpenGroupware binds anonymously to OpenLDAP and performs the search for user object.
2) After the user object is found, OpenGroupware tries to bind as user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel in clear text)
3) OpenLDAP proxies the authentication request and passes it to AD's Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated.

As you can figure it out, this approach greatly depends on the size of your AD (I have tested this at a small size network when implementing single sign-on for Linux clients. Have no idea how it will behave, if at all, with larger than single site implementation.

Have a look at the following link for a HOWTO I used:
http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

Again, I have not tested it with OG and the mentioned above objectClasses (I needed top, person and posixAccount), but I guess this should work the same.

Guy

On Tue, 2004-05-18 at 17:17, Aitzol Naberan Burgaña wrote:

It's not so easy to rewrite the source code; I will need to spend a lot of time to understand the source and to change it. But I think that I have to do it, and change the bind method (I think it will work...). OpenGroupware is for unix systems, you can learn more

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Dean Wells

I'd tend to agree with Eric here though it is somewhat dependent upon how much sensitive data you intend on dumping from AD into the other directory.

PS - With regard to Eric's point; "1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds ... "; Eric made a real small typo here ... and a very easy one to make as it's something of an anomaly when contrasted with other enumeration-like attributes ... it should say "1) Flip 7th byte of ...".

Dean
--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Cc: ADS Customer Feedback
Subject: RE: [ActiveDir] Anonymous bind

I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided.

What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed is a mystery to me.

That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

If this were my project, I would do the following:

1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution)

2) We need to now ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches:

a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it; my bet is that just read to a subset of attributes is sufficient.

b. You can try to flip the reg value "EveryoneIncludesAnonymous" to 1 on a single DC and see if that satisfies your needs.
NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, i.e. only a subset of DCs would have increased abilities for ANONYMOUS.

Many comments Guy made confuse me, especially this one:

"You will definitely not want that in production"

So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what needs to change to make it work. I bet it is small though.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol Naberan Burgaña
Sent: Wednesday, May 19, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

OK, I will try the second approach.
So I have to copy (sync) all the AD data into my local OpenLDAP??? Creating a local schema with the user info???
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

Guy Teverovsky wrote:

There are several solutions to that:

1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.

2) Setup OpenLDAP and sync the needed attributes from AD. From what I can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ), you will need to use top, account and simpleSecurityObject objectClasses. userPassword attribute can be a pointer to the user's Kerberos principal in AD Kerberos realm in the following form:

userPassword: {[EMAIL PROTECTED]

In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum data and yet authenticate the users through LDAP.

What happens in such a configuration is something like this:
1) OpenGroupware binds anonymously to OpenLDAP and performs the search for user object.
2) After the user object is found, OpenGroupware tries to bind as user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel in clear text)
3) OpenLDAP proxies the authentication request and passes it to AD's Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated.

As you can figure it out, this approach greatly depends on the size of your AD (I have tested this at a small size network when
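
Putting Eric's step 1 together with the correction in this thread: dsHeuristics is a positional string, and it is the 7th character, not a bit, that is set to '2' to allow anonymous LDAP operations beyond a rootDSE read. The block below is an added example and not code from the thread; it computes the new value from whatever the attribute holds now, keeps the 10th and 20th check characters the directory requires, and emits the LDIF to apply it. The forest root DN is an assumption. This only lifts the authenticated-bind requirement; what ANONYMOUS LOGON can actually read is still decided by ACLs, which is Eric's step 2, and the EveryoneIncludesAnonymous value he mentions is a separate LSA registry setting, not part of dsHeuristics.

```python
"""Build the dsHeuristics value that enables anonymous LDAP operations on a
Windows Server 2003 forest (7th character = '2'), and the LDIF to apply it.

Added example, not code from the thread.  Rules encoded here come from the
attribute's documented layout: a positional string (1-based), unused
positions are '0', and whenever the string is long enough the 10th
character must be '1' and the 20th '2'.  The forest root DN used in the
demo is an assumption.  The reg value EveryoneIncludesAnonymous lives under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa and is a separate setting."""
from typing import Dict

ANON_LDAP_POS = 7                     # '2' here allows anonymous LDAP operations
CHECK_CHARS: Dict[int, str] = {10: "1", 20: "2"}   # fixed sanity characters
DS_SERVICE_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"


def with_char(current: str, position: int, char: str) -> str:
    """Return `current` with the 1-based `position` set to `char`, padding
    with '0' as needed and keeping the 10th/20th check characters valid."""
    if position < 1 or len(char) != 1:
        raise ValueError("position is 1-based and char must be one character")
    if position in CHECK_CHARS:
        raise ValueError(f"position {position} is a fixed check character")
    chars = list(current or "")
    chars.extend("0" * (position - len(chars)))   # no-op when already long enough
    chars[position - 1] = char
    for pos, required in CHECK_CHARS.items():
        if len(chars) >= pos:
            chars[pos - 1] = required
    return "".join(chars)


def enable_anonymous_ldap(current: str) -> str:
    return with_char(current, ANON_LDAP_POS, "2")


def anonymous_ldap_enabled(value: str) -> bool:
    """True when the 7th character is '2'; absent or '0' means anonymous
    operations other than a rootDSE base search are refused."""
    return len(value) >= ANON_LDAP_POS and value[ANON_LDAP_POS - 1] == "2"


def ldif_modify(forest_root_dn: str, new_value: str) -> str:
    """LDIF for `ldifde -i -f dsheuristics.ldf`, run as an Enterprise Admin;
    the object is in the Configuration partition, so it is forest-wide."""
    return (
        f"dn: {DS_SERVICE_RDN},{forest_root_dn}\n"
        "changetype: modify\n"
        "replace: dSHeuristics\n"
        f"dSHeuristics: {new_value}\n"
        "-\n"
    )


if __name__ == "__main__":
    current = ""                      # assumption: attribute not set yet
    new = enable_anonymous_ldap(current)
    print(new, anonymous_ldap_enabled(new))
    print(ldif_modify("DC=corp,DC=example", new))   # forest root DN is an assumption
```

Read the current value before writing: the attribute is replaced, not merged, so starting from an empty string when other positions are already set would silently reset them, which is why with_char works on the existing string rather than emitting a constant.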

RE: [ActiveDir] dns issues

2004-05-19 Thread Eric Fleischman

I'd probably recommend a few action items here:

1) On the DC, perform a dcdiag /v and netdiag /v as well; look for failures and be sure to clear them up

2) On the client, point to the same place that the DC is pointed for DNS

3) If all else fails, a userenv log and network trace of client boot (trace taken from a second machine that is on a little hub with the affected client) should show us what the client is waiting on during bootup

A few questions:

1) Are client and DC on the same subnet?

2) Where are client and DC pointed for DNS (primary and secondary would be great)?

3) What is connectivity between client and DC (same subnet, across a WAN, etc.)?

Hope this is a helpful start!

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 5:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dns issues

I bounced the server; SRV records are all there. The old server is not in DHCP and an nslookup in safe mode shows me there is connectivity to the DNS server and all the proper SRV records are enumerated.

I hadn't thought of MS04-011. What are some other symptoms?

Thanks

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wed 5/19/2004 3:04 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] dns issues

More likely DNS than WINS. Try bouncing the new server, then restart netlogon on it (in case MS04-011 is hurting you), then check DNS for the relevant SRV records. I know you said you looked in DHCP, but I have to ask if you made sure that the dead DC is not listed as a DNS server in your DHCP scopes. And, after the client has connected in Safe Mode, what does nslookup say?

Lastly, anything in the event log (on both server and clients)?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Mulnick, Al
Sent: Tue 5/18/2004 2:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] dns issues

WINS?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, May 18, 2004 5:17 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] dns issues

I had my primary FSMO role holder (PDC, infra, RID) go down. It was also a DNS server (AD-integrated). I ran ntdsutil and removed the server from AD. I also had another DNS server running.
I transferred all the FSMO roles to this server.
Now however, I have a ton of what I think are DNS issues. I have clients who are stuck at "applying security settings" and never log on (however, they can when in safe mode with networking).
Also, I tried to join a workstation to my domain and it gave me a "cannot contact domain" error.
The clients are all pointing to the new DNS server via DHCP.
There are no errors in the DNS log or in the directory services log.
This is a child domain and the zone was delegated from the root.

What gives?
Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman

I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided.

What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed is a mystery to me.

That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

If this were my project, I would do the following:

1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution)

2) We need to now ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches:

a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it; my bet is that just read to a subset of attributes is sufficient.

b. You can try to flip the reg value "EveryoneIncludesAnonymous" to 1 on a single DC and see if that satisfies your needs.
NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, i.e. only a subset of DCs would have increased abilities for ANONYMOUS.

Many comments Guy made confuse me, especially this one:

"You will definitely not want that in production"

So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what needs to change to make it work. I bet it is small though.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol Naberan Burgaña
Sent: Wednesday, May 19, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

OK, I will try the second approach.
So I have to copy (sync) all the AD data into my local OpenLDAP??? Creating a local schema with the user info???
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

Guy Teverovsky wrote:

There are several solutions to that:

1) Grant Everyone read permissions (this object and all child objects) to the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.

2) Setup OpenLDAP and sync the needed attributes from AD. From what I can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ), you will need to use top, account and simpleSecurityObject objectClasses. userPassword attribute can be a pointer to the user's Kerberos principal in AD Kerberos realm in the following form:

userPassword: {[EMAIL PROTECTED]

In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum data and yet authenticate the users through LDAP.

What happens in such a configuration is something like this:
1) OpenGroupware binds anonymously to OpenLDAP and performs the search for user object.
2) After the user object is found, OpenGroupware tries to bind as user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel in clear text)
3) OpenLDAP proxies the authentication request and passes it to AD's Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and user is authenticated.

As you can figure it out, this approach greatly depends on the size of your AD (I have tested this at a small size network when implementing single sign-on for Linux clients. Have no idea how it will behave, if at all, with larger than single site implementation.

Have a look at the following link for a HOWTO I used:
http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

Again, I have not tested it with OG and the mentioned above objectClasses (I needed top, person and posixAccount), but I guess this should work the same.

Guy

On Tue, 2004-05-18 at 17:17, Aitzol Naberan Burgaña wrote:

It's not so easy to rewrite the source code; I will need to spend a lot of time to understand the source and to change it. But I think that I have to do it, and change the bind method (I think it will work...). OpenGroupware is for unix systems, you can learn more in www.opengroupware.org

Thanks
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

joe wrote:

Ah. Interesting, so it sounds like they want to compare the hashes instead of actually use the authentication of the system. Well since it is OpenSource, that should be easy to

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe



I agree with Eric, any anonymous access is a start down the path to insecurity. K3 tries to lock down the anonymous access that was available in 2K. 

I think for Eric's 1, mucking with dsheuristics is actually to enable anonymous queries on K3 correct? By default you can do that on 2K. Anonymous binds are always allowed, but queries other than a base level search of the rootdse are refused with an Operations Error, specifically 

Error Message: : LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

That error message comment isn't even entirely correct, it should be "successful authenticated bind must be completed".

Also that attribute is a string, not an integer. It is kind of a weird attribute and some positions of the string can be 0, 1, and 2. I haven't seen any other documented values but realistically (but not necessarily due to back end code), they could use any characters if they wanted, not just a couple of numbers. It isn't a "bit flag" so you aren't setting a bit, you are setting the character at position 7, or even byte 7 might be the proper way to state it.

I would agree with Eric that you would rather do this in the one directory versus trying to sync. Syncing can be a pain and it is one more thing you have to watch over.

Finally... I would try to avoid setting the EveryoneIncludesAnonymous. If you have enabled Pre-W2K Access then Everyone is tattooed all over the place via the compatible access security group. 

I still think the correct solution is to correct the app from using anonymous binds at all. If you want to be really cute, get rid of the whole user search. You don't need to do that with AD if you know the user's UPN or domain\user format of the userid. User Bind DNs are so pre-AD man... :oP

 joe







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 7:51 AM
To: [EMAIL PROTECTED]
Cc: ADS Customer Feedback
Subject: RE: [ActiveDir] Anonymous bind

I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided.

What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no mistake about it: anonymous is anonymous on any platform. Allowing ANONYMOUS to read from one directory vs. another is the same threat. Why they are being viewed differently is a mystery to me.

That said, from an order of complexity perspective, a sync solution will be substantially harder to set up and maintain over the long haul.

If this were my project, I would do the following:

1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds to the DS (part one of the solution)

2) We need to now ACL things so that ANONYMOUS has access to the data required. Fundamentally, there are two approaches:

a. Target the objects that your auth client will be searching (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum required perms for it... my bet is that just read to a subset of attributes is sufficient.

b. You can try to flip the reg value "EveryoneIncludesAnonymous" to 1 on a single DC and see if that satisfies your needs. NOTE: this approach, if it works, is particularly advantageous as it is localized to a single DC, IE only a subset of DCs would have increased abilities for ANONYMOUS.

Many comments Guy made confuse me, especially this one:

"You will definitely not want that in production"

So you want to have a second directory with ANONYMOUS able to read it, but not a single one? How is OpenLDAP with ANONYMOUS somehow different than AD with ANONYMOUS reads enabled? I fail to see the difference here. If your difference was the localization problem, my EveryoneIncludesAnonymous solution might do that for you a bit more gracefully.

I don't recall all of the ACLs that Everyone has in 2k03 out of the box, but if there is a problem there send me a trace of a failure and I can show you what needs to change to make it work. I bet it is small though.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aitzol Naberan Burgaña
Sent: Wednesday, May 19, 2004 1:47 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

OK, I will try the second approach. 
So I have to copy (sync) all the AD data into my local openLDAP??? creating a local schema with the user info???
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe



Heh. Dean, stop reading my mind man...

In ~Eric's defense, the original publishing of the KB article for doing this said specifically flip the 7th bit as well. I recall hitting that and sending in a correction to MS after smiling for a bit. 

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, May 19, 2004 8:09 AM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Anonymous bind

I'd tend to agree with Eric here though it is somewhat dependent upon how much sensitive data you intend on dumping from AD into the other directory.

PS - With regard to Eric's point; "1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds ... "; Eric made a real small typo here ... and a very easy one to make as it's something of an anomaly when contrasted with other enumeration-like attributes ... it should say "1) Flip 7th byte of ...".

Dean
-- 
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com

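The posts above establish two things a practitioner needs before touching this setting: dsHeuristics is a string of single-character switches, not a bit mask, and it is character 7 set to 2 that lets anonymous LDAP operations past the rootDSE on Windows Server 2003. The Python below is an added example, not code from joe, Eric or Dean; it builds the new value without disturbing other positions, fills in the every-tenth-character digit the attribute format expects, and emits an LDIF record that ldifde -i would apply. The forest DN is a placeholder assumption. One caveat worth setting next to Eric's EveryoneIncludesAnonymous option: the attribute lives on the Directory Service object in the Configuration naming context, so the change replicates to every DC in the forest rather than staying local to one DC.

```python
"""dSHeuristics helpers.  Added example, not code from the list posts.

dSHeuristics is a Unicode string on the Directory Service object in the
Configuration NC; each 1-based character position is an independent
switch.  Character 7 set to '2' allows anonymous LDAP operations beyond
the rootDSE on Windows Server 2003.  Because the object is forest-wide,
the change replicates to every DC (unlike a per-DC registry value).
"""

# RDN of the object that carries the attribute; the forest DN is passed in.
DS_OBJECT_RDN = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration"

ANON_OPS_POS = 7       # fLDAPBlockAnonOps: '2' = allow anonymous operations
TENS_SLOT = 10         # every 10th character must hold its position // 10


def set_dsheuristics_char(current, position, value):
    """Return dSHeuristics with 1-based `position` set to single digit `value`.

    Other positions keep their existing character; positions beyond the
    current length are padded with '0'; every 10th character is filled
    with its tens digit, which the attribute format uses as a sanity check.
    """
    if len(value) != 1 or not value.isdigit():
        raise ValueError("a dSHeuristics position holds exactly one digit")
    if position < 1 or position % TENS_SLOT == 0:
        raise ValueError("position must be >= 1 and not a tens-digit slot")
    chars = list(current or "")
    chars.extend("0" * (position - len(chars)))
    for slot in range(TENS_SLOT, len(chars) + 1, TENS_SLOT):
        chars[slot - 1] = str(slot // TENS_SLOT)
    chars[position - 1] = value
    return "".join(chars)


def enable_anonymous_ldap_ops(current):
    """The change Eric's step 1 describes: character 7 -> '2'."""
    return set_dsheuristics_char(current, ANON_OPS_POS, "2")


def anonymous_ldap_ops_allowed(ds_heuristics):
    """True when character 7 is '2'; a missing or short value means blocked."""
    s = ds_heuristics or ""
    return len(s) >= ANON_OPS_POS and s[ANON_OPS_POS - 1] == "2"


def ldif_set_dsheuristics(forest_dn, new_value):
    """LDIF modify record for `ldifde -i -f ds.ldf` (or ldapmodify)."""
    return (
        f"dn: {DS_OBJECT_RDN},{forest_dn}\n"
        "changetype: modify\n"
        "replace: dSHeuristics\n"
        f"dSHeuristics: {new_value}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Placeholder forest DN (assumption).  Read the live value first, e.g.
    # ldifde -d "<DS object DN>" -l dSHeuristics -f out.ldf, and feed it in
    # as `current` so existing switches survive the write.
    current = ""                      # attribute not set yet
    new = enable_anonymous_ldap_ops(current)
    print(ldif_set_dsheuristics("DC=example,DC=com", new))
```

Applying the LDIF needs rights on the Configuration NC (Enterprise Admins by default). Reverting is the same routine with "0" in position 7, and anonymous_ldap_ops_allowed() is the check to run against the value read back after replication has converged.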
RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe



I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS. 

The fact that you had machines not getting tickets before but are now is a wee bit scary as well. 

 joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we don't have a disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made kerberos happy - no more complaints...
No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for some reason NTDS settings in ADSS are empty and the event log on the DC, from which it is supposed to replicate, mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems in netdiag and dcdiag anymore...

Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 18 May 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Oh, so did you have a disjoint on the namespace? And if so 
is this intentional? Is it on all machines or just this one? If not intentional 
and just on that one you should pop the NV DomainName attribute and bring it in 
line with the rest of the environment. If it is on all machines, you will most 
likely find you have the same kerberos errors on them unless this one computer 
object was set up incorrectly.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

You're right about DC, Joe. Guess what happened after dcpromo? - kerberos error in netdiag... disappeared! Now - imagine how I feel after wasting so much time trying to fix it!
Wish Microsoft could warn about such "little" things...

Lana


Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD.

 joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

H... I don't see any disjoint namespace... but don't know what you mean under "proper permissions are not set on the computer object".
But I've actually taken responsibility and done dcpromo now... so far everything looks normal... Maybe it was a netdiag bug? [I hope it was!]
Thanks for input.

Lana

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Do you have a disjoint name space?

I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly.

The UDP/TCP thing Al mentioned is a good thought too but usually when that is occurring you will see some hellacious slow downs. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was throwing away fragmented kerberos packets because of too many group memberships and I have seen it when a NIC had bad configurations for (I think) max frame size.

 joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server

Hello,

I wonder if anyone has seen this before: W2K active directory, few W2K3 member servers. All of them display kerberos error message when running netdiag kerberos test: "[FATAL] Kerberos does not have a ticket for host/domain.com"

I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Run Kerbtray - all tickets seem to be there. DC list test and all the rest of netdiag tests - "passed". Also some of W2K3 servers are happily running applications with no problems.

The intention is to make a W2K3 domain controller, but with this kind of error it seems a little risky, unless this is a "feature by design" in W2K3...

Thanks in advance for any ideas shared
Lana

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
I know this has been spoken of before, but I can't seem to find a pertinent email in the archives, so I apologize for this retread.
What are the issues with the MS04-011 hotfix?
I ask because I have some clients that are perpetually stuck at the "applying security settings" screen and never log on.
Also, I have one newly formatted client that I can't join to the domain, because it can't contact the domain. This client (win2k) does not have the hotfix installed yet, but my DNS server does.
Is there a known issue with this fix affecting DNS? I know about the dltape and ipsec issues already, but I don't have these drivers loaded.
Thanks, and sorry for the rehash.


[ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes



Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapDisplayNames, so I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName="matchldapDisplayName"))

But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of different attribute ldapDisplayNames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call I might just call the filter with:

displayName
description
fromEntry

The number and ldapDisplayNames of the attributes are programmatically built, so I need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos





RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Mulnick, Al



Fixing the BAS app. is the only real solution if security is ever going to be a concern. You can see from the post that there are many ways to work around, but only one real solution. Fix the BAS app. 

Interesting info regarding workarounds though. 

I'd have to say Eric, if it were my project I'd want to fix the BAS app. or find another app. that doesn't reduce my security.

Al



RE: [ActiveDir] OT: WINS configuration question

2004-05-19 Thread joe
Brian presented a great plan. 

I fully agree with building the new infrastructure and hooking up the
replication between them and make sure it is all working properly. Drop in a
few records and make sure they make it around properly. You can do that by
either pointing a machine at one of the new WINS Servers or by creating a
dynamic record in the new structure with netsh like so... This will
eventually expire and be cleaned up.


[Wed 05/19/2004  8:58:58.26]
C:\WINDOWS>netsh wins server \\w2kasdc1 add name name=winsrocks rectype=1 IP={192.168.69.69}

***You have Read and Write access to the server w2kasdc1***

Command completed successfully.

[Wed 05/19/2004  8:59:18.18]
C:\WINDOWS>netsh wins server \\w2kasdc1 show name winsrocks

***You have Read and Write access to the server w2kasdc1***

Name  : WINSROCKS  [20h]
NodeType  : 1
State : ACTIVE
Expiration Date   : Tuesday, May 25, 2004 8:58:21 AM
Type of Rec   : UNIQUE
Version No: 0 1623
RecordType: DYNAMIC
IP Address: 192.168.69.69

Name  : WINSROCKS  [00h]
NodeType  : 1
State : ACTIVE
Expiration Date   : Tuesday, May 25, 2004 8:58:21 AM
Type of Rec   : UNIQUE
Version No: 0 1624
RecordType: DYNAMIC
IP Address: 192.168.69.69

Name  : WINSROCKS  [03h]
NodeType  : 1
State : ACTIVE
Expiration Date   : Tuesday, May 25, 2004 8:58:21 AM
Type of Rec   : UNIQUE
Version No: 0 1622
RecordType: DYNAMIC
IP Address: 192.168.69.69
Command completed successfully.

[Wed 05/19/2004  8:59:22.83]
C:\WINDOWS>


Once you know that the replication is all cool around that new
infrastructure, you will probably want to tie into the old for a bit. If
there is some reason you DON'T want to pull entries from the old into the
new like say you don't want to drag in Static entries or something what you
can do is ascertain all machines you want to be found via WINS name
resolution (most likely your servers mainly), and then register them in the
new system as specified above and set up a connection to send entries down
to the old WINS Servers. Then repoint the servers to the new structure. 

As for the clients, depending on your DHCP leases and how fast you want them
cut over, you may consider reducing your lease times up front. The
migrations I have been involved in we usually chopped the lease times down
to a day or two. It created more traffic but not like killer amounts more.
When you did the DHCP config change then most everything got the change
within a day. 

I also agree with Brian's idea of watching to see if the old equipment is
still being used. However I would reset the stats on the service (restart
the service or do a netsh wins server \\servername reset stat) and then let
them sit for a couple of hours or days and then do a 

Netsh wins server \\servername show stat

And see if anything has hit them. If so, then pull out the netmon or
ethereal and start capturing port 137 traffic. Either way will work, I
mention this way so you don't have to go into a net sniffer unless you
really have to. Not that going into one is bad and in fact any chance to use
a sniffer is a good thing. :o) Just offering alternatives. Another alternative is
that I believe I have a little simple sniff program I wrote laying around
that can watch specific ports and will dump to screen traffic to specific
ports. I was/am working towards a tool to pull off LDAP binds/Queries to
watch them and stuff them into a text file without having to pull out a full
blown network monitor tool. Nice thing about it is that it is self
contained, nothing to install. You say hacker tool, I say tool that I don't
have to worry about an install futzing with the registry or file system... 

  joe





 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, May 18, 2004 10:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: WINS configuration question

Well, what I'd do is get your 2003 infrastructure fully in place first. Then
I'd setup replication amongst the new infrastructure. However it floats your
boat is fine. Then, get a new server in each site pulling from the old hub
to the new ring. This should get you initially setup with data, and you can
see if there's replication problems and what have you. You'll also need to
push out from the new infrastructure into the old until things are working. 

Next, I'd get as many of the clients transitioned over to the new hardware
as possible. This means a DHCP change and waiting a minimum of the length of
a lease. You'll need to update all your servers and statically addressed
machines if they're not using reservations in DHCP. Then, get out your
trusty copy of netmon, and figure out how much traffic is hitting the old
boxes. When that gets 

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick








The objectClass expression is redundant and unnecessary. Construct something like (&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))



-gil

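Carlos's question and Gil's answer together describe the filter: a single objectCategory clause AND-ed with an OR of ldapDisplayName equality clauses. Because Carlos says the list of names is built programmatically, the one thing worth adding is RFC 4515 escaping of each value, so a name containing * or parentheses cannot turn an equality test into a presence match or break out of the filter. The Python below is an added example, not code from either poster. The sample schema entries and the small evaluator are constructed here so the effect can be seen offline; the evaluator mimics only the equality and presence semantics a DC would apply to this filter shape, nothing more.

```python
"""Schema attribute filter builder.  Added example, not code from the posts.

Builds the filter Gil describes, one objectCategory clause AND-ed with an
OR of ldapDisplayName equality clauses, and escapes every value as RFC
4515 requires so a programmatically supplied name cannot change the
filter's structure.
"""
import re

# RFC 4515 section 3: these characters must be escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def schema_attribute_filter(ldap_display_names):
    """One filter matching attributeSchema objects with any of the names.

    objectCategory is single-valued and indexed, so the redundant
    (objectClass=attributeSchema) clause is dropped.  Names are de-duplicated
    case-insensitively (ldapDisplayName compares that way in AD) and a single
    name gets no OR wrapper.
    """
    seen, unique = set(), []
    for name in ldap_display_names:
        if name.lower() not in seen:
            seen.add(name.lower())
            unique.append(name)
    if not unique:
        raise ValueError("at least one ldapDisplayName is required")
    clauses = "".join(f"(ldapDisplayName={escape_filter_value(n)})" for n in unique)
    if len(unique) > 1:
        clauses = f"(|{clauses})"
    return f"(&(objectCategory=attributeSchema){clauses})"


# --- offline demonstration of why the escaping matters -------------------

# Constructed sample: a handful of attributeSchema objects, by ldapDisplayName.
SAMPLE_SCHEMA = [{"ldapDisplayName": n} for n in
                 ("cn", "instanceType", "createTimeStamp",
                  "displayName", "description", "fromEntry")]

_CLAUSE = re.compile(r"\(ldapDisplayName=([^()]*)\)")


def _unescape(value):
    """Undo RFC 4515 \\xx escapes (what the server does before comparing)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def select_schema_entries(ldap_filter, entries=SAMPLE_SCHEMA):
    """Toy evaluator for filters of the shape built above.

    Applies only the equality/presence semantics of the ldapDisplayName
    clauses (a bare '*' is a presence match, as on a real server) to
    in-memory entries and returns the matching names in entry order.
    """
    wanted = _CLAUSE.findall(ldap_filter)
    hits = []
    for entry in entries:
        name = entry["ldapDisplayName"].lower()
        if any(raw == "*" or _unescape(raw).lower() == name for raw in wanted):
            hits.append(entry["ldapDisplayName"])
    return hits
```

With escaping, a supplied name of "*" becomes (ldapDisplayName=\2a) and matches nothing; concatenated raw it becomes a presence filter and returns every attribute in the schema. The same builder works unchanged for any other single-valued category (objectCategory=classSchema with the same OR of names, for instance), since only the clause list varies.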
Re: [ActiveDir] ms04-011

2004-05-19 Thread John Singler
Here are all of the published issues:
http://support.microsoft.com/default.aspx?kbid=835732
Most applicable for you (i think):
http://support.microsoft.com/default.aspx?kbid=841382
--
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044
life is a killer -- John Giorno


RE: [ActiveDir] OT: WINS configuration question

2004-05-19 Thread Depp, Dennis M.
Mike.

I would set up a new WINS server in one of the datacenters.  Configure one WINS server 
in each of the other datacenters to replicate w/ this new server.  Systematically 
remove WINS servers from the BU's.  Once you are down to the desired number of WINS 
servers, replace the older servers w/ W2K3.

Denny
-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 5/18/04 10:37:13 PM
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: [ActiveDir] OT: WINS configuration question
   
We're combining 7 business units together into a new Server 2003 forest.  We'll 
have an empty root and the 7 BUs will be combined into an AMER domain.  Some BUs 
already have AD with Server 2000 and others still have NT4.0.  All BUs are running 
WINS and we believe that we'll still need WINS.  However, 7 WINS environments are not 
the way we want to continue and there are way too many WINS servers around right now.  
Setting up push/pull replication between them doesn't seem to make sense either.  We 
wish to reduce the number of WINS servers to just our 8 major datacenters (each are 
hubs in our current WAN -- we hope to get that fixed but not soon enough).

Question is this...

Do we build one WINS server using Server 2003 in each of the datacenters and 
either specify automatic partner configuration or replication partners based on the 
WAN, shut down the old WINS servers on a Friday night, reconfigure all servers and 
workstations to new WINS addresses (scripted), and pray that all's well by Monday?  Or 
do we work to reduce the number of WINS servers in each of the BUs, upgrade them to 
2003, and set up replication, thus preserving our current entries?

I know that I may not be giving you much information.  Can and will provide more 
if you need.


Thanks,
Mike


Re: [ActiveDir] ms04-011

2004-05-19 Thread John Singler
forgot about the 2nd part of yr. question
see this thread:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html
Kern, Tom wrote:
i know this has been spoken of before, but i can't seem to find a pertinent email in 
the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying security 
settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain, because it 
can't contact the domain. this client (win2k) does not have the hotfix installed yet, 
but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape and ipsec 
issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.
--
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044
life is a killer -- John Giorno


RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes



Gil good catch thanks!
CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like 
((objectCategory=attributeSchema)((ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName=" & matchldapDisplayName & "))

But to minimize the calls to the dir I need be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call i might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so i need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos







RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe



Not a lot to monkey around with here though I wouldn't mind 
hearing ~Eric's thoughts and Dmitry Gavrilov's / Don 
Hatcherl's thoughts if they lurk here as it might point out some previously 
unknown to me AD optimizer / query engine internals info... 

It is kind of a trick question because the search scope is 
exceedingly small and the main attribute is indexed... However just to work 
through the logic you would do for any optimization


The first thing I saw that I would do is remove the 
objectClass=attributeSchema, it is redundant and if you think in the very 
strictest sense will slow you down the slightest bit (probably almost 
immeasurably) on the filter expansion, optimization, parsing routines. 
Basically, you have more characters to tear through than you need and it is 
handled in the objectcategory piece which is indexed. 

lDAPDisplayName is indexed so even 
objectcategory=attributeSchema in this case is not needed. 



The fastest thing if you have an App that has to keep going 
back to the schema to do this would obviously be to grab all of it up front and 
parse out the info and throw it into memory somewhere where you can just access 
it. 

If, however, you do this once or twice or even just 5 times 
with only a small percentage of the total attributes then doing the individual 
searches is probably faster.

Obviously do a single level search, no point in a subtree 
search here.

Taking the simplest case of two ldapdisplaynames and 
chasing them through the STATS control in the various ways:

Filter 1
===
Sent in Filter:
(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(|(ldapDisplayName=drink)(ldapdisplayname=member)))

Used Filter:
( | ( & (objectCategory=CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com) (objectClass=attributeSchema) (lDAPDisplayName=member) ) ( & (objectCategory=CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com) (objectClass=attributeSchema) (lDAPDisplayName=drink) ) ) 

Filter 2
==
Sent in Filter:
(&(objectCategory=attributeSchema)(|(ldapDisplayName=drink)(ldapdisplayname=member)))

Used Filter:
( | ( & (objectCategory=CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com) (lDAPDisplayName=member) ) ( & (objectCategory=CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com) (lDAPDisplayName=drink) ) ) 

Filter 3
==
Sent in Filter:
(|(ldapDisplayName=drink)(ldapdisplayname=member))

Used Filter:
( | (lDAPDisplayName=drink) (lDAPDisplayName=member) ) 



The same indices were used all three times. 


My take away is that there probably isn't a lot of speed to 
be gained in this but if I was trying to get every drop out I would say use the 
third filter example in this specific case, at the very least there is less 
to parse through, no filter manipulation required, less to send across the 
network, etc. However the difference is trivial. If you were doing this a 
lot in a single program, say in a loop, it would start to add up, but again at 
that point, pull all attributes into memory and cache them. 


Hope that helps. 


 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter

Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName=" & matchldapDisplayName & "))

But to minimize the calls to the dir I need be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call i might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so i need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos
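Carlos's requirement (a filter assembled from a programmatically supplied list of lDAPDisplayName values) and the three filter shapes joe runs through the STATS control above come down to one AND/OR structure. What follows is an added example, not code from any of the posters: a small Python builder that emits joe's "Filter 2" or "Filter 3" shape for any number of names and escapes every value per RFC 4515, so a name that arrives from an untrusted source (a web form, a config file) cannot close the assertion and widen the query. The function names and the sample inputs are assumptions of this example.

```python
"""Build the attributeSchema lookup filter from a list of lDAPDisplayName values.

Added example. It produces the (&(objectCategory=...)(|(...)(...))) shape the
thread converges on and escapes each value so the filter cannot be injected.
"""

# RFC 4515 section 3: these characters must be written inside an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_attribute_filter(names, include_category=True) -> str:
    """Return a filter matching attributeSchema objects whose lDAPDisplayName
    is any of `names`.

    include_category=True gives joe's 'Filter 2' shape. False gives 'Filter 3',
    which relies on lDAPDisplayName being indexed and on the search base being
    the Schema container with a one-level scope, as joe recommends.
    """
    names = [n.strip() for n in names if n and n.strip()]
    if not names:
        raise ValueError("at least one lDAPDisplayName is required")
    clauses = [f"(lDAPDisplayName={escape_filter_value(n)})" for n in names]
    # One name needs no OR wrapper; several are combined with '|'.
    name_part = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    if include_category:
        return "(&(objectCategory=attributeSchema)" + name_part + ")"
    return name_part


if __name__ == "__main__":
    print(build_attribute_filter(["cn", "instanceType", "createTimeStamp"]))
    print(build_attribute_filter(["displayName"], include_category=False))
    # Constructed hostile input: without escaping, the ')(' would break out of
    # the assertion and the '*' would match every attribute in the schema.
    print(build_attribute_filter(["cn)(lDAPDisplayName=*"]))
```

Run the filter against the Schema container (CN=Schema,CN=Configuration,<forest root DN>) with a one-level scope; the escaped form of the hostile input matches nothing rather than everything, which is the property a dynamically built filter needs.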





RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe



Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like 
((objectCategory=attributeSchema)((ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName=" & matchldapDisplayName & "))

But to minimize the calls to the dir I need be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call i might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so i need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos







RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
The issue is that some of the SRV records may not get registered for DCs.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395

I have sent MS a note to link that in with
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 8:59 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] ms04-011

i know this has been spoken of before, but i can't seem to find a pertinent
email in the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying
security settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain,
because it can't contact the domain. this client (win2k) does not have the
hotfix installed yet, but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape
and ipsec issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.
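joe's point is that a DC whose Netlogon registration has gone wrong will lack some of the SRV records that clients and other DCs use to find it, and deji's earlier advice was to check DNS for the relevant SRV records. The following added example (not from the posts or from Microsoft) lists the SRV owner names Netlogon publishes for a DC that is also a global catalog and reports which are absent or still name a retired DC. The domain, forest, site and host names, the constructed zone and the function names are assumptions of this example; resolution is injected as a callable so the check runs offline here, with a dnspython-based lookup included for live use.

```python
"""Verify the SRV records a domain controller publishes via Netlogon.

Added example. The owner names follow the records Netlogon writes to
%SystemRoot%\\System32\\config\\netlogon.dns for a DC that is also a GC.
The resolver is a callable so the check can run offline against the
constructed zone below or against live DNS with `live_lookup`.
"""
from typing import Callable, Dict, List

SrvLookup = Callable[[str], List[str]]  # owner name -> ["host:port", ...]


def expected_srv_names(domain: str, forest: str, site: str) -> List[str]:
    """SRV owner names a DC+GC in `site` should have registered."""
    d = domain.lower().rstrip(".")
    f = forest.lower().rstrip(".")
    return [
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_kpasswd._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",  # only the PDC emulator owns this one
        f"_ldap._tcp.{site}._sites.{d}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{d}",
        f"_gc._tcp.{f}",
        f"_ldap._tcp.gc._msdcs.{f}",
    ]


def check_dc_srv_records(lookup: SrvLookup, domain: str, forest: str,
                         site: str, dc_host: str) -> Dict[str, List[str]]:
    """Return owner names with no record, and names whose targets never
    include `dc_host` (for instance a record left behind by a removed DC)."""
    dc = dc_host.lower().rstrip(".")
    missing: List[str] = []
    stale: List[str] = []
    for name in expected_srv_names(domain, forest, site):
        targets = lookup(name)
        if not targets:
            missing.append(name)
        elif not any(t.rsplit(":", 1)[0].lower().rstrip(".") == dc for t in targets):
            stale.append(name)
    return {"missing": missing, "not_pointing_at_dc": stale}


# Constructed zone for the offline demonstration (assumed names). The child
# domain's DC registered its plain records, but several _msdcs records are
# absent and the PDC record still names a DC that has been removed.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "_ldap._tcp.child.example.test": ["dc1.child.example.test:389"],
    "_kerberos._tcp.child.example.test": ["dc1.child.example.test:88"],
    "_kpasswd._tcp.child.example.test": ["dc1.child.example.test:464"],
    "_ldap._tcp.pdc._msdcs.child.example.test": ["olddc.child.example.test:389"],
    "_ldap._tcp.default-first-site-name._sites.child.example.test":
        ["dc1.child.example.test:389"],
    "_gc._tcp.example.test": ["dc1.child.example.test:3268"],
}


def zone_lookup(name: str) -> List[str]:
    """Offline resolver over the constructed zone (DNS names are case-insensitive)."""
    return CONSTRUCTED_ZONE.get(name.lower(), [])


def live_lookup(name: str) -> List[str]:
    """Resolver for real use; needs dnspython (pip install dnspython)."""
    import dns.resolver  # imported here so the offline demo has no dependency
    try:
        answer = dns.resolver.resolve(name, "SRV")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [f"{r.target.to_text().rstrip('.')}:{r.port}" for r in answer]


def demo() -> Dict[str, List[str]]:
    """Run the check against the constructed zone."""
    return check_dc_srv_records(zone_lookup, "child.example.test",
                                "example.test", "Default-First-Site-Name",
                                "dc1.child.example.test")


if __name__ == "__main__":
    for kind, names in demo().items():
        for n in names:
            print(f"{kind}: {n}")
```

Against the constructed zone the check reports the four absent _msdcs records and flags the PDC record that still names the removed DC; on a live domain, pass `live_lookup` and the name of the DC that took over the FSMO roles. A missing record is the Netlogon registration problem joe links to; a stale one is what remains after a DC is removed with ntdsutil but its DNS entries are not cleaned up.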


RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
still doesn't work. when i try to join a win2k workstation to a domain, i get domain 
cannot be contacted. check dns error.
dns settings are fine, i can ping my dc's and dns servers from the pc.
i rebooted my dc, disabled ipsec policy agent, checked the srv records in my domain, no 
replication errors on my dc's. 

also, suddenly no win98 clients can log on. wins settings are correct, i can ping the 
wins server from my win98 clients, no errors in the wins log. i restarted the service, 
recreated the wins db. no errors on the pdc fsmo. still same issue.
i'm at a loss.
help! ack!!

thanks

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ms04-011


forgot about the 2nd part of yr. question

see this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html

Kern, Tom wrote:

 i know this has been spoken of before, but i can't seem to find a pertinent email in 
 the archives, so i apologize for this retread.
 what are the issues with ms04-011 hot fix?
 i ask because i have some clients that are perpetually stuck at the applying 
 security settings screen and never log on.
 also, i have one newly formatted client that i can't join to the domain, because it 
 can't contact the domain. this client (win2k) does not have the hotfix installed yet, 
 but my dns server does.
 is there a known issue with this fix affecting dns? i know about the dltape and ipsec 
 issues already, but i don't have these drivers loaded.
 thanks, and sorry for the rehash.
 

-- 
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

life is a killer -- John Giorno


RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
could this keep my child domain from logging in if the root dc's have this issue?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


The issue is that some of the SRV records may not get registered for DCs.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395

I have sent MS a note to link that in with
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 8:59 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] ms04-011

i know this has been spoken of before, but i can't seem to find a pertinent
email in the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying
security settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain,
because it can't contact the domain. this client (win2k) does not have the
hotfix installed yet, but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape
and ipsec issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.


RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
all srv records are in my dns zone and the root zone.
i'm truly at a loss. aside from the long logons and non-logons (win2k and win98) and the 
inability to join the domain, everything seems fine.
and the long logons are only affecting certain users, not everyone.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


The issue is that some of the SRV records may not get registered for DCs.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395

I have sent MS a note to link that in with
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 8:59 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] ms04-011

i know this has been spoken of before, but i can't seem to find a pertinent
email in the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying
security settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain,
because it can't contact the domain. this client (win2k) does not have the
hotfix installed yet, but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape
and ipsec issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.


RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
This could affect a ton of things. Remember, AD is very DNS dependent. 

Something you may consider doing is going to your DNS servers and setting up
a network sniffer and look for DNS calls, what is being asked for, what is
not being answered correctly.

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

could this keep my child domain from logging in if the root dc's have this
issue?

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


The issue is that some of the SRV records may not get registered for DCs.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395

I have sent MS a note to link that in with
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 8:59 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] ms04-011

i know this has been spoken of before, but i can't seem to find a pertinent
email in the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying
security settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain,
because it can't contact the domain. this client (win2k) does not have the
hotfix installed yet, but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape
and ipsec issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.


RE: [ActiveDir] ms04-011

2004-05-19 Thread deji Agba



For the first part of this question, look at the TCP/IP properties of the new client you are trying to join to the Domain. Make sure that "Enable LMHosts lookup" is unchecked, then make sure you are pointing at the correct INTERNAL DNS server ONLY (no ISP DNS in there), reboot the machine and re-attempt your join.



For the Win98 problem, have you tried DSCLIENT? http://download.microsoft.com/download/0/0/A/00A7161E-8DA8-4C44-B74E-469D769CE96E/dsclient9x.msi

I know you said that you were sure that you successfully seized all the FSMO roles, but does your new DC think so? Have you tried "netdom /query FSMO" on the DC to see what it thinks?


Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Kern, Tom
Sent: Wed 5/19/2004 7:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011
still doesn't work. when i try to join a win2k workstation to a domain, i get "domain cannot be contacted. check dns" error.
dns settings are fine, i can ping my dc's and dns servers from the pc.
i rebooted my dc, disabled ipsec policy agent, checked the srv records in my domain, no replication errors on my dc's. 

also, suddenly no win98 clients can log on. wins settings are correct, i can ping the wins server from my win98 clients, no errors in the wins log. i restarted the service, recreated the wins db. no errors on the pdc fsmo. still same issue.
i'm at a loss.
help! ack!!

thanks

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ms04-011


forgot about the 2nd part of yr. question

see this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html

Kern, Tom wrote:

 i know this has been spoken of before, but i can't seem to find a pertinent email in the archives, so i apologize for this retread.
 what are the issues with ms04-011 hot fix?
 i ask because i have some clients that are perpetually stuck at the "applying security settings" screen and never log on.
 also, i have one newly formatted client that i can't join to the domain, because it can't contact the domain. this client (win2k) does not have the hotfix installed yet, but my dns server does.
 is there a known issue with this fix affecting dns? i know about the dltape and ipsec issues already, but i don't have these drivers loaded.
 thanks, and sorry for the rehash.
 

-- 
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

"life is a killer" -- John Giorno



Download the DSClient package now..url
Description: Download the DSClient package now..url


RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
My personal thought would be to do a network trace on both issues. If there
is a name res issue or a slow responding DC it should show up rather
quickly. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

all srv records are in my dns zone and the root zone.
i'm truly at a loss. aside from the long logons and non-logons (win2k and win98) and
the inability to join the domain, everything seems fine.
and the long logons are only affecting certain users, not everyone.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


The issue is that some of the SRV records may not get registered for DCs.

See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395

I have sent MS a note to link that in with
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 8:59 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] ms04-011

i know this has been spoken of before, but i can't seem to find a pertinent
email in the archives, so i apologize for this retread.
what are the issues with ms04-011 hot fix?
i ask because i have some clients that are perpetually stuck at the applying
security settings screen and never log on.
also, i have one newly formatted client that i can't join to the domain,
because it can't contact the domain. this client (win2k) does not have the
hotfix installed yet, but my dns server does.
is there a known issue with this fix affecting dns? i know about the dltape
and ipsec issues already, but i don't have these drivers loaded.
thanks, and sorry for the rehash.


RE: [ActiveDir] ms04-011

2004-05-19 Thread James Payne





the syntax should be:

netdom query /domain:nameofdomainhere




   
From: Kern, Tom [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] ms04-011
Date: 05/19/2004 10:55 AM
Please respond to [EMAIL PROTECTED]




tcp/ip settings are correct. lmhosts lookup is disabled.
i never had an issue with win98 clients till this week.

the query switch for netdom, is that from the support tools for win2k3? because
on a win2k machine i get invalid argument.
thanks for your help
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, May 19, 2004 10:49 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ms04-011

  For the first part of this question, look at the TCP/IP properties of
  the new client you are trying to join to the Domain. Make sure that
  Enable LMHosts lookup is unchecked, then make sure you are pointing
  at the correct INTERNAL DNS server ONLY (no ISP DNS in there), reboot
  the machine and re-attempt your join.

  For the Win98 problem, have you tried DSCLIENT?
  
http://download.microsoft.com/download/0/0/A/00A7161E-8DA8-4C44-B74E-469D769CE96E/dsclient9x.msi

  I know you said that you were sure that you successfully seized all
  the FSMO roles, but does your new DC think so? Have you tried netdom
  /query FSMO on the DC to see what it thinks?


  Sincerely,

  Dèjì Akómöláfé, MCSE MCSA MCP+I
  Microsoft MVP - Directory Services
  www.readymaids.com - we know IT
  www.akomolafe.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday?  -anon

  From: Kern, Tom
  Sent: Wed 5/19/2004 7:19 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] ms04-011

  still doesn't work. when i try to join a win2k workstation to a
  domain, i get domain cannot be contacted. check dns error.
  dns settings are fine, i can ping my dc's and dns servers from the
  pc.
  i rebooted my dc, disabled ipsec policy agent, checked the srv records
  in my domain, no replication errors on my dc's.

  also, suddenly no win98 clients can log on. wins settings are correct,
  i can ping the wins server from my win98 clients, no errors in the
  wins log. i restarted the service, recreated the wins db. no errors
  on the pdc fsmo. still same issue.
  i'm at a loss.
  help! ack!!

  thanks

  -Original Message-
  From: John Singler [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, May 19, 2004 9:35 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [ActiveDir] ms04-011


  forgot about the 2nd part of yr. question

  see this thread:

  http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html


  Kern, Tom wrote:

   i know this has been spoken of before, but i can't seem to find a
  pertinent email in the archives, so i apologize for this retread.
   what are the issues with ms04-011 hot fix?
   i ask because i have some clients that are perpetually stuck at the
  applying security settings screen and never log on.
   also, i have one newly formatted client that i can't join to the
  domain, because it can't contact the domain. this client (win2k) does
  not have the hotfix installed yet, but my dns server does.
   is there a known issue with this fix affecting dns? i know about the
  dltape and ipsec issues already, but i don't have these drivers
  loaded.
   thanks, and sorry for the rehash.
  

  --
  John Singler
  Systems Administrator
  School of Veterinary Medicine, University of Pennsylvania
 

RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Passo, Larry
Treesize Pro will do almost everything

http://www.jam-software.com/treesize/

From: Rutherford, Robert [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 19, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT : File/Folder/Storage Reporting

Hi All,

Well I'm at that stage again - reviewing backup and data storage. I'm hunting for duplicate files, old unmodified files, greediest user, etc.

I'm basically looking for some software that can report such things in one package. any experiences or recommendations?

Thanks in advance.

Rob




The information transmitted is intended only for the person or entity to which it is addressed and may contain
confidential and/or privileged material. Any use (including retransmission or copying) of this information by
persons or entities other than the intended recipient is prohibited. If you are not the intended recipient of
this transmission, please contact the sender and delete the material from any computer. The sender is not
responsible for the completeness or accuracy of this communication as it has been transmitted over a public
network. Any replies to this email may be monitored by the MCPS-PRS Alliance for quality control and other
purposes.


RE: [ActiveDir] ms04-011

2004-05-19 Thread Eric Fleischman
Yup that's what I meant, we'd want to do that logging on affected
client. And network trace of that client (perhaps from second box on a
simple little hub) of the boot/logon would also be telling if the
userenv doesn't give us the answer (could go either way).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I believe Eric meant the client experiencing the slowness. You will note
that the DC seems to be having no issues as that ripped through the
process
in like half a second according to the logs.

  joe

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

this is the output of my userenv.log on my fsmo pdc.

SERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:  Starting computer Group
Policy
processing...
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:359 EnterCriticalPolicySection: Machine
critical
section has been claimed.  Handle = 0x74
USERENV(e4.34c) 10:45:11:359 ProcessGPOs:  Machine role is 3.
USERENV(e4.34c) 10:45:11:359 PingComputer: PingBufferSize set as 2048
USERENV(e4.34c) 10:45:11:359 PingComputer:  First time:  0
USERENV(e4.34c) 10:45:11:375 PingComputer:  Fast link.  Exiting.
USERENV(e4.34c) 10:45:11:375 ProcessGPOs:  User name is:
CN=ADSERVER1,OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET,
Domain
name is:  CHARMERNYDOM
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Domain controller is:
\\adserver1.CHARMERNYDOM.CSG-IT.NET  Domain DN is
CHARMERNYDOM.CSG-IT.NET
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Calling GetGPOInfo for normal
policy mode
USERENV(e4.34c) 10:45:11:375 GetGPOInfo:

USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Entering...
USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Server connection established.
USERENV(e4.34c) 10:45:11:406 GetGPOInfo:  Bound successfully.
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Searching OU=Domain
Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Found GPO(s):
[LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System
,DC=
CHARMERNYDOM,DC=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  Deferring search for
LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,
DC=C
HARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Searching
DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Found GPO(s):
[LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System
,DC=
CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={276E7B50-A050-497E-8996-BB4A
2562
2B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://C
N={3
1B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYD
OM,D
C=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  Deferring search for
LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,
DC=C
HARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  Deferring search for
LDAP://CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,
DC=C
HARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:453 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:453 ProcessGPO:  Deferring search for
LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,
DC=C
HARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:468 SearchDSObject:  Searching
CN=CHARMER-ASTORIA,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:468 SearchDSObject:  No GPO(s) for this object.
USERENV(e4.34c) 10:45:11:468 EvaluateDeferredGPOs:  Searching for GPOs
in
cn=policies,cn=system,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:484 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:484 ProcessGPO:  Searching
CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHAR
MERN
YDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:484 ProcessGPO:  Machine has access to this
GPO.
USERENV(e4.34c) 10:45:11:500 ProcessGPO:  Found functionality version
of:  2
USERENV(e4.34c) 10:45:11:500 ProcessGPO:  Found file system path of:
\\CHARMERNYDOM.CSG-IT.NET\SysVol\CHARMERNYDOM.CSG-IT.NET\Policies\{776B
44AB
-9D12-4BE6-84D3-EB26EA1DD649}
USERENV(e4.34c) 10:45:11:515 ProcessGPO:  Found common name of:
{776B44AB-9D12-4BE6-84D3-EB26EA1DD649}
USERENV(e4.34c) 10:45:11:515 ProcessGPO:  Found display name of:  IE
Policy
USERENV(e4.34c) 10:45:11:515 ProcessGPO: 

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick

Hey, whaddaya want for 6 in the morning? :)

WRT objectCategory not being needed, is there a restriction 
that a classSchema object cannot have the same ldapDisplayName as an 
attributeSchema object?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like
(&(objectCategory=attributeSchema)((ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all,

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can
make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I immediately
think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName="matchldapDisplayName"))

But to minimize the calls to the dir I need be able to dynamically specify a list that can be any amount of
different attribute ldapdisplaynames.

For example one time I might call the filter with

cn
instanceType
createTimeStamp

And on a different call i might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so i need a filter that will be
able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties
(the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos







RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert
Yeh I've used it before... I don't think it does file age, duplicate finding etc?
It's probably more that side of things I'm looking for.

Thanks Larry

  
  -Original Message-
  From: Passo, Larry [mailto:[EMAIL PROTECTED]
  Sent: 19 May 2004 16:13
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT : File/Folder/Storage Reporting

  Treesize Pro will do almost everything

  http://www.jam-software.com/treesize/


  From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, May 19, 2004 2:59 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] OT : File/Folder/Storage Reporting

  Hi All,

  Well I'm at that stage again - reviewing backup and data storage. I'm hunting for duplicate
  files, old unmodified files, greediest user, etc.

  I'm basically looking for some software that can report such things in one package. any
  experiences or recommendations?

  Thanks in advance.

  Rob


RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert
Ooh just checked and it does..

That'll do.

Thanks

  
  -Original Message-
  From: Rutherford, Robert
  Sent: 19 May 2004 16:46
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OT : File/Folder/Storage Reporting

  Yeh I've used it before... I don't think it does file age, duplicate finding etc?
  It's probably more that side of things I'm looking for.

  Thanks Larry

-Original Message-
From: Passo, Larry [mailto:[EMAIL PROTECTED]
Sent: 19 May 2004 16:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT : File/Folder/Storage Reporting

Treesize Pro will do almost everything

http://www.jam-software.com/treesize/


From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT : File/Folder/Storage Reporting

Hi All,

Well I'm at that stage again - reviewing backup and data storage. I'm hunting for duplicate
files, old unmodified files, greediest user, etc.

I'm basically looking for some software that can report such things in one package.
any experiences or recommendations?

Thanks in advance.

Rob


RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
here's some more weirdness-
now when i want to join a pc to a domain, i have to enter the fqdn. before i would 
just enter domainname. now i have to enter domainname.parentdomain.rootdomain.
when i just enter the domainname and do a trace, i see in dns that the 
srv_msdc_ldap.domainname cannot be found.

also when i do a trace on the dns/dc i get weird dns requests for legitimate domains as 
srv records as in srv_ldap_yahho.com


strange

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


My immediate reaction is that this is a GC issue.  Missing GC DNS records?

Mike Thommes

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


Yup that's what I meant, we'd want to do that logging on affected
client. And network trace of that client (perhaps from second box on a
simple little hub) of the boot/logon would also be telling if the
userenv doesn't give us the answer (could go either way).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I believe Eric meant the client experiencing the slowness. You will note
that the DC seems to be having no issues as that ripped through the
process
in like half a second according to the logs.

  joe

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

this is the output of my userenv.log on my fsmo pdc.





[userenv.log output snipped; identical to the copy quoted earlier in this thread]

RE: [ActiveDir] ms04-011

2004-05-19 Thread deji
Yeah, that's from a Win2K3 client.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 5/19/2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


tcp/ip settings are correct. lmhosts lookup is disabled.
i never had an issue with win98 clients till this week
 
the query switch for netdom, is that from support tools for win2k3, because
on a win2k machine i get invalid argument
thanks for your help

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


For the first part of this question, look at the TCP/IP properties of
the new client you are trying to join to the Domain. Make sure that Enable
LMHosts lookup is unchecked, then make sure you are pointing at the correct
INTERNAL DNS server ONLY (no ISP DNS in there), reboot the machine and
re-attempt your join.
 

For the Win98 problem, have you tried DSCLIENT?
http://download.microsoft.com/download/0/0/A/00A7161E-8DA8-4C44-B74E-469D769CE96E/dsclient9x.msi
 
I know you said that you were sure that you successfully seized all
the FSMO roles, but does your new DC think so? Have you tried netdom /query
FSMO on the DC to see what it thinks?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Kern, Tom
Sent: Wed 5/19/2004 7:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


still doesn't work. when i try to join a win2k workstation to a
domain, i get domain cannot be contacted. check dns error.
dns settings are fine, i can ping my dc's and dns servers from the
pc.
i rebooted my dc, disabled ipsec policy agent, checked the srv records
in my domain, no replication errors on my dc's. 

also, suddenly no win98 clients can logon. wins settings are correct,
i can ping the wins server from my win98 clients, no errors in the wins log.
i restarted the service, recreated the wins db. no errors on the pdc fsmo.
still same issue.
i'm at a loss.
help! ack!!

thanks

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ms04-011


forgot about the 2nd part of yr. question

see this thread:


http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html

Kern, Tom wrote:

 i know this has been spoken of before, but i can't seem to find a
pertinent email in the archives, so i apologize for this retread.
 what are the issues with ms04-011 hot fix?
 i ask because i have some clients that are perpetually stuck at the
applying security settings screen and never log on.
 also, i have one newly formatted client that i can't join to the
domain, because it can't contact the domain. this client(win2k) does not have
the hotfix installed yet, but my dns server does.
 is there a known issue with this fix affecting dns? i know about the
dltape and ipsec issues already, but i don't have these drivers loaded.
 thanks, and sorry for the rehash.
 

-- 
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044

life is a killer -- John Giorno


RE: [ActiveDir] LDAP filter

2004-05-19 Thread Eric Fleischman

I can conceive of a scenario (maybe more, you tell me) where lDAPDisplayName is not unique.

Anyone want to take a swing at it?

Attached is my first answer... no peeking!

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! :oP

WRT to objectcategory... are you testing me or looking for free research. eg

lDAPDisplayName according to MS must be unique within the schema container. Please see
http://msdn.microsoft.com/library/default.asp?url= for details.

However that being said, to this point, that is considered propaganda because I have never actually tried it.

It was interesting when I first read your question though, my first response in my head was well it *(^* well
better be... Then I was thinking though they could get tricky with the fact that you have attribs and objects and
they are used differently and the ldapdisplayname isn't the key for the rdn (i.e. cn)...

I had to go look. Too much thinking for the day...











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 11:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP filter

Hey, whaddaya want for 6 in the morning? :)

WRT objectCategory not being needed, is there a restriction that a classSchema object cannot have the same
ldapDisplayName as an attributeSchema object?

-g









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo...

(&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

 joe









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

The objectClass expression is redundant and unnecessary. Construct something like
(&(objectCategory=attributeSchema)((ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

-gil











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter

Hey all,

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can
make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I immediately
think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName=matchldapDisplayName))

But to minimize the calls to the dir I need be able to dynamically specify a list that can be any amount of
different attribute ldapdisplaynames.

For example one time I might call the filter with

cn
instanceType
createTimeStamp

And on a different call i might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so i need a filter that will be
able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties
(the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos


Attachment: eric_foo.ldf
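As an added example (not code from anyone in this thread), here is a Python builder for the dynamic list of lDAPDisplayNames Carlos asked for, in the (&(objectCategory=attributeSchema)(|...)) form Gil and joe arrive at, with RFC 4515 escaping of each programmatically built value so a name can never rewrite the filter, plus a small evaluator run over a constructed sample schema. The sample's classSchema entry that shares an lDAPDisplayName is hypothetical and present only to show what the objectCategory term excludes; the evaluator covers only the &, |, ! and equality forms this filter needs.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot open, close or wildcard a filter component."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_schema_filter(names, category="attributeSchema"):
    """Filter matching schema objects whose lDAPDisplayName is any of `names`.

    One name yields (&(objectCategory=...)(lDAPDisplayName=name)); several names are
    OR-ed inside a (|...) term, the form Gil and joe settle on in the thread.
    """
    names = list(names)
    if not names:
        raise ValueError("need at least one lDAPDisplayName")
    terms = "".join(f"(lDAPDisplayName={escape_filter_value(n)})" for n in names)
    if len(names) > 1:
        terms = f"(|{terms})"
    return f"(&(objectCategory={category}){terms})"


# --- minimal evaluator for the subset this filter uses: &, |, ! and equality ---

def _unescape(value):
    """Reverse RFC 4515 \\XX escapes so comparison is done on the literal value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)  # an escaped ')' appears as \29, so this is the component's end
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1


def matches(node, entry):
    """entry: dict keyed by lower-cased attribute name; AD string syntaxes compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return str(entry.get(attr, "")).lower() == value.lower()


def search(entries, filter_text):
    """Return the cn of every entry the filter matches, in input order."""
    node = parse_filter(filter_text)
    lowered = [{k.lower(): v for k, v in e.items()} for e in entries]
    return [e["cn"] for e in lowered if matches(node, e)]


# Constructed sample schema entries (not real directory data). objectCategory is written
# in the lDAPDisplayName shorthand AD accepts in filters rather than the full class DN.
SAMPLE_SCHEMA = [
    {"cn": "Common-Name", "objectCategory": "attributeSchema", "lDAPDisplayName": "cn"},
    {"cn": "Instance-Type", "objectCategory": "attributeSchema", "lDAPDisplayName": "instanceType"},
    {"cn": "Create-Time-Stamp", "objectCategory": "attributeSchema", "lDAPDisplayName": "createTimeStamp"},
    {"cn": "Display-Name", "objectCategory": "attributeSchema", "lDAPDisplayName": "displayName"},
    {"cn": "Description", "objectCategory": "attributeSchema", "lDAPDisplayName": "description"},
    {"cn": "From-Entry", "objectCategory": "attributeSchema", "lDAPDisplayName": "fromEntry"},
    # Hypothetical class sharing a name: present only to show what objectCategory excludes.
    {"cn": "Hypothetical-Class", "objectCategory": "classSchema", "lDAPDisplayName": "description"},
]


if __name__ == "__main__":
    for wanted in (["cn", "instanceType", "createTimeStamp"], ["displayName", "description", "fromEntry"]):
        flt = build_schema_filter(wanted)
        print(flt)
        print("  ->", search(SAMPLE_SCHEMA, flt))
    # A value built from untrusted input stays a literal value instead of rewriting the filter.
    print(search(SAMPLE_SCHEMA, build_schema_filter(["cn)(objectCategory=*"])))
```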


RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Eric Fleischman

Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun
stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends
(sad yet true).

So the error below, is that from netdiag? Or another tool?













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box.
Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't
include debugging LSASS.

The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

 joe











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member
server only. I've promoted one of them to DC and that made kerberos happy - no more complaints...

No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for
some reason NTDS settings in ADSS are empty and the event log on the DC, from which it is supposed to replicate,
mentions there are no more endpoints available from an endpoints mapper, which I am currently trying to sort out,
but no problems in netdiag and dcdiag anymore...

Lana









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this
one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with
the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors
on them unless this one computer object was set up incorrectly.

 joe









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

You're right about DC, Joe. Guess what happened after dcpromo? - kerberos error in netdiag... disappeared! Now -
imagine how I feel after wasting so much time trying to fix it!

Wish Microsoft could warn about such little things...

Lana










Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck
it wants to write in AD.

joe



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

H... I don't see any disjoint namespace... but don't know what you mean under "proper permissions are not set
on the computer object".
But I've actually taken responsibility and done dcpromo now... so far everything looks normal...
Maybe it was - a netdiag bug? [I hope it was!]
Thanks for input.

Lana

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Do you have a disjoint name space?

I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object
so that it can update its own information properly.

The UDP/TCP thing Al mentioned is a good thought too but usually when that is occurring you will see some hellacious
slow downs. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was
throwing away fragmented kerberos packets because of too many group memberships and I have seen it when a NIC had
bad configurations for (I think) max frame size.

joe


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server

Hello,

I wonder if anyone has seen this before:

W2K active directory, few W2K3 member servers. All of them display kerberos error message when running netdiag
kerberos test:

[FATAL] Kerberos does not have a ticket for host/domain.com

I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers
show this problem. Run Kerbtray - all tickets seem to be there. DC list test and all the rest of netdiag tests -
passed.
Also some of W2K3 servers are 

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Lee, Wook



6, 9, what's a few timezones among friends

Interesting that lDAPDisplayName is optional in the classSchema class but mandatory in the attributeSchema class. I suppose it's possible for an object and an attribute to have the same name, but why would you, other than to sow mayhem and mischief into the AD?

Oddly enough, classDisplayName is optional in both classes.

So what happens if you want to create a manager class as a subclass of user or inetOrgPerson? I guess you'd have to call it managmentPerson or maybe PHBoss.

Wook


From: joe
Sent: Wed 5/19/2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! :oP

WRT to objectcategory... are you testing me or looking for free research. eg

lDAPDisplayName according to MS must be unique within the schema container. Please see http://msdn.microsoft.com/library/default.asp?url=""> for details. 

However that being said, to this point, that is considered propaganda because I have never actually tried it. 

It was interesting when I first read your question though, my first response in my head was well it *(^* well better be... Then I was thinking though they could get tricky with the fact that you have attribs and objects and they are used differently and the ldapdisplayname isn't the key for the rdn (i.e. cn)... 

I had to go look. Too much thinking for the day... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 11:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP filter

Hey, whaddaya want for 6 in the morning? :)

WRT objectCategory not being needed, is there a restriction that a classSchema object cannot have the same ldapDisplayName as an attributeSchema object?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

The objectClass expression is redundant and unnecessary. Construct something like (&(objectCategory=attributeSchema)((ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter

Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, so I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName= "  matchldapDisplayName  "))

But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call I might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so I need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos



[ActiveDir] win98

2004-05-19 Thread Kern, Tom
ok, I've installed the dsclient, I've disabled the secure connections on the GPO on 
the domain controller OU, WINS is set up, and still when a win98 client attempts to 
logon I get a "no domain controller could be contacted" error.
I'm running a mixed mode win2k AD. My DCs have SP4 installed.
What else should I do?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe



Eric, you need to buy a jeep or go hang out at the Lodge... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man, the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true).

So the error below, is that from netdiag? Or another tool?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS. 

The fact that you had machines not getting tickets before but are now is a wee bit scary as well. 

joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we didn't have a disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made kerberos happy - no more complaints...

No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for some reason NTDS settings in ADSS are empty and the event log on the DC from which it is supposed to replicate mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems in netdiag and dcdiag anymore...

Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly.

joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

You're right about DC, Joe. Guess what happened after dcpromo? - the kerberos error in netdiag... disappeared! Now - imagine how I feel after wasting so much time trying to fix it!

Wish Microsoft could warn about such "little" things...

Lana

Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD. 

joe

RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Have you entered a static WINS address in the TCP/IP properties?  If not
try it.

Julie



RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe



Ugh.

So this means our filter has to get more complicated, we need to add a !(isdefunct=TRUE).

So our filter will now look like

(&(!(isdefunct=TRUE))(|(ldapDisplayName=drink)(ldapdisplayname=member)))

On the positive side, that doesn't change the used filter according to STATS and the indices used are still all the same and I am still seeing 0ms for execution time.

Eric how is this going to actually be handled internally?

Would it grab the subset of everything that matches the OR filter and then pull out anything that isn't isdefunct=TRUE (i.e. empty value and FALSE). 

Since isDefunct isn't indexed I would expect that is how it would work, focus on the indexed stuff first and come through and check the non-indexed things.

joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

I can conceive of a scenario (maybe more, you tell me) where lDAPDisplayName is not unique.
Anyone want to take a swing at it?

Attached is my first answer... no peeking!

~Eric






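The dynamic filter Carlos asked for, with Gil's objectCategory simplification and joe's isDefunct exclusion, as an added example in Python (not code from any of the posts): it builds the filter string with RFC 4515 escaping of the caller-supplied names, since an unescaped `*` or `)` in a programmatically built value changes the filter's meaning, and evaluates the same filter tree against a constructed sample schema, so the effect of the isDefunct clause and of the quoted `"foo"` values in Gil's version (which match nothing, because quotes are literal characters in an LDAP filter) can be checked offline. Class and function names and the sample entries are this example's own; AD's objectCategory holds a DN, but the server accepts the class's lDAPDisplayName as shorthand in a filter, and the sample entries store that short form directly.

```python
"""Build and test the dynamic attributeSchema lookup filter from the thread.

Added example, not code from the list posts. Class, function and sample-entry
names are this example's own; the entries below are constructed, not a real
schema export.
"""
from dataclasses import dataclass
from typing import Dict, List

# RFC 4515 escaping for assertion values. Unescaped, these characters would
# change the structure of the filter or be read as a substring wildcard.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

Entry = Dict[str, List[str]]  # lowercase attribute name -> values


def escape_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class Eq:
    attr: str
    value: str

    def __str__(self) -> str:
        return f"({self.attr}={escape_value(self.value)})"

    def matches(self, entry: Entry) -> bool:
        # The string syntaxes involved here compare case-insensitively in AD.
        return any(v.lower() == self.value.lower()
                   for v in entry.get(self.attr.lower(), []))


@dataclass
class Not:
    inner: object

    def __str__(self) -> str:
        return f"(!{self.inner})"

    def matches(self, entry: Entry) -> bool:
        return not self.inner.matches(entry)


@dataclass
class And:
    parts: list

    def __str__(self) -> str:
        return "(&" + "".join(str(p) for p in self.parts) + ")"

    def matches(self, entry: Entry) -> bool:
        return all(p.matches(entry) for p in self.parts)


@dataclass
class Or:
    parts: list

    def __str__(self) -> str:
        return "(|" + "".join(str(p) for p in self.parts) + ")"

    def matches(self, entry: Entry) -> bool:
        return any(p.matches(entry) for p in self.parts)


def build_attribute_filter(names: List[str], exclude_defunct: bool = True) -> And:
    """objectCategory narrows to attribute definitions (objectClass would be
    redundant, as Gil noted), an OR covers the caller-supplied names, and a
    NOT on isDefunct drops deactivated definitions, as joe added."""
    parts = [Eq("objectCategory", "attributeSchema")]
    if exclude_defunct:
        parts.append(Not(Eq("isDefunct", "TRUE")))
    parts.append(Or([Eq("lDAPDisplayName", n) for n in names]))
    return And(parts)


def entry(**attrs: str) -> Entry:
    return {k.lower(): [v] for k, v in attrs.items()}


# Constructed sample schema. objectCategory is stored as the class's
# lDAPDisplayName rather than the full DN AD returns (AD accepts the short
# form in a filter).
SAMPLE_SCHEMA = [
    entry(objectCategory="attributeSchema", lDAPDisplayName="cn"),
    entry(objectCategory="attributeSchema", lDAPDisplayName="instanceType"),
    entry(objectCategory="attributeSchema", lDAPDisplayName="createTimeStamp"),
    entry(objectCategory="attributeSchema", lDAPDisplayName="oldDrink", isDefunct="TRUE"),
    entry(objectCategory="classSchema", lDAPDisplayName="user"),
]


def select(names: List[str], schema: List[Entry], exclude_defunct: bool = True) -> List[str]:
    """Return the lDAPDisplayNames the filter would match, in schema order."""
    flt = build_attribute_filter(names, exclude_defunct)
    return [e["ldapdisplayname"][0] for e in schema if flt.matches(e)]


if __name__ == "__main__":
    print(build_attribute_filter(["cn", "instanceType"]))
    print(select(["cn", "instanceType", "oldDrink", "user"], SAMPLE_SCHEMA))
```

Because the filter string is assembled from escaped values rather than string concatenation of raw input, a name taken from user-controlled data cannot widen the search or break out of the OR group; the evaluator exists only so the three clauses can be exercised without a directory.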
RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
yup



RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Hmmm...Upgrade the machine to 2K Pro   :)



RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Are all updates installed on the Win 98 machine?  I've had instances
where I had to install all updates first and then install the DS client,
in that order, before it would work.  Unfortunately we have a lot of 98's
on our network but... we are able to get them to log in.

Julie



RE: [ActiveDir] win98

2004-05-19 Thread Mulnick, Al
What shows up in the DC security logs when the 98 client attempts to attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there are two settings to disable for win9x clients.  Did you set two?
 



RE: [ActiveDir] win98

2004-05-19 Thread Salandra, Justin A.
Are the TCPIP settings correct on the 98 machines?



RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
nice...



RE: [ActiveDir] win98

2004-05-19 Thread Salandra, Justin A.
What are the two?



RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
Eric,

It looks like I was not clear enough. See my comments below.

And as others have already stated, the solution should be in the app's
code. The problem is that it's not always that easy to change the code
even if it's open source.

Guy

On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
> I'm going to respectfully disagree with the approach being taken here.
> It is, IMHO, misguided.
>
> What has been described as a security hole (opening your AD for a
> subset of operations being allowed by ANONYMOUS) has somehow been
> justified in the OpenLDAP world. Make no mistake about it: anonymous
> is anonymous on any platform. Allowing ANONYMOUS to read from one
> directory vs. another is the same threat. Why they are being viewed is
> a mystery to me.

My point was that you are only syncing with OpenLDAP the
uid-sAMAccountName (or upn) and the user's Kerberos principal.
ACL-ing OpenLDAP to allow read access by attribute is a one-liner.

> That said, from an order of complexity perspective, a sync solution
> will be substantially harder to set up and maintain over the long
> haul.

Indeed. But it gives several advantages, like using the same OpenLDAP
for Linux client logons, without tweaking AD's schema by installing SFU
(which is rather dumb and not flexible enough to my taste). What I
described might be a good solution for a small heterogeneous network. At
larger scale, I would not even be considering deploying an application
which by default does anonymous binds. 

> If this were my project, I would do the following:
>
> 1) Flip 7th bit of dsHeuristics to 2, enabling the ability to
> have anonymous binds to the DS (part one of the solution)
>
> 2) We need to now ACL things so ANONYMOUS has access to the data
> required. Fundamentally, there are two approaches:
>
> a. Target the objects that your auth client will be searching
> (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum
> required perms for it... my bet is that just read to a subset of
> attributes is sufficient.

Only 2 attributes are needed. The equivalent of uid (sAMAccountName or
upn ?) and userPassword. 

> b. You can try to flip the reg value EveryoneIncludesAnonymous
> to 1 on a single DC and see if that satisfies your needs. 
> NOTE: this approach, if it works, is particularly advantageous as it
> is localized to a single DC, IE only a subset of DCs would have
> increased abilities for ANONYMOUS.
>
> Many comments Guy made confuse me, especially this one:
>
> > You will definitely not want that in production
>
> So you want to have a second directory with ANONYMOUS able to read it,
> but not a single one? How is OpenLDAP with ANONYMOUS somehow different
> than AD with ANONYMOUS reads enabled? I fail to see the difference
> here. If your difference was the localization problem, my
> EveryoneIncludesAnonymous solution might do that for you a bit more
> gracefully.

I was not aware of that approach and I stand corrected. Obviously there
is a good reason I am subscribed to this list - I learn something new
every day. Thanks guys !

> I don't recall all of the ACLs that Everyone has in 2k03 out of the
> box, but if there is a problem there send me a trace of a failure and
> I can show you what needs to change to make it work. I bet it is small
> though.
>
> ~Eric
>
> __
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol
> Naberan Burgaa
> Sent: Wednesday, May 19, 2004 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Anonymous bind
>
> OK, I will try the second approach. 
> So I have to copy (sync) all the AD data into my local openLDAP???
> creating a local schema with the user info???
> --
>
> Aitzol Naberan Burgaa
> CodeSyntax
> [EMAIL PROTECTED]
> www.codesyntax.com
> Tel: 943  82 17 80
>
> Guy Teverovsky said: 
>
> > There are several solutions to that:
> >
> > 1) Grant Everyone read permissions (this object and all child objects)
> > to the domain object. The drawbacks are obvious: you are opening a HUGE
> > security hole. You will definitely not want that in production.
> >
> > 2) Set up OpenLDAP and sync the needed attributes from AD. From what I
> > can find ( http://docs.opengroupware.org/Members/sim/ldap-notes/view ),
> > you will need to use top, account and simpleSecurityObject
> > objectClasses. 
> > userPassword attribute can be a pointer to the user's Kerberos principal
> > in AD Kerberos realm in the following form:
> > userPassword: [EMAIL PROTECTED]
> > In that way you can allow anonymous searches in OpenLDAP while exposing
> > the bare minimum data and yet authenticate the users through LDAP.
> > What happens in such a configuration is something like this:
> >
> > 1) OpenGroupware binds anonymously to OpenLDAP and performs the search
> > for user object.
> > 2) After the user object is found, OpenGroupware tries to bind as user
> > to OpenLDAP (you should configure SSL/TLS if you do not want the
> > passwords to travel in 

RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread John McGlinchey
My experience with Aelita is that they are an outstanding group of people
that will bend over backwards to fill your needs.  We use EMM now to migrate
servers into our Active Directory from many sources (NT Domains, other AD's
and Workgroups) and have hit a few snags here and there.  Aelita folks
jumped through hoops to make things work right and keep us on schedule. 

We are also using their ERDisk for AD product to back up and restore AD
objects.  Works great. 

And NO, I do NOT work for Aelita.  I just use their products. 

John McGlinchey
AD Enterprise Architect
Bristol-Myers Squibb Company

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Tuesday, May 18, 2004 11:36 AM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Aelita enterprise manager
 
 Has anyone had any experience with Aelita EMM in migrating a 
 child domain from one forest to a brand new one, including 
 Exchange 2k mailboxes, DGs, and contacts?
 We are running a win2k forest in mixed mode and looking at 
 moving to our own forest.
 Is this product as good as it sounds?
 Any gotchas? Do I need another product to aid in this transition?
 Thanks
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 



RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
Digitally Sign Communications (always) - Set to DISABLED

Digitally encrypt or sign secure channel data - Set to DISABLED

both are set to disable

nothing in the security logs.

i'm now setting up a second wins server. will let you know.

thanks for all your help

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


What are the two?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

What shows up in the DC security logs when the 98 client attempts to
attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there's two settings to disable for win9x clients.  Did you set
two?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

yup

-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Have you entered a static WINS address in the TCP/IP properties?  If not
try it.

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 12:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98


OK, I've installed the dsclient, I've disabled the secure connections on
the GPO on the domain controller OU, WINS is set up, and still when a
win98 client attempts to logon I get a "no domain controller could be
contacted" error. I'm running a mixed mode win2k AD. My DCs have SP4
installed. What else should I do? Thanks


RE: [ActiveDir] VPN users and their AD passwords

2004-05-19 Thread Fuller, Stuart
Three more references from our friends at Cisco...  Look at the Netlogon
part of the client ini file.  IIRC, this is the bit you may have to adjust.


Client ini file config:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html

Rebranding the client: (see the bit about Start before Logon as an option)
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800eca5d.html

Managing the VPN client: (See the bit about Managing Windows NT Logon
Properties)
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_chapter09186a00800ecb3e.html

-Stuart

-Original Message-
From: Jeff Salisbury [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 18, 2004 11:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords

Stuart - Thanks for the info! Do you know if using either or both methods
actually update the cached credentials on the user's notebooks? If not we
would still be stuck with locked user account problems after the change.

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager 

Belkin Corporation
Information Services
310 604-2061
310 604-2022 fax
www.belkin.com 

-Original Message-
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 9:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Check out the Cisco documentation on configuring the concentrator to support
the NT/AD password expiration feature.  We are doing this and it works like
a charm and nobody has to hit cancel.  Clients with expired password get
warned at VPN login and given an opportunity to change the password.  

See:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

or search cisco.com for VPN concentrator password expiration and take the
first result.

MS IAS config for Cisco VPN is documented here -
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml

-Stuart

-Original Message-
From: Ayers, Diane
To: [EMAIL PROTECTED]
Sent: 5/18/2004 5:56 PM
Subject: RE: [ActiveDir] VPN users and their AD passwords

Gee... you give them remote access to the company via the internet from
anywhere and they're complaining about having to hit cancel? I would
tell them to get over it... :-)
 
Actually with my client, I can just type in my password in the ctrl-alt-del
login box and just ignore the VPN client if I am on the
company network.   It will authenticate via normal channels.
Externally, I can choose to authenticate via the VPN client.  
 
Only if you don't let the VPN client initialize fully do you get the big
cancel button when you hit ctrl-alt-del.  Either hit cancel or wait for the
VPN client to initialize before they hit the keyboard.
 
Diane

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 18, 2004 4:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


The complaint here from users is that if they ARE on the network, they have
to hit cancel on the Cisco VPN client login so they can get to the
CTRL-ALT-DEL screen.  Is there any workaround for this, or just tell the
users to get over it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ayers, Diane
Sent: Tuesday, May 18, 2004 4:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VPN users and their AD passwords


I'm running v 4.0.3(D) of Cisco VPN client and it is configured as Jeff
describes below (logon to VPN before laptop logon).  I had my domain
password expire and IIRC, I was able to change my password at my usual
ctrl-alt-del logon after I had done my VPN login.
 
This was after a few adult beverages so I may have been confused... :-)
 
Diane 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, May 18, 2004 1:21 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VPN users and their AD passwords


Russ - With the newer versions of the Cisco VPN client you can configure the
client to allow logon to the network via VPN before you logon to the
notebook. When you first start up the system and hit Ctrl-Alt-Del to get the
regular logon box, a Cisco VPN connection dialog comes up instead.
You use this dialog to connect by VPN first so that you are actually
authenticating your account with a domain controller, then you get a logon
box again for logging on to the machine. This keeps the cached account
information and the domain account information in synch.
 
If users change their password while connected by VPN, the cached
credentials on the notebook are not updated. If they restart the notebook,
they have to logon using their old password. When they next connect by VPN
they will have to provide their new password. As soon as their machine tries
to 

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
Inline again.
Sorry Guy, I really disagree with you here, and I'm going to drop the point. ;)

~Eric



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, May 19, 2004 1:26 PM
To: [EMAIL PROTECTED]
Cc: ADS Customer Feedback
Subject: RE: [ActiveDir] Anonymous bind

Eric,

It looks like I was not clear enough. See my comments below.

And as others have already stated, the solution should be in the app's
code. The problem is that it's not always that easy to change the code
even if it's open source.

Guy

On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
 I'm going to respectfully disagree with the approach being taken here.
 It is, IMHO, misguided.
 
  
 
 What has been described as a security hole (opening your AD for a
 subset of operations being allowed by ANONYMOUS) has somehow been
 justified in the OpenLDAP world. Make no mistake about it: anonymous
 is anonymous on any platform. Allowing ANONYMOUS to read from one
 directory vs. another is the same threat. Why they are being viewed is
 a mystery to me.
My point was that you are only syncing with OpenLDAP the
uid-sAMAccountName (or upn) and user's Kerberos principal.
ACL-ing OpenLDAP to allow read access by attribute is a one-liner.

[EFLEIS] - So you don't like anonymous access on AD because it is hard? It's two 
steps: one to allow the bind, one to give access to the resources. It's like a light 
switch + a dimmer. Turn it on, then tell me how much you want. Click in, then turn the 
knob. I actually like it this way: now you can wholesale turn the whole thing off 
with one flip of a flag in dsHeuristics and not have to touch your ACLs until later 
when you see fit to do so.
Or is there more to what you're trying to say here that I'm missing?

 
  
 
 That said, from an order of complexity perspective, a sync solution
 will be substantially harder to set up and maintain over the long
 haul.
Indeed. But it gives several advantages, like using the same OpenLDAP
for Linux client logons, without tweaking AD's schema by installing SFU
(which is rather dumb and not flexible enough to my taste). What I
described might be a good solution for a small heterogeneous network. In
larger scale, I would not even be considering deploying an application
which by default does anonymous binds. 

[EFLEIS] - Wow, many corrections to be made here:
1) I don't recall seeing any mention in this thread of a schema extension, only change 
in ACLs to facilitate a client. There's been no discussion here about schema 
extensions, but if I'm missing the point where there was please point it out to me.
2) What I found interesting is that you said you like this for small enterprises and a 
single directory for large. Many customers would argue that the ideal is the other way 
around, since the small shop has fewer resources to invest in setting up and 
maintaining the sync mechanisms. While I wish everyone had a single directory, if 
forced to pick a group of people to sync, I'd rather it be the big guys than the 
little ones.
3) You said many advantages, but only cited:
a) same OpenLDAP for Linux client logs - same as what? I'm not sure I follow. 
It sounds like the Linux client config would be the same.
Where are the others I missed?

 
 If this were my project, I would do the following:
 
 1)   Flip 7th bit of dsHeuristics to 2, enabling the ability to
 have anonymous binds to the DS (part one of the solution)
 
 2)   We need to now ACL things so ANONYMOUS has access to the data
 required. Fundamentally, there are two approaches:
 
 a.   Target the objects that your auth client will be searching
 (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum
 required perms for it...my bet is that just read to a subset of
 attributes is sufficient.
only 2 attributes are needed. The equivalent of uid (sAMAccountName or
upn ?) and userPassword. 
 
 b.   You can try to flip the reg value EveryoneIncludesAnonymous
 to 1 on a single DC and see if that satisfies your needs. 
 NOTE: this approach, if it works, is particularly advantageous as it
 is localized to a single DC, IE only a subset of DCs would have
 increased abilities for ANONYMOUS.
 
  
 
 Many comments Guy made confuse me, especially this one:
 
  You will definitely not want that in production
 
 So you want to have a second directory with ANONYMOUS able to read it,
 but not a single one? How is OpenLDAP with ANONYMOUS somehow different
 than AD with ANONYMOUS reads enabled? I fail to see the difference
 here. If your difference was the localization problem, my
 EveryoneIncludesAnonymous solution might do that for you a bit more
 gracefully.
I was not aware of that approach and I stand corrected. Obviously there
is a good reason I am subscribed to this list - I learn something new
every day. Thanks guys !
 
  
 
 I don't recall all of the ACLs that Everyone has in 2k03 out of the
 box, but if there is a problem there 
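
The dsHeuristics step in the approach Eric lays out above is easy to get wrong by hand: the attribute is a positional string in which every 10th character is a checksum digit that the DCs validate. The following is an added example (not code from the thread, and not Microsoft's) that reads the anonymous-operations flag from a dsHeuristics value, sets a position safely, and audits a value a defender has pulled from a forest; reading and writing the attribute itself is assumed to be done with your usual LDAP tool.

```python
"""Read, edit and audit the forest-wide dsHeuristics string.

Added example; not code from the thread. dsHeuristics is a string
attribute on CN=Directory Service,CN=Windows NT,CN=Services,
CN=Configuration,<forest root DN>. Each 1-based character position is
a separate switch. The 7th character (fLDAPBlockAnonOps) is '2' when
anonymous LDAP operations beyond rootDSE are permitted, and '0' (or
absent) when they are not. Every 10th character is a checksum digit:
the 10th must be '1', the 20th '2', and so on, or the value is rejected.
Reading and writing the attribute is left to your LDAP tool of choice;
these functions only compute and audit the string value.
"""

ANON_OPS_POSITION = 7     # 1-based position of fLDAPBlockAnonOps
ANON_OPS_ALLOWED = "2"    # anonymous binds may search/read beyond rootDSE
ANON_OPS_BLOCKED = "0"    # default behaviour


def anonymous_ldap_allowed(ds_heuristics):
    """True if the 7th character of dsHeuristics is '2'.

    A missing attribute or a short string means the default (blocked).
    """
    value = ds_heuristics or ""
    if len(value) < ANON_OPS_POSITION:
        return False
    return value[ANON_OPS_POSITION - 1] == ANON_OPS_ALLOWED


def checksum_errors(ds_heuristics):
    """Return the 1-based checksum positions whose digit is wrong.

    Positions 10, 20, 30, ... must hold '1', '2', '3', ...
    """
    value = ds_heuristics or ""
    bad = []
    for pos in range(10, len(value) + 1, 10):
        if value[pos - 1] != str(pos // 10 % 10):
            bad.append(pos)
    return bad


def set_heuristic(ds_heuristics, position, char):
    """Return a new dsHeuristics value with `position` set to `char`.

    The string is padded with '0' if it is shorter than `position`, and
    every checksum position is (re)written so the result is accepted.
    All other positions keep their current values.
    """
    if position < 1:
        raise ValueError("dsHeuristics positions are 1-based")
    if position % 10 == 0:
        raise ValueError(f"position {position} is a checksum digit, not a switch")
    if len(char) != 1:
        raise ValueError("exactly one character is set per call")
    chars = list((ds_heuristics or "").ljust(position, "0"))
    chars[position - 1] = char
    for pos in range(10, len(chars) + 1, 10):
        chars[pos - 1] = str(pos // 10 % 10)
    return "".join(chars)


def enable_anonymous_ldap(ds_heuristics):
    """Step 1 of the approach discussed above: allow anonymous operations."""
    return set_heuristic(ds_heuristics, ANON_OPS_POSITION, ANON_OPS_ALLOWED)


def disable_anonymous_ldap(ds_heuristics):
    """The one-flag rollback: anonymous callers fall back to rootDSE only."""
    return set_heuristic(ds_heuristics, ANON_OPS_POSITION, ANON_OPS_BLOCKED)


def audit(ds_heuristics):
    """Defender's view: list findings for a value read from a forest."""
    findings = []
    if anonymous_ldap_allowed(ds_heuristics):
        findings.append("anonymous LDAP operations are enabled (7th char = '2')")
    for pos in checksum_errors(ds_heuristics):
        findings.append(f"checksum digit at position {pos} is wrong")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not read from a real forest.
    for sample in (None, "0000002", "0000002000000"):
        print(repr(sample), audit(sample))
    print(enable_anonymous_ldap(None))                # 0000002
    print(disable_anonymous_ldap("0000002001001"))    # 0000000001001
```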

RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
i added a second wins server and that worked??!!

-Original Message-
From: Kern, Tom 
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Digitally Sign Communications (always) - Set to DISABLED

Digitally encrypt or sign secure channel data - Set to DISABLED

both are set to disable

nothing in the security logs.

i'm now setting up a second wins server. will let you know.

thanks for all your help



RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova



Well, the endpoint mapper error message is actually in the event log for the W2K domain controller,
which started to complain only after the W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity,
replications, security descriptors, frsevent, etc, etc on both DCs - w2k (old
one) and W2K3 (new one) - all tests - ...passed! The endpoint mapper error has
only been discovered after replication to the new DC didn't take place and
I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything as it should be, but - all the data
hangs in staging and staging area since the first replication (after dcpromo).
Replmon shows that the W2K3 server has up to date data replicated from other DCs, but on the other DC
replmon doesn't show that this new server is a replication partner... Also - no
NTDS links shown for W2K3 in ADSS... (hmmm.. looks a bit of a mess, huh?)

netdiag on the W2K3 server only shows frsevent as FAILED.
To be honest, I don't know where else to look now... :-/

RE: The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

no, there were tickets there - I've checked in kerbtray, that's when I've decided to go for dcpromo,
regardless...

Lana.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server


Debugging lsass is highly underrated. That's right, under. Sure it's
not for the faint of heart, but man the fun stuff you get in there. I say just
attach and have fun just for the heck of it. That's what I do on my weekends
(sad yet true).

So the error below, is that from netdiag? Or another tool?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the
offensive box. Hopefully ~Eric or others will come along and club me for
that and say a good way to troubleshoot it that doesn't include debugging LSASS.

The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member
server only. I've promoted one of them to DC and that made kerberos happy - no more complaints...

No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for
some reason NTDS settings in ADSS are empty and the event log on the DC
from which it's supposed to replicate mentions "there are no more endpoints
available from an endpoints mapper", which I am currently trying to sort out,
but no problems in netdiag and dcdiag anymore...



Lana



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines
or just this one? If not intentional and just on that one you should pop the NV
DomainName attribute and bring it in line with the rest of the environment. If
it is on all machines, you will most likely find you have the same kerberos
errors on them unless this one computer object was set up incorrectly.

 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

You're right about DC, Joe. Guess what happened after dcpromo? - kerberos error in netdiag... disappeared! Now -
imagine how I feel after wasting so much time trying to fix it!

Wish Microsoft could warn about such "little" things...



Lana



Domain controllers don't have the problem because the localsystem account of a DC can
write whatever the heck it wants to write in AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

H... I don't see any disjoint namespace... but don't know what you mean under "proper permissions are not set on the computer
object". But I've actually taken responsibility and done dcpromo now... so far everything looks normal... Maybe it was - a netdiag bug? [I hope it was!] Thanks for
input.

Lana

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes



The more and more I read and think about it, maybe I should be
doing the dreaded GUID (of the attributes) search, i.e. rather use the GUID than
the ldapDisplayName ---

Yes/No/YouMad?

CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, May 19, 2004 6:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


6, 9, what's a few timezones among friends

Interesting that lDAPDisplayName is optional in the classSchema class but mandatory in the attributeSchema class. I
suppose it's possible for an object and an attribute to have the same name, but
why would you other than to sow mayhem and mischief into the AD?

Oddly enough, classDisplayName is optional in both classes.

So what happens if you want to create a manager class as
a subclass of user or inetOrgPerson? I guess you'd have to call it
managementPerson or maybe PHBoss.

Wook

Wook


From: joe
Sent: Wed 5/19/2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! :oP

WRT to objectcategory... are you testing me or looking for free research. eg

lDAPDisplayName according to MS must be unique within the
schema container. Please see http://msdn.microsoft.com/library/default.asp?url=""> 
for details. 

However that being said, to this point, that is
considered propaganda because I have never actually tried it. 

It was interesting when I first read your question
though, my first response in my head was well it *(^* well better be...
Then I was thinking though they could get tricky with the fact that you have
attribs and objects and they are used differently and the ldapdisplayname isn't
the key for the rdn (i.e. cn)...

I had to go look. Too much thinking for the day...



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 11:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP filter

Hey, whaddaya want for 6 in the morning? 
:)

WRT objectCategory not being needed, is there a restriction 
that a classSchema object cannot have the same ldapDisplayName as an 
attributeSchema object?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like
(&(objectCategory=attributeSchema)((ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all, 

Ok I have a LDAP filter that works but I am sure it can get faster; the likes of Joe, Roger etc, I am sure we can
make it really fast.

Now the point of the filter ---

From the schema I need to return a list of attributes that match a list of ldapdisplay names, so I immediately
think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName=<matchldapDisplayName>))

But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of
different attribute ldapdisplaynames.

For example one time I might call the filter with 

cn
instanceType
createTimeStamp

And on a different call I might just call the filter with:

displayName
description
fromEntry

The number and ldapdisplaynames of the attributes are programmatically built, so I need a filter that will be able
to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties
(the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos
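
Since the list of ldapDisplayNames in Carlos's question is built programmatically, the part the thread does not show is how to assemble the filter Gil and joe arrive at without letting a stray value change its shape. The following is an added example (not code posted by anyone in the thread) that builds the `(&(objectCategory=attributeSchema)(|...))` filter for any number of names and escapes each value per RFC 4515; the function and variable names are mine.

```python
"""Build the attributeSchema lookup filter from a programmatically
generated list of lDAPDisplayName values.

Added example; not code posted in the thread. It produces the filter
shape joe and Gil arrive at, (&(objectCategory=attributeSchema)(|...)),
and escapes each value per RFC 4515 so that a name coming from code or
user input cannot change the filter's structure (LDAP filter injection).
objectCategory=attributeSchema works in AD because the server resolves
the class lDAPDisplayName to the class's defining DN.
"""

# Bytes that must be hex-escaped inside an assertion value (RFC 4515):
# NUL, '(', ')', '*', '\'. Control bytes and bytes >= 0x7F (UTF-8
# multibyte sequences) are escaped too, which AD accepts and which keeps
# the resulting filter pure ASCII.
_MUST_ESCAPE = {0x00, 0x28, 0x29, 0x2A, 0x5C}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _MUST_ESCAPE or byte < 0x20 or byte >= 0x7F:
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)


def build_attribute_schema_filter(names):
    """Return a filter matching attributeSchema objects whose
    lDAPDisplayName is any of `names`.

    Empty and duplicate entries are dropped (order preserved); an empty
    result raises rather than silently matching every attribute.
    A single name yields a plain equality term with no OR wrapper.
    """
    unique = []
    for name in names:
        cleaned = (name or "").strip()
        if cleaned and cleaned not in unique:
            unique.append(cleaned)
    if not unique:
        raise ValueError("no lDAPDisplayName values to search for")
    terms = [f"(lDAPDisplayName={escape_filter_value(n)})" for n in unique]
    match = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    return f"(&(objectCategory=attributeSchema){match})"


if __name__ == "__main__":
    # Constructed inputs mirroring the two calls described in the thread.
    print(build_attribute_schema_filter(["cn", "instanceType", "createTimeStamp"]))
    print(build_attribute_schema_filter(["displayName", "description", "fromEntry"]))
    # A value containing filter metacharacters stays a literal value
    # instead of widening the search.
    print(build_attribute_schema_filter(["cn)(objectClass=*"]))
```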







RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes



Can't be - sharedDisplayName, can't it?

(I did peek :oP)

CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 6:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


I can conceive of a scenario (maybe more, you tell me) where lDAPDisplayName is not unique.
Anyone want to take a swing at it?

Attached is my first answer... no peeking!

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! :oP

WRT to objectcategory... are you testing me or looking for free research. eg

lDAPDisplayName according to MS must be unique within the schema container. Please see http://msdn.microsoft.com/library/default.asp?url=""> 
for details. 

However that being said, to this point, that is considered propaganda because I have never actually
tried it. 

It was interesting when I first read your question though, my first response in my head was well it
*(^* well better be... Then I was thinking though they could get tricky
with the fact that you have attribs and objects and they are used differently
and the ldapdisplayname isn't the key for the rdn (i.e. cn)...

I had to go look. Too much thinking for the day...





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Gil 
KirkpatrickSent: Wednesday, 
May 19, 
2004 11:40 
AMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] LDAP 
filter
Hey, whaddaya want for 
6 in the morning? :)

WRT objectCategory not 
being needed, is there a restriction that a classSchema object cannot have the 
same ldapDisplayName as an attributeSchema object?

-g




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of joeSent: Wednesday, May 19, 
2004 6:51 
AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP 
filter
Hey Gil is playing 
today. :o)

Always like hearing 
from Gil.

One small typo... 


((objectCategory=attributeSchema)(|(ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

 
joe




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Gil 
KirkpatrickSent: Wednesday, 
May 19, 
2004 9:23 
AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] LDAP 
filter
The objectClass 
_expression_ is redundant and unnecessary. Construct something like 
((objectCategory=attributeSchema)((ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

-gil





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Carlos 
MagalhaesSent: Wednesday, 
May 19, 
2004 6:02 
AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] LDAP 
filter


Hey all,

Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe, Roger etc I am sure we can make it really fast.

Now the point of the filter
---

From the schema I need to return a list of attributes that match a list of ldapDisplayNames, so I immediately think something like (the example below) for a single attribute.

(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName="  matchldapDisplayName  "))

But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of different attribute ldapDisplayNames.

For example one time I might call the filter with

cn
instanceType
createTimeStamp

And on a different call I might just call the filter with:

displayName
description
fromEntry

The number and ldapDisplayNames of the attributes are programmatically built, so I need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.

What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.

So boys and girls what do we think (no rude answers :P)

carlos
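As an added example (not code from anyone in the thread), here is a Python helper that builds the filter Gil and joe describe for an arbitrary, programmatically generated list of names. Because Carlos says the names are built by code, each value is escaped per RFC 4515 so a name containing filter metacharacters can only ever match literally instead of altering the query; the attribute type is spelled lDAPDisplayName as it is in the schema, and values carry no quotes.

```python
# Added example, not from the thread: build the attributeSchema filter for a
# dynamic list of lDAPDisplayName values, escaping each value per RFC 4515.
from typing import Iterable

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise they are parsed as part of the filter grammar.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_schema_filter(names: Iterable[str]) -> str:
    """Return (&(objectCategory=attributeSchema)(|(lDAPDisplayName=a)...)).

    Blank entries are dropped and duplicates collapsed (order preserved); a
    single name needs no OR clause, and an empty list raises instead of
    producing a filter that silently matches nothing.
    """
    unique = list(dict.fromkeys(n.strip() for n in names if n and n.strip()))
    if not unique:
        raise ValueError("at least one lDAPDisplayName is required")
    clauses = [f"(lDAPDisplayName={escape_filter_value(n)})" for n in unique]
    match = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    # objectCategory is single-valued and indexed, which is why Gil drops the
    # redundant objectClass term from Carlos's original filter.
    return f"(&(objectCategory=attributeSchema){match})"


if __name__ == "__main__":
    print(build_schema_filter(["cn", "instanceType", "createTimeStamp"]))
    # A value carrying metacharacters is neutralised rather than interpreted.
    print(build_schema_filter(["display*Name"]))
```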







RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Mulnick, Al



What was it you said the errors logged in the FRS event viewer were?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Well, endpoint mapper error message is actually in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security descriptors, frsevent, etc, etc on both DC - w2k (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mappers has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything, as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo).
Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner...Also - no NTDS links shown for W2K3 in ADSS... (hmmm..looks a bit a mess, huh?)

netdiag on W2K3 server only shows frsevent as FAILED.
To be honest, I don't know where else to look now...:-/

RE: The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

no, there were tickets there - I've checked in kerbtray, that's when I've decided to go for dcpromo, regardless...

Lana.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true).

So the error below, is that from netdiag? Or another tool?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS.

The fact that you had machines not getting tickets before but are now is a wee bit scary as well.

 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made kerberos happy - no more complaints...

No errors reported in dcpromo logs either...Although I do have an issue with replication to this new DC - for some reason NTDS settings in ADSS are empty and the event log on the DC, from which it is supposed to replicate, mentions "there are no more endpoints available from an endpoints mapper", which I am currently trying to sort out, but no problems in netdiag and dcdiag anymore...

Lana



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2004 14:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Oh, so did you have a disjoint on the namespace? And if so is this intentional? Is it on all machines or just this one? If not intentional and just on that one you should pop the NV DomainName attribute and bring it in line with the rest of the environment. If it is on all machines, you will most likely find you have the same kerberos errors on them unless this one computer object was set up incorrectly.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 4:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

You're right about DC, Joe. Guess what happened after dcpromo? - kerberos error in netdiag...disappeared! Now - imagine how I feel after wasting so much time trying to fix it!

Wish Microsoft could warn about such "little" things...

Lana



Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD.

 joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

H...I don't see any disjoint namespace...but don't know what you mean under "proper permissions are
RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Lee, Wook



Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)

Wook



RE: [ActiveDir] win98

2004-05-19 Thread Chris Blair
When I ran across this problem about a year and a half ago, I found an
article that suggested a secondary WINS entry. I will keep searching to
find it. It was due to the request not being received in time from the
1st entry, so it tries the second. If there is not a second entry, it
fails.



-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 19, 2004 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

Ok, I would be checking that first WINS Server really closely at this
point...

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

i added a second wins server and that worked??!!

-Original Message-
From: Kern, Tom
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Digitally Sign Communications (always) - Set to DISABLED

Digitally encrypt or sign secure channel data - Set to DISABLED

both are set to disable

nothing in the security logs.

i'm now setting up a second wins server. will let you know.

thanks for all your help

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


What are the two?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

What shows up in the DC security logs when the 98 client attempts to
attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there's two settings to disable for win9x clients.  Did you set
two?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

yup

-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Have you entered a static WINS address in the TCP/IP properties?  If not
try it.

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 12:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98


ok, i've installed the dsclient, i've disabled the secure connections on
the gpo on the domain controller ou, wins is set up, and still when a
win98 client attempts to logon i get a no domain controller could be
contacted error. i'm running a mixed mode win2k ad. my dc's have sp4
installed. what else should i do? thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe
Why use LDAP for Linux client authentication instead of Kerberos? I am
seriously asking. I don't know why someone would avoid an authentication
protocol for authentication and instead would use a directory protocol for
authentication. Especially when you have to go through an extra step then to
secure the communication. I don't really even like that people do it for
apps but if you have one application running on one server handling multiple
users, I can see the draw of LDAP Auth. 

I am not a huge fan of multiple directories that you have to keep synced.
The larger the environment, the more likely it is something that would have
to be done. The smaller the environment, the fewer things you want to have
to deal with, as they are less likely to have the people to manage the
syncing, plus more than likely it means yet another piece of software to do
the syncing, though I could be completely wrong and there is a beautiful
open source free directory syncer out there somewhere.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Wednesday, May 19, 2004 2:26 PM
To: [EMAIL PROTECTED]
Cc: ADS Customer Feedback
Subject: RE: [ActiveDir] Anonymous bind

Eric,

It looks like I was not clear enough. See my comments below.

And as others have already stated, the solution should be in the app's code.
The problem is that it's not always that easy to change the code even if
it's open source.

Guy

On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote:
> I'm going to respectfully disagree with the approach being taken here.
> It is, IMHO, misguided.
>
> What has been described as a security hole (opening your AD for a
> subset of operations being allowed by ANONYMOUS) has somehow been
> justified in the OpenLDAP world. Make no mistake about it: anonymous
> is anonymous on any platform. Allowing ANONYMOUS to read from one
> directory vs. another is the same threat. Why they are being viewed
> differently is a mystery to me.
My point was that you are only syncing with OpenLDAP the
uid-sAMAccountName (or upn) and user's Kerberos principal.
ACL-ing OpenLDAP to allow read access by attribute is a one-liner.

> That said, from an order of complexity perspective, a sync solution
> will be substantially harder to set up and maintain over the long
> haul.
Indeed. But it gives several advantages, like using the same OpenLDAP for
Linux clients logons, without tweaking AD's schema by installing SFU (which
is rather dumb and not flexible enough to my taste). What I described might
be a good solution for a small heterogeneous network. In larger scale, I
would not be even considering deploying an application which by default does
anonymous binds.

> If this were my project, I would do the following:
>
> 1)   Flip 7th bit of dsHeuristics to 2, enabling the ability to
> have anonymous binds to the DS (part one of the solution)
>
> 2)   We need to now ACL things so ANONYMOUS has access to the data
> required. Fundamentally, there are two approaches:
>
> a.   Target the objects that your auth client will be searching
> (perhaps a single subtree under an OU) and grant ANONYMOUS the minimum
> required perms for it...my bet is that just read to a subset of
> attributes is sufficient.
only 2 attributes are needed. The equivalent of uid (sAMAccountName or upn
?) and userPassword.

> b.   You can try to flip the reg value "EveryoneIncludesAnonymous"
> to 1 on a single DC and see if that satisfies your needs.
> NOTE: this approach, if it works, is particularly advantageous as it
> is localized to a single DC, IE only a subset of DCs would have
> increased abilities for ANONYMOUS.
>
> Many comments Guy made confuse me, especially this one:
>
> > You will definitely not want that in production
>
> So you want to have a second directory with ANONYMOUS able to read it,
> but not a single one? How is OpenLDAP with ANONYMOUS somehow different
> than AD with ANONYMOUS reads enabled? I fail to see the difference
> here. If your difference was the localization problem, my
> EveryoneIncludesAnonymous solution might do that for you a bit more
> gracefully.
I was not aware of that approach and I stand corrected. Obviously there is a
good reason I am subscribed to this list - I learn something new every day.
Thanks guys !

> I don't recall all of the ACLs that Everyone has in 2k03 out of the
> box, but if there is a problem there send me a trace of a failure and
> I can show you what needs to change to make it work. I bet it is small
> though.
>
> ~Eric
>
> __
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Aitzol
> Naberan Burgaña
> Sent: Wednesday, May 19, 2004 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Anonymous bind
>
> OK, I will try the second approach.
> So I have to copy (sync) all the AD data into my local openLDAP???
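As an added example (not code from anyone in the thread), this Python snippet works with the setting Eric's step 1 refers to: dsHeuristics on the Directory Service object (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...), whose seventh character set to "2" permits anonymous LDAP operations beyond the rootDSE. It reports whether a given value has that enabled and rewrites the value while preserving every other heuristic; the sample values are constructed.

```python
# Added example, not from the thread: inspect and rewrite the dsHeuristics
# string. Its 7th character controls whether ANONYMOUS may run LDAP operations
# other than reading the rootDSE: "2" allows them, "0" or a shorter string keeps
# the default block. Every 10th character is a positional marker that must hold
# the digit of position/10 (position 10 is "1", position 20 is "2", ...).

ANON_OPS_POS = 7          # 1-based position Eric's step 1 refers to
ANON_OPS_ALLOWED = "2"
ANON_OPS_BLOCKED = "0"


def anonymous_ops_enabled(ds_heuristics: str) -> bool:
    """True only when the 7th character is '2'; absent or '0' means blocked."""
    value = ds_heuristics or ""
    return len(value) >= ANON_OPS_POS and value[ANON_OPS_POS - 1] == ANON_OPS_ALLOWED


def _padded(value: str, length: int) -> str:
    """Extend value with '0's up to length, filling positional markers."""
    chars = list(value)
    while len(chars) < length:
        pos = len(chars) + 1
        chars.append(str((pos // 10) % 10) if pos % 10 == 0 else "0")
    return "".join(chars)


def set_anonymous_ops(ds_heuristics: str, allow: bool) -> str:
    """Return dsHeuristics with position 7 set and all other positions kept."""
    chars = list(_padded(ds_heuristics or "", ANON_OPS_POS))
    chars[ANON_OPS_POS - 1] = ANON_OPS_ALLOWED if allow else ANON_OPS_BLOCKED
    return "".join(chars)


def audit(ds_heuristics: str) -> str:
    """One-line finding suitable for a configuration review report."""
    state = "ENABLED" if anonymous_ops_enabled(ds_heuristics) else "blocked"
    return f"dsHeuristics={ds_heuristics!r}: anonymous LDAP operations {state}"


if __name__ == "__main__":
    # Constructed sample values: default (attribute not set), anonymous
    # enabled, and a longer value where other heuristics must survive the edit.
    for sample in ("", "0000002", "0000000001"):
        print(audit(sample))
    print("reverting:", set_anonymous_ops("0000002001", False))
```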
 

RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread Myrick, Todd (NIH/CIT)
I think most people know my position on Aelita/Quest (Man it is funny to say
that in the same sentence).

We are currently using EMM and I believe it has done everything promised
without issue.  I highly recommend getting On-site support if your migration
is large.  

Also ARM (ERD) for AD and Exchange are excellent products as well.  If your
job is to restore mailboxes, then ARM for Exchange is a godsend.  Also I
feel it is the only way to do mailbox restores in Exchange 200x.

Todd 

-Original Message-
From: John McGlinchey [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Aelita enterprise manager

My experience with Aelita is that they are an outstanding group of people
that will bend over backwards to fill your needs.  We use EMM now to migrate
servers into our Active Directory from many sources (NT Domains, other AD's
and Workgroups) and have hit a few snags here and there.  Aelita folks
jumped through hoops to make things work right and keep us on schedule. 

We are also using their ERDisk for AD product to back up and restore AD
objects.  Works great. 

And NO, I do NOT work for Aelita.  I just use their products. 

John McGlinchey
AD Enterprise Architect
Bristol-Myers Squibb Company

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Tuesday, May 18, 2004 11:36 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] Aelita enterprise manager
>
> Has anyone had any experience with Aelita EMM in migrating a
> child domain from one forest to a brand new one, including
> Exchange 2k mailboxes, dg's, and contacts?
> we are running a win2k forest in mixed mode and looking on
> moving to our own forest.
> is this product as good as it sounds?
> any gotchas? do i need another product to aid in this transition?
> thanks



RE: [ActiveDir] ms04-011

2004-05-19 Thread Grillenmeier, Guido
what's the primary suffix of your clients? and how are the search
suffixes configured? or WINS?

also, did you not only check that your service records in DNS exist,
but that they're also registered by the right machines?  It's
potentially possible that other non-DC clients could have registered
DC/GC records (could also happen via some mean script) that are causing
you issues.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 19 May 2004 18:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

here's some more weirdness-
now when i want to join a pc to a domain, i have to enter the fqdn.
before i would just enter domainname. now i have to enter
domainname.parentdomain.rootdomain.
when i just enter the domainname and do a trace, i see in dns that the
srv_msdc_ldap.domainname cannot be found.

also when i do a trace on the dns/dc i get weird dns requests for
legitimate domains as srv records as in srv_ldap_yahho.com


strange

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


My immediate reaction is that this is a GC issue.  Missing GC DNS
records?

Mike Thommes

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011


Yup that's what I meant, we'd want to do that logging on affected
client. And network trace of that client (perhaps from second box on a
simple little hub) of the boot/logon would also be telling if the
userenv doesn't give us the answer (could go either way).


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

I believe Eric meant the client experiencing the slowness. You will note
that the DC seems to be having no issues as that ripped through the
process
in like half a second according to the logs.

  joe

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ms04-011

this is the output of my userenv.log on my fsmo pdc.





USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:  Starting computer Group Policy processing...
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:343 ProcessGPOs:
USERENV(e4.34c) 10:45:11:359 EnterCriticalPolicySection: Machine critical section has been claimed.  Handle = 0x74
USERENV(e4.34c) 10:45:11:359 ProcessGPOs:  Machine role is 3.
USERENV(e4.34c) 10:45:11:359 PingComputer: PingBufferSize set as 2048
USERENV(e4.34c) 10:45:11:359 PingComputer:  First time:  0
USERENV(e4.34c) 10:45:11:375 PingComputer:  Fast link.  Exiting.
USERENV(e4.34c) 10:45:11:375 ProcessGPOs:  User name is:  CN=ADSERVER1,OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET, Domain name is:  CHARMERNYDOM
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Domain controller is:  \\adserver1.CHARMERNYDOM.CSG-IT.NET  Domain DN is CHARMERNYDOM.CSG-IT.NET
USERENV(e4.34c) 10:45:11:375 ProcessGPOs: Calling GetGPOInfo for normal policy mode
USERENV(e4.34c) 10:45:11:375 GetGPOInfo:

USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Entering...
USERENV(e4.34c) 10:45:11:390 GetGPOInfo:  Server connection established.
USERENV(e4.34c) 10:45:11:406 GetGPOInfo:  Bound successfully.
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Searching OU=Domain Controllers,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:406 SearchDSObject:  Found GPO(s):  [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:421 ProcessGPO:  Deferring search for LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Searching DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:421 SearchDSObject:  Found GPO(s):  [LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={276E7B50-A050-497E-8996-BB4A25622B20},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET;0]
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  Deferring search for LDAP://CN={776B44AB-9D12-4BE6-84D3-EB26EA1DD649},CN=Policies,CN=System,DC=CHARMERNYDOM,DC=CSG-IT,DC=NET
USERENV(e4.34c) 10:45:11:437 ProcessGPO:  ==
USERENV(e4.34c) 10:45:11:437 
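As an added example (not code from anyone in the thread), this Python audit implements Guido's check offline: every DC and GC SRV record under _msdcs should point at a host known to hold that role and advertise the expected port, and every known DC or GC should have registered; it also surfaces Mike's suspicion of missing GC records. Domain names and hosts such as child.corp.example, dc1 and ws42 are constructed placeholders, and the records would in practice come from a zone export or SRV lookups against the DNS server the clients use.

```python
# Added example, not from the thread: an offline audit of the _msdcs SRV
# records clients use to locate DCs and GCs. It implements Guido's check (is
# every record registered by a machine that really is a DC/GC?) and Mike's
# (are the GC records there at all?). All names below are constructed.
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Record names a DC must register in its domain and a GC in the forest, with
# the port each should advertise.
DC_RECORDS = (("_ldap._tcp.dc._msdcs.{domain}", 389),
              ("_kerberos._tcp.dc._msdcs.{domain}", 88))
GC_RECORDS = (("_ldap._tcp.gc._msdcs.{forest}", 3268),
              ("_gc._tcp.{forest}", 3268))


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.lower().rstrip(".")


def audit_srv_records(records, domain, forest, known_dcs, known_gcs):
    """Return a list of finding strings; an empty list means the SRV set is sane.

    known_dcs / known_gcs are the hostnames you know to be legitimate (for
    example from the NTDS Settings objects in Sites and Services). Any other
    target is reported as a stale or rogue registration, and any known host
    without a record is reported as missing.
    """
    dcs = {_norm(h) for h in known_dcs}
    gcs = {_norm(h) for h in known_gcs}
    expected = {}  # record name -> (legitimate hosts, port, role)
    for pattern, port in DC_RECORDS:
        expected[pattern.format(domain=_norm(domain))] = (dcs, port, "DC")
    for pattern, port in GC_RECORDS:
        expected[pattern.format(forest=_norm(forest))] = (gcs, port, "GC")

    seen = {name: set() for name in expected}
    findings = []
    for rec in records:
        name, target = _norm(rec.name), _norm(rec.target)
        if name not in expected:
            continue  # other service records are outside this audit
        hosts, port, role = expected[name]
        seen[name].add(target)
        if target not in hosts:
            findings.append(f"{name}: target {target} is not a known {role} "
                            "(stale or rogue registration)")
        elif rec.port != port:
            findings.append(f"{name}: {target} advertises port {rec.port}, "
                            f"expected {port}")
    for name, (hosts, _port, role) in expected.items():
        if not seen[name]:
            findings.append(f"{name}: no records at all, clients cannot "
                            f"locate a {role} this way")
        for host in sorted(hosts - seen[name]):
            findings.append(f"{name}: known {role} {host} has not registered")
    return findings


# Constructed sample: one legitimate DC (also the GC), one workstation that has
# somehow registered a DC record, and no GC records at all.
DOMAIN, FOREST = "child.corp.example", "corp.example"
KNOWN_DCS = KNOWN_GCS = ["dc1.child.corp.example"]
SAMPLE_RECORDS = [
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, "dc1.child.corp.example"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc1.child.corp.example"),
    SrvRecord(f"_ldap._tcp.dc._msdcs.{DOMAIN}", 0, 100, 389, "ws42.child.corp.example"),
]

if __name__ == "__main__":
    for line in audit_srv_records(SAMPLE_RECORDS, DOMAIN, FOREST, KNOWN_DCS, KNOWN_GCS):
        print(line)
```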

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe



This whole thing just sounds weird.

At this point I would do two things. Please note I don't have great reasons for suggesting them, just gut feeling.

1. I would check the SMB signing policies to see if they are aligned. Most likely if you don't have that set at the domain controller policy level you have signing on on the K3 machine and undefined on the 2K. Yes, this shouldn't be an issue with 2K machines but I have seen it be an issue with 2K and XP machines touching K3.

2. I would verify that the SPNs for the DCs are identical on all of the DCs, i.e. DC1 has the same SPNs registered on every DC. Ditto DC2, DC3, DCn. I have seen these out of sync before and causing interesting replication issues. It took manual editing of the SPNs to correct.

 joe


RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick



Can you say more about how you intend to use the schema lookup? Someone earlier mentioned that you could just read the schema into memory and deal with it that way... offhand that sounds like a good idea. You can even hang a persistent search on the Schema container to get notified of any changes.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

The more and more I read and think about maybe i should be 
doing the dreaded GUID (of the attributes) search i.e. rather use the GUID than 
the ldapDisplayName ---

Yes/No/YouMad?

CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, May 19, 2004 6:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


6, 9, what's a few timezones 
among friends

Interesting that lDAPDisplayName is 
optional in the classSchema class but mandatory in the attributeSchema class. I 
suppose it's possible for an object and an attribute to have the same name, but 
why would you other than to sow mayhem and mischief into the AD?

Oddly enough, classDisplayName is optional in both classes.

So what happens if you want to create a manager class as a subclass of user or inetOrgPerson? I guess you'd have to call it managmentPerson or maybe PHBoss.

Wook


From: joe
Sent: Wed 5/19/2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! 
:oP

WRT to objectcategory... are you testing me or looking for 
free research. eg

lDAPDisplayName according to MS must be unique within the 
schema container. Please see http://msdn.microsoft.com/library/default.asp?url=""> 
for details. 

However that being said, to this point, that is considered propaganda because I have never actually tried it. 


It was interesting when I first read your question 
though, my first response in my head was well it *(^* well better be... 
Then I was thinking though they could get tricky with the fact that you have 
attribs and objects and they are used differently and the ldapdisplayname isn't 
the key for the rdn (i.e. cn)... 

I had to go look. Too much thinking for the day... 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 11:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP filter

Hey, whaddaya want for 6 in the morning? 
:)

WRT objectCategory not being needed, is there a restriction 
that a classSchema object cannot have the same ldapDisplayName as an 
attributeSchema object?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like 
(&(objectCategory=attributeSchema)((ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all, 




Ok, I have an LDAP filter that works, but I am sure it can get faster; with the likes of Joe, Roger etc. I am sure we can make it really fast.



Now the point of the filter 
---



From the schema I need to return a list of attributes that match a list of ldapdisplay names, so I immediately think something like (the example below) for a single attribute.



(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName="matchldapDisplayName"))





But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.



For example one time I might call the filter with 



cn

instanceType

createTimeStamp



And on a different call i might just 
call the filter with:



displayName

description

fromEntry



The number and ldapdisplaynames of the attributes are programmatically built, so I need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.



What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.



So boys and girls what do we think 
(no rude answers :P)



carlos







RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe



If you have it available, sure. Any attribute is as good as 
any other though with objectGUID you can't possibly have mistaken identity due 
to fun tricks with defuncting. Do you mean objectGUID or some other 
guid?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 3:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

The more and more I read and think about maybe i should be 
doing the dreaded GUID (of the attributes) search i.e. rather use the GUID than 
the ldapDisplayName ---

Yes/No/YouMad?

CM


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, May 19, 2004 6:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


6, 9, what's a few timezones 
among friends

Interesting that lDAPDisplayName is 
optional in the classSchema class but mandatory in the attributeSchema class. I 
suppose it's possible for an object and an attribute to have the same name, but 
why would you other than to sow mayhem and mischief into the AD?

Oddly enough, classDisplayName is optional in both classes.

So what happens if you want to create a manager class as a subclass of user or inetOrgPerson? I guess you'd have to call it managmentPerson or maybe PHBoss.

Wook


From: joe
Sent: Wed 5/19/2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

6... heck it was like 9 when you posted that! 
:oP

WRT to objectcategory... are you testing me or looking for 
free research. eg

lDAPDisplayName according to MS must be unique within the 
schema container. Please see http://msdn.microsoft.com/library/default.asp?url=""> 
for details. 

However that being said, to this point, that is considered propaganda because I have never actually tried it. 


It was interesting when I first read your question 
though, my first response in my head was well it *(^* well better be... 
Then I was thinking though they could get tricky with the fact that you have 
attribs and objects and they are used differently and the ldapdisplayname isn't 
the key for the rdn (i.e. cn)... 

I had to go look. Too much thinking for the day... 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 11:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP filter

Hey, whaddaya want for 6 in the morning? 
:)

WRT objectCategory not being needed, is there a restriction 
that a classSchema object cannot have the same ldapDisplayName as an 
attributeSchema object?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 6:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter

Hey Gil is playing today. :o)

Always like hearing from Gil.

One small typo... 

(&(objectCategory=attributeSchema)(|(ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, May 19, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP filter


The objectClass expression is redundant and unnecessary. Construct something like 
(&(objectCategory=attributeSchema)((ldapDisplayName="foo")(ldapDisplayName="bar")(ldapDisplayName="baz")(ldapDisplayName="quux")))

-gil





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 19, 2004 6:02 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP filter


Hey all, 




Ok, I have an LDAP filter that works, but I am sure it can get faster; with the likes of Joe, Roger etc. I am sure we can make it really fast.



Now the point of the filter 
---



From the schema I need to return a list of attributes that match a list of ldapdisplay names, so I immediately think something like (the example below) for a single attribute.



(&(objectCategory=attributeSchema)(objectClass=attributeSchema)(ldapDisplayName="matchldapDisplayName"))





But to minimize the calls to the dir I need to be able to dynamically specify a list that can be any amount of different attribute ldapdisplaynames.



For example one time I might call the filter with 



cn

instanceType

createTimeStamp



And on a different call i might just 
call the filter with:



displayName

description

fromEntry



The number and ldapdisplaynames of the attributes are programmatically built, so I need a filter that will be able to handle this type of randomized amount of attribute ldapDisplayNames.



What are the methods we can use here? I am trying to return (the quickest way possible) a list of properties (the list of properties is not the problem) for the given attribute ldapDisplayNames.



So boys and girls what do we think 
(no rude answers :P)



carlos
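
One way to build the filter the thread settles on for a list of names assembled at run time, as an added Python example that is not code from the thread or from any of the posters. The function names are mine. It emits the `(&(objectCategory=attributeSchema)(|...))` shape from joe's correction, with unquoted values because LDAP filter syntax has no string quoting, and because the name list is "programmatically built" it validates each name and escapes the characters RFC 4515 reserves, so a name that originates from user input cannot close the term and alter the filter's structure; the `strict=False` path shows escaping alone as the fallback when validation is too narrow.

```python
import re

# Assumption (not from the thread): real AD lDAPDisplayName values look like
# LDAP attribute-type descriptors: a letter, then letters, digits or hyphens.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value.

    '*', '(', ')', '\\' and NUL become backslash plus two hex digits, so the
    value can neither close the surrounding term nor add new ones.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_attribute_schema_filter(names, strict=True):
    """Return one filter matching attributeSchema objects whose
    lDAPDisplayName is any of `names` (hypothetical helper, not an AD API).

    Names are stripped and de-duplicated with order kept. When strict, a
    name that is not a plain attribute-type descriptor raises ValueError;
    in every case the value is escaped, so a hostile name either fails
    loudly or is matched literally rather than rewriting the filter.
    """
    unique = [n for n in dict.fromkeys(n.strip() for n in names) if n]
    if not unique:
        raise ValueError("at least one lDAPDisplayName is required")
    for name in unique:
        if strict and not _ATTR_NAME.match(name):
            raise ValueError("not a valid lDAPDisplayName: %r" % name)
    terms = "".join(
        "(lDAPDisplayName=%s)" % escape_filter_value(n) for n in unique
    )
    if len(unique) == 1:
        # A one-element OR is legal but pointless; keep the filter short.
        return "(&(objectCategory=attributeSchema)%s)" % terms
    return "(&(objectCategory=attributeSchema)(|%s))" % terms


if __name__ == "__main__":
    # The two call examples from the original question.
    print(build_attribute_schema_filter(["cn", "instanceType", "createTimeStamp"]))
    print(build_attribute_schema_filter(["displayName", "description", "fromEntry"]))
```

Run the resulting filter as a one-level search against the schema naming context (CN=Schema,CN=Configuration,... in the forest) and request lDAPDisplayName plus whatever properties you want back, so the whole list comes back in one round trip instead of one search per attribute.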







RE: [ActiveDir] win98

2004-05-19 Thread joe
Ok, I would be checking that first WINS Server really closely at this
point...

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

i added a second wins server and that worked??!!

-Original Message-
From: Kern, Tom
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Digitally Sign Communications 
(always) - Set to DISABLED

Digitally encrypt or sign secure channel 
data - Set to DISABLED

both are set to disable

nothing in the security logs.

i'm now setting up a second wins server. will let you know.

thanks for all your help

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


What are the two?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

What shows up in the DC security logs when the 98 client attempts to
attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there's two settings to disable for win9x clients.  Did you set
two?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

yup

-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Have you entered a static WINS address in the TCP/IP properties?  If not
try
it.

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 12:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98


ok, i've installed the dsclient, i've disabled the secure connections on
the
gpo on the domain controller ou,wins is set up, and still when a
win98 client attempts to logon i get a no domain controller could be
contacted error. i'm running a mixed mode win2k ad. my dc's have sp4
installed. what else should i do? thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] win98

2004-05-19 Thread Grillenmeier, Guido
what's the DNS config of this client?

don't remember if Win98 has nslookup, but from a different client that
has, you should run
nslookup %DNSname_of_domain% = should get back a list of your DCs for
that domain - do you?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 19 May 2004 19:25
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98

ok, i've installed the dsclient, i've disabled the secure connections on
the gpo on the domain controller ou,wins is set up, and still when a
win98 client attempts to logon i get a no domain controller could be
contacted error.
i'm running a mixed mode win2k ad. my dc's have sp4 installed.
what else should i do?
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread James_Day




We are using both the Aelita ARM for AD and the migration products.  There
have been a few minor unintuitive things with the migration software but
other than that it has reduced our workload and performed with very few
hiccups.  On the whole we are pretty happy with the product.  The ARM for
AD has been our single best AD tool purchase to date - just because we had
to use it once to recover an OU that contained all of the management people
in one of our offices (I am skeptical that this could have been done in the
time frame we had without alerting people that it had happened with any
other recovery method).

All in all I would say the products - especially ARM - have been worth it.

For the record I also am not an Aelita employee - just a customer.

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]


From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 05/19/2004 04:13 PM AST
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Aelita enterprise manager




I think most people know my position on Aelita/Quest (Man it is funny to
say
that in the same sentence).

We are currently using EMM and I believe it has done everything promised
without issue.  I highly recommend getting On-site support if your
migration
is large.

Also ARM (ERD) for AD and Exchange are excellent products as well.  If your
job is to restore mailboxes, then ARM for Exchange is a godsend.  Also I
feel it is the only way to do mailbox restores in Exchange 200x.

Todd

-Original Message-
From: John McGlinchey [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Aelita enterprise manager

My experience with Aelita is that they are an outstanding group of people
that will bend over backwards to fill your needs.  We use EMM now to
migrate
servers into our Active Directory from many sources (NT Domains, other AD's
and Workgroups) and have hit a few snags here and there.  Aelita folks
jumped through hoops to make things work right and keep us on schedule.

We are also using their ERDisk for AD product to back up and restore AD
objects.  Works great.

And NO, I do NOT work for Aelita.  I just use their products.

John McGlinchey
AD Enterprise Architect
Bristol-Myers Squibb Company

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
 Sent: Tuesday, May 18, 2004 11:36 AM
 To: ActiveDir (E-mail)
 Subject: [ActiveDir] Aelita enterprise manager

 Has anyone had any experience with Aelita EMM in migrating a
 child domain from one forest to a brand new one, including
 Exchange 2k mailboxes,dg's, and contacts?
 we are running a win2k forest in mixed mode and looking on
 moving to our own forest.
 is this product as good as it sounds?
 any gotchas? do i need another product to aid in this transition?
 thanks
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova



on W2K3 (new DC):
in FRS event viewer there are only warnings 13508 ("having troubles to replicate/sysvol...etc"); dcdiag shows [FAILED] on test frsevent;
netdiag - PASSED all tests

on W2K (old DC in the same domain):
No errors in FRS;

in Directory Service: warning NTDS KCC 1265:
"The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA DN: CN=NTDS Settings,CN=SERS016,CN=Servers,CN=Oxford,CN=Sites,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA Address: a2bdda54-6d14-40ae-842f-eb32df2dfb75._msdcs.ulib.ox.ac.uk
Inter-site Transport (if any):
failed with the following status:
There are no more endpoints available from the endpoint mapper.
The record data is the status code. This operation will be retried."
(SERS016 = new W2K3 DC in ULIB domain.)
dcdiag shows [FAILED] on kccevent test;
netdiag - PASSED all tests



{Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)

Yes, Wook, when I look at NTDS settings in ADSS on W2K3 server - I can see all links there automatically generated;
when I look at the same on other W2K DC - for this particular server there are no links in NTDS settings shown...
same with replmon - when looking into it on W2K3 server - it sees itself and the rest of DCs fine, but replmon on W2K DC can't see W2K3 at all
..for some reason your notice reminded me of the good old "Hotel California" song... ("you can check out any time you like, but you can never leave")

Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

What was it you said was the errors logged in the FRS event 
viewer?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Well, endpoint mapper error message is actually in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security descriptors, frsevent, etc, etc on both DC - w2k (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mappers has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything, as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo).
Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner... Also - no NTDS links shown for W2K3 in ADSS... (hmmm.. looks a bit a mess, huh?)

netdiag on W2K3 server only shows frsevent as FAILED.
To be honest, I don't know where else to look now... :-/


RE: The fact that you had machines not getting 
tickets before but are now is a wee bit scary as well. 

no, there were tickets there 
- I've checked in kerbtray, that's when I've decided to go for dcpromo, 
regardless...

Lana.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server


Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true).

So the error below, is that from netdiag? 
Or another tool?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but 
when I see endpoint mapper issues one of my first responses is a reboot of the 
offensive box. Hopefully ~Eric or others will come along and club me for 
that and say a good way to troubleshoot it that doesn't include debugging LSASS. 


The fact that you had 
machines not getting tickets before but are now is a wee bit scary as well. 


 
joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we haven't disjointed namespace in the first place. This kerberos error was on every W2K3 member server only. I've promoted one of them to DC and that made Kerberos happy - no more complaints...

No errors reported in dcpromo logs either... Although I do have an issue with replication to this new DC - for some reason NTDS settings 

RE: [ActiveDir] win98

2004-05-19 Thread Mulnick, Al
When you say you added a second wins server, do you mean a physical wins
server or a second one was defined (possibly the same one) on the client? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 4:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

Ok, I would be checking that first WINS Server really closely at this
point...

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

i added a second wins server and that worked??!!

-Original Message-
From: Kern, Tom
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Digitally Sign Communications
(always) - Set to DISABLED

Digitally encrypt or sign secure channel data - Set to DISABLED

both are set to disable

nothing in the security logs.

i'm now setting up a second wins server. will let you know.

thanks for all your help

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


What are the two?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

What shows up in the DC security logs when the 98 client attempts to attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there's two settings to disable for win9x clients.  Did you set two?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

yup

-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Have you entered a static WINS address in the TCP/IP properties?  If not try
it.

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 12:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98


ok, i've installed the dsclient, i've disabled the secure connections on the
gpo on the domain controller ou,wins is set up, and still when a
win98 client attempts to logon i get a no domain controller could be
contacted error. i'm running a mixed mode win2k ad. my dc's have sp4
installed. what else should i do? thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Mulnick, Al



This may be helpful then
http://support.microsoft.com/?kbid=839880


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

on W2K3 (new DC):
in FRS event viewer there are only warnings 13508 ("having troubles to replicate/sysvol...etc"); dcdiag shows [FAILED] on test frsevent;
netdiag - PASSED all tests

on W2K (old DC in the same domain):
No errors in FRS;

in Directory Service: warning NTDS KCC 1265:
"The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA DN: CN=NTDS Settings,CN=SERS016,CN=Servers,CN=Oxford,CN=Sites,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA Address: a2bdda54-6d14-40ae-842f-eb32df2dfb75._msdcs.ulib.ox.ac.uk
Inter-site Transport (if any):
failed with the following status:
There are no more endpoints available from the endpoint mapper.
The record data is the status code. This operation will be retried."
(SERS016 = new W2K3 DC in ULIB domain.)
dcdiag shows [FAILED] on kccevent test;
netdiag - PASSED all tests



{Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)

Yes, Wook, when I look at NTDS settings in ADSS on W2K3 server - I can see all links there automatically generated;
when I look at the same on other W2K DC - for this particular server there are no links in NTDS settings shown...
same with replmon - when looking into it on W2K3 server - it sees itself and the rest of DCs fine, but replmon on W2K DC can't see W2K3 at all
..for some reason your notice reminded me of the good old "Hotel California" song... ("you can check out any time you like, but you can never leave")

Lana


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 20:26
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

What was it you said was the errors logged in the FRS event 
viewer?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

Well, endpoint mapper error message is actually in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain...
Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security descriptors, frsevent, etc, etc on both DC - w2k (old one) and W2K3 (new one) - all tests - ...passed! Error of endpoint mappers has been only discovered after replication to the new DC didn't take place and I went on checking old DCs.
On the new W2K3 DC - sysvol permissions, etc - everything, as it should be, but - all the data hangs in staging and staging area since first time replication (after dcpromo).
Replmon shows that W2K3 server has up to date data replicated from other DCs, but on other DC replmon doesn't show that this new server is a replication partner... Also - no NTDS links shown for W2K3 in ADSS... (hmmm.. looks a bit a mess, huh?)

netdiag on W2K3 server only shows frsevent as FAILED.
To be honest, I don't know where else to look now... :-/


RE: The fact that you had machines not getting 
tickets before but are now is a wee bit scary as well. 

no, there were tickets there 
- I've checked in kerbtray, that's when I've decided to go for dcpromo, 
regardless...

Lana.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 19, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server


Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man, the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true).

So the error below, is that from netdiag? Or another tool?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS.

The fact that you had machines not getting tickets before but are now is a wee bit scary as well.


 
joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Tuesday, May 18, 2004 10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

No, actually, we didn't have a disjointed namespace in the first place.

RE: [ActiveDir] win98

2004-05-19 Thread Justin_Leney

Return Receipt: Your "RE: [ActiveDir] win98" document was received by Justin Leney/US/DCI at 05/19/2004 05:29:28 PM




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] User modifiable attributes

2004-05-19 Thread Grillenmeier, Guido



Another option is to adjust the default property sets, which can be done in 2003 (but not in 2000) - this will even change the effective permissions instantaneously on all objects ACLed with this property set without any re-ACLing of the objects themselves. This can be quite nice to avoid setting explicit deny ACEs at the object level.

But you may still want to add the removed attributes to a new property set and then add the correct ACEs via inheritance (e.g. just READ instead of WRITE permissions).

I agree with Joe that it would be nice to have more documentation on which permissions are really required - the AD Delegation Whitepaper is a good start - but we're talking about the minimal permissions and adjusting defaults. I could come up with some good suggestions myself on removing specific attributes from the default property sets (specifically the Personal Information PS, which grants every user write permissions on a ton of attributes on his own object)...

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 17 May 2004 23:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes


Inherited perms from the top of a subtree are better for everyone: easier to manage and such. And of course if you're going to do serious ACLing, 2k03 is a great upgrade path because of single instance store (SIS) of SDs.
I don't like making changes to the default SD personally. Only when absolutely required with no other choices..

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 17, 2004 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes

Douglas, you appear to be in luck...

The two attributes mentioned aren't in any property sets, which means whatever permissions are set for the user object itself are what counts. I have never seen either of those specifically outlined with permissions on a user object, which would seem to indicate that normal users would not have the ability to modify the values by default.

The positive proof would be to log on as a normal user, fire up adsiedit and try to modify the attributes, or write a script to do so. If you get access denied, you know you are cool.

I agree with Eric though for the choice of tool and how to do the determination. On the updating perms, if you can do it with inherited perms that rocks. If not it is kind of a pain.

Actually I would like to see some serious docs from MS concerning locking down an AD deployment very seriously. I.e. cleaning up all the default SDs in the schema so that by default you get the permissions the container/OU the object is created in has. When I say serious, I mean what permissions would need to be given back and why, so you don't break MS software or knowingly break it. They don't have to outline what you have to do to make anyone else's software work, just theirs.


 
joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, May 17, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User modifiable attributes
You can look at the ACLs on the user object itself to see what the effective perms are. I like dsacls, others might have other tools of choice.
To modify it wholesale for a lot of users, my method of choice is ensuring there are no explicit ACLs on the users granting them write to the attributes in question (you can look at the default SD for the user object, or just create one, uncheck inherit for test, and see what's there, or just look at what is explicit... tons of choices ;)) then put the desired ACL on the top of a subtree that gives what you want... in this case it would be DENY WRITE on the attribute(s) in question for at least SELF, probably a larger group of users defined somehow.
Or perhaps just don't allow write to SELF, and that will implicitly mean they can't write to it.

~Eric






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 17, 2004 8:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User modifiable attributes


Is there an easy way to find out what attributes a user can edit? The two I am most concerned about are employeeID and employeeNumber. If they do appear to be editable by the user, how do I change that (a link would be great)?
Thanks
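An added example of the approach Eric and joe describe in the thread above (list the WriteProperty ACEs on a user object that cover employeeID and employeeNumber, probe a write as the ordinary user, then put an inherited DENY WRITE for SELF at the top of the subtree); it is not code from the thread. It uses the ActiveDirectory PowerShell module, which is newer than the 2000/2003 environment being discussed and stands in here for dsacls/ADSI; the DNs and the probe value are placeholders.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
# DNs and the probe value are placeholders for a lab domain.
Import-Module ActiveDirectory
$userDN = 'CN=Test User,OU=Staff,DC=example,DC=com'   # placeholder user
$ouDN   = 'OU=Staff,DC=example,DC=com'                # placeholder subtree top
$attrs  = 'employeeID', 'employeeNumber'

# Look the schemaIDGUIDs up in the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}
$attrGuids = @{}
foreach ($a in $attrs) { $attrGuids[$a] = Get-SchemaGuid $a }
$userClassGuid = Get-SchemaGuid 'user'

# 1. Eric's first step: which ACEs on the user object grant WriteProperty on these
#    attributes? An ACE with an empty ObjectType covers ALL properties (as do
#    GenericWrite/GenericAll, which HasFlag catches), so those are listed too.
function Get-AttributeWriteAces([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq [guid]::Empty -or $attrGuids.ContainsValue($_.ObjectType))
    } | Select-Object IdentityReference, AccessControlType, IsInherited, ObjectType
}

# 2. joe's positive proof: run this as the ordinary user. Writing the current value
#    back leaves the attribute unchanged; an empty attribute gets a probe that is cleared.
function Test-SelfWrite([string]$dn, [string]$attr) {
    $cur = (Get-ADUser -Identity $dn -Properties $attr).$attr
    $val = if ($cur) { $cur } else { 'PROBE' }   # constructed probe value
    try { Set-ADUser -Identity $dn -Replace @{ $attr = $val } } catch { return $false }  # access denied: joe's expected default
    if (-not $cur) { Set-ADUser -Identity $dn -Clear $attr }   # undo the probe
    return $true   # write allowed: the user CAN edit it
}

# 3. Eric's fix: one inherited DENY WriteProperty ACE per attribute for SELF at the
#    top of the subtree, applying only to descendant user objects.
function Add-SelfDenyWrite([string]$dn) {
    $acl  = Get-Acl -Path "AD:\$dn"
    $self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'  # NT AUTHORITY\SELF
    foreach ($g in $attrGuids.Values) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $self, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Deny, $g,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

Get-AttributeWriteAces $userDN | Format-Table -AutoSize
foreach ($a in $attrs) { "$a writable by current user: $(Test-SelfWrite $userDN $a)" }
# Add-SelfDenyWrite $ouDN   # apply the fix once the ACE listing confirms a write path
```

Guido's alternative above (editing the default property sets on 2003) avoids the deny ACE entirely; this block covers only the explicit-ACE route.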


RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova



Thanks, Al.
I've actually seen this and tried some of it already, but was confused by the fact that this is actually for W2K3 and I'm having mapper warnings on W2K servers... oh, and another thing I should mention, perhaps: in Ntfrs.log on the W2K3 server there are lots of "ACCESS DENIED" errors, which could be a clue to why nothing from the staging folders gets transferred into sysvol. (?) I wish there were an easy way to read these logs (and understand them as well :-( ... Certainly not late night reading to me.
I will revise the KB article tomorrow again and test things from it, as well as what Joe suggested.

Thanks to everybody...
Lana

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 19 May 2004 22:18
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

This may be helpful then
http://support.microsoft.com/?kbid=839880


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Wednesday, May 19, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

On W2K3 (new DC):
in FRS event viewer there are only warnings 13508 ("having trouble replicating /sysvol... etc."); dcdiag shows [FAILED] on test frsevent;
netdiag - PASSED all tests

On W2K (old DC in the same domain):
No errors in FRS;

in Directory Service: warning NTDS KCC 1265:
"The attempt to establish a replication link with parameters
Partition: CN=Schema,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA DN: CN=NTDS Settings,CN=SERS016,CN=Servers,CN=Oxford,CN=Sites,CN=Configuration,DC=ulib,DC=ox,DC=ac,DC=uk
Source DSA Address: a2bdda54-6d14-40ae-842f-eb32df2dfb75._msdcs.ulib.ox.ac.uk
Inter-site Transport (if any):
failed with the following status:
There are no more endpoints available from the endpoint mapper.
The record data is the status code. This operation will be retried."
(SERS016 = new W2K3 DC in ULIB domain.)
dcdiag shows [FAILED] on kccevent test;
netdiag - PASSED all tests



{Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.)}

Yes, Wook, when I look at NTDS settings in ADSS on the W2K3 server - I can see all links there, automatically generated;
when I look at the same on the other W2K DC - for this particular server there are no links in NTDS settings shown...
Same with replmon - when looking into it on the W2K3 server - it sees itself and the rest of the DCs fine, but replmon on the W2K DC can't see W2K3 at all.
..for some reason your notice reminded me of the good old "Hotel California" song... ("you can check out any time you like, but you can never leave")

Lana





RE: [ActiveDir] win98

2004-05-19 Thread joe
I am guessing he added a whole new WINS Server as he mentioned that in another post...

"I'm now setting up a second WINS server. Will let you know."

Either way, whether it be a second entry to the first machine or a whole new machine, that WINS machine needs to be checked out.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 5:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

When you say you added a second wins server, do you mean a physical wins
server or a second one was defined (possibly the same one) on the client? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 19, 2004 4:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

Ok, I would be checking that first WINS Server really closely at this
point...

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 2:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

I added a second WINS server and that worked??!!

-Original Message-
From: Kern, Tom
Sent: Wednesday, May 19, 2004 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Digitally Sign Communications (always) - Set to DISABLED
Digitally encrypt or sign secure channel data - Set to DISABLED

Both are set to disabled.

Nothing in the security logs.

I'm now setting up a second WINS server. Will let you know.

Thanks for all your help.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


What are the two?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 19, 2004 2:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] win98

What shows up in the DC security logs when the 98 client attempts to attach?
Anything?  I'm wondering if that's a valid error message or not.

IIRC, there are two settings to disable for win9x clients.  Did you set both?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98

yup

-Original Message-
From: Wilson, Julie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 19, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] win98


Have you entered a static WINS address in the TCP/IP properties?  If not try
it.

Julie

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 19, 2004 12:25 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] win98


OK, I've installed the dsclient, I've disabled the secure connections in the GPO on the Domain Controllers OU, WINS is set up, and still when a Win98 client attempts to log on I get a "no domain controller could be contacted" error. I'm running a mixed mode Win2k AD. My DCs have SP4 installed. What else should I do? Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/