RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread mathif

Guys, the SYSVOL is still not shared?? How do I troubleshoot this critical problem?
Regards, Mohammed Athif Khaleel
Asst. Network Engineer
AlFaisaliah Group, Information Technology
Tel.: +966-1-461-0077 x.209  Mobile: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

  
-Original Message-
From: Mohammed Athif Khaleel
Sent: Monday, 24 May 2004 5:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged
Also, I get these errors in NETDIAG... Oops, I should have posted that in the previous mail...
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'RIY04-DC01.riyadh.afg.com'.
[WARNING] Failed to query SPN registration on DC 'mega-dc1.riyadh.afg.com'.
[WARNING] Failed to query SPN registration on DC 'safisulaidc1.riyadh.afg.com'.
  Regards, Athif 
-Original Message-
From: Mohammed Athif Khaleel
Sent: Monday, 24 May 2004 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged
Roger, yes, the box is pointing to a correct DC, which is actually the PDC, running very well with a healthy SYSVOL structure. I have been waiting for more than a week for replication to happen but it is still the same; even the sysvol folder is not shared. I am attaching the dcdiag log; I really don't know if I can attach dcdiag.txt. Apologies if that's not allowed..
TIA, Athif
-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]]
Sent: Monday, 24 May 2004 3:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged
Can you also run a dcdiag and see if it runs clean? If it doesn't then paste the results here.
Rob
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: 24 May 2004 13:39
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged
Is the box pointing to a known good DNS server (preferably to DCs in a known good site)? How long are you waiting for replication to happen? I generally like to let them spin overnight if at all possible before worrying about whether it's working correctly.
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 24, 2004 4:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sysvol Damaged
Hi Folks, I am having a problem with one of my Additional Domain Controllers, which was recently promoted. Actually, this is a newly promoted ADC via a WAN link. I had to demote it first using dcpromo /forceremoval as it had a problem and it was screwed ( http://support.microsoft.com/default.aspx?kbid=332199 ). Also, I had to delete the netlogon.chg file in the system root as it was corrupted, and then after the reboot the system created the file successfully..
I later used ADSIEDIT to clear the metabase successfully. Now this DC is freshly promoted as a new Additional Domain Controller again through the WAN link. Now I can't see anything in domain.com in sysvol and it's not shared either. Also, I had to delete the netlogon.chg file in the system root as it was corrupted, and then after the reboot the system created the file successfully..
How do I rebuild the sysvol structure? Do I need to use the "D2" / "D4" Burflags.. I am afraid because I have more than 5 ADCs in this site and 2-3 are connected via WAN link. Or should I manually copy the sysvol structure from the GOOD SYSVOL STRUCTURE on another DC and try to restart NTFRS? Like, I am really running out of ideas.
Can anyone help me on this issue.
Regards, Mohammed Athif Khaleel



 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] . Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission.  Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any 

RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread Rutherford, Robert

Restart the File Replication Service and run your dcdiag again. Any change?

  

[ActiveDir] Conflicting NTDS Connection objects

2004-05-26 Thread mathif

Hello Admins,
I have added NTDS Connection objects in Sites and Services because they were not automatically created. Now when I add them manually, I see event ID 13562, Source NTFRS, Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller SONYDC.riyadh.afg.com for FRS replica set configuration information.
How do I avoid these errors? Should I delete those which I have created manually?? If they are not generated automatically, then when I add them manually, why is that conflicting??

The nTDSConnection object cn=afgdc02,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=66dbe7ca-284e-4ccd-8fe7-d273ced34d1e,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=afgdc02,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com

The nTDSConnection object cn=afgdc1,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=5d5bb30b-9ff5-4c61-b003-1bf2b4a14957,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=afgdc1,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com

The nTDSConnection object cn=mega-dc1,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=09bcc2f0-8984-4e8a-9915-f1e3d801fffc,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=mega-dc1,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com

The nTDSConnection object cn=553ba716-0067-44d1-ac81-b72e28ad19ed,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=riy04-dc01,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=553ba716-0067-44d1-ac81-b72e28ad19ed,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com

The nTDSConnection object cn=dfbc1a17-09a5-4ad6-b0c1-f7eeac21f802,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=ryd_dc3,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=dfbc1a17-09a5-4ad6-b0c1-f7eeac21f802,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com

The nTDSConnection object cn=98059d2e-3e14-481b-a421-f27b5badbbe6,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
is conflicting with cn=safisulaidc1,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com.
Using cn=98059d2e-3e14-481b-a421-f27b5badbbe6,cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,cn=configuration,dc=afg,dc=com
Regards, Mohammed Athif Khaleel

 


RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread mathif

I will try to run DCDIAG now. Actually, I thought there might be a problem with the missing NTDS CONNECTION OBJECTS and so I have manually added those. Now when I restart NTFRS, I see event ID 13562, Source NTFRS, Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller SONYDC.riyadh.afg.com for FRS replica set configuration information.
How do I avoid these errors? Should I delete those which I have created manually?? If they are not generated automatically, then when I add them manually, why is that conflicting??


Regards, Mohammed Athif Khaleel

  

RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread Rutherford, Robert

I assume you have not disabled the KCC..

Delete the manual objects and then kick off the KCC and it should work out the best paths. This can be done via replmon or Sites and Services. Unless you have a large, complex site structure, I would just use the KCC as it does a pretty good job and you shouldn't really have a need to be creating manual links.

The other thing is to be patient. AD is a slow-moving monster and, left alone, will typically sort out a majority of issues over time, i.e. a good few hours.

  
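Added illustration of Rob's advice, not code from the thread or from Microsoft: the Python below parses the description text of NTFRS event 13562 as Athif pasted it, tells the hand-made nTDSConnection objects apart from the KCC-generated ones (which carry GUID names), and lists the hand-made duplicates to delete so the KCC can own the topology again. The sample event text is reconstructed from the DNs in the thread; the NTDSCONN_OPT_IS_GENERATED bit (0x1) of an object's options attribute is the authoritative check the script points to where naming alone cannot decide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Bit the KCC sets in the 'options' attribute of the nTDSConnection objects it
# creates (NTDSCONN_OPT_IS_GENERATED); hand-made connection objects lack it.
NTDSCONN_OPT_IS_GENERATED = 0x1

# KCC-generated connection objects are named with a GUID; an admin-created one
# carries whatever name the admin typed (in the thread, the source DC's name).
_GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# A connection DN as FRS prints it in event 13562: cn=<name>,cn=ntds settings,
# cn=<server>,cn=servers,cn=<site>,cn=sites,cn=configuration,dc=...
_DN = (r"cn=[^,]+,cn=ntds settings,cn=[^,]+,cn=servers,cn=[^,]+,"
       r"cn=sites,cn=configuration(?:,dc=[^,\s.]+)+")
_CONFLICT_RE = re.compile(
    rf"The nTDSConnection object ({_DN}) is conflicting with ({_DN})\. Using ({_DN})",
    re.I)


@dataclass
class ConnectionConflict:
    manual: Optional[str]     # RDN of the hand-made object; None if names can't tell
    generated: Optional[str]  # RDN of the KCC-generated object; None if names can't tell
    in_use: str               # RDN of the object FRS reports it is "Using"


def rdn(dn_text: str) -> str:
    """First RDN value, e.g. 'afgdc02' from 'cn=afgdc02,cn=ntds settings,...'."""
    return dn_text.split(",", 1)[0].split("=", 1)[1].strip().lower()


def is_kcc_generated(options: int) -> bool:
    """Authoritative check, for when the object's 'options' attribute is at hand."""
    return bool(options & NTDSCONN_OPT_IS_GENERATED)


def looks_kcc_generated(name: str) -> bool:
    """Name-based check that works on the event text alone."""
    return _GUID_RE.match(name) is not None


def parse_event_13562(description: str) -> List[ConnectionConflict]:
    """Extract every 'X is conflicting with Y. Using Z' triple from the event text.

    Whitespace is collapsed first, so text a mail client wrapped (such as
    'cn=ntds\\n settings') still matches. Which side is the hand-made object is
    decided per triple, because FRS prints the two objects in either order.
    """
    text = re.sub(r"\s+", " ", description)
    conflicts = []
    for m in _CONFLICT_RE.finditer(text):
        a, b, used = (rdn(m.group(i)) for i in (1, 2, 3))
        a_gen, b_gen = looks_kcc_generated(a), looks_kcc_generated(b)
        if a_gen == b_gen:        # both GUID-named or both hand-named: undecidable
            manual, generated = None, None
        elif a_gen:
            manual, generated = b, a
        else:
            manual, generated = a, b
        conflicts.append(ConnectionConflict(manual, generated, used))
    return conflicts


def manual_connections(conflicts: List[ConnectionConflict]) -> List[str]:
    """Hand-made objects that duplicate a KCC-generated one: the ones to delete."""
    return sorted({c.manual for c in conflicts if c.manual})


def undecidable(conflicts: List[ConnectionConflict]) -> List[ConnectionConflict]:
    """Conflicts that need the 'options' attribute (is_kcc_generated) to settle."""
    return [c for c in conflicts if c.manual is None]


# --- Constructed sample: the thread's event text, rebuilt from the DNs it lists ---
_SUFFIX = ("cn=ntds settings,cn=sonydc,cn=servers,cn=riyadhsite,cn=sites,"
           "cn=configuration,dc=afg,dc=com")


def dn(name: str) -> str:
    """Connection DN under SONYDC's NTDS Settings container, as in the thread."""
    return f"cn={name},{_SUFFIX}"


# (object A, object B, object FRS chose), in the order the event lists them.
_PAGE_TRIPLES = [
    ("afgdc02", "66dbe7ca-284e-4ccd-8fe7-d273ced34d1e", "afgdc02"),
    ("afgdc1", "5d5bb30b-9ff5-4c61-b003-1bf2b4a14957", "afgdc1"),
    ("mega-dc1", "09bcc2f0-8984-4e8a-9915-f1e3d801fffc", "mega-dc1"),
    ("553ba716-0067-44d1-ac81-b72e28ad19ed", "riy04-dc01", "553ba716-0067-44d1-ac81-b72e28ad19ed"),
    ("dfbc1a17-09a5-4ad6-b0c1-f7eeac21f802", "ryd_dc3", "dfbc1a17-09a5-4ad6-b0c1-f7eeac21f802"),
    ("98059d2e-3e14-481b-a421-f27b5badbbe6", "safisulaidc1", "98059d2e-3e14-481b-a421-f27b5badbbe6"),
]

SAMPLE_EVENT_13562 = (
    "Following is the summary of warnings and errors encountered by File Replication "
    "Service while polling the Domain Controller SONYDC.riyadh.afg.com for FRS "
    "replica set configuration information.\n\n"
    + "\n\n".join(f"The nTDSConnection object {dn(a)} is conflicting with {dn(b)}.\n"
                  f"Using {dn(u)}" for a, b, u in _PAGE_TRIPLES))

if __name__ == "__main__":
    found = parse_event_13562(SAMPLE_EVENT_13562)
    print("hand-made duplicates to delete:", manual_connections(found))
```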

RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread mathif

Domain membership test . . . . . . : Failed
SONYDC failed test kccevent
Starting test: frssysvol
   Error: No record of File Replication System, SYSVOL started.
   The Active Directory may be prevented from starting. There are errors after the SYSVOL has been shared. The SYSVOL can prevent the AD from starting.
   .
   SONYDC passed test frssysvol
Starting test: kccevent
   An Warning Event occured.  EventID: 0x84F1
      Time Generated: 05/26/2004   11:55:32
      (Event String could not be retrieved)
   An Warning Event occured.  EventID: 0x84F1
      Time Generated: 05/26/2004   11:55:56
      (Event String could not be retrieved)
Regards, Mohammed Athif Khaleel

  

RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread Rutherford, Robert

Did you restart the FRS service before running the below dcdiag?

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 26 May 
  2004 10:13To: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Sysvol Damaged
  Domain membership test . . . . . . : FailedSONYDC 
  failed test kccevent Starting test: 
  frssysvol Error: No record 
  of File Replication System, SYSVOL 
  started. The Active
  Directory may be prevented from 
  starting. There are errors 
  after the SYSVOL has been 
  shared. The SYSVOL can 
  prevent the AD from 
  starting. 
  . SONYDC passed test 
  frssysvol Starting test: 
  kccevent An Warning Event 
  occured. EventID: 
  0x84F1 
  Time Generated: 05/26/2004 
  11:55:32 
  (Event String could not be 
  retrieved) An Warning 
  Event occured. EventID: 
  0x84F1 
  Time Generated: 05/26/2004 
  11:55:56 
  (Event String could not be retrieved)
  Regards, Mohammed Athif Khaleel 
  Asst.Network 
  Engineer AlFaisaliah Group Information Technology Tel.: +966-1-461-0077 x.209 
  Moble.: +966-509774015 
  Email:
  [EMAIL PROTECTED] "Save Internet, Keep all the systems patched"
  Web: 
  http://alfaisaliah.com 

  

-Original Message-From: Rutherford, 
Robert [mailto:[EMAIL PROTECTED] Sent: 
Wednesday, 26 May 2004 11:30 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Sysvol
Damaged
restartthe File Replication Service and run your dcdiag again. 
Any change?

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 26 
  May 2004 09:20To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Sysvol 
  Damaged
  Guyz still the SYSVOL is not shared?? how do i troubleshoot this 
  critical problem
  Regards, 
  Mohammed Athif 
  Khaleel Asst.Network Engineer AlFaisaliah Group Information Technology 
  Tel.: 
  +966-1-461-0077 x.209 Moble.: +966-509774015 Email: [EMAIL PROTECTED] "Save Internet, Keep all 
  the systems patched" Web: http://alfaisaliah.com 
  
  

-Original Message-From: Mohammed 
Athif Khaleel Sent: Monday, 24 May 2004 5:05 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Sysvol 
Damaged
Also, I get these erros in NETDIAG...Oops I shuld have 
posted that in previous mail... 
LDAP test. . . . . . . . . . . . . : Passed 
 [WARNING] Failed to query SPN 
registration on DC 'RIY04-DC01.riyadh.afg.com'.  [WARNING] Failed to query SPN registration on 
DC 'mega-dc1.riyadh.afg.com'.  
[WARNING] Failed to query SPN registration on DC 
'safisulaidc1.riyadh.afg.com'. 
Regards, Athif 
-Original Message- From: 
Mohammed Athif Khaleel Sent: Monday, 24 May 2004 
4:49 PM To: [EMAIL PROTECTED] 
Subject: RE: [ActiveDir] Sysvol Damaged 
Roger, Yes, the box is pointing to a correct dc which is 
actually the PDC running very well and healthy SYSVOL structure. I have 
been waiting for more than a week for replication to happen but still 
the same, even the sysvol folder is not shared. I am attaching dcdiag 
log, I really dont know if i can attach dcdiag.txt. Appologies if thatz 
not allowed..
TIA, Athif -Original Message- From: 
Rutherford, Robert [mailto:[EMAIL PROTECTED]] 
Sent: Monday, 24 May 2004 3:54 PM 
To: [EMAIL PROTECTED] 
Subject: RE: [ActiveDir] Sysvol Damaged

Can you also run a dcdiag and see if it runs clean? If 
it doesn't then paste the results here. Rob 
-Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: 24 May 2004 13:39 To: [EMAIL PROTECTED] Subject: 
RE: [ActiveDir] Sysvol Damaged 
Is the box pointing to a known good DNS server
(preferably to DC's in a known good site)? How 
long are you waiting for replication to happen? I generally like to let
them spin overnight if at all possible before worrying about whether it's
working correctly.
-- 
Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator Inovis Inc. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 24, 2004 4:45 AM 
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Sysvol Damaged 

Hi Folks, I am having a problem with one of my Additional Domain Controllers, which was recently promoted.
Actually, this is a newly promoted ADC via a WAN link. I had to demote it
first using dcpromo /forceremoval as it had problems and it was screwed
(http://support.microsoft.com/default.aspx?kbid=332199).
Also, I had to delete the netlogon.chg file in the system root as it was
  

RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread Rutherford, Robert

Are all your other DCs still running clean? If so then I'd suggest a DCPromo down
and then up again.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: 26 May 2004 11:27
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Sysvol Damaged

  Yes, I did restart FRS before DCDIAG.
  Regards, Mohammed Athif Khaleel

  

-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Did you restart the FRS service before running the below dcdiag?

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: 26 May 2004 10:13
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Sysvol Damaged

  Domain membership test . . . . . . : Failed
  SONYDC failed test kccevent

  Starting test: frssysvol
     Error: No record of File Replication System, SYSVOL started.
     The Active Directory may be prevented from starting.
     There are errors after the SYSVOL has been shared.
     The SYSVOL can prevent the AD from starting.
     . SONYDC passed test frssysvol
  Starting test: kccevent
     An Warning Event occured.  EventID: 0x84F1
        Time Generated: 05/26/2004   11:55:32
        (Event String could not be retrieved)
     An Warning Event occured.  EventID: 0x84F1
        Time Generated: 05/26/2004   11:55:56
        (Event String could not be retrieved)

  Regards, Mohammed Athif Khaleel

-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Restart the File Replication Service and run your dcdiag again. Any change?

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: 26 May 2004 09:20
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Sysvol Damaged

  Guys, the SYSVOL is still not shared. How do I troubleshoot this critical problem?
  Regards, Mohammed Athif Khaleel


RE: [ActiveDir] Sysvol Damaged

2004-05-26 Thread mathif

Yes, but there are still many issues with FRS. DCPROMO: will it solve all the issues? Because that
will be through a WAN link.

Regards, Mohammed Athif Khaleel

  

[ActiveDir] Test Lab Creation

2004-05-26 Thread Rutherford, Robert

Hi Guys,

Thinking... any experiences out there on the below?

I'd like to have a test lab to directly match my production AD in terms of OUs, GPOs,
objects, etc. The thing is that I'd like the test domain to be physically
separate from my production environment.

Any ideas on how or tools that would enable me

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.


RE: [ActiveDir] Test Lab Creation

2004-05-26 Thread Adams, Kenneth W (Ken)

I've seen some neat things being done with one or a very few machines using
Microsoft's Virtual PC or VMware to simulate many machines. You could take
a few well-configured PCs to emulate your domain while keeping those PCs on an
isolated network.

Check out Microsoft's Virtual PC or VMware to see if they could meet your
requirements.

FYI, a well-configured PC is one with at least a 1 GHz processor and a minimum of 1 GB
of RAM. You don't need a network card if you only want the machines to
communicate within one PC host.
Kenneth W. (Ken) Adams, MCSA, MCSE 



RE: [ActiveDir] Test Lab Creation

2004-05-26 Thread Rutherford, Robert

Thanks for that info Ken... I'm actually using VMware for part of the lab.

Sorry, but I forgot to mention the most important part of that Q.

I want a way to regularly sync / update the test lab, in terms of OUs, GPOs, objects
etc. I think it's going to have to be a manual process but was just curious to
see if there were any gems out there.

  


[ActiveDir] DCPROMO and Services

2004-05-26 Thread Elton Gouvêa Pimentel
After running DCPROMO I am experiencing a few problems with some services. The account
used to start the services no longer exists after the DCPROMO procedure has
completed. When I restart the DC I receive the following error (this is just an
example of one of the services):

Date : 5/26/2004        Source   : DCOM
Time : 8:38:08 AM       Category : None
Type : Error            Event ID : 1
User : NT AUTHORITY\NetworkService

Description:

Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error:
Access is denied.
Happened while starting this command:
C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Looking at the log on settings for these services I found out that the account used is
NT AUTHORITY\NetworkService. As it is a local account, why did the DCPROMO process not
change the log on settings to an appropriate account? A further question is which
user should be used to start the services that were starting using the NT
AUTHORITY\NetworkService user?
I have already tried the Local System Account with no success.

Thanks,
Elton Pimentel.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] DCPROMO and Services

2004-05-26 Thread Justin_Leney

Return Receipt: Your "[ActiveDir] DCPROMO and Services" document was received by
Justin Leney/US/DCI at 05/26/2004 08:40:41 AM.


RE: [ActiveDir] Test Lab Creation

2004-05-26 Thread Creamer, Mark

There's actually a pretty good article related to this topic in the new Windows
.NET Mag, "Patch Testing". The author talks about setting up a lab
that mimics your prod environment so you can test patches faster and more
accurately before deployment. Might be some stuff in there you can use.

mc

RE: [ActiveDir] Test Lab Creation

2004-05-26 Thread mathif

You can just promote an Additional Domain Controller and later on you can
separate that from production. Just a thought!
Regards, Mohammed Athif Khaleel

  

 This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] . Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission.  Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email. 


RE: [ActiveDir] Password set and enable account

2004-05-26 Thread Creamer, Mark

Run from the command line using cscript [script_name]

mc

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

Stupid question. How do I specify wscript.echo to not require a response (hit the OK button)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, May 24, 2004 11:29 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

Here's an example of one way to do that. I would suggest that if you're wanting to put in a random
password that meets your complexity requirements, that you concatenate a
variable with the RAND function and then write it back out to a log
file. This example file is one that was used in the test lab and
could be more efficient. I had about 2500 users that I used and it took
about a minute to execute. Nonetheless, with minor mods, it should
do what you want.

Let me know if I can be of any help (I'm bored ;)

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account

Oh yeah, I guess I have to read the username from a file and pass it into the dsmod command also. Do I
just want a list of users in a .txt file, .csv??? And how do I read from that?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password set and enable account

Ok, so my task is to generate random passwords and enable the accounts for 3200 users. The user accounts and all
attributes were first created with ldifde, and I am now thinking about using the
dsmod utility to accomplish the password set and account enablement. I wish
I knew VBS like you guys do, but I don't yet (this year's resolution). So here is
what I have for the password generation part:

Function Password_GenPass( nNoChars, sValidChars )
    ' nNoChars    = length of generated password
    ' sValidChars = valid characters. If zero-length string ( "" ) then
    '               default is used: A-Z AND a-z AND 0-9
    ' (The default alphabet as posted omitted "w" and "W"; restored here.)
    Const szDefault = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    Dim nCount
    Dim sRet
    Dim nNumber
    Dim nLength

    Randomize ' seed VBScript's Rnd from the clock. Rnd is a seeded
              ' pseudo-random generator, not a cryptographic one.

    If sValidChars = "" Then
        sValidChars = szDefault
    End If
    nLength = Len( sValidChars )

    ' Pick nNoChars characters from random positions 1..nLength
    For nCount = 1 To nNoChars
        nNumber = Int((nLength * Rnd) + 1)
        sRet = sRet & Mid( sValidChars, nNumber, 1 )
    Next
    Password_GenPass = sRet
End Function

WScript.Echo "Your password: " & Password_GenPass( 10, "" )

What is my next move? I am guessing
I have to pass this password to a variable, instead of echo, and then somehow
pass that into the dsmod command, but as I already said, I don't know VB script.
Any help is highly appreciated.
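
The thread above asks for three things: a random password per user that satisfies the domain's complexity policy, the user names read from a file, and the result handed to dsmod and written to a log. The Python below is an added editorial example, not code from any of the posters, showing how a security engineer would do that today. Everything it assumes is hypothetical: a users.txt with one sAMAccountName per line (a constructed list stands in for it), each user's DN being CN=<sAMAccountName> under one fixed OU, the complexity policy being the Windows default (the script demands all four character classes and rejects any three-character run of the account name), and dsmod.exe being on the PATH. It draws randomness from the operating system's CSPRNG through the secrets module rather than VBScript's Rnd, which is a seeded pseudo-random generator unsuitable for credentials. The dsmod user switches it emits (-pwd, -mustchpwd, -disabled) are the tool's real ones.

```python
"""Generate complexity-compliant initial passwords for a list of users and
build (optionally run) the dsmod commands that set them and enable the accounts.

Editorial example for the thread above, not the posters' code. Assumptions
(hypothetical): one sAMAccountName per line in users.txt, DN = CN=<name>,<OU_DN>,
Windows-default complexity policy, dsmod.exe on the PATH.
"""
import secrets
import string
import subprocess
from typing import Iterable, List, Tuple

# Character classes for the (assumed) complexity policy. The symbol set avoids
# characters that cmd.exe treats specially (% & ^ < > | " ') so the commands can
# also be pasted into a batch file without escaping.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "#$*+-=?@_"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Constructed sample input standing in for users.txt (comments and blanks allowed).
SAMPLE_USERS = ["jdoe", "asmith", "# decommissioned: bwilson", "", "mjones"]


def contains_name_fragment(password: str, account_name: str, run: int = 3) -> bool:
    """True if any run of `run` consecutive characters of the account name
    appears in the password (case-insensitive), mirroring the policy rule."""
    pw, name = password.lower(), account_name.lower()
    return any(name[i:i + run] in pw for i in range(len(name) - run + 1))


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """At least min_length characters and one from each of the four classes."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)
    )


def generate_password(account_name: str, length: int = 14) -> str:
    """Rejection-sample uniformly from ALPHABET^length until the policy is met.
    secrets.choice reads the OS CSPRNG; never use VBScript Rnd or Python random here."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(candidate) and not contains_name_fragment(candidate, account_name):
            return candidate


def dsmod_command(account_name: str, password: str, ou_dn: str) -> List[str]:
    """argv for: dsmod user <DN> -pwd <pw> -mustchpwd yes -disabled no
    (-pwd, -mustchpwd and -disabled are dsmod user's real switches).
    Assumes CN equals sAMAccountName; adjust if your ldifde import set a different CN."""
    return ["dsmod", "user", f"CN={account_name},{ou_dn}",
            "-pwd", password, "-mustchpwd", "yes", "-disabled", "no"]


def build_batch(users: Iterable[str], ou_dn: str) -> List[Tuple[str, str, List[str]]]:
    """(account, password, argv) for every non-blank, non-comment line."""
    batch = []
    for line in users:
        name = line.strip()
        if not name or name.startswith("#"):
            continue
        pw = generate_password(name)
        batch.append((name, pw, dsmod_command(name, pw, ou_dn)))
    return batch


def run_batch(batch, log_path: str, execute: bool = False) -> int:
    """Write <account>\t<password>\t<status> lines to log_path; run dsmod only when
    execute=True. Returns the number of failures. The log holds cleartext initial
    passwords: restrict its ACL, hand the passwords out of band, then delete it."""
    failures = 0
    with open(log_path, "w", encoding="utf-8") as log:
        for name, pw, argv in batch:
            status = "dry-run"
            if execute:
                # argv list, no shell: password characters are never re-parsed by cmd.exe
                result = subprocess.run(argv, capture_output=True, text=True)
                status = "ok" if result.returncode == 0 else f"failed: {result.stderr.strip()}"
                failures += result.returncode != 0
            log.write(f"{name}\t{pw}\t{status}\n")
    return failures


if __name__ == "__main__":
    import sys
    ou = "OU=Staff,DC=example,DC=com"  # hypothetical OU holding the imported accounts
    users = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_USERS
    for name, pw, argv in build_batch(users, ou):
        print(" ".join(argv))
```

Run it once as a dry run (execute=False, the default) and read the generated commands before letting it touch the directory. Because the log file contains cleartext initial passwords, write it to an ACL-restricted location, keep -mustchpwd yes so every password is single-use, and delete the log as soon as the passwords have been delivered.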

[ActiveDir] adding a group to the RDP permissions

2004-05-26 Thread Creamer, Mark
Anybody know a good way to add a group programmatically (or GPO, etc.) to the RDP
properties visible when you go to Terminal Services
Configuration/Connections/RDP-Tcp [Properties]? I have a bunch of Win2K remote
administration mode servers that I want to add a group of night operators to.
Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do


RE: [ActiveDir] Password set and enable account

2004-05-26 Thread Roger Seielstad

Run it using cscript rather than wscript; cscript is the command line version.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  From: Douglas M. Long [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, May 26, 2004 10:08 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Password set and enable account

  Stupid question. How do I specify wscript.echo to not require a response (hit the OK button)?



RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Kern, Tom
I use this:

'Global variables
Dim Container
Dim OutPutFile
Dim FileSystem

'Initialize global variables: the output file and the OU to walk
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("virtual.txt", True)
Set Container = GetObject("LDAP://ou=ExchUsers,DC=childdomain,DC=parentdomain,DC=root")

'Enumerate Container
EnumerateUsers Container

'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set Container = Nothing

'Say Finished when you're done
WScript.Echo "Finished"
WScript.Quit(0)

'List all Users, recursing into child OUs and containers
Sub EnumerateUsers(Cont)
    Dim User
    Dim Alias

    'Go through all objects in the container and select them by class
    For Each User In Cont
        Select Case LCase(User.Class)

            'If you find Users, write out every proxyAddresses value.
            'GetEx always returns an array, even when the attribute holds a
            'single value (the plain property would return a string then,
            'and For Each over a string fails).
            Case "user"
                If Not IsEmpty(User.proxyAddresses) Then
                    For Each Alias In User.GetEx("proxyAddresses")
                        OutPutFile.WriteLine "alias: " & Alias
                        'WScript.Echo Alias
                    Next
                End If

            'Recurse into nested OUs and containers
            Case "organizationalunit", "container"
                EnumerateUsers User

        End Select
    Next
End Sub


-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?



I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Passo, Larry
If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] DC not replicating out

2004-05-26 Thread Mulnick, Al
Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be two
tools to use to check to see that all is well from the bad dc and good dc
perspectives. I'd say go the easy part first.

Invalid Checksum?  Hmmm...  Anything in the security logs that gives an
indication?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 25, 2004 6:02 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DC not replicating out


I am banging my head against the wall the whole day.

In pilot environment we applied a GPO to replace the Default DC GPO.
Apparently one of the DCs had some issues when the GPO was applied.
The result was: the inbound replication on the DC works, but no other DC can
pull from the sick one.
Closer examination showed total WMI repository corruption. I have rebuilt it
and it looks that WMI is back (not sure it's related, but worth mentioning)

Since then, the new GPO has been unlinked and replaced with the default (and as
the inbound replication on the DC in question is working, it has replicated
to it). But that has not resolved the issue.

From faulty DC issued:
repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com /force

Traced the session with network monitor from the good DC...
What I see is:
- LDAP bind
- some searches performed and answered correctly
- MSRPC session initiated
- RPC request from good DC, RPC response from bad DC
- RPC bind request from good DC and RPC Bind Ack from bad DC
- again RPC request from good DC, RPC response from bad DC
- again RPC bind request from good DC and RPC Bind Nack from bad DC with
Provider Reject Reason: Invalid checksum

I was about to blame the DNS till I got this Invalid checksum in the
trace...

Now the question is: am I complicating the whole thing and should look
closer into DNS or this is something else ?

Thanks,
Guy




RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Grantham, Caron
They only have one address, I'm trying to figure out the correct syntax
for a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] Anonymous bind

2004-05-26 Thread Mulnick, Al
Wish I had a better solution off-hand.  Doesn't sound like you'll get one
that works for you however.  

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Tuesday, May 25, 2004 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anonymous bind

LDAP with SSL/TLS is way better than NIS.

As for environment, it's two W2K3 forests with Kerberos forest trust.
Forest A has several child domains and holds user accounts.
Forest B is where my hosts are (We are relatively small organization in the
enterprise, but we are RD and want to have control at least over the
hosts).

So users can come from any child domain of forest A and logon to hosts in
forest B. Now Linux does not play well, when the host is in one realm, and
users are from several other realms... The only workaround is to map uid to
Kerb principal in the LDAP. Modifying the A forest schema (user accounts) is
not an option, and it's quite reasonable considering the small size of our
division.

So here I am, stuck with LDAP authentication ...
If you have any better idea, I am all ears ;)

Guy

On Mon, 2004-05-24 at 16:25, Mulnick, Al wrote:
 Just for curiousity...
 
 You don't want to use NIS because it's less secure, yet you are going 
 to use LDAP for authentication?  Isn't that a counter?
 
 Can you give an overview of your topology and what you're wanting to 
 accomplish in the end?  I think we tried to help with the original 
 post without all of the topology information.
 
 Sounds like an interesting problem though...
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
 Teverovsky
 Sent: Friday, May 21, 2004 7:01 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Anonymous bind
 
 If you excuse me, I will break the inline pattern ;). It got too
unreadable.
 
 I have seen the interoperability doc. I have also read the whole doc 
 mentioned in the post. It's a very good reference, but is lacking any 
 description of Kerberos deployments in multi-realm environments.
 Personally I had to choose LDAP authentication instead of Kerberos 
 because my hosts are in one forest, while user accounts are from a 
 child domain of another forest. If someone is aware of a workaround 
 for that, monthly beer supply is on me ;)
 
 SFU is nice, but it tries to emulate NIS and with all due respect to 
 NIS, its time is gone. There are just too many security issues with NIS.
 
 As for having more than one directory, see my reply to joe. I wish I 
 could put it all in one place, but it's not always possible.
 
 Guy
 
 On Thu, 2004-05-20 at 03:15, Eric Fleischman wrote:
  A few bits more.
  
  [Guy] I know that I am speculating here but all I wanted to do is to 
  point the finger to the interoperability issue. Setting up a 
  heterogeneous environment is a pain. Putting *nix clients (or
  services) into the AD mix is not easy. One would blame the marketing 
  attitude, the other would blame the maturity level of the other OSes.
  The truth, I believe, is somewhere in between. So here we go:
  
  [EFLEIS] - Have you seen the whole paper we wrote on Kerb interop? 
  And just about anything around SFU (which might I point out again 
  won best
 app at Linux world)? 
  I think we've done a great job of interop. Can we do better? Always! 
  And
 we continue to work on it. 
  But we're doing a *lot* in this space.
  We have doc's out there that go down to even walk you through how to 
  set
 up the pam modules! 
  We have a lot out there. Here's one of my fav docs, but there are
 others
  this is from a post to this very DL: 
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg13880.html
  
  
  1) You are right. Nobody mentioned schema extensions, but the truth 
  is that if you are considering the integration of open source 
  services, you probably do have some Linux boxes around. NIS sucks 
  big time. NIS+ is a pain to configure and both do not give you SSO. 
  AD is great, but does not have out-of-the-box capabilities to absorb 
  non-MS clients. So what is left for those that can not afford VAS ? 
  Either tweak the schema (Linux client will have hard time without 
  posixAccount and posixGroup
  objectClasses) or have a cut down functionality (sendmail LDAP mail 
  routing is great, but I would not extend the AD's schema just to 
  make sendmail happy). And if you are still short on the $$$, you are 
  starting to improvise (talking about OpenLDAP...). SMBs are somewhat 
  neglected in this area.
  
  2) Small *heterogeneous* environments. If all you have is Windows, 
  there is no reason to bring in more overhead. Long live and prosper AD !
  
  3) 
  a) Linux clients logons require uid, uidNumber, gidNumber and etc...
  (SFU sounds nice at first, till you hit the non-RFC compliance 
  barrier of uid attribute in SFU and realize that NIS is by no means a secure
  environment)
  [EFLEIS] - Yup, SFU can do this. Schema extension 

[ActiveDir] Imaged Computers

2004-05-26 Thread Chris Blair
Our testing group is imaging computers for testing. The problem is with the computer object and the SID. The PC was imaged as a member of our Domain. So when it is re-imaged the computer passwords are not synced. The only way I have found to fix this is Delete the computer object, remove the computer from the domain, and add it back again.

So I am trying to figure out a better way to do this. If I use SYSPREP before the image is created, will I still need to add the PC to the domain or can the image then be created with the computer as a domain member?

My other thought is creating an OU and giving them rights to add/remove computers from there only. Is that a good idea?

I have not had much luck with NETDOM on the computer in question. But I believe that is due to the mixed up SIDs and computer passwords. If I use the SYSPREP, should I be able to use NETDOM to add the computer to the domain without physically being there?




RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Mulnick, Al
If you need to cross OU's, you may want to iterate through OU's and for each
OU follow that path.  Might be helpful to spit out some information linking
the addresses to the user's samaccountname or UPN as well, just for linking
the user to the address.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 26, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

i use this-


'Global variables
Dim Container
Dim OutPutFile
Dim FileSystem

'Initialize global variables
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("virtual.txt", True)
Set Container = GetObject("LDAP://ou=ExchUsers,DC=childdomain,DC=parentdomain,DC=root")

'Enumerate Container
EnumerateUsers Container

'Clean up
OutPutFile.Close
Set FileSystem = Nothing
Set Container = Nothing

'Say Finished when you're done
WScript.Echo "Finished"
WScript.Quit(0)

'List all Users (recurses into sub-OUs and containers)
Sub EnumerateUsers(Cont)
    Dim User
    Dim Alias
    Dim Aliases

    'Go through all child objects and select on class
    For Each User In Cont
        Select Case LCase(User.Class)

            'If you find Users, write out every proxyAddresses value.
            'GetEx always returns an array (even for one value) and
            'raises an error when the attribute is not set, so trap that.
            Case "user"
                On Error Resume Next
                Aliases = User.GetEx("proxyAddresses")
                If Err.Number = 0 Then
                    For Each Alias In Aliases
                        OutPutFile.WriteLine "alias: " & Alias
                        'WScript.Echo Alias
                    Next
                End If
                Err.Clear
                On Error GoTo 0

            'Recurse into sub-OUs and containers
            Case "organizationalunit", "container"
                EnumerateUsers User

        End Select
    Next
End Sub


-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 10:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?



I'm looking for a way to get an email address report for all user objects in
Active Directory. Any idea on how to do this? I see the mail attribute in
LDP but how can I get just this one field filtered out into a report 

Thanks


RE: [ActiveDir] Password set and enable account

2004-05-26 Thread joe
Alternatively, first set your default interpreter to be cscript with

cscript //h:cscript

This would be the recommended setting in my opinion.

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account


Run from the command line using cscript [script_name]


mc
-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password set and enable account


Stupid question. How do I specify wscript.echo to not require a response (hit the OK button)?

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
  Sent: Monday, May 24, 2004 11:29 AM
  To: [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Password set and enable account
  Here's an example of one way to do that. I would suggest that if you're wanting to put in a random password that meets your complexity requirements, that you concatenate a variable with the RAND function and then write it back out to a log file. This example file is one that was used in the test lab and could be more efficient. I had about 2500 users that I used and it took about a minute to execute. Nonetheless, with minor mods, it should do what you want.
  
  Let me know if I can be of any help (I'm bored ;)
  
  Al
  
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
  Sent: Monday, May 24, 2004 9:49 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Password set and enable account
  
  Oh yeah, I guess I have to read the username from a file and pass it into the dsmod command also. Do I just want a list of users in a .txt file, .csv??? And how do I read from that?
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 24, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password set and enable account

Ok, so my task is to generate random passwords and enable the accounts for 3200 users. The user accounts and all attributes were first created with ldifde, and I am now thinking about using the dsmod utility to accomplish the password set and account enablement. I wish I knew vbs like you guys do, but I don't yet (this year's resolution). So here is what I have for the password generation part:





Function Password_GenPass( nNoChars, sValidChars )
    ' nNoChars = length of generated password
    ' sValidChars = valid characters. If zero-length string ( "" ) then
    ' default is used: A-Z AND a-z AND 0-9
    ' (the original default string was missing w and W; added here)
    Const szDefault = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    Dim nCount
    Dim sRet
    Dim nNumber
    Dim nLength

    Randomize 'init random

    If sValidChars = "" Then
        sValidChars = szDefault
    End If
    nLength = Len( sValidChars )

    ' Pick one character at random per position (1-based index into sValidChars)
    For nCount = 1 To nNoChars
        nNumber = Int((nLength * Rnd) + 1)
        sRet = sRet & Mid( sValidChars, nNumber, 1 )
    Next
    Password_GenPass = sRet
End Function

WScript.Echo "Your password: " & Password_GenPass( 10, "" )



What is my next move? I am guessing I have to pass this password to a variable, instead of echo, and then somehow pass that into the dsmod command, but as I already said, I don't know vb script. Any help is highly appreciated.
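Added example (not from the thread or any poster): the VBScript above draws characters from VBScript's Rnd, a non-cryptographic generator seeded from the clock by Randomize, so the passwords it yields for 3200 accounts are far more predictable than their length suggests. The script below does the same job with Python's secrets module, checks each password against the default Windows complexity rule (8+ characters, three of the four character classes, no 3+ character piece of the account name inside the password), and builds the dsmod lines that set the password and enable the account, which is what the rest of the thread asks for. It assumes the input is a text file with one distinguished name per line (here a constructed string with made-up DNs) and that dsmod user's -pwd, -mustchpwd and -disabled switches are used; the symbol set is restricted to characters cmd.exe leaves alone inside double quotes.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Symbols chosen so the value survives a cmd.exe line inside double quotes:
# no quotes, &, ^, %, !, |, <, > (all of which cmd or batch can mangle).
SYMBOLS = "#$*+-=?@_"
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Constructed input: one distinguished name per line, the kind of list an
# ldifde import would have been built from. The DNs are made up.
SAMPLE_DNS = """\
# users to enable
CN=Alice Example,OU=Staff,DC=childdomain,DC=parentdomain,DC=root
CN=Bob Example,OU=Staff,DC=childdomain,DC=parentdomain,DC=root
"""


def name_tokens(dn):
    """Tokens (3+ chars) of the leading CN= value; the Windows complexity
    check rejects a password that contains any of them."""
    rdn = dn.split(",", 1)[0]
    if "=" not in rdn:
        return []
    value = rdn.split("=", 1)[1]
    for sep in ".-_":
        value = value.replace(sep, " ")
    return [t.lower() for t in value.split() if len(t) >= 3]


def meets_complexity(pw, tokens=()):
    """Default Windows rule: 8+ chars, at least 3 of the 4 classes, and no
    name token embedded in the password (case-insensitive)."""
    if len(pw) < 8:
        return False
    classes = (
        any(c in UPPER for c in pw),
        any(c in LOWER for c in pw),
        any(c in DIGITS for c in pw),
        any(c in SYMBOLS for c in pw),
    )
    if sum(classes) < 3:
        return False
    low = pw.lower()
    return not any(t in low for t in tokens)


def generate_password(length=12, tokens=()):
    """Uniform over ALPHABET per position, then rejection-sampled against
    the policy, so the result is uniform over the compliant passwords."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(pw, tokens):
            return pw


def dsmod_commands(dn_text, length=12):
    """Return (commands, credentials): one dsmod line per DN plus the
    (dn, password) pairs to hand to users out of band. That second list is
    a credential store: keep it in a protected location and delete it once
    users have logged on (-mustchpwd forces a change at first logon)."""
    commands, credentials = [], []
    for line in dn_text.splitlines():
        dn = line.strip()
        if not dn or dn.startswith("#"):
            continue
        pw = generate_password(length, name_tokens(dn))
        commands.append(
            f'dsmod user "{dn}" -pwd "{pw}" -mustchpwd yes -disabled no'
        )
        credentials.append((dn, pw))
    return commands, credentials


if __name__ == "__main__":
    cmds, creds = dsmod_commands(SAMPLE_DNS)
    for cmd in cmds:
        print(cmd)
```

Redirect the printed lines into a .cmd file and run it on a DC, or feed them to cscript/cmd one at a time; the password list should never be written next to the script or mailed around in clear.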






RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Fugleberg, David A
LDP is great for a quick look-see but isn't really a reporting tool - I don't know of 
any way to write the output from the search into a file.  That said, it certainly is 
possible to have it return specific attributes instead of all attributes.  In the 
Search dialog, click the Options button and put the attributes you want into the 
Attributes field (the default is *).

To get your report, I'd use a script, as Tom suggested.  If you'd rather use a 
command-line tool, you could use LDIFDE as follows:
ldifde -d dc=yourdomain,dc=com -r "(&(objectclass=user)(objectcategory=person))" -l 
mail,proxyaddresses -f file.txt

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?



I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


[ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Airhart, Cliff
Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active Directory that is 
running a high and low CPU pattern. The CPU flatlines at 100% for about 60 seconds 
then drops to 5% for about 30 seconds. This high and low cycle continues to repeat. 
When the CPU is high the lsass.exe process is the cause of the high CPU. From what I 
understand that is the Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Mulnick, Al
Something like 
Example: Export of specific domain with credentials
csvde -m -f OUTPUT.CSV
  -b USERNAME DOMAINNAME *
  -s SERVERNAME
  -d cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com
  -r (objectClass=user)


Csvde -m -f OUTPUT.CSV -d dc=domainname,dc=com -r
"(&(objectCategory=User)(mail=*))" should give you the right users.  You
could sub proxyAddresses for mail. 

The command would look like

C:\csvde -m -f c:\output.csv -s servername(if wanted) -d dc=domain,dc=com
-r "(&(objectcategory=user)(proxyaddresses=*))"

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Fugleberg, David A
csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r 
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start the 
search, or leave out the -r altogether if you want to do the whole domain naming 
context of the current domain.  You indicated they have only one address, so you could 
leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?


They only have one address, I'm trying to figure out the correct syntax
for a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] Can LDP be used to create email report of all users in AD?

2004-05-26 Thread Passo, Larry
csvde -s dcname -f c:\mail.csv -d dc=xx,dc=com -p subtree -r
objectClass=user -l cn,mail

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

They only have one address, I'm trying to figure out the correct syntax
for a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
users in AD?

If your users have more than one email address, you will also need to
get the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users
in AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Mulnick, Al
Searches, logging on, etc could cause this.  Have you checked to see that
there aren't any other issues going on?  What about a network trace to see
what the heck is going on at the wire after checking the logs?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Airhart, Cliff
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines at
100% for about 60 seconds then drops to 5% for about 30 seconds. This high
and low cycle continues to repeat. When the CPU is high the lsass.exe
process is the cause of the high CPU. From what I understand that is the
Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab


RE: [ActiveDir] DC not replicating out

2004-05-26 Thread Guy Teverovsky
Both come up clean, despite the fact that the A record for the DC
initially didn't have the BAD_DC$ account in the ACL and the owner was
SYSTEM instead of BAD_DC$. I adjusted that manually and the change
replicated to all DCs. Still the netdiag and dcdiag do not show any DNS
related problems - only FRS and AD outbound replication is failing. All
other tests are fine.

Other DCs that participate in the replication with bad DC come up with
KCC errors (eventid 1311: there is insufficient site connectivity,
blabla...) - it's the only DC at site.  

It looks almost like island DNS, but it's W2K3 and that should not
happen.

Guy

On Wed, 2004-05-26 at 17:50, Mulnick, Al wrote:
 Would be relatively easy to check DNS.  DCDIAG and NETDIAG would be two
 tools to use to check to see that all is well from the bad dc and good dc
 perspectives. I'd say go the easy part first.
 
 Invalid Checksum?  Hmmm...  Anything in the security logs that gives an
 indication?
 
 Al 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
 Sent: Tuesday, May 25, 2004 6:02 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] DC not replicating out
 
 
 I am banging my head against the wall the whole day.
 
 In pilot environment we applied a GPO to replace the Default DC GPO.
 Apparently one of the DCs had some issues when the GPO was applied.
 The result was: the inbound replication on the DC works, but no other DC can
 pull from the sick one.
 Closer examination showed total WMI repository corruption. I have rebuilt it
 and it looks that WMI is back (not sure it's related, but worth mentioning)
 
 Since than, the new GPO has been unlinked and replaced with default (and as
 the inbound replication on the DC in question is working, it has replicated
 to it). But that has not resolved the issue.
 
 From faulty DC issued:
 repadmin /replicate good_dc bad_dc cn=configuration,dc=compay,dc=com /force
 
 Traced the session with network monitor from the good DC...
 What I see is:
 - LDAP bind
 - some searches performed and answered correctly
 - MSRPC session initiated
 - RPC request from good DC, RPC response from bad DC
 - RPC bind request from good DC and RCP Bind Ack from bad DC
 - again RPC request from good DC, RPC response from bad DC
 - again RPC bind request from good DC and RPC Bind Nack from bad DC with
 Provider Reject Reason: Invalid checksum
 
 I was about to blame the DNS till I got this Invalid checksum in the
 trace...
 
 Now the question is: am I complicating the whole thing and should look
 closer into DNS or this is something else ?
 
 Thanks,
 Guy
 
 


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Kern, Tom
replication,kcc?

-Original Message-
From: Airhart, Cliff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs


Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active Directory that is 
running a high and low CPU pattern. The CPU flatlines at 100% for about 60 seconds 
then drops to 5% for about 30 seconds. This high and low cycle continues to repeat. 
When the CPU is high the lsass.exe process is the cause of the high CPU. From what I 
understand that is the Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Fugleberg, David A
Or better yet, combine what Al said and what I said, like this:

Csvde -m -f OUTPUT.CSV -d dc=domainname,dc=com -r
"(&(objectclass=User)(objectcategory=person)(mail=*))" -l mail,proxyaddresses

That way you get only the attributes you want, and then only for people who actually 
have mail addresses.  The original note I sent would return a line for every user 
whether they have mail or not, and Al's original would return all attributes for 
anyone with mail.  The combination above should give you what I 'think' you want.

Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
use rs in AD?


Something like 
Example: Export of specific domain with credentials
csvde -m -f OUTPUT.CSV
  -b USERNAME DOMAINNAME *
  -s SERVERNAME
  -d cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com
  -r (objectClass=user)


Csvde -m -f OUTPUT.CSV -d dc=domainname,dc=com -r
"(&(objectCategory=User)(mail=*))" should give you the right users.  You
could sub proxyAddresses for mail. 

The command would look like

C:\csvde -m -f c:\output.csv -s servername(if wanted) -d dc=domain,dc=com
-r "(&(objectcategory=user)(proxyaddresses=*))"

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Mulnick, Al
The -l param is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script as posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?  
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush off to other things).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start
the search, or leave out the -r altogether if you want to do the whole
domain naming context of the current domain.  You indicated they have only
one address, so you could leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?


They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks


Re: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Cass Gowins
Had this problem as well. Was caused by a virus; sasser I believe.

Cass M. Gowins / Network Manager
Stark/Portage Area Computer Consortium
2100 38th St. N.W.
Canton, Ohio  44709
[EMAIL PROTECTED]
- Original Message - 
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 11:42 AM
Subject: RE: [ActiveDir] lsass.exe process causing high CPU on DCs


replication,kcc?

-Original Message-
From: Airhart, Cliff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs


Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines at
100% for about 60 seconds then drops to 5% for about 30 seconds. This high
and low cycle continues to repeat. When the CPU is high the lsass.exe
process is the cause of the high CPU. From what I understand that is the
Active Directory process.

What Active Directory activity would cause this type of behavior?

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Fugleberg, David A
Objectcategory is indexed (objectclass is not), so objectcategory=person is more 
efficient.  Contacts have an objectcategory of person as well, though, so if you use 
only objectcategory=person you get both users and contacts.  By using both in an AND, 
you get only users.

The part about where to root the search obviously depends on where people put stuff in 
their directory, which is why I advised them to change it to whatever suits them...the 
cn=users part was just an example.

There's a discussion of the objectcategory and objectclass thing at 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/deciding_what_to_find.asp
 in case you're interested.  I always used just objectclass=user until someone pointed 
this out...

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all
use rs in AD?


The -l param is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script as posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?  
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush off to other things).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start
the search, or leave out the -r altogether if you want to do the whole
domain naming context of the current domain.  You indicated they have only
one address, so you could leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?


They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?


I'm looking for a way to get an email address report for all user
objects in Active Directory. Any idea on how to do this? I see the mail
attribute in LDP but how can I get just this one field filtered out into
a report 

Thanks
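To turn the csvde export discussed in this thread into the report Caron asked for, here is an added Python example; it is not code from any of the posters. It assumes csvde was run with -l mail,proxyAddresses, that the export's first column is the DN, and that csvde joins the values of a multi-valued attribute with ';' inside one CSV field; the sample export is constructed. build_filter writes the -r filter in full, with the (&...) AND wrapper, and the comment explains why it needs quoting on the command line.

```python
"""Build an email report from a csvde export of user mail attributes.

Added example, not code from any poster in this thread.  Assumptions: the
export was produced with -l mail,proxyAddresses, its first column is the DN,
and csvde joins the values of a multi-valued attribute with ';' inside one
CSV field.  SAMPLE_EXPORT is constructed, not a real export.
"""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample in csvde's layout (header row, DN first).
SAMPLE_EXPORT = (
    "DN,mail,proxyAddresses\n"
    '"CN=Alice Example,CN=Users,DC=example,DC=com",alice@example.com,'
    "SMTP:Alice@example.com;smtp:a.example@example.com\n"
    '"CN=Bob Example,CN=Users,DC=example,DC=com",bob@example.com,SMTP:bob@example.com\n'
    '"CN=Svc Backup,OU=Service,DC=example,DC=com",,\n'
    '"CN=Carol Legacy,OU=Staff,DC=example,DC=com",carol@example.com,smtp:carol@example.com\n'
)


def build_filter(mail_attr: str = "mail") -> str:
    """The search filter for the csvde -r switch, AND-ed with (&...).

    objectCategory=person is indexed; objectClass=user drops contacts, which
    are also category person.  Quote it on the command line because cmd.exe
    treats an unquoted '&' as a command separator.
    """
    return f"(&(objectCategory=person)(objectClass=user)({mail_attr}=*))"


def parse_export(text: str) -> List[Dict[str, object]]:
    """Read the CSV; split proxyAddresses on the ';' that csvde uses."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row.get("proxyAddresses") or ""
        records.append({
            "dn": row["DN"],
            "mail": row.get("mail") or "",
            "proxyAddresses": [p for p in raw.split(";") if p],
        })
    return records


def primary_smtp(proxies: List[str]) -> Optional[str]:
    """Exchange convention: upper-case 'SMTP:' marks the primary (reply)
    address, lower-case 'smtp:' marks secondary addresses."""
    for proxy in proxies:
        if proxy.startswith("SMTP:"):
            return proxy[len("SMTP:"):]
    return None


def email_report(text: str) -> List[Dict[str, object]]:
    """One row per mail-enabled user, with consistency issues flagged."""
    report = []
    for rec in parse_export(text):
        proxies = rec["proxyAddresses"]
        primary = primary_smtp(proxies)
        if not rec["mail"] and primary is None:
            continue  # no address at all: not a mail user, leave it out
        issues = []
        if rec["mail"] and primary is None:
            issues.append("no primary SMTP in proxyAddresses")
        elif rec["mail"] and rec["mail"].lower() != primary.lower():
            issues.append("mail differs from primary SMTP")
        report.append({
            "dn": rec["dn"],
            "mail": rec["mail"],
            "primary": primary,
            "secondaries": [p[len("smtp:"):] for p in proxies if p.startswith("smtp:")],
            "issues": issues,
        })
    return report


if __name__ == "__main__":
    print('csvde ... -r "%s" -l mail,proxyAddresses' % build_filter())
    for row in email_report(SAMPLE_EXPORT):
        flag = " <-- " + "; ".join(row["issues"]) if row["issues"] else ""
        print(f'{row["dn"]}: {row["mail"]} (primary {row["primary"]}){flag}')
```

The report keeps the mail attribute and the proxyAddresses list side by side because they are maintained separately: a user whose mail value has no matching upper-case SMTP: proxy, or whose proxy list lacks a primary altogether, is exactly the kind of inconsistency an address audit should surface rather than silently pick one value.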


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Fuller, Stuart
There is a reason to attend TechEd... Win303 - AD performance
troubleshooting.

From that talk, the two typical causes are non-indexed searches against AD
or a rapid retry of authentication from an application that is using a bad
or expired account.  As Joe says all the time... crank up NetMon and Perfmon
and look for odd LDAP search calls to the DC (e.g. .  PerfMon will also tell
you if you are having performance issues due to hardware limitations... look
at Network utilization, Disk I/O, Disk Queue, and Memory.

Also did you add/change/delete anything recently?? and do you have any
baseline to compare the current behavior with what is expected??

-Stuart


-Original Message-
From: Mulnick, Al
To: [EMAIL PROTECTED]
Sent: 5/26/2004 9:38 AM
Subject: RE: [ActiveDir] lsass.exe process causing high CPU on DCs

Searches, logging on, etc could cause this.  Have you checked to see that
there aren't any other issues going on?  What about a network trace to see
what the heck is going on at the wire after checking the logs?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Airhart, Cliff
Sent: Wednesday, May 26, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines at
100% for about 60 seconds then drops to 5% for about 30 seconds. This high
and low cycle continues to repeat. When the CPU is high the lsass.exe
process is the cause of the high CPU. From what I understand that is the
Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Eric Fleischman
Pardon me for starting a new thread from the original post, I'm taking a
different approach..

This is TOTALLY one of my FAVORITE types of issues to work. I work at
least half a dozen of these a week. Here's my standard action plan that
I use when an engineer here comes to me with one:

1) First, yank the NIC, does CPU drop. I want to understand if it is a
localized operation or something coming over the wire.
2) Take note: does CPU go up on many DCs at once or just one? Just a
good observation.
3) Collect the following data:
a) Start perfmon, all counters, say 10 second intervals (run
this for half an hour or so)
b) Get at least 5 mins of adperf spew (or spa if you're on 2k03,
we just released that to the web yesterday)
c) Collect at least 5 usermode dumps of lsass in 15-30 second
intervals (I use userdump.exe, but there are other choices)
d) If CPU dropped in step 1 above, take at least 2 mins of wide
open trace during problem state; be sure to make buffer large (50MB+) so
it doesn't wrap.

This is a great starting point to understand what the DC is chewing on.
If you want help looking at the data just holler.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Airhart, Cliff
Sent: Wednesday, May 26, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines
at 100% for about 60 seconds then drops to 5% for about 30 seconds. This
high and low cycle continues to repeat. When the CPU is high the
lsass.exe process is the cause of the high CPU. From what I understand
that is the Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab
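Stuart's first suspect (non-indexed searches against AD) and Eric's step 3 (collect data, then work out what the DC is chewing on) both end with reading search statistics. As an added example that is not from the thread, the Python below triages a batch of Directory Service expensive-search records of the kind NTDS event 1644 writes when Field Engineering diagnostic logging is turned up: it groups them by client, flags filters with no indexed attribute, leading-wildcard substring matches and searches that visit far more entries than they return, so a repeat offender stands out. The records are constructed in a simplified key: value layout, and the indexed-attribute set and thresholds are assumptions for the example.

```python
"""Triage Directory Service 'expensive search' records by client and filter.

Added example, not from the thread.  A DC with Field Engineering diagnostic
logging turned up records costly LDAP searches (NTDS event 1644) with the
client, starting node, filter and the visited/returned entry counts.  The
records below are constructed in a simplified key: value layout; the set of
attributes treated as indexed and the thresholds are assumptions for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one repeat offender walking the whole naming context
# on a non-indexed attribute, and one well-scoped query for comparison.
SAMPLE_EVENTS = """\
Client: 10.1.1.50:4721
Starting node: DC=example,DC=com
Filter: (objectClass=user)
Search scope: subtree
Visited entries: 48213
Returned entries: 1920

Client: 10.1.1.50:4733
Starting node: DC=example,DC=com
Filter: (objectClass=user)
Search scope: subtree
Visited entries: 48213
Returned entries: 1920

Client: 10.1.1.77:1199
Starting node: CN=Users,DC=example,DC=com
Filter: (&(objectCategory=person)(objectClass=user)(mail=*))
Search scope: subtree
Visited entries: 1950
Returned entries: 1900

Client: 10.1.1.50:4760
Starting node: DC=example,DC=com
Filter: (description=*backup*)
Search scope: subtree
Visited entries: 48213
Returned entries: 3
"""

# Assumed indexed attributes for this example (objectClass is deliberately absent).
INDEXED = {"objectCategory", "sAMAccountName", "cn", "mail", "objectGUID"}

ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)\s*[~<>]?=")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Split the blank-line separated records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append({
            "client": fields["Client"].rsplit(":", 1)[0],  # drop the source port
            "base": fields["Starting node"],
            "filter": fields["Filter"],
            "visited": int(fields["Visited entries"]),
            "returned": int(fields["Returned entries"]),
        })
    return events


def filter_attributes(ldap_filter: str) -> List[str]:
    """Attribute names referenced by a filter, e.g. (a=1)(b>=2) -> ['a', 'b']."""
    return ATTR_RE.findall(ldap_filter)


def classify(event: Dict[str, object], min_visited: int = 10000,
             min_selectivity: float = 0.1) -> List[str]:
    """Reasons a search looks expensive; an empty list means it looks fine."""
    reasons = []
    flt = str(event["filter"])
    if not any(a in INDEXED for a in filter_attributes(flt)):
        reasons.append("no indexed attribute in filter")
    if re.search(r"=\*[^)]", flt):
        reasons.append("leading-wildcard substring match")
    visited, returned = int(event["visited"]), int(event["returned"])
    if visited >= min_visited and returned / max(visited, 1) < min_selectivity:
        reasons.append("low selectivity (walks most of the naming context)")
    return reasons


def triage(text: str) -> Dict[str, Dict[str, object]]:
    """Aggregate per client: how many searches, how many flagged, total work."""
    per_client: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"searches": 0, "flagged": 0, "visited": 0, "reasons": set()})
    for ev in parse_events(text):
        summary = per_client[str(ev["client"])]
        summary["searches"] += 1
        summary["visited"] += ev["visited"]
        reasons = classify(ev)
        if reasons:
            summary["flagged"] += 1
            summary["reasons"].update(reasons)
    return dict(per_client)


if __name__ == "__main__":
    for client, s in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{client}: {s['flagged']}/{s['searches']} expensive, "
              f"{s['visited']} entries visited, {sorted(s['reasons'])}")
```

The per-client view is the point: a single expensive query is noise, but one address issuing the same whole-domain, non-indexed search every few seconds is the pattern behind the saw-tooth CPU described in this thread, and it gives you the client to go and look at before pulling the NIC.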


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Mulnick, Al
Thanks for the clarification.  That helps tremendously!

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 12:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

Objectcategory is indexed (objectclass is not), so objectcategory=person is
more efficient.  Contacts have an objectcategory of person as well, though,
so if you use only objectcategory=person you get both users and contacts.
By using both in an AND, you get only users.

The part about where to root the search obviously depends on where people
put stuff in their directory, which is why I advised them to change it to
whatever suits them...the cn=users part was just an example.

There's a discussion of the objectcategory and objectclass thing at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/deciding_what_to_find.asp
in case you're interested.  I always used just objectclass=user until someone
pointed this out...

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?


The -l param is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script as posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?  
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush off to other things).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start
the search, or leave out the -r altogether if you want to do the whole
domain naming context of the current domain.  You indicated they have only
one address, so you could leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?


They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can LDP be used to create email report of all users in
AD?


I'm looking for a way to get an email address report for all user objects in
Active Directory. Any idea on how to do this? I see the mail attribute in
LDP but how can I get just this one field filtered out into a report 

Thanks

RE: [ActiveDir] adding a group to the RDP permissions

2004-05-26 Thread Ken Cornetet
Here's some Perl WMI code for adding a local group to the RDP security. However, if
memory serves, W2K doesn't support WMI TS stuff - only 2k3

Anyway, maybe it will work...

use Win32::OLE qw(in);   # 'in' iterates a WMI collection

sub TerminalServerSecurity {
    my $host = shift;
    my $RemoteGroup = shift;

    my $wmi = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!$host\\root\\cimv2")
        or die "WMI error: $^E";

    # The WmiError helper was not part of the post; Win32::OLE->LastError() reports the failure instead
    my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting")
        or die "WMI ExecQuery: " . Win32::OLE->LastError();

    # Add local group giving full control (permission preset 2) on every listening connection
    foreach my $a (in $accounts) {
        print "Adding access to ", $a->TerminalName, "\n";
        $a->AddAccount("$host\\$RemoteGroup", 2);
    }
}

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adding a group to the RDP permissions

Anybody know a good way to add a group programmatically (or GPO, etc.) to the RDP
properties visible when you go to Terminal Services
Configuration/Connections/RDP-Tcp [Properties]. I have a bunch of Win2K remote
administration mode servers that I want to add a group of night operators to.
Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
  


RE: [ActiveDir] adding a group to the RDP permissions

2004-05-26 Thread Creamer, Mark
Thanks Ken!
Even if I can't use this on the 2K machines, it'll help a bunch in
a couple of months. Many of our TS machines are about to be upgraded and/or
installed. I appreciate it

mc

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 26, 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] adding a group to the RDP permissions

Here's some Perl WMI code for adding a local group to the RDP security. However,
if memory serves, W2K doesn't support WMI TS stuff - only 2k3

Anyway, maybe it will work...

use Win32::OLE qw(in);   # 'in' iterates a WMI collection

sub TerminalServerSecurity {
    my $host = shift;
    my $RemoteGroup = shift;

    my $wmi = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!$host\\root\\cimv2")
        or die "WMI error: $^E";

    # The WmiError helper was not part of the post; Win32::OLE->LastError() reports the failure instead
    my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting")
        or die "WMI ExecQuery: " . Win32::OLE->LastError();

    # Add local group giving full control (permission preset 2) on every listening connection
    foreach my $a (in $accounts) {
        print "Adding access to ", $a->TerminalName, "\n";
        $a->AddAccount("$host\\$RemoteGroup", 2);
    }
}

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, May 26, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adding a group to the RDP permissions

Anybody know a good way to add a group programmatically (or GPO,
etc.) to the RDP properties visible when you go to Terminal Services
Configuration/Connections/RDP-Tcp [Properties]. I have a bunch of Win2K remote
administration mode servers that I want to add a group of night operators to.
Thanks

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

[ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

2004-05-26 Thread Noah Eiger
First, thanks to Charles Soto and Nicholas Froome. 

In general, my question was about the best way to implement directory
services (including single sign-on, authentication, and directory security)
for a mixed network of PCs and Macs (30 Macs, 40 PCs). Would one run Open
Directory or Active Directory (I did not consider third-way options like
Novell's eDirectory or *nix NIS)? I also wanted to know about performance
issues for Macs accessing Windows volumes or vice-versa. I also posted this
question to an Active Directory list.

The short answer is that this is quite complicated and that neither AD nor
OD services the other clients with 100% functionality. While I am still
researching this topic, here is some info that I gleaned from responses to
both lists:

FINDINGS:
- OD is more complex to administer. This is, of course, opinion. I am not
sure if this is due to the greater distribution of Windows and AD or of
something inherent about OD.
- AD's real strengths are in spreading directory services across multiple
sites and with integrating AD-aware applications such as Exchange or
SQLServer or RIS.
- OD offers better basic services to Windows clients than AD does to Mac
clients (though this might be changing, see next).
- OS X 10.3.3's Active Directory Plug-in goes a very long way toward
allowing Macs to function within AD just as PCs do. 
- Don't waste energy on getting Mac OS 9x clients to talk to AD. Go 10.3.3.
- This is a quote: Now, lets talk about AFP. Dump it... Get rid of it... it
is as 80's as Ferris Bueller and while it may work in movies, technology
needs upgrades. (chicka chicka... chicka chicka... omp omp O
Yeahhh! Sorry little bit of 'yellow fever') No wonder Microsoft is
getting rid of it, Apple should too. Macs do great with smb:// cifs://
ftp://, etc. , I haven't noticed any difference in file services to smb
shares between a pc and a mac connected to the same share over the same
network.
- Unless absolutely necessary, avoid running both services. Getting the
directories to share info is possible (since they both speak LDAP) but
complex.
- If you want to run Exchange, you need AD.
- Some folks pointed to Apple's lower cost since the server software is
included and there are essentially no client access licenses (CAL) as with
Windows. However, I found Apple's hardware to be pricy compared to similar
servers from Dell. Apple also uses IDE drives in their RAID enclosures.


REMAINING QUESTIONS:
- What is the performance of cross platform file service? Specifically, can
Mac clients running high-demand applications like Quark and Photoshop get
acceptable performance from Windows servers? Is something like ExtremeZ-IP
needed?
- Can XServe volumes be managed by Active Directory? That is, can you add
and XServe as a member server of an AD domain?
- Would love to hear real-world experiences with the new AD Plug-in for
10.3.3.
- I consider some services like RIS to be pretty essential to speeding
deployment and recovery in a Windows environment. Are there similar
applications or services that require OD for Macs?


RESOURCES:
You all might know about these already but here are some links:

Apple Server resources:
http://docs.info.apple.com/article.html?artnum=107912

Microsoft Active Directory and SFM:
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm

Windows-Mac integration
http://www.macwindows.com
http://www.macosxlabs.org
http://www.4am-media.com

Active Directory Integration 
http://www.macosxlabs.org/webcasts/2004-03-16_ActiveDirectory/index.html
http://www.macdevcenter.com/lpt/a/4075
http://www.bombich.com/mactips/activedir.html


File Sharing & Performance
http://www.grouplogic.com/products/extreme/overview.cfm
http://www.apple.com/xserve/performance.html



Thanks again to all. Any further comments welcome.

nme

--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]




[ActiveDir] OT: Exchange SMTP Relay Precedence

2004-05-26 Thread Burkes, Jeremy [Contractor]
Here is the scenario:


I have two Exchange servers in different routing groups called ServerA and ServerB. ServerA has an SMTP Connector to an external domain (externaldomainA.com) using a smart host with a Connector Scope of Entire Organization and Allow messages to be relayed to these domains checked. ServerB's SMTP virtual server does not allow relay (Only the list below is checked). We want to allow another external domain (externaldomainB.com) the ability to relay through ServerB to ServerA instead of using the internet to send mail to externaldomainA.com. We figured that an SMTP connector scoped to the Entire Organization with Allow messages to be relayed to these domains checked would let externaldomainB to relay through ServerB to ServerA to externaldomainA but that does not seem to be true as we get the 550 error (5.7.1 Cannot Relay). Does the settings in the SMTP Virtual Server take precedence over an SMTP connector in another routing group? Do we have to open up ServerB's virtual server to externaldomainB.com to allow it to relay? TIA.

Jeremy





RE: [ActiveDir] OT: Exchange SMTP Relay Precedence

2004-05-26 Thread Mulnick, Al
IIRC, the connector trumps the VS, but in your case it's in 
another RG. I would guess (and I'm reaching a bit here) that it would work 
if you had a connector specified that utilized that VS. Since you don't, 
you'll need to find a way to allow the traffic.

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Wednesday, May 26, 2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange SMTP Relay Precedence

Here is the scenario: 
I have two Exchange servers in different routing 
groups called ServerA and ServerB. ServerA has an SMTP Connector to an 
external domain (externaldomainA.com) using a smart host with a Connector Scope 
of Entire Organization and Allow messages to be relayed to these domains 
checked. ServerB's SMTP virtual server does not allow relay (Only the list 
below is checked). We want to allow another external domain 
(externaldomainB.com) the ability to relay through ServerB to ServerA instead of 
using the internet to send mail to externaldomainA.com. We figured that an 
SMTP connector scoped to the Entire Organization with Allow messages to be 
relayed to these domains checked would let externaldomainB to relay through 
ServerB to ServerA to externaldomainA but that does not seem to be true as we 
get the 550 error (5.7.1 Cannot Relay). Does the settings in the SMTP 
Virtual Server take precedence over an SMTP connector in another routing 
group? Do we have to open up ServerB's virtual server to 
externaldomainB.com to allow it to relay? TIA.
Jeremy 


RE: [ActiveDir] lsass.exe process causing high CPU on DCs

2004-05-26 Thread Eric Fleischman
Critical mass has been reached... multiple people asked me (offline)
where to get SPA. Here's a link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&displaylang=en

I shall learn to post links with tools..

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 26, 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] lsass.exe process causing high CPU on DCs

Pardon me for starting a new thread from the original post, I'm taking a
different approach..

This is TOTALLY one of my FAVORITE types of issues to work. I work at
least half a dozen of these a week. Here's my standard action plan that
I use when an engineer here comes to me with one:

1) First, yank the NIC, does CPU drop. I want to understand if it is a
localized operation or something coming over the wire.
2) Take note: does CPU go up on many DCs at once or just one? Just a
good observation.
3) Collect the following data:
a) Start perfmon, all counters, say 10 second intervals (run
this for half an hour or so)
b) Get at least 5 mins of adperf spew (or spa if you're on 2k03,
we just released that to the web yesterday)
c) Collect at least 5 usermode dumps of lsass in 15-30 second
intervals (I use userdump.exe, but there are other choices)
d) If CPU dropped in step 1 above, take at least 2 mins of wide
open trace during problem state; be sure to make buffer large (50MB+) so
it doesn't wrap.

This is a great starting point to understand what the DC is chewing on.
If you want help looking at the data just holler.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Airhart, Cliff
Sent: Wednesday, May 26, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] lsass.exe process causing high CPU on DCs

Hello Everyone,

We have 2 Domain controllers running Windows2000 server with Active
Directory that is running a high and low CPU pattern. The CPU flatlines
at 100% for about 60 seconds then drops to 5% for about 30 seconds. This
high and low cycle continues to repeat. When the CPU is high the
lsass.exe process is the cause of the high CPU. From what I understand
that is the Active Directory process. 

What Active Directory activity would cause this type of behavior? 

Thanks in advance for your help!

Cliff Airhart
Network Engineer
Spectrolab
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread joe
Hi Al. :o)



(&(objectcategory=person)(objectclass=user)) is a good filter though it
wouldn't catch inetorgpersons. Slightly better may be
(&(objectcategory=person)(samaccountname=*)) if you have contact objects or
you have inetorgpersons you want to catch as well as user objects. If you
have no contacts and no inetorgpersons, either of those filters should
perform the same. 

Just doing objectcategory=person will get you objectclasses:

dn:CN=Organizational-Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Contact,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com


So let's put it this way, say you have 100k users and 200k contacts in your
directory. If you just do 

Objectcategory=person

You will get back 300k objects.

If you do

(&(objectcategory=person)(objectclass=user))

You will get back 100k objects though it would have to chase through 300k
objects (assuming objectclass has not been indexed in that forest).


If you do 

(&(objectcategory=person)(samaccountname=*))

You will get back 100k objects and will only chase through 100k objects.


If you add inetorgperson into the mix, you will catch them on the first
filter and the third, but not the second. So if your mix was 100k users,
200k contacts, 50k inetorgpersons you would see


First filter
350k objects returned

Second filter
100k objects returned, 350k objects checked


Third filter 

150k objects returned, 150k objects checked.



Now to just get the ones with an email address you add in email=* but note
that that may not necessarily be people with Exchange mailboxes... That you
would need to go after something like home MDB. Note that mail is indexed so
that is a nice attribute to use. Home MDB I don't believe is. 

On the script that was posted (I think by Tom), it would be just as
efficient as you say if there was only a single container BUT ALSO if it
only contained user objects. If there were for instance many computer or
group objects in the same container it would bog down chasing through those.





  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

The -l params is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script as posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?  
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush off to other things).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start
the search, or leave out the -r altogether if you want to do the whole
domain naming context of the current domain.  You indicated they have only
one address, so you could leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?


They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If your users have more than one email address, you will also need to get
the proxyAddresses attribute.

-Original Message-
From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 7:35 AM
To: [EMAIL PROTECTED]
Subject: 
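Added example (not code from any list member): a small RFC 4515 filter parser plus a simplified cost model in which an AND search scans only the hits of its smallest indexed component, run over a constructed directory of 100 users (60 mail-enabled) and 200 contacts, i.e. joe's first scenario scaled down. It assumes, as joe does, that objectCategory, sAMAccountName and mail are indexed and objectClass is not; attribute values are simplified (real AD stores objectCategory as a schema DN) and the returned/checked counts are the model's, not a DC's.

```python
from typing import Dict, List, Optional, Set, Tuple

INDEXED = frozenset({"objectcategory", "samaccountname", "mail"})  # joe's assumption; objectClass is not

FILTERS = {
    "first": "(objectcategory=person)",
    "second": "(&(objectcategory=person)(objectclass=user))",
    "third": "(&(objectcategory=person)(samaccountname=*))",
    "with mail": "(&(objectcategory=person)(samaccountname=*)(mail=*))",
}

def parse_filter(text: str) -> tuple:
    """Parse the RFC 4515 subset the thread uses: AND, equality and presence."""
    pos = 0
    def node() -> tuple:
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        if text[pos:pos + 1] == "&":            # (&(item)(item)...)
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if text[pos:pos + 1] != ")":
                raise ValueError(f"unclosed '&' at offset {pos} in {text!r}")
            pos += 1
            return ("&", kids)
        end = text.index(")", pos)              # raises ValueError if no ')'
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)       # value '*' is a presence test
    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos} in {text!r}")
    return tree

def matches(tree: tuple, obj: Dict[str, List[str]]) -> bool:
    """Full evaluation against one object: the per-object 'check'."""
    if tree[0] == "&":
        return all(matches(k, obj) for k in tree[1])
    _, attr, value = tree
    vals = obj.get(attr, [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def candidates(tree: tuple, directory: List[Dict[str, List[str]]]) -> Optional[Set[int]]:
    """Objects an index-driven search must touch (None = full scan); an AND scans only its smallest indexed component."""
    if tree[0] == "&":
        sets = [s for s in (candidates(k, directory) for k in tree[1]) if s is not None]
        return min(sets, key=len) if sets else None
    if tree[1] not in INDEXED:
        return None
    return {i for i, o in enumerate(directory) if matches(tree, o)}

def search(filter_text: str, directory: List[Dict[str, List[str]]]) -> Tuple[int, int]:
    """Return (objects returned, objects checked) for one filter."""
    tree = parse_filter(filter_text)
    cand = candidates(tree, directory)
    if cand is None:
        cand = set(range(len(directory)))
    return sum(1 for i in cand if matches(tree, directory[i])), len(cand)

def build_directory(users: int = 100, contacts: int = 200, mail_users: int = 60) -> List[Dict[str, List[str]]]:
    """Constructed directory, joe's 100k users / 200k contacts scaled down 1000x:
    contacts carry mail but no sAMAccountName; the first mail_users users have mail."""
    base = ["top", "person", "organizationalPerson"]
    directory = [{"objectcategory": ["person"], "objectclass": base + ["user"],
                  "samaccountname": [f"user{i}"],
                  **({"mail": [f"user{i}@example.test"]} if i < mail_users else {})}
                 for i in range(users)]
    directory += [{"objectcategory": ["person"], "objectclass": base + ["contact"],
                   "mail": [f"contact{i}@partner.example"]} for i in range(contacts)]
    return directory

def compare_filters(directory=None) -> Dict[str, Tuple[int, int]]:
    """(returned, checked) for every filter in FILTERS, e.g. {'first': (300, 300), ...}."""
    directory = build_directory() if directory is None else directory
    return {name: search(f, directory) for name, f in FILTERS.items()}
```

A filter whose AND operator has been lost (two items side by side with no enclosing `(&...)`) is rejected by the parser instead of silently matching, and an item that runs two attributes together, such as `(objectclass=samaccountname=*)`, returns nothing while still checking every person object, which is the check worth running before pointing a query at a large naming context.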

Re: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

2004-05-26 Thread Brent Westmoreland
Answers in line to additional questions


 From: Noah Eiger [EMAIL PROTECTED]
 Organization: PRBO Conservation Science
 Reply-To: [EMAIL PROTECTED]
 Date: Wed, 26 May 2004 10:36:54 -0700
 To: Active Directory List [EMAIL PROTECTED]
 Subject: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe
 
 First, thanks to Charles Soto and Nicholas Froome.
 
 In general, my question was about the best way to implement directory
 services (including single sign-on, authentication, and directory security)
 for a mixed network of PCs and Macs (30 Macs, 40 PCs). Would one run Open
 Directory or Active Directory (I did not consider third-way options like
 Novell's eDirectory or *nix NIS)? I also wanted to know about performance
 issues for Macs accessing Windows volumes or vice-versa. I also posted this
 question to an Active Directory list.
 
 The short answer is that this is quite complicated and that neither AD nor
 OD services the other clients with 100% functionality. While I am still
 researching this topic, here is some info that I gleaned from responses to
 both lists:
 
 FINDINGS:
 - OD is more complex to administer. This is, of course, opinion. I am not
 sure if this is due to the greater distribution of Windows and AD or of
 something inherent about OD.

I disagree, it may be more a pain in the ass because of the workgroup
manager interface, but certainly not more complex.

 - AD's real strengths are in spreading directory services across multiple
 sites and with integrating AD-aware applications such as Exchange or
 SQLServer or RIS.
 - OD offers better basic services to Windows clients than AD does to Mac
 clients (though this might be changing, see next).
 - OS X 10.3.3's Active Directory Plug-in goes a very long way toward
 allowing Macs to function within AD just as PCs do.
 - Don't waste energy on getting Mac OS 9x clients to talk to AD. Go 10.3.3.
 - This is a quote: Now, lets talk about AFP. Dump it... Get rid of it... it
 is as 80's as Ferris Bueller and while it may work in movies, technology
 needs upgrades. (chicka chicka... chicka chicka... omp omp O
 Yeahhh! Sorry little bit of 'yellow fever') No wonder Microsoft is
 getting rid of it, Apple should too. Macs do great with smb:// cifs://
 ftp://, etc. , I haven't noticed any difference in file services to smb
 shares between a pc and a mac connected to the same share over the same
 network.
 - Unless absolutely necessary, avoid running both services. Getting the
 directories to share info is possible (since they both speak LDAP) but
 complex.
 - If you want to run Exchange, you need AD.
 - Some folks pointed to Apple's lower cost since the server software is
 included and there are essentially no client access licenses (CAL) as with
 Windows. However, I found Apple's hardware to be pricy compared to similar
 servers from Dell. Apple also uses IDE drives in their RAID enclosures.
 
 
 REMAINING QUESTIONS:
 - What is the performance of cross platform file service? Specifically, can
 Mac clients running high-demand applications like Quark and Photoshop get
 acceptable performance from Windows servers? Is something like ExtremeZ-IP
 needed?

I think that the cifs:// or smb:// file performance is fine.  I am not a
designer so I haven't attempted modifying huge uncompressed PhotoShop
documents, but as long as you are on a 100mb Full Duplex network it should
be fine.

 - Can XServe volumes be managed by Active Directory? That is, can you add
 and XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an
active directory domain, and some creative vi'ing on the /etc/smb.conf file
to manage authentication via kerberos.

 - Would love to hear real-world experiences with the new AD Plug-in for
 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4(due to be released the end of
this week) goes a little bit farther.  There is still an issue gaining a
kerberos ticket if you have a particular set of circumstances, but apple has
been notified of the issue and is currently working on the problem.

 - I consider some services like RIS to be pretty essential to speeding
 deployment and recovery in a Windows environment. Are there similar
 applications or services that require OD for Macs?

Check out netboot for this purpose, it doesn't have any direct hooks into OD
and isn't required to do your imaging.

http://docs.info.apple.com/article.html?artnum=107912

And download System Imaging Administration
 

 
 RESOURCES:
 You all might know about these already but here are some links:
 
 Apple Server resources:
 http://docs.info.apple.com/article.html?artnum=107912
 
 Microsoft Active Directory and SFM:
 http://www.microsoft.com/windowsserver2003/technologies/directory/activedire
 ctory/default.mspx
 http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows200
 0sfm
 
 Windows-Mac integration
 http://www.macwindows.com
 http://www.macosxlabs.org
 http://www.4am-media.com
 
 

RE: [ActiveDir] Can LDP be used to create email report of all use rs in AD?

2004-05-26 Thread Mulnick, Al
Hi Joe. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 26, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

Hi Al. :o)



(&(objectcategory=person)(objectclass=user)) is a good filter though it
wouldn't catch inetorgpersons. Slightly better may be
(&(objectcategory=person)(samaccountname=*)) if you have contact objects or
you have inetorgpersons you want to catch as well as user objects. If you
have no contacts and no inetorgpersons, either of those filters should
perform the same. 

Just doing objectcategory=person will get you objectclasses:

dn:CN=Organizational-Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Contact,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com


So let's put it this way, say you have 100k users and 200k contacts in your
directory. If you just do 

Objectcategory=person

You will get back 300k objects.

If you do

(&(objectcategory=person)(objectclass=user))

You will get back 100k objects though it would have to chase through 300k
objects (assuming objectclass has not been indexed in that forest).


If you do 

(&(objectcategory=person)(samaccountname=*))

You will get back 100k objects and will only chase through 100k objects.


If you add inetorgperson into the mix, you will catch them on the first
filter and the third, but not the second. So if your mix was 100k users,
200k contacts, 50k inetorgpersons you would see


First filter
350k objects returned

Second filter
100k objects returned, 350k objects checked


Third filter 

150k objects returned, 150k objects checked.



Now to just get the ones with an email address you add in email=* but note
that that may not necessarily be people with Exchange mailboxes... That you
would need to go after something like home MDB. Note that mail is indexed so
that is a nice attribute to use. Home MDB I don't believe is. 

On the script that was posted (I think by Tom), it would be just as
efficient as you say if there was only a single container BUT ALSO if it
only contained user objects. If there were for instance many computer or
group objects in the same container it would bog down chasing through those.





  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, May 26, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all use
rs in AD?

The -l params is a nice touch but curious why you want to find objectClass
objects.  That's an inefficient query IIRC.  Plus, if you return each person
in the directory (you should start at a higher node to supply an answer to
his request which is to find ALL users in the domain;  if he had them in one
OU or container, he could use that script as posted quite easily
without much mod.) you're potentially bringing back way more than he wanted,
which again is inefficient right?  
It's a best practice to narrow the search as much as possible prior to
execution to prevent overloading the dc with query traffic.  ObjectClass is
not usually recommended nor is both user and person (they're redundant
mostly) in the same query.   Correct me if I'm wrong though.  I hate to be
wrong thinking I'm right ;)

Narrow it down to just users in the domain that have mail attributes and
return the mail and proxyaddresses attributes (forgot about the list of
attributes to post before in my haste to rush off to other things).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r
"(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses

Replace the cn=users,dc=yourdomain,dc=com with the place you want to start
the search, or leave out the -r altogether if you want to do the whole
domain naming context of the current domain.  You indicated they have only
one address, so you could leave off the proxyaddresses part as well.

HTH
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Grantham, Caron
Sent: Wednesday, May 26, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?


They only have one address, I'm trying to figure out the correct syntax for
a CSVDE export, do you know?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, May 26, 2004 9:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?

If 

[ActiveDir] user script

2004-05-26 Thread Kern, Tom
would this script let me add users from domain A to universal group in domain B?

Const ADS_PROPERTY_APPEND = 3
' Placeholder DNs; the group DN and each member DN must be full, valid distinguished names
Set objGroup = GetObject _
  ("LDAP://cn=Universalgroup,cn=Users,dc=parentdomain,dc=rootdomain")
objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
  Array("cn=username1,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
  "cn=username2,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain", _
  "cn=username3,ou=ouname,dc=childdomain,dc=parentdomain,dc=rootdomain")
objGroup.SetInfo


i ran this from task scheduler and got an exit code of 0 (success?), however when i look 
in the group, these users are not present.
do i need to specify a GC for universal groups? and how? should I run the script on a 
GC?

thanks


RE: [ActiveDir] SUMMARY: Mixed network PC and Mac - AD or XServe

2004-05-26 Thread McCann, Danny

 - Can XServe volumes be managed by Active Directory? That is, can you add
 and XServe as a member server of an AD domain?

Yes, you can use the active directory plugin in 10.3.3 to add xserves to an
active directory domain, and some creative vi'ing on the /etc/smb.conf file
to manage authentication via kerberos.

 - Would love to hear real-world experiences with the new AD Plug-in for
 10.3.3.

The 10.3.3 plugin is not bad, but the 10.3.4(due to be released the end of
this week) goes a little bit farther.  There is still an issue gaining a
kerberos ticket if you have a particular set of circumstances, but apple has
been notified of the issue and is currently working on the problem.

 - I consider some services like RIS to be pretty essential to speeding
 deployment and recovery in a Windows environment. Are there similar
 applications or services that require OD for Macs?

Check out netboot for this purpose, it doesn't have any direct hooks into OD
and isn't required to do your imaging.

http://docs.info.apple.com/article.html?artnum=107912

And download System Imaging Administration


 
Hi
 
I attended a demo of all of the above today and everything ran very smoothly.
Only issue was that they claimed to be able to map AD user account home directories, 
by mounting them as share points on the desktop, but couldn't demonstrate this as one 
of the scripts needed some work. Apparently :)
Apple are also looking into a method of accessing DFS from the Mac.
 
Cheers
 
Danny

RE: [ActiveDir] Really goofy DNS trouble

2004-05-26 Thread Malachi Burke

Hey, I found the problem and I believe fixed it. If you have a Win2K DC with a domain
name of NAME instead of NAME.local, it is categorized as a single-label name, and DNS
treats that as a TLD such as .com, .net etc. and subsequently disallows dynamic
registration. There are some registry hacks available which force things back into
submission, covered in MS Knowledge Base article 300684.



This took a long damn time to figure out! I debated renaming the domain but we all know how that is =)



Malachi



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, May 25, 2004 11:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Really goofy DNS trouble



Is the DNS zone enabled for dynamic updates?









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Malachi Burke
Sent: Wednesday, 26 May 2004 02:55
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Really goofy DNS trouble

Hey guys, I inherited a network with a very goofed up AD/DNS server. The forward lookup
zone contains no msdcs entry, nor does it contain any client entries. We've been limping
along with it this way, but now we've got a new DC+DNS in to take over. Trouble is, the
new DC can't complete replication, and it seems to be because of a failed DNS resolution.
Yuck! I tried ipconfig /registerdns but to no avail. Any ideas?



My hope was to start anew with a fresh DNS server, but it's a little discomforting doing
a backup from one Win2K machine and a restore onto the new Win2K3 machine when COM+
registry settings and friends are involved in an AD backup/restore, so I opted for
replication, and here we are.



Mal

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, May 25, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID





getsid from the NT 4.0 reskit will do that (in the downlevel domain), but I expect there is
something that would work in both environments (joeware?).









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, May 25, 2004 12:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Looking for a tool that displays SID

The LDP.exe should do it for the AD side of the house, not sure about the NT side.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lanci, Richard
Sent: Tuesday, May 25, 2004 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Looking for a tool that displays SID



In the middle of a migration from NT4 to AD and am looking for a tool that will display
the SIDs (NT and AD) of migrated users. We are using the NetIQ product for the
user/computer migration.

Thanks in advance