RE: [ActiveDir] Moving Roaming profiles
Ok, I was under the impression from reading that DFS could be arranged to always point to a root1, and clients would only fail over to root2 if root1 could not be found. Sounds to me like that isn't going on after all.

Mal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, June 02, 2004 9:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Moving Roaming profiles

It is indeed NOT a good thing. I would not do this.

FRS is not meant to replicate this type of dynamic data (profiles); you may experience data loss or perhaps FRS breakdowns (depending on size, number of files, and amount of change per file).

Clarification on the data loss: this would not be due to FRS or 'corrupt' files, but rather the natural way FRS works, which is on a last-writer-wins basis.

my .02
-steve

----- Original Message -----
From: Malachi Burke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 8:16 PM
Subject: [ActiveDir] Moving Roaming profiles

I want to move roaming profiles from our regular share into a DFS folder. The setup is straightforward: two DCs, DFS replicating to each other, highly available roaming profiles. A sanity check that this is indeed a good thing would be nice. I am also a bit concerned about DFS because the documentation is so verbose (i.e. makes my brain hurt figuring it all out).

Scenario: DC1 and DC2 are both hosting DFS root \\testroot\root. They are hosting their own corresponding file shares (say \\DC1\root and \\DC2\root). Am I right in expecting that EITHER DC1 or DC2 can go offline, and \\testroot\root will still be available?

Lastly, moving the profiles looks like you have to muck with ownership and permissions. I was able to brute-force move one this way (by forcefully claiming ownership and subsequent permission of the entire profile tree), but a more graceful method would be appreciated.

Malachi

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
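A more graceful way to do the move Malachi asks about, as an added example that is not part of the thread: copy the profile trees with robocopy in backup mode so the administrator never has to take ownership. With /B robocopy reads through the Backup and Restore privileges that members of Administrators hold, and /COPYALL carries the NTFS DACL, owner and SACL across unchanged. That matters because Windows checks the owner of a roaming profile folder at logon and refuses to load the profile when the owner is not the one it expects (unless the 'Do not check for user ownership of Roaming Profile Folders' policy is set), so seizing ownership and then re-granting permissions is the wrong order. The paths \\OLDSRV\Profiles$ and \\testroot\root\Profiles are assumptions, and the script must run elevated on a machine where the account is an administrator of both file servers.

```powershell
# Added example, not from the thread: move roaming profile folders while keeping
# each folder's NTFS DACL, owner and SACL intact, without seizing ownership.
# Assumptions: \\OLDSRV\Profiles$ (source) and \\testroot\root\Profiles (target)
# are hypothetical; the session is elevated and the account is a member of
# Administrators on both servers, which provides the Backup/Restore privileges
# that robocopy /B relies on.
param(
    [string]$Source      = '\\OLDSRV\Profiles$',
    [string]$Destination = '\\testroot\root\Profiles',
    [string]$LogDir      = (Join-Path $env:TEMP 'profile-move')
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Invoke-ProfileCopy {
    param([string]$From, [string]$To, [string]$Log, [switch]$ListOnly)
    # /E        recurse, including empty directories
    # /B        backup mode: read folders whose ACL grants only the user and SYSTEM,
    #           without touching the ACL or the owner
    # /COPYALL  = /COPY:DATSOU: data, attributes, timestamps, DACL, owner, SACL
    # /DCOPY:T  preserve directory timestamps
    # /XJ       do not follow junction points
    # /L        list what would be copied, copy nothing (dry run)
    $roboArgs = @($From, $To, '/E', '/B', '/COPYALL', '/DCOPY:T', '/XJ',
                  '/R:2', '/W:5', '/NP', "/LOG:$Log")
    if ($ListOnly) { $roboArgs += '/L' }
    & robocopy.exe @roboArgs | Out-Null
    # robocopy's exit code is a bit mask: 1 copied, 2 extras, 4 mismatches,
    # 8 failed copies, 16 fatal error. Anything below 8 means nothing failed.
    return $LASTEXITCODE
}

function Get-ExplicitAces($acl) {
    # Only explicit ACEs are compared; inherited ones legitimately change when
    # the parent folder changes.
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)|$($_.PropagationFlags)"
    } | Sort-Object
}

# 1. Dry run. With /B this also proves the account can read every profile tree.
$rc = Invoke-ProfileCopy -From $Source -To $Destination -Log "$LogDir\dryrun.log" -ListOnly
if ($rc -ge 8) { throw "Dry run failed (robocopy exit $rc); see $LogDir\dryrun.log" }

# 2. Real copy.
$rc = Invoke-ProfileCopy -From $Source -To $Destination -Log "$LogDir\copy.log"
if ($rc -ge 8) { throw "Copy reported failures (robocopy exit $rc); see $LogDir\copy.log" }

# 3. Compare owner and explicit DACL of each top-level profile folder. Get-Acl
#    does not use backup semantics, so a folder that grants Administrators
#    nothing (the default for a roaming profile) is reported as 'unreadable'
#    rather than as a mismatch.
$report = foreach ($dir in Get-ChildItem -LiteralPath $Source -Directory) {
    $owner = $null
    $state = 'unreadable'
    try {
        $src = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $dst = Get-Acl -LiteralPath (Join-Path $Destination $dir.Name) -ErrorAction Stop
        $owner = $src.Owner
        $sameAcl = ((Get-ExplicitAces $src) -join ';') -eq ((Get-ExplicitAces $dst) -join ';')
        $state = if ($src.Owner -eq $dst.Owner -and $sameAcl) { 'ok' } else { 'MISMATCH' }
    } catch { }
    [pscustomobject]@{ Profile = $dir.Name; Owner = $owner; State = $state }
}
$report | Format-Table -AutoSize
```

Run the dry run first; a failure there means the account lacks the Backup privilege on the source or access to the destination share root, not a problem with any one profile. Once the copy is clean, repoint the users' profile path at the DFS name and only then retire the old share; the DFS path is what makes the next move a backroom change, as Diane notes further down the thread.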
RE: [ActiveDir] PTR records - why?
If you ever need to connect to a Unix machine then it will try to do a reverse lookup, which needs the PTR records.

Steve

-----Original Message-----
From: Rutherford, Robert [EMAIL PROTECTED]
Sent: 01/06/04 09:50:48
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: RE: [ActiveDir] PTR records - why?

You don't specifically need pointers... as far as I can remember it is just good practice. I do find it useful from an admin perspective at times, i.e. resolving an IP back to an IP in a troubleshooting scenario (at times). You aren't going to lose anything by creating them.

Rob

-----Original Message-----
From: Jan Wilson [mailto:[EMAIL PROTECTED]
Sent: 30 May 2004 02:22
To: [EMAIL PROTECTED]
Subject: [ActiveDir] PTR records - why?

We have a Windows 2000 forest with multiple child domains. No web servers. No remote hosted mail servers. No external access. (That I know about at least!) Our DNS is integrated to Active Directory.

Fellow administrators are adamant we should create reverse lookup zones for all our subnets. This would assist name resolution for our NT4 workstations, they claim. Stuff and nonsense, I claim.

Is there any reason to use PTR records on an AD domain?

Thanks!
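The check behind Steve's and Rob's answers, as an added example that is not part of the thread: resolve each host forward, resolve the address back, and report any host whose PTR is missing or points to a different name. The case where this bites is a Unix client that canonicalises a server name through reverse DNS before choosing a Kerberos service principal (MIT krb5's rdns setting, on by default) or an sshd with UseDNS enabled; a stale or absent PTR then surfaces as a failed logon rather than as an obvious DNS error. The hostnames below are hypothetical, and the queries go to the client's configured (AD-integrated) DNS servers.

```powershell
# Added example, not from the thread: for each host resolve the A record, then
# the PTR for that address, and report hosts whose reverse name is missing or
# does not match. Hostnames are hypothetical; pass fully qualified names.
# Queries go to the client's configured (AD-integrated) DNS servers.
function Test-ReverseLookup {
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($h in $HostName) {
        $row = [ordered]@{ Host = $h; Address = $null; ReverseName = $null; State = $null }
        $a = Resolve-DnsName -Name $h -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $a) {
            $row.State = 'no A record'
        } else {
            $row.Address = $a.IPAddress
            # Resolve-DnsName derives the in-addr.arpa name from the address itself.
            $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
            if (-not $ptr) {
                $row.State = 'no PTR record'
            } elseif ($ptr.NameHost.TrimEnd('.') -ieq $h.TrimEnd('.')) {
                $row.ReverseName = $ptr.NameHost
                $row.State = 'ok'
            } else {
                # Usually a stale PTR left behind when the host was re-addressed.
                $row.ReverseName = $ptr.NameHost
                $row.State = 'PTR points elsewhere'
            }
        }
        [pscustomobject]$row
    }
}

# Hypothetical inventory; in practice feed it the DNSHostName of every computer
# object, e.g. (Get-ADComputer -Filter *).DNSHostName with the ActiveDirectory module.
$inventory = 'dc1.corp.example', 'dc2.corp.example', 'files.corp.example'
Test-ReverseLookup -HostName $inventory | Format-Table -AutoSize
```

Hosts reported as 'PTR points elsewhere' are worth more attention than hosts with no PTR at all: a reverse record that names the wrong machine is what a logging or access-control decision on the Unix side will silently act on.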
RE: [ActiveDir] MACS
Thanks Guys.

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: 02 June 2004 17:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

I just checked with the PM to see if it aligns with my understanding. At this point no decision has been made. It's still TBD.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

It was announced at TechEd (although it's second-hand information from one of our PMs; I wasn't at that session.)

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Where did you hear that? Last I heard in the beta group it was to be included in the next 2K/2003 SPs, but I am not as well connected as you are :-] Maybe ~eric can answer <G>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

And, as I understand it, it is not going to be a free download or Resource Kit component any more. MSFT is going to charge for it.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

> Anyone know where MS are with MACS now?

MACS is now called Microsoft Windows Audit Collection Services (ACS). Release Candidate 1 became available to beta testers at the end of April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as NetworkService)
7) Improved manageability
8) Database included
9) Many quality and stability improvements

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Friday, May 28, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS

Anyone know where MS are with MACS now?
RE: [ActiveDir] Trusts between NT4 and AD
I know the lingo is different between NT4 and AD; what are the words in NT and AD?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Wednesday, June 02, 2004 5:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between NT4 and AD

You have trusting and trusted reversed. The dropdown box in the logon screen lists trusted domains. In your case, you want:

NT4 as trusted
AD as trusting

A one-way trust would work.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Trusts between NT4 and AD

I have a question for everyone. If I have a computer in AD and I want to have an NT 4 domain listed in the drop-down box on the login screen so that someone can use that machine to log in to the NT 4 domain, would I need to set up a trust in the following fashion:

One way from NT 4 to AD
NT 4 is the trusting and AD is the trusted domain?

Basically I want people to be able to log in and access resources in the NT 4 domain from a computer that is a member of the AD domain.

Thanks in advance
Justin
RE: [ActiveDir] Trusts between NT4 and AD
The terminology hasn't changed. Think of it this way: thINGS trust ED. So, the trustING domain is the resource side of the equation, while the trustED side is the person[1] side of the equation.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Really, the security principle side of things. But Ed is easier to envision as a person than as a security principle.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between NT4 and AD

I know the lingo is different between NT4 and AD; what are the words in NT and AD?
[...]
RE: [ActiveDir] Moving Roaming profiles
It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles. If you used a DFS root to designate your storage location and you needed to migrate/replace this location, you could update the DFS root without having to modify any user attributes. Basically make the management of the profile data a backroom thing. Using FRS would make the whole setup somewhat ugly.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, June 02, 2004 9:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Moving Roaming profiles

It is indeed NOT a good thing. I would not do this.
[...]
RE: [ActiveDir] Trusts between NT4 and AD
Actually, it's spelled security principal. Just remember that the princiPAL is your pal. <grin>

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 7:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trusts between NT4 and AD

The terminology hasn't changed. Think of it this way: thINGS trust ED. So, the trustING domain is the resource side of the equation, while the trustED side is the person[1] side of the equation.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Really, the security principle side of things. But Ed is easier to envision as a person than as a security principle.
[...]
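The trusting/trusted direction this thread untangles, as an added example that is not part of the thread: a PowerShell helper that turns a trust object into plain "X trusts Y" rows, so the thING/ED mnemonic can be checked against what the directory actually reports, and that flags a downlevel (NT4-style) trust on which SID filtering is off. Get-ADTrust (ActiveDirectory module) reports Direction relative to the domain it was run against: Outbound means the queried domain trusts the target, which is exactly Larry's "NT4 as trusted, AD as trusting" seen from the AD side. The sample object below is constructed and the domain names are hypothetical.

```powershell
# Added example, not from the thread. Turns trust objects (from Get-ADTrust or
# the constructed sample below) into explicit "trusting trusts trusted" rows.
# Direction on a trust object is relative to the domain that was queried
# ($Trust.Source): Outbound = Source trusts Target, Inbound = Target trusts Source.
function ConvertTo-TrustRow {
    param([Parameter(Mandatory, ValueFromPipeline)]$Trust)
    process {
        $dir  = "$($Trust.Direction)"
        $type = "$($Trust.TrustType)"      # Downlevel = NT4-style external trust
        # SIDFilteringQuarantined lives on the queried domain's trust object and
        # governs which SIDs that domain accepts from the target. It is therefore
        # only meaningful for the row in which the queried domain is the
        # trusting side; without it the trusted domain can present any SID
        # (e.g. a Domain Admins SID of the trusting domain) via SIDHistory.
        if ($dir -in 'Outbound', 'BiDirectional') {
            $filter = if ($Trust.SIDFilteringQuarantined) { 'on' } else { 'OFF (netdom trust ... /quarantine:yes)' }
            [pscustomobject]@{
                Trusting  = $Trust.Source          # resource side ("thING")
                Trusted   = $Trust.Target          # account side ("ED")
                Reads     = "$($Trust.Source) trusts $($Trust.Target)"
                Type      = $type
                SidFilter = $filter
            }
        }
        if ($dir -in 'Inbound', 'BiDirectional') {
            [pscustomobject]@{
                Trusting  = $Trust.Target
                Trusted   = $Trust.Source
                Reads     = "$($Trust.Target) trusts $($Trust.Source)"
                Type      = $type
                SidFilter = "query $($Trust.Target) to see"
            }
        }
    }
}

# Constructed sample: the one-way trust discussed above, seen from the AD side.
# Larry's answer (NT4 trusted, AD trusting) shows up as Direction = Outbound.
$sample = [pscustomobject]@{
    Source = 'ad.corp.example'; Target = 'NT4DOM'
    Direction = 'Outbound'; TrustType = 'Downlevel'; SIDFilteringQuarantined = $false
}
$sample | ConvertTo-TrustRow | Format-Table -AutoSize

# Live: Import-Module ActiveDirectory; Get-ADTrust -Filter * | ConvertTo-TrustRow
```

For the sample the single row reads "ad.corp.example trusts NT4DOM", i.e. ad.corp.example is trusting and NT4DOM is trusted, which is what puts NT4DOM in the logon drop-down on AD-joined machines. The SidFilter column is the caveat to carry along with any external trust: the trusting side is the one exposed, so it is the trusting side that must have quarantine turned on.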
[ActiveDir] In search for duplicate accounts
Greetings gurus,

Does anyone know of a tool or script that will search the FOREST for duplicate W2k ACCOUNTS? We have a forest with about 45 W2K domains... and duplicates are becoming a problem. Has anyone ever tried to search for duplicates at the forest level rather than the domain level? Any tricks for what I want to accomplish?

Thanks in advance,
JCS
RE: [ActiveDir] Moving Roaming profiles
I'm in the process of drawing a DFS tree for just that reason: eliminate the server name dependencies for shares. The only thing I see myself replicating is a small set of apps that are installed via GPO.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Roaming profiles

It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles.
[...]
RE: [ActiveDir] Moving Roaming profiles
I thought about using DFS for my apps installed by GPO, also. But I have almost a Gig of applications and I was under the impression that DFS did not replicate large amounts of data very well, even if it doesn't change often?

jb

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, June 03, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Roaming profiles

I'm in the process of drawing a DFS tree for just that reason: eliminate the server name dependencies for shares. The only thing I see myself replicating is a small set of apps that are installed via GPO.
[...]
RE: [ActiveDir] Moving Roaming profiles
I heard that you can copy the bulk over, i.e. CD or something, and the replication will work it out. Anyone know if this is true?

-----Original Message-----
From: Jason Benway [mailto:[EMAIL PROTECTED]
Sent: 03 June 2004 16:22
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Roaming profiles

I thought about using DFS for my apps installed by GPO, also. But I have almost a Gig of applications and I was under the impression that DFS did not replicate large amounts of data very well, even if it doesn't change often?
[...]
Re: [ActiveDir] In search for duplicate accounts
You will need to know what values you are trying to find. For example, people with duplicate surnames and givenNames, or duplicate sAMAccountNames, in a forest can be determined by using ldifde. The syntax can be a little tricky to the uninitiated, but it is similar to ldapsearch in the Unix world.

For example, if you know the name of the user Foo Bar, with givenName Foo and surname Bar, and you wanted to search the forest for all users with that surname and givenName combination and have the output directed to your console window, then you would issue the command:

ldifde -f con -r "(&(objectCategory=person)(sn=Bar)(givenName=Foo))" -t 3268 -d "dc=forest,dc=corp" -l sn,givenName

Let's step through the syntax.

ldifde = c:\windows\system32\ldifde.exe; if this executable isn't on your workstation, you should be able to get it off of your Win2k DC.

-f con = the -f switch specifies the output file of the command, and con is the console. So in essence you will be issuing the ldifde command and directing the output back to your cmd window. You could also specify a filename if you wanted to dump it into a text file.

-r = the -r switch indicates the search filter; here you specify the key=value pairs to search for in the directory. You can & the values, meaning that you can search for (key=value) and (differentkey=differentvalue). You can | the values, meaning you can search for (key=value) or (differentkey=differentValue). You can also ! the values, meaning that you search for (key=value) but not (differentKey=differentValue). Search filtering is an art as much as a science, and several on this list can provide a great deal of input on using efficient filters if you are looking to retrieve specific entries.

-t 3268 = specifies the port number to contact; because you want to specify all users in the forest it is best to contact your global catalog.

-d = the search base; again, if you want to search for all users in the forest you will need to specify the root DC entry of the forest.

-l = the -l switch limits the output returned; without limiting the output of each entry you might return a lot of information that would be useless. For example, if you are looking for duplicate surname and givenName combinations, then you probably wouldn't want to return the exchangeMTA.

You can get more help by typing ldifde /?

I use it quite often to track down duplicates with great success... Hope it works for you.

Brent

From: Sanz de León, Juan Carlos [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 3 Jun 2004 16:50:17 +0200
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: [ActiveDir] In search for duplicate accounts

Greetings gurus,

Does anyone know of a tool or script that will search the FOREST for duplicate W2k ACCOUNTS? We have a forest with about 45 W2K domains... and duplicates are becoming a problem. Has anyone ever tried to search for duplicates at the forest level rather than the domain level? Any tricks for what I want to accomplish?

Thanks in advance,
JCS
Re: [ActiveDir] Moving Roaming profiles
I am not 100% sure, but I think what you are talking about is what MS calls Pre-staging, see this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;266679&Product=win2000 Robert Toole Systems Engineer KN Logistics / Calgary robert(dot)toole(at)kuehne-nagel(dot)com Rutherford, Robert wrote: I heard that you can copy the bulk over, i.e. CD or something and the replication will work it out. Anyone know if this is true? -Original Message- From: Jason Benway [mailto:[EMAIL PROTECTED] Sent: 03 June 2004 16:22 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Moving Roaming profiles I thought about using DFS for my apps installed by GPO, also. But I have almost a Gig of applications and I was under the impression that DFS did not replicate large amounts of data very well, even if it doesn't change often? jb -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, June 03, 2004 11:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Moving Roaming profiles I'm in the process of drawing a DFS tree for just that reason - eliminate the server name dependencies for shares. The only thing I see myself replicating is a small set of apps that are installed via GPO. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Ayers, Diane [mailto:[EMAIL PROTECTED] Sent: Thursday, June 03, 2004 10:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Moving Roaming profiles It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles. If you used a DFS root to designate your storage location and you needed to migrate/replace this location, you could update the DFS root without having to modify any user attributes. Basically make the management of the profile data a backroom thing. Using FRS would make the whole setup somewhat ugly.
Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Wednesday, June 02, 2004 9:15 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Moving Roaming profiles It is indeed NOT a good thing. I would not do this. FRS is not meant to replicate this type of dynamic data (profiles) you may experience data loss or perhaps FRS breakdowns (depending on size, number of files, and amount of change per file). Clarification on the data loss - this would not be due to FRS or 'corrupt' files, but rather the natural way FRS works - which is on a last writer wins basis. my .02 -steve - Original Message - From: Malachi Burke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 8:16 PM Subject: [ActiveDir] Moving Roaming profiles I want to move roaming profiles from our regular share into a DFS folder. The setup is straightforward. Two DC's, DFS replicate to each other, highly available roaming profiles. A sanity check that this is indeed a good thing would be nice. I am also a bit concerned about DFS because the documentation is so verbose (i.e. makes my brain hurt figuring it all out). Scenario: DC1 and DC2 both are hosting DFS root \\testroot\root. They are hosting their own corresponding file shares (say \\DC1\root and \\DC2\root). Am I right in expecting that EITHER DC1 or DC2 can go offline, and \\testroot\root will still be available? Lastly, moving the profiles looks like you have to muck with ownership and permissions. I was able to brute-force move one this way (by forcefully claiming ownership and subsequent permission of the entire profile tree), but a more graceful method would be appreciated. 
Malachi
RE: [ActiveDir] Moving Roaming profiles
I think there's a continuum between data size and the rate of change of that data. The lower the rate of change, the more data it can handle. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Jason Benway [mailto:[EMAIL PROTECTED] Sent: Thursday, June 03, 2004 11:22 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Moving Roaming profiles I thought about using DFS for my apps installed by GPO, also. But I have almost a Gig of applications and I was under the impression that DFS did not replicate large amounts of data very well, even if it doesn't change often? jb -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, June 03, 2004 11:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Moving Roaming profiles I'm in the process of drawing a DFS tree for just that reason - eliminate the server name dependencies for shares. The only thing I see myself replicating is a small set of apps that are installed via GPO. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Ayers, Diane [mailto:[EMAIL PROTECTED] Sent: Thursday, June 03, 2004 10:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Moving Roaming profiles It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles. If you used a DFS root to designate your storage location and you needed to migrate/replace this location, you could update the DFS root without having to modify any user attributes. Basically make the management of the profile data a backroom thing. Using FRS would make the whole setup somewhat ugly. Diane -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Wednesday, June 02, 2004 9:15 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Moving Roaming profiles It is indeed NOT a good thing. I would not do this. 
FRS is not meant to replicate this type of dynamic data (profiles) you may experience data loss or perhaps FRS breakdowns (depending on size, number of files, and amount of change per file). Clarification on the data loss - this would not be due to FRS or 'corrupt' files, but rather the natural way FRS works - which is on a last writer wins basis. my .02 -steve - Original Message - From: Malachi Burke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, June 02, 2004 8:16 PM Subject: [ActiveDir] Moving Roaming profiles I want to move roaming profiles from our regular share into a DFS folder. The setup is straightforward. Two DC's, DFS replicate to each other, highly available roaming profiles. A sanity check that this is indeed a good thing would be nice. I am also a bit concerned about DFS because the documentation is so verbose (i.e. makes my brain hurt figuring it all out). Scenario: DC1 and DC2 both are hosting DFS root \\testroot\root. They are hosting their own corresponding file shares (say \\DC1\root and \\DC2\root). Am I right in expecting that EITHER DC1 or DC2 can go offline, and \\testroot\root will still be available? Lastly, moving the profiles looks like you have to muck with ownership and permissions. I was able to brute-force move one this way (by forcefully claiming ownership and subsequent permission of the entire profile tree), but a more graceful method would be appreciated. 
Malachi
[ActiveDir] adding PCs
Folks, have you removed the default ability that allows users on your domains to add up to 10 PCs to your domains? If so, did you remove the ability completely or just limit to a lower number? Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] adding PCs
Yes, (removed the ability completely) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, June 03, 2004 11:13 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] adding PCs Folks, have you removed the default ability that allows users on your domains to add up to 10 PCs to your domains? If so, did you remove the ability completely or just limit to a lower number? Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
[ActiveDir] Replication Monitor error
I am getting an error when trying to add a "monitored Server" to Active Directory Replication Monitor.
AD config:
Empty ROOT with 2 DC's
Production domain with 3 DC's
Currently all DCs are in the same site.
I installed a new DC in a new site in the production domain. I can monitor the new server from replication monitor on any other DC in the production domain. When I try to monitor the server in replication monitor from a DC in the root domain I get the following error:
"The Server could not be contacted or you had insufficient permissions to read the status of the server."
I can monitor any other production domain DC with replication monitor from the root DC's.
From the root DC's I can ping the new DC by name.
nslookup resolves the new DC name.
All replication appears to function correctly. Any insight would be appreciated.
RE: [ActiveDir] adding PCs
We removed it completely also..
From: Free, Bob [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/03/2004 01:51 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] adding PCs
Yes, (removed the ability completely)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, June 03, 2004 11:13 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] adding PCs
Folks, have you removed the default ability that allows users on your domains to add up to 10 PCs to your domains? If so, did you remove the ability completely or just limit to a lower number? Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] PTR records - why?
Reverse lookups are sometimes performed in an attempt to minimize spoofing also. Reverse lookup can be very useful and/or necessary. -Original Message- From: Steve Rochford [mailto:[EMAIL PROTECTED] Behalf Of Steve Rochford Sent: Thursday, June 03, 2004 3:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] PTR records - why? If you ever need to connect to a Unix machine then it will try to do a reverse look up which needs the PTR records. Steve -Original Message- From: Rutherford, Robert [EMAIL PROTECTED] Sent: 01/06/04 09:50:48 To: [EMAIL PROTECTED] [EMAIL PROTECTED] Subject: RE: [ActiveDir] PTR records - why? You don't specifically need pointers...as far as I can remember it is just good practice. I do find it useful from an admin perspective at times, i.e. resolving an IP back to an IP in a troubleshooting scenario (at times). You aren't going to lose anything by creating them. Rob -Original Message- From: Jan Wilson [mailto:[EMAIL PROTECTED] Sent: 30 May 2004 02:22 To: [EMAIL PROTECTED] Subject: [ActiveDir] PTR records - why? We have a Windows 2000 forest with multiple child domains. No web servers. No remote hosted mail servers. No external access. (That I know about at least!) Our DNS is integrated to active directory. Fellow administrators are adamant we should create reverse lookup zones for all our subnets. This would assist name resolution for our NT4 workstations they claim. Stuff and nonsense I claim. Is there any reason to use PTR records on an AD domain? Thanks!
RE: [ActiveDir] In search for duplícate accounts
Wow!! Thanks very much for your help Brent. After your response, some comments that come to mind... maybe you or other LDIFDE experts out there could give me some experiences.. How could I have LDIFDE OUTPUT the (for example, sAMAccountName, givenName) and then use it as INPUT into the search you commented below in another LDIFDE command, in the form of a LOOP, such that the process would be as follows: a) Output the sAMAccountName, Surname, givenName to console or text file.. -- b) and next have LDIFDE input that information and search the GC (3268) for a duplicate in a loop until all users in the forest have been processed. This would run in a "for loop" until all users in the forest have been completed (the results would then go to a text file). I know how to export attribute information from Active Directory using LDIFDE (part a)... what I don't know is how to make it read it in a LOOP until EOF and have it as INPUT into another LDIFDE search. Or something like that... Any ideas from anyone out there would be greatly appreciated. Juan Carlos
-Original Message- From: Brent Westmoreland [mailto:[EMAIL PROTECTED] Sent: Thursday, 03 June 2004 17:31 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] In search for duplícate accounts
You will need to know what values you are trying to find. For example, people with duplicate surnames and givenNames or duplicate sAMAccountNames in a forest can be determined by using ldifde. The syntax can be a little tricky to the uninitiated but it is similar to ldapsearch in the unix world. For example, if you know the name of the user Foo Bar with givenName Foo and surname Bar and you wanted to search the forest for all users with that surname and givenName combination and have the output directed to your console window, then you would issue the command:
Ldifde -f con -r "(&(objectCategory=person)(surname=Bar)(givenName=Foo))" -t 3268 -d "dc=forest,dc=corp" -l "surname, givenName"
Let's step through the syntax:
Ldifde = c:\windows\system32\ldifde.exe; if this executable isn't on your workstation, you should be able to get it off of your win2k DC.
-f con = the -f switch specifies the output file of the command and con is console. So in essence you will be issuing the ldifde command and directing the output back to your cmd window. You could also specify a filename if you wanted to dump it into a text file.
-r = The -r switch indicates the search filter, here you specify the key=value pairs to search for in the directory. You can & the values; meaning that you can search for (key=value) and (differentkey=differentvalue). You can | the values meaning you can search for (key=value) or (differentkey=differentValue). You can also ! the values meaning that you search for (key=value) but not (differentKey=differentValue). Search filtering is an art as much as a science and several on this list can provide a great deal of input on using efficient filters if you are looking to retrieve specific entries.
-t = 3268 specifies the port number to contact, because you want to specify all users in the forest it is best to contact your global catalog.
-d = The searchbase, again if you want to search for all users in the forest you will need to specify the root DC entry of the forest.
-l = the -l switch limits the output returned, without limiting the output of each entry you might return a lot of information that would be useless. For example if you are looking for duplicate surname and givenName combinations, then you probably wouldn't want to return the exchangeMTA.
You can get more help by typing ldifde /?
I use it quite often to track down duplicates with great success... Hope it works for you. Brent
From: "Sanz de León, Juan Carlos" [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 3 Jun 2004 16:50:17 +0200 To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED] Subject: [ActiveDir] In search for duplícate accounts
Greetings gurus, Does anyone know of a tool or script that will search the FOREST for duplicate W2k ACCOUNTS? We have a forest with about 45 W2K domains... And duplicates are becoming a problem. Has anyone ever tried to search for duplicates at the forest level rather than domain level? Any tricks for what I want to accomplish? Thanks in advance, JCS
Sent using the Microsoft Entourage 2004 for Mac Test Drive.
RE: [ActiveDir] adding PCs
Here too
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, June 03, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] adding PCs
We removed it completely also..
From: Free, Bob [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/03/2004 01:51 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] adding PCs
Yes, (removed the ability completely)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, June 03, 2004 11:13 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] adding PCs
Folks, have you removed the default ability that allows users on your domains to add up to 10 PCs to your domains? If so, did you remove the ability completely or just limit to a lower number? Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] adding PCs
We removed it completely as well and created a role based on a group that could do it. The right to add computers is by default granted to Authenticated Users, not just Domain Users. The surprise that led us to this was a user from a trusted NT4 domain who used their NT4 account to inadvertently add a Mac OS X machine to our empty forest root. It reported itself to AD as a Win2K SP2 machine as well, causing a bit more fun and excitement.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Thursday, June 3, 2004 2:13 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] adding PCs
Folks, have you removed the default ability that allows users on your domains to add up to 10 PCs to your domains? If so, did you remove the ability completely or just limit to a lower number? Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do
RE: [ActiveDir] AD Account question
Open ADUC, open the user properties, click account, click log on to, and select the workstation you want the user to log onto. ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, June 03, 2004 1:11 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AD Account question I wanted to create an account where it will only let you log into 1 computer only and no others. Is there a way to do this? I know in Netware you could do it off of a MAC address. Thanks again Ryan McDonald Systems Administrator
[ActiveDir] Factory monitoring pcs - preventing Account lockout
I have a problem that I'm sure the brainpower on this list can help with. We're about to refresh the hardware and upgrade from win2k to XP using an automated build process. Vendor will swap out hardware, RIS a new image down, and SMS will take over to install all the applications needed. These PCs auto login with a userid and launch a factory-floor monitoring application. We have several factories to deal with, and currently we maintain hundreds of ids to provide this functionality. By having all these accounts we limit the risk of an account being locked out (has happened before) and preventing crucial monitoring stations from working. The applications are read-only to network resources and are in a very locked down environment. The PCs reside on a Win2k SP4 domain, and the current domain policy locks after x attempts, and resets after xxx minutes. What we would like to do is use two accounts at each factory, but to prevent locking all the PCs at each location, we would need to relax the domain policy of lockouts after xx attempts. Having a smaller number of accounts to manage makes the deployment system much simpler to accomplish. Is this in the realm of possibility without needing to purchase new hardware (for example, to create a child domain)? I'm sure these questions may spark some concerns - and I'm interested in this feedback as well. Thanks all! Rob Presson
RE: [ActiveDir] AD Account question
Yep. In ADUC go to your User Account/Properties...Account tab..."Log On To" button...add computer name. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, June 03, 2004 3:11 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AD Account question I wanted to create an account where it will only let you log into 1 computer only and no others. Is there a way to do this? I know in Netware you could do it off of a MAC address. Thanks again Ryan McDonald Systems Administrator
RE: [ActiveDir] In search for duplícate accounts
My initial thoughts on this are this: 1) you could do that with a script pretty easily, but that method would be terribly inefficient and cause a lot of traffic (if I understand what you want to do correctly.) 2) a db would be a better suited tool for this task. Something like Access or SQL would be able to find dups based on whatever field you choose. You would just need to populate the db appropriately. Access even has the query built in. The advantage here is that you iterate all objects in the forest only once, vs. finding the objects one at a time. In your pseudo, you have it as "output all samaccountname, sn, and givenname(s) to a file. Iterate through the file searching on each one for all occurrences and return those to a file". With that, you'd have a LOT of little files all over the place. With a DB, you could have the data local and hack and splice until you find the dups pretty easily. I think changing to csvde vs. ldifde would be easier to import into a db. It is for me. My $0.02 (USD) anyway. Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of "Sanz de León, Juan Carlos" Sent: Thursday, June 03, 2004 3:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] In search for duplícate accounts
Wow!! Thanks very much for your help Brent. After your response, some comments that come to mind... maybe you or other LDIFDE experts out there could give me some experiences.. How could I have LDIFDE OUTPUT the (for example, sAMAccountName, givenName) and then use it as INPUT into the search you commented below in another LDIFDE command, in the form of a LOOP, such that the process would be as follows: a) Output the sAMAccountName, Surname, givenName to console or text file.. -- b) and next have LDIFDE input that information and search the GC (3268) for a duplicate in a loop until all users in the forest have been processed. This would run in a "for loop" until all users in the forest have been completed (the results would then go to a text file). I know how to export attribute information from Active Directory using LDIFDE (part a)... what I don't know is how to make it read it in a LOOP until EOF and have it as INPUT into another LDIFDE search. Or something like that... Any ideas from anyone out there would be greatly appreciated. Juan Carlos
-Original Message- From: Brent Westmoreland [mailto:[EMAIL PROTECTED] Sent: Thursday, 03 June 2004 17:31 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] In search for duplícate accounts
You will need to know what values you are trying to find. For example, people with duplicate surnames and givenNames or duplicate sAMAccountNames in a forest can be determined by using ldifde. The syntax can be a little tricky to the uninitiated but it is similar to ldapsearch in the unix world. For example, if you know the name of the user Foo Bar with givenName Foo and surname Bar and you wanted to search the forest for all users with that surname and givenName combination and have the output directed to your console window, then you would issue the command:
Ldifde -f con -r "(&(objectCategory=person)(surname=Bar)(givenName=Foo))" -t 3268 -d "dc=forest,dc=corp" -l "surname, givenName"
Let's step through the syntax:
Ldifde = c:\windows\system32\ldifde.exe; if this executable isn't on your workstation, you should be able to get it off of your win2k DC.
-f con = the -f switch specifies the output file of the command and con is console. So in essence you will be issuing the ldifde command and directing the output back to your cmd window. You could also specify a filename if you wanted to dump it into a text file.
-r = The -r switch indicates the search filter, here you specify the key=value pairs to search for in the directory. You can & the values; meaning that you can search for (key=value) and (differentkey=differentvalue). You can | the values meaning you can search for (key=value) or (differentkey=differentValue). You can also ! the values meaning that you search for (key=value) but not (differentKey=differentValue). Search filtering is an art as much as a science and several on this list can provide a great deal of input on using efficient filters if you are looking to retrieve specific entries.
-t = 3268 specifies the port number to contact, because you want to specify all users in the forest it is best to contact your global catalog.
-d = The searchbase, again if you want to search for all users in the forest you will need to specify the root DC entry of the forest.
-l = the -l switch limits the output returned, without limiting the output of each entry you might return a lot of information that would be useless. For example if you are looking for duplicate surname and givenName combinations, then you probably wouldn't want to return the
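Brent's ldifde query finds one known name at a time, Juan Carlos asks how to loop that over every user, and Al points out that one pass over a single export is cheaper than re-querying the GC per user. The script below is an added example (not code from anyone in the thread) that does that one pass in Python: it parses the LDIF an ldifde GC export produces (including folded continuation lines and base64 "attr::" values) and reports sAMAccountNames and surname/givenName pairs that occur more than once across domains. The LDIF sample, DNs and names are constructed.

```python
"""Find duplicate accounts across a forest from one ldifde export (added example)."""
import base64
from collections import defaultdict

# Constructed sample of what a GC export would contain, e.g. from
#   ldifde -f dups.ldf -r "(objectCategory=person)" -t 3268 -d "dc=forest,dc=corp" -l "sAMAccountName,sn,givenName"
# Querying the global catalog (3268) returns users from every domain, so the
# file is read once instead of re-querying per user. DNs and names are made up.
SAMPLE_LDIF = """\
dn: CN=Foo Bar,OU=Users,DC=emea,DC=forest,DC=corp
changetype: add
sAMAccountName: fbar
sn: Bar
givenName: Foo

dn: CN=Foo Bar,OU=Staff,DC=amer,DC=forest,DC=corp
changetype: add
sAMAccountName: foo.bar
sn: Bar
givenName: Foo

# LDIF base64-encodes non-ASCII values ("attr:: value") and folds long
# values onto continuation lines that begin with a single space.
dn: CN=Jose Garcia,OU=Users,DC=apac,DC=forest,DC=corp
changetype: add
sAMAccountName: FBAR
sn:: R2FyY8OtYQ==
givenName: Jo
 se

dn: CN=Ann Lee,OU=Users,DC=apac,DC=forest,DC=corp
changetype: add
sAMAccountName: alee
sn: Lee
givenName: Ann
"""


def parse_ldif(text):
    """Return one dict per LDIF record; attribute names lower-cased, values as lists."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return records


def find_duplicates(records):
    """Group records by sAMAccountName and by (sn, givenName); keep groups larger than one.

    sAMAccountName is unique within a domain but not across the forest, and the
    comparison is case-insensitive because Windows logon names are.
    """
    by_sam, by_name = defaultdict(list), defaultdict(list)
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        for sam in rec.get("samaccountname", []):
            by_sam[sam.casefold()].append(dn)
        surnames = rec.get("sn") or rec.get("surname") or []   # ldifde writes "sn"
        for sn in surnames:
            for given in rec.get("givenname", []):
                by_name[(sn.casefold(), given.casefold())].append(dn)
    return {
        "samaccountname": {k: v for k, v in by_sam.items() if len(v) > 1},
        "name": {k: v for k, v in by_name.items() if len(v) > 1},
    }


if __name__ == "__main__":
    # For a real run: parse_ldif(open("dups.ldf", encoding=...).read())
    for kind, groups in find_duplicates(parse_ldif(SAMPLE_LDIF)).items():
        for key, dns in groups.items():
            print(f"duplicate {kind} {key!r} on {len(dns)} objects:")
            for dn in dns:
                print("   ", dn)
```

On the sample this reports "fbar" registered in both emea and apac and the name Foo Bar in both emea and amer, while the unique accounts are silent.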
RE: [ActiveDir] Factory monitoring pcs - preventing Account locko ut
Account lockout is a security measure intended to protect against brute force attacks. The fewer attempts allowed before lockout, the harder it is to actually brute force an account over the network. Too low, and you risk business interruption. Too high, and you increase your attack surface (marketecture phrases being used today :) Can you do it? Of course. Would it help? Probably. No guarantee but it increases your buffer. My thoughts are that if it's important enough to warrant special attention and changing the domain policies, then it's important enough to warrant its own domain for the factory floor. That would allow you to keep anyone from being able to muck with the accounts in any way (obviously admins from all domains could), and offers more protection for you. Also allows more flexibility for the account policies and insulation from the regular user domain outages and maintenance. al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Preston Sent: Thursday, June 03, 2004 4:18 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Factory monitoring pcs - preventing Account lockout
I have a problem that I'm sure the brainpower on this list can help with. We're about to refresh the hardware and upgrade from win2k to XP using an automated build process. Vendor will swap out hardware, RIS a new image down, and SMS will take over to install all the applications needed. These PCs auto login with a userid and launch a factory-floor monitoring application. We have several factories to deal with, and currently we maintain hundreds of ids to provide this functionality. By having all these accounts we limit the risk of an account being locked out (has happened before) and preventing crucial monitoring stations from working. The applications are read-only to network resources and are in a very locked down environment. The PCs reside on a Win2k SP4 domain, and the current domain policy locks after x attempts, and resets after xxx minutes. What we would like to do is use two accounts at each factory, but to prevent locking all the PCs at each location, we would need to relax the domain policy of lockouts after xx attempts. Having a smaller number of accounts to manage makes the deployment system much simpler to accomplish. Is this in the realm of possibility without needing to purchase new hardware (for example, to create a child domain)? I'm sure these questions may spark some concerns - and I'm interested in this feedback as well. Thanks all! Rob Presson
[ActiveDir] SRV Record registration by Non-DC's
We have seen a number of SRV record registrations for hosts for LDAP that aren't DCs. Has anyone experienced this before?

Thanks,
Todd
RE: [ActiveDir] SRV Record registration by Non-DC's
Yes... very occasionally... in the _msdcs\dc\_tcp zone. Have not been able to trace them down to a common issue/application/problem. One possible culprit was the Citrix Management Console on a couple of Citrix admin workstations. We end up looking at the DNS records every week and deleting the ones that shouldn't be there. We have even thought about scripting something to check for appropriate records. The idea of scripting some type of autocheck for proper SRV records was kicked around on the list recently.

-Stuart

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SRV Record registration by Non-DC's

We have seen a number of SRV record registrations for hosts for LDAP that aren't DC's. Has anyone experienced this before?

Thanks,
Todd
RE: [ActiveDir] SRV Record registration by Non-DC's
There was a recent XP bug in this area. See http://support.microsoft.com/?id=825675

-steve

---BeginMessage---
Yes... very occasionally... in the _msdcs\dc\_tcp zone. Have not been able to trace them down to a common issue/application/problem. One possible culprit was the Citrix Management Console on a couple of Citrix admin workstations. We end up looking at the DNS records every week and deleting the ones that shouldn't be there. We have even thought about scripting something to check for appropriate records. The idea of scripting some type of autocheck for proper SRV records was kicked around on the list recently.

-Stuart

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SRV Record registration by Non-DC's

We have seen a number of SRV record registrations for hosts for LDAP that aren't DC's. Has anyone experienced this before?

Thanks,
Todd
---End Message---
RE: [ActiveDir] SRV Record registration by Non-DC's
Yep, this is related to the installation of MS04-011 on XP clients - you shouldn't see this bug on other machines. I had mentioned it before when I reported a related issue, where MS04-011 causes Win2000 DCs to FAIL registration of certain SRV records. Have a look at http://support.microsoft.com/?id=841395 and http://support.microsoft.com/?id=825675

\Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Thursday, 3 June 2004 23:46
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] SRV Record registration by Non-DC's

Yes... very occasionally... in the _msdcs\dc\_tcp zone. Have not been able to trace them down to a common issue/application/problem. One possible culprit was the Citrix Management Console on a couple of Citrix admin workstations. We end up looking at the DNS records every week and deleting the ones that shouldn't be there. We have even thought about scripting something to check for appropriate records. The idea of scripting some type of autocheck for proper SRV records was kicked around on the list recently.

-Stuart

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SRV Record registration by Non-DC's

We have seen a number of SRV record registrations for hosts for LDAP that aren't DC's. Has anyone experienced this before?

Thanks,
Todd
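Stuart mentions scripting a check for the records that should not be under dc._msdcs. The following is an added example written for this page (not code from any poster or from Microsoft): it parses zone-file style SRV lines from a constructed dump, flags targets that are not in a known DC list, and also flags records whose port does not match the service the owner name advertises. The hostnames, the zone and the known-DC set are all made up for the example.

```python
import re
from typing import Dict, List, Set

# Hostnames of the legitimate domain controllers (constructed sample).
KNOWN_DCS: Set[str] = {"dc1.example.com", "dc2.example.com"}

# Constructed zone-file style dump of the _msdcs subzone (not real data from
# the list); the third and fifth lines are the kind of stray entries to catch.
SAMPLE_ZONE = """\
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 adminws01.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 3268 dc2.example.com.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Port each service prefix under dc._msdcs is expected to advertise.
EXPECTED_PORTS = {"_ldap._tcp": 389, "_kerberos._tcp": 88}


def parse_srv(zone_text: str) -> List[Dict]:
    """Parse zone-file SRV lines into dicts; anything that is not an SRV line is skipped."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["target"] = rec["target"].rstrip(".").lower()
            records.append(rec)
    return records


def find_stray_srv(zone_text: str, known_dcs: Set[str]) -> List[str]:
    """Flag SRV targets that are not known DCs and ports that do not match the owner service."""
    findings = []
    for rec in parse_srv(zone_text):
        prefix = ".".join(rec["name"].split(".")[:2])  # e.g. _ldap._tcp
        if rec["target"] not in known_dcs:
            findings.append(f"non-DC target {rec['target']} in {rec['name']}")
        expected = EXPECTED_PORTS.get(prefix)
        if expected is not None and rec["port"] != expected:
            findings.append(f"unexpected port {rec['port']} for {prefix} -> {rec['target']}")
    return findings
```

Running it weekly against a real zone export and diffing the findings against the previous run is the "autocheck" Stuart describes; the known-DC list should come from the directory itself, not be hand-maintained.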
RE: [ActiveDir] Moving Roaming profiles
It works on a fast link no problemo. Just jack the size of your staging directory up.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

-Original Message-
From: Jason Benway [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 10:22 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Roaming profiles

I thought about using DFS for my apps installed by GPO, also. But I have almost a Gig of applications and I was under the impression that DFS did not replicate large amounts of data very well, even if it doesn't change often?

jb

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, June 03, 2004 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Roaming profiles

I'm in the process of drawing a DFS tree for just that reason - eliminate the server name dependencies for shares. The only thing I see myself replicating is a small set of apps that are installed via GPO.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Ayers, Diane [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 10:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Roaming profiles

It seems that outside of the FRS / replication issues, using DFS would be a good way of virtualizing the storage location of the profiles. If you used a DFS root to designate your storage location and you needed to migrate/replace this location, you could update the DFS root without having to modify any user attributes. Basically make the management of the profile data a backroom thing. Using FRS would make the whole setup somewhat ugly.

Diane

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Wednesday, June 02, 2004 9:15 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Moving Roaming profiles

It is indeed NOT a good thing. I would not do this.

FRS is not meant to replicate this type of dynamic data (profiles); you may experience data loss or perhaps FRS breakdowns (depending on size, number of files, and amount of change per file). Clarification on the data loss - this would not be due to FRS or 'corrupt' files, but rather the natural way FRS works - which is on a last writer wins basis.

my .02

-steve

- Original Message -
From: Malachi Burke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 8:16 PM
Subject: [ActiveDir] Moving Roaming profiles

I want to move roaming profiles from our regular share into a DFS folder. The setup is straightforward. Two DC's, DFS replicate to each other, highly available roaming profiles. A sanity check that this is indeed a good thing would be nice. I am also a bit concerned about DFS because the documentation is so verbose (i.e. makes my brain hurt figuring it all out).

Scenario: DC1 and DC2 both are hosting DFS root \\testroot\root. They are hosting their own corresponding file shares (say \\DC1\root and \\DC2\root). Am I right in expecting that EITHER DC1 or DC2 can go offline, and \\testroot\root will still be available?

Lastly, moving the profiles looks like you have to muck with ownership and permissions. I was able to brute-force move one this way (by forcefully claiming ownership and subsequent permission of the entire profile tree), but a more graceful method would be appreciated.
Malachi

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] event logs
Hi, I'm one admin in charge of about 30 servers (AD, Exchange, SQL, etc). Does anyone know of a good cheap (free) way to monitor event logs without having to term or connect to each server? I was thinking of a Perl script, maybe via MS SQL or MySQL, to send event errors or warnings to a centralized DB or file. I find I spend about an hour or more of my morning monitoring and checking logs and I thought I'd use a PC to actually help me and do what it was meant to do - boring tedious tasks. How do you guys do it on this list?

Thanks
Re: [ActiveDir] event logs
http://www.microsoft.com/downloads/details.aspx?FamilyID=8cde4028-e247-45be-bab9-ac851fc166a4&DisplayLang=en
or
http://support.microsoft.com/default.aspx?scid=kb;en-us;824209&Product=winsvr2003

You may want to look at these..

-steve

- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 7:00 PM
Subject: [ActiveDir] event logs

Hi, I'm one admin in charge of about 30 servers (AD, Exchange, SQL, etc). Does anyone know of a good cheap (free) way to monitor event logs without having to term or connect to each server? I was thinking of a Perl script, maybe via MS SQL or MySQL, to send event errors or warnings to a centralized DB or file. I find I spend about an hour or more of my morning monitoring and checking logs and I thought I'd use a PC to actually help me and do what it was meant to do - boring tedious tasks. How do you guys do it on this list?

Thanks
[ActiveDir] Anybody have experience putting an Apple XServe in a Win2K3 domain?
We have an issue with getting one of these puppies to live in a Win2k3 domain. We can see the Xserve from a win2k3 box, but it's just coming up in its own workgroup, and I can't set ACLs for domain accts on directories I create on it. I only can set ACLs for the local accts on the XServe. The UI for managing the XServe is not exactly obvious when it comes to directory integration. We've tried configuring the Active Directory section in the Server Admin tool, and put in the forest and domain DNS names and all that, but it wouldn't attach to the domain. Can anybody give me a quick hand with this? I'd appreciate it! Thanks!

Kirk

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
Kirk Marple
CTO/VP of Engineering
Agnostic Media, Inc.
w: www.agnostic-media.com
You can get my Digital ID here: https://digitalid.verisign.com/services/client/index.html
RE: [ActiveDir] event logs
I struggled with this dilemma for a long time. I tried numerous event log monitoring tools and didn't really like any of them. I've come up with this solution. I run about 35 servers. Every morning, I execute a batch file that connects to the server and runs dumpevt (http://www.somarsoft.com/somarsoft_main.htm) against each server. (Install documentation is included)

Here's an example of the syntax in the batch file:

dumpevt /computer=ServerName /logfile=sec /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt
dumpevt /computer=ServerName /logfile=app /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt
dumpevt /computer=ServerName /logfile=sys /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt
dumpevt /computer=ServerName /logfile=dns /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt
dumpevt /computer=ServerName /logfile=dir /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt
dumpevt /computer=ServerName /logfile=rp /outdir=c:\dumpevt\ServerName c:\dumpevt\errors.txt

Replace ServerName with the name of the server you want to check. That creates a set of files with a .tmp extension that correlate to each log on each server. I then use Windows Grep (http://www.wingrep.com) to parse the .tmp files. I set up three filters to search for error, warning, or failure. That gives me a display that shows the matching strings for each server. What's really cool about Dumpevt is that it keeps an Access DB of what it has checked before, so each time you run it, it starts where it left off the last time.

So every morning at about 6, I run the batch file. It takes about 10 minutes to run from my workstation across my VPN connection (I work from home in the AM). Once done, I fire up Windows Grep and execute my saved search strings. It takes about 10 seconds to parse all the files, and then it takes me about 10 minutes to read through all the found events. What I like about this is that I see a lot of the same events over and over. Many of them are noise, but when I see something out of the ordinary, it stands out like a sore thumb. For my size organization, it was the most elegant solution I could find. Let me know if you need more info...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] event logs

Hi, I'm one admin in charge of about 30 servers (AD, Exchange, SQL, etc). Does anyone know of a good cheap (free) way to monitor event logs without having to term or connect to each server? I was thinking of a Perl script, maybe via MS SQL or MySQL, to send event errors or warnings to a centralized DB or file. I find I spend about an hour or more of my morning monitoring and checking logs and I thought I'd use a PC to actually help me and do what it was meant to do - boring tedious tasks. How do you guys do it on this list?

Thanks
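Charlie's workflow (dump every server's logs, filter for error/warning/failure, and let the repeat offenders fade into the background) is what Tom's question above is asking for. The following is an added Python example written for this page, not code from either poster or from dumpevt: it reads a constructed CSV export of events (this is NOT dumpevt's real output format), keeps only the interesting types, counts them per (server, source, event id), and separates events that are not in a known-noise baseline so they stand out first. All servers, events and the baseline are made up for the example.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed CSV export of events (server,log,type,source,event_id,message).
# This is NOT dumpevt's real output format; the rows are made up for the example.
SAMPLE_EVENTS = """\
server,log,type,source,event_id,message
DC1,sys,Information,Service Control Manager,7036,The DNS Server service entered the running state.
DC1,sec,Failure Audit,Security,529,Logon Failure: Unknown user name or bad password.
DC1,sec,Failure Audit,Security,529,Logon Failure: Unknown user name or bad password.
DC2,app,Error,Userenv,1030,Windows cannot query for the list of Group Policy objects.
DC2,dir,Warning,NTDS Replication,1864,This directory server has not recently received replication information.
EXCH1,app,Error,MSExchangeIS,9518,Error starting Storage Group on the Microsoft Exchange Information Store.
"""

# The event types worth a human's attention (what the three grep filters select).
INTERESTING = {"Error", "Warning", "Failure Audit"}

Key = Tuple[str, str, str]  # (server, source, event_id)

# Known-noise baseline, constructed for the example; in practice it grows as
# you triage and decide which repeat offenders can be ignored.
BASELINE: Set[Key] = {("DC1", "Security", "529"), ("DC2", "Userenv", "1030")}


def triage(csv_text: str, baseline: Set[Key]) -> Dict[str, List[Tuple[Key, int]]]:
    """Count interesting events per (server, source, event_id) and split them
    into 'new' (not in the baseline) and 'known', most frequent first."""
    counts: Counter = Counter()
    for row in csv.DictReader(StringIO(csv_text)):
        if row["type"] in INTERESTING:
            counts[(row["server"], row["source"], row["event_id"])] += 1
    buckets: Dict[str, List[Tuple[Key, int]]] = {"new": [], "known": []}
    for key, n in counts.most_common():
        buckets["known" if key in baseline else "new"].append((key, n))
    return buckets


def report(buckets: Dict[str, List[Tuple[Key, int]]]) -> str:
    """Render the 'new' events first so they stand out, then the known noise."""
    lines = []
    for label in ("new", "known"):
        for (server, source, event_id), n in buckets[label]:
            lines.append(f"{label.upper():5} {server:6} {source:22} {event_id:>5} x{n}")
    return "\n".join(lines)
```

The baseline is the part that saves the morning: a 529 burst on a DC is still worth a glance for its count, but a source/event pair never seen before is what should be read first.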