RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Aramide Adebanjo
Hi guys,

I have resolved the issue. It could have been worse, however, but the
group deleted was a distribution group. The painful fact was that it
was one that had 700 member users and I did not know how I could
repopulate that fast. However I had done a csvde export just the day
before and I ran a query to get all users with the required attribute.
Simply put, I recreated the distribution group again. I just pasted all
the members into a text file with all usernames separated by a semicolon
and then pasted them all into the new group. The names were all
resolved.

My fear is this: what if it was a user or a security group that was
mistakenly deleted? Microsoft should have a solution that enables you to
undelete, like a Ctrl-Z. Mistakes can be made by anyone, a mouse slip
etc. No one is perfect.

Thx all...

A restore is one option I don't ever want to take in a production
environment!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Heh, I actually typoed that response. It should have been

 If you had K3 you would have at
 least 2 options, one painful, one really painful. Here you only have 
 the really painful answer.


The really painful answer is obviously recovery from a backup. I have
never really done this in production and I have no intention of ever
doing it. It scares me. If something was deleted, I have faith that the
person who deleted something is someone who could be trusted to have
made that decision. If they made a bad decision, the trust was
misplaced. This is yet another reason to not let people have native
rights in the directory like that.

The painful answer is to recover the object from the deleted objects
container. Depending on the type of object and the schema mods made you
will have various levels of frustration with this because not
everything comes back the way you want. By default, very little comes
back. However, I much prefer this solution to recovering from backup.
This is something I would actually do.

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Wednesday, February 16, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required

Joe,

Out of curiosity, what do you define as the painful versus really
painful option in 2K3?  Now I'm curious.  :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aramide 
 Adebanjo
 Sent: Wednesday, February 16, 2005 1:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] HELP!!! Undelete required
 
 Ah
 
 I need a miracle.a technical miracle.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Wednesday, February 16, 2005 7:36 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] HELP!!! Undelete required
 
 
 You aren't going to like the answer... If you had K3 you would have at
 least 2 options, one painful, one really painful. Here you only have
 the painful answer.
 
 
joe
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Aramide 
 Adebanjo
 Sent: Wednesday, February 16, 2005 1:27 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] HELP!!! Undelete required
 
 Hi guys,
 
 What is the fastest way of recovering a group object  deleted in AD 
 2000?? The changes have been replicated to all other DCs
 
 I want something precise, nothing fanciful, something tested and 
 proved working...pls don't let it involve restoring from system state 
 backups, that's an option I don't want to follow...
 
 There should be a way..
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ruston, Neil
Have you considered a 3rd party tool which offers object level restores? There
is no rule that states that MS must provide all the functionality that we
require, after all :)

Have you considered delayed replication sites, which only receive changes on
an infrequent basis? DCs in these sites can then be used to auth restore the
deleted object and thus re-animate it back into the environment, before they
have received the deletion event.

Of course, your most proactive measure is to ensure that only a minimal number
of admins have the ability to delete objects. The removal of a group or OU can
be catastrophic and should be mitigated against proactively.

HTH,
neil


RE: [ActiveDir] Few quick ones on password polices

2005-02-17 Thread Tim Sutton



cheers for the answers, boys and girls.

strictly speaking, I didn't need to deny the users the
ability to change their password but did it anyway. mostly so they wouldn't
complain that they'd just changed their password during the implementation
period.

I did miss blocking the inheritance for the OUs I wasn't 
rolling out to immediately though. bit of a boo-boo on my behalf, but nothing 
major kicked off. well, other than their machines locking after 20 mins of 
inactivity.

Tim Sutton
For Troup Bywaters + Anders
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com
Eastgate House, 10 Eastgate, Leeds LS2 7JL



From: joe [mailto:[EMAIL PROTECTED]
Sent: 17 February 2005 03:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

This would put the domain into an entirely inconsistent 
state. 

I have helped companies get out of similar predicaments that they got
into accidentally like this, due to poor FRS replication. Basically what
happens is that the changes get applied locally, replicate out through
the domain partition, get stomped on by some other DC somewhere else
which replicates back out. If you had different policies on several DCs
you would be entirely in flux and could never guarantee where you would
be in terms of settings as it would depend on which DC you last
replicated in changes from and whether or not the local policy had
recently reapplied.

I have seen this for password policies, lockout policies, and restricted
groups (this is a hoot if the group is admins or domain admins because
you have to time your logon at a point when you have rights). Basically
anything that replicates in the directory as well as through FRS.

This is fairly easy to catch by looking at version numbers on the domain
NC attributes; when you see something that is in the hundreds, you may
have an issue. Alternatively have a script that watches for changes and
you will keep seeing the domain NC popping up as changing.

 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 16, 2005 7:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

Actually, this isn't entirely true. A little testing on Win2K3 shows the
following:

If I have domain account policy defined, say, on the Default Domain
Policy, and I set block inheritance on the Domain Controllers OU, then
any changes to the domain account policy on that domain-linked GPO will
be ignored by DCs located in the DC OU. You can see this by looking at
the effective account policy on a given DC by firing up the local GPO
editor (gpedit.msc). If you look at account policy on the local GPO of a
DC, it shows the current effective policy as delivered by any domain
linked GPOs. If you try to change it from the local GPO, you'll notice
it's grayed out and can't be changed. Interestingly, if you set Block
Inheritance on the DC OU, not only are changes to domain account policy
from that domain-linked GPO ignored, but you can now change the local
account policy on a given DC from the local GPO editor. Obviously that
isn't too desirable since this would imply to me that you could have a
different account policy on each DC. Yuck. It's unclear to me whether AD
has any kind of mechanism to prevent this, but I am currently doubting
it until I test some more. So bottom line is don't put Block Inheritance
on the DC OU or, better yet, always set the GPO where you define domain
account policy to Enforced.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Few quick ones on password polices

1. Correct

2. Yes and no. Account policies as applied onto domain 
users can't be blocked. However you can block those policies from being applied 
to the local policies of member machines. 

I don't think you need to set "user can not change 
password", if the person doesn't want their password changed, setting that only 
prevents them from doing it. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Wednesday, February 16, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Few quick ones on password polices

Hey all!

Can you do me a quick favour and just confirm that I'm not going mad by
agreeing (or not, if I'm wrong) with these:

1) you can only apply password policies (account policies to be exact,
but this is a bone of contention here at the moment) at the domain
level. i.e.: if the domain is abc.com you have to apply it at that
level, not below.

2) account policies cannot be blocked by using the "block inheritance"
option? Not too sure on this one, so could do with it clearing up. As a
fail safe

[ActiveDir] DC or not DC

2005-02-17 Thread Alberto Boczar
However MS does support DCs on Virtual Server if the guidelines in this
whitepaper are strictly followed:

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en


Alberto Boczar 
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, 16 February 2005 17:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

Couple of issues.

No Microsoft products are supported by MS on VMWARE, you have to
duplicate the problem on physical hardware which may be feasible
sometimes, but not all of the time and maybe not even most of the time.

MS doesn't support Exchange in any virtual environment, including their
own.


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Wednesday, February 16, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

I hate to drag this off subject slightly and since no one has mentioned
it, but isn't the whole point of Microsoft Virtual Server and VMware
GSX/ESX so that you can run multiple servers on the same physical server
and not have the application/security/resource conflicts that you can
get by running everything on one server?  At the last MS TechEd several
of the MS people I talked to were pitching Virtual Server as *the*
solution to the "I only have one server" and branch office scenarios.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

Yeah MS has always said best practice is not to put back office apps or
IIS on domain controllers for as long as I can recall. Ditto file and
print.
There are possible resource and security issues. 

Then they have SBS. SBS bothers me because you take everything MS has
ever said and you say, hmmm, forget about it. At that point, what do
you and don't you listen to from MS? My thoughts? Listen to all of it
but don't trust any of it until you have proven it yourself. I generally
(there are exceptions to make the rule) consider anything from MS as
propaganda until I have proven with my direct experience or it has been
stated to me by my very few trusted advisors. Like if Dean tells me
something, I tend to listen closely, I may argue, but I start from a
losing position because if I don't agree it is probably because I don't
understand through no fault of Dean's explanation. Many conversations I
have with Dean start out with me thinking, oh shit, he expects I know
what I am talking about with this functionality... With Rick, well you
argue with Rick about everything because he is a hoot to argue with.
With Deji... Check it twice - all of it.
;oP  Tony... Never argue with Tony's dinner wine choice, never. 

My thoughts are that if you have a company small enough that SBS works
for you. You probably won't have too many resource issues unless you
have some serious power users. However security concerns will *always*
be there simply because you are adding additional vectors. You can't add
more services to service users and NOT open up more possible security
holes. Additionally one of the methods for fixing replication hangs and
such in AD is a reboot because attempting to stop and start the AD
services is less than helpful.
Tougher to do that when you have people using fixed services such as
FP, SQL, Exchange, etc as they tend to get cranky when the server side
of the equation disappears. 

My personal reaction to anything but DHCP/DNS/WINS on a DC are sort of a
blanched look and I don't even really like DHCP/WINS/DNS on the DC
because I think that also raises the security vectors too much. Keep in
mind, AD is the bastion of your enterprise security. Why give people
holes to poke at to see if they can compromise the entire forest? 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, February 16, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

If you have the resources on the box and can not afford to purchase a
new box for SQL or Exchange, then you are stuck with the only one
option.
However, I am a big believer of keeping the server roles separate.  I
find that the overhead of SQL (and even Exchange) is rather high during
peak times.  And, if SQL runs on the DC, this may cause latency issues
with DNS lookups, group policy updates to clients and/or log in issues.
I believe that Microsoft's best practices said to keep things separate.
(But, I may be dreaming...Like I often do...) However, with everything
that I have said, it is just my opinion and is dependent on how many
users you have and if your company can afford the cost.

*
Steve Shaff
Active Directory / Exchange 

[ActiveDir] Updating ADM files - best practices

2005-02-17 Thread Ruston, Neil





Scenario:
W2k DCs and multiple w2k domains
I plan to implement and enable the GPO setting 'turn off automatic update of ADMs' in the default domain GPO as part of the upgrade from w2k DCs and domains to w2k3 DCs and domains. [For obvious reasons, I hope]

Issue:
This new setting requires an updated system.adm. Naturally I could place this one setting in a new GPO (in a test env) and after testing, transport the whole GPO (incl ADMs) using GPMCs backup/restore feature. However, I would rather simply update the ADM file(s) and then make the change to the def domain GPO.

Question:
What is the preferred method for updating ADM files?
I don't see any reason why I can't just copy a new system.adm into SYSVOL, wait for replication to finish and then change the def domain GPO. Is this logic flawed in any way?

Thanks in advance,
neil





==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==


RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-02-17 Thread Burkes, Jeremy [Contractor]



Are you running the forestprep directly on the server that 
holds the schema master role?

Jeremy


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Wednesday, February 16, 2005 11:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2003 Forestprep

Pre-requisites all in place and all DC's are GC's so I guess it can't be 
that.

I feel a PSS call coming :-)
[EMAIL PROTECTED] wrote:

Assuming that the necessary components (SMTP, NNTP, ASP, etc) are
already in place on the Exchange server, the only thing I have seen that
causes that error is where there is no GC at the site where the Exchange
server is located. I have no explanation for why it is so, but I ran
into this twice already. In both situations, there were already E2K in
place and functional and installing a new E2K at the site does not
present the same problem. The problem only manifested itself when
installing E2K3. Putting up a GC at the site and allowing time for
replication was the only way I was able to get E2K3 installed.

YMMV

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Jacqui Hurst
Sent: Wed 2/16/2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Forestprep

This is a shot in the dark but has anyone experienced (and solved) this
before.

Forestprep was run quite some time ago on a clean Windows 2003 AD
environment. In addition to this a couple of other schema extensions
have been applied (ILO and Novadigm extensions).

I am now in the process of installing Exchange 2003 after completing the
setup and sync with ADC. When I run the setup I receive the following
error:

Setup failed while installing sub component Microsoft Exchange
Organization-Level Container chilren with error code 0xc1037ae6.

I have looked at the LDIF.err file and found it to be failing when
trying to modify an object in the CN=Address-Templates container (within
the Exchange part of the configuration container). I have looked in here
and found that there are no template objects.

I uninstalled Exchange (fully) and reran forestprep but this still
hasn't created them. The account being used to install Exchange has
Schema, Enterprise, Exchange delegation, local machine admin rights but
I didn't think it really needed all this once the forestprep had been
run.

I have looked at article 870829 but unless I'm doing something wrong
this doesn't appear to help (I did change the paths while the setup was
halfway through (at the error) and tried a retry instead of cancel and
rerunning the setup process as it takes an age to complete the
installation and then remove it to start again).

Hope all this makes sense, after all it is 2am.

Cheers
Jacqui


RE: [ActiveDir] Help!!! - Urgent Issue...

2005-02-17 Thread deji
Dunno if this response is urgent enough, but a good place to look at is
TCP/IP properties and see if the client is configured to use lmhosts. Uncheck
that option and try again. HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Chandra Burra
Sent: Wed 2/16/2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help!!! - Urgent Issue...




Hi,

Not able to add PCs to the domain, I get the DNS error... looked up the
link that popped up to find this:

http://www.microsoft.com/windows2000/dns/tshoot/dns_tshoot2A.asp#Join_RR


Checked all (DNS and also AD - both on the same server) and everything works
fine... any quick help please...



Regards,
Chandra



RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ryan A. Conrad
I agree with Neil.  I've seen good results with ERDisk from Aelita, which is
now called Recovery Manager for AD from Quest.

-Ryan

[ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Marie-Therese Fahmy
I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 



Re: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Tomasz Onyszko
Marie-Therese Fahmy wrote:
I need a script to search for userID for users and give me their full 
name. We have Active Directory 2003.
What do you mean by userID?
Take a look at these examples:
http://www.rallenhome.com/books/adcookbook/code.html
and the scriptomatic tool:
http://www.microsoft.com/technet/scriptcenter/default.mspx
You should be able to customize the examples from the Cookbook and scriptomatic
to your needs.

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread joe



They do have an undelete option... It is in Windows Server 2003 AD. Don't
expect it to be back ported to Windows 2000 AD as that OS is now over 5 years
old and the newer version is a couple of years old.

You can actually use admod as well as other tools to undelete things in
Windows Server 2003 AD, the issue comes down to how much data actually gets
pulled back. This is controlled by the schema and you can set some additional
items to be returned when the object is returned from the deleted objects
container. Note some things you can and can't return regardless of settings.

Ex:

Command line snippets

[Thu 02/17/2005 8:21:28.40]
F:\temp>makeu DelTest
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Completed.

[Thu 02/17/2005 8:21:36.28]
F:\temp>adfind -default -f name=deltest -dsq
"CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005 8:22:10.34]
F:\temp>adfind -default -f name=deltest -dsq | admod -rm

AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: cn=deltest,ou=tmptestou,ou=joeware2,ou=exchange,dc=joe,dc=com...

The command completed successfully

[Thu 02/17/2005 8:22:18.99]
F:\temp>adfind -default -f name=deltest -dsq

[Thu 02/17/2005 8:22:45.21]
F:\temp>adfind -default -f name=deltest -dsq -showdel

[Thu 02/17/2005 8:22:51.88]
F:\temp>adfind -default -f name=deltest* -dsq -showdel
"CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com"

[Thu 02/17/2005 8:22:57.68]
F:\temp>adfind -default -f name=deltest* -dsq -showdel | admod -undel

AdMod V01.01.00cpp Joe Richards ([EMAIL PROTECTED]) July 2004

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=deltest\0adel:2b2b6bc9-c4cc-49af-886a-df1b504ae919,cn=deleted objects,dc=joe,dc=com...

The command completed successfully

[Thu 02/17/2005 8:23:09.15]
F:\temp>adfind -default -f name=deltest -dsq
"CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com"

[Thu 02/17/2005 8:23:43.97]
F:\temp>adfind -default -f name=deltest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: deltest
distinguishedName: CN=deltest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
instanceType: 4
whenCreated: 20050217132136.0Z
whenChanged: 20050217132309.0Z
uSNCreated: 1458430
uSNChanged: 1458455
name: deltest
objectGUID: {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
userAccountControl: 546
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 513
operatorCount: 0
objectSid: S-1-5-21-1862701446-4008382571-2198042679-8347
adminCount: 0
accountExpires: 0
logonCount: 0
sAMAccountName: DelTest
sAMAccountType: 805306368
lastKnownParent: OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
dSCorePropagationData: 20050217132309.0Z
dSCorePropagationData: 20050217132309.0Z
dSCorePropagationData: 20050217132309.0Z
dSCorePropagationData: 20050217132219.0Z
dSCorePropagationData: 16010108151056.0Z

1 Objects returned

[Thu 02/17/2005 8:23:51.97]
F:\temp>

Tracking log Snippet

-Creates between Thu Feb 17 08:24:57 2005 - Thu Feb 17 08:25:08 2005

Initial Settings CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
  cn : DelTest
  distinguishedName : CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com
  instanceType : 4
  name : DelTest
  objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
  objectClass : top#person#organizationalPerson#user
  objectGUID : {2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}
  objectSid : S-1-5-21-1862701446-4008382571-2198042679-8347
  primaryGroupID : 513
  sAMAccountName : DelTest
  sAMAccountType : 805306368
  uSNChanged : 1458431
  uSNCreated : 1458430
  userAccountControl : 546
  whenChanged : 20050217132136.0Z
  whenCreated : 20050217132136.0Z

--Updates between Thu Feb 17 08:25:42 2005 - Thu Feb 17 08:25:54 2005

UPDATE: CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com GUID=c96b2b2bccc4af49886adf1b504ae919
  UPD cn: (DelTest) - (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
  ADD dSCorePropagationData: (20050217132219.0Z#20050217132219.0Z#20050217132218.0Z#16010108151056.0Z)
  UPD distinguishedName: (CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com) - (CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,CN=Deleted Objects,DC=joe,DC=com)
  ADD isDeleted: (TRUE)
  UPD name: (DelTest) - (DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919)
  UPD uSNChanged: (1458431) -
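As an added example (not joe's code and not AdMod's), this Python sketches the Windows Server 2003 reanimation step that admod -undel performs: it derives the restore DN from the tombstone RDN and lastKnownParent, builds the modify (delete isDeleted, replace distinguishedName) that has to be sent with the Show Deleted Objects control, flags the case where the container itself was deleted, and lists the attributes the tombstone no longer carries so they can be repopulated afterwards. The attribute sets are constructed from the DelTest values above plus a hypothetical description and sIDHistory; no directory is contacted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# LDAP "Show Deleted Objects" control (LDAP_SERVER_SHOW_DELETED_OID); both the
# search that finds a tombstone and the modify that reanimates it must carry
# it, which is what adfind -showdel and admod -undel do on the wire.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# On deletion AD renames the object to "<old RDN>\0ADEL:<objectGUID>" and moves
# it under CN=Deleted Objects of its naming context (assumes no escaped commas).
_TOMBSTONE_RE = re.compile(
    r"^(?P<rdn>[^,]+?)\\0ADEL:(?P<guid>[0-9a-f-]{36}),CN=Deleted Objects,(?P<nc>.+)$",
    re.IGNORECASE,
)

# Constructed samples modelled on the DelTest object in the thread; description
# and sIDHistory are hypothetical extras standing in for attributes the
# tombstone does not keep.
ORIGINAL: Dict[str, str] = {
    "cn": "DelTest",
    "distinguishedName": "CN=DelTest,OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com",
    "objectGUID": "{2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}",
    "objectSid": "S-1-5-21-1862701446-4008382571-2198042679-8347",
    "sAMAccountName": "DelTest",
    "userAccountControl": "546",
    "description": "constructed test account",
    "sIDHistory": "S-1-5-21-111-222-333-1001",
}
TOMBSTONE: Dict[str, str] = {
    "cn": r"DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919",
    "distinguishedName": r"CN=DelTest\0ADEL:2b2b6bc9-c4cc-49af-886a-df1b504ae919,"
                         "CN=Deleted Objects,DC=joe,DC=com",
    "objectGUID": "{2B2B6BC9-C4CC-49AF-886A-DF1B504AE919}",
    "objectSid": "S-1-5-21-1862701446-4008382571-2198042679-8347",
    "sAMAccountName": "DelTest",
    "userAccountControl": "546",
    "isDeleted": "TRUE",
    "lastKnownParent": "OU=tmptestou,OU=joeware2,OU=Exchange,DC=joe,DC=com",
}


@dataclass
class RestorePlan:
    restore_dn: str
    controls: List[str]
    changes: List[Tuple[str, str, List[str]]]  # (op, attribute, values)
    warnings: List[str] = field(default_factory=list)


def parse_tombstone_dn(dn: str) -> Tuple[str, str, str]:
    """Split a tombstone DN into (original RDN, objectGUID, naming context)."""
    m = _TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError(f"not a tombstone DN: {dn}")
    return m.group("rdn"), m.group("guid").lower(), m.group("nc")


def plan_reanimation(tombstone: Dict[str, str]) -> RestorePlan:
    """Build the modify that reanimates a tombstone: remove isDeleted and
    replace distinguishedName with the original RDN under lastKnownParent."""
    rdn, guid, nc = parse_tombstone_dn(tombstone["distinguishedName"])
    warnings: List[str] = []

    # Refuse to proceed if the GUID in the RDN disagrees with objectGUID.
    obj_guid = tombstone.get("objectGUID", "").strip("{}").lower()
    if obj_guid and obj_guid != guid:
        raise ValueError(f"objectGUID {obj_guid} does not match RDN GUID {guid}")

    parent = tombstone.get("lastKnownParent")
    if not parent:
        warnings.append("lastKnownParent missing; choose the target container by hand")
        parent = nc
    elif "\\0adel:" in parent.lower():
        # The container is a tombstone too (an OU deleted with its contents);
        # it has to be reanimated before anything can be restored into it.
        warnings.append("lastKnownParent is itself deleted; reanimate the container first")

    restore_dn = f"{rdn},{parent}"
    changes = [
        ("delete", "isDeleted", []),
        ("replace", "distinguishedName", [restore_dn]),
    ]
    return RestorePlan(restore_dn, [SHOW_DELETED_OID], changes, warnings)


def stripped_attributes(original: Dict[str, str], tombstone: Dict[str, str]) -> List[str]:
    """Attributes the object had before deletion that the tombstone no longer
    carries; these must be repopulated (e.g. from an export) after reanimation."""
    return sorted(set(original) - set(tombstone))


if __name__ == "__main__":
    plan = plan_reanimation(TOMBSTONE)
    print("restore to:", plan.restore_dn, "with control", plan.controls)
    for op, attr, values in plan.changes:
        print(f"  {op} {attr} {values}")
    print("repopulate by hand:", stripped_attributes(ORIGINAL, TOMBSTONE))
```

Whether lastKnownParent still exists live is not checked here; a real restore should confirm the container with a search before sending the modify.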

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Ramsay, Steve
The Snapshot feature is also really useful, especially in a development/test
environment.  Being able to quickly roll back the machine without requiring
a restore can save hours!

If you have ESX on a SAN, Vmotion can provide some interesting DR/BCP
options for server apps that are not cluster aware.

I saw a demo at HP a while back where they failed a VM over to another node
whilst pinging the server - it didn't even drop a packet.

Cool but pricey

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: 16 February 2005 19:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

I hate to drag this off subject slightly and since no one has mentioned it,
but isn't the whole point of Microsoft Virtual Server and VMware GSX/ESX so
that you can run multiple servers on the same physical server and not have
the application/security/resource conflicts that you can get by running
everything on one server?  At the last MS TechEd several of the MS people I
talked to were pitching Virtual Server as *the* solution to the I only have
one server and branch office scenarios.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

Yeah MS has always said best practice is not to put back office apps or IIS
on domain controllers for as long as I can recall. Ditto file and print.
There are possible resource and security issues. 

Then they have SBS... SBS bothers me because you take everything MS has
ever said and you say, hmmm, forget about it... At that point, what do you
and don't you listen to from MS? My thoughts? Listen to all of it but don't
trust any of it until you have proven it yourself. I generally (there are
exceptions to make the rule) consider anything from MS as propaganda until I
have proven with my direct experience or it has been stated to me by my very
few trusted advisors. Like if Dean tells me something, I tend to listen
closely, I may argue, but I start from a losing position because if I don't
agree it is probably because I don't understand through no fault of Dean's
explanation. Many conversations I have with Dean start out with me thinking,
oh shit, he expects I know what I am talking about with this
functionality... With Rick, well you argue with Rick about everything
because he is a hoot to argue with. With Deji... Check it twice - all of it.
;oP  Tony... Never argue with Tony's dinner wine choice, never. 

My thoughts are that if you have a company small enough that SBS works for
you. You probably won't have too many resource issues unless you have some
serious power users. However security concerns will *always* be there simply
because you are adding additional vectors. You can't add more services to
service users and NOT open up more possible security holes. Additionally one
of the methods for fixing replication hangs and such in AD is a reboot
because attempting to stop and start the AD services is less than helpful.
Tougher to do that when you have people using fixed services such as FP,
SQL, Exchange, etc as they tend to get cranky when the server side of the
equation disappears. 

My personal reaction to anything but DHCP/DNS/WINS on a DC are sort of a
blanched look and I don't even really like DHCP/WINS/DNS on the DC because I
think that also raises the security vectors too much. Keep in mind, AD is
the bastion of your enterprise security. Why give people holes to poke at to
see if they can compromise the entire forest? 

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Wednesday, February 16, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC or not DC

If you have the resources on the box and can not afford to purchase a new
box for SQL or Exchange, then you are stuck with only one option.
However, I am a big believer in keeping the server roles separate.  I find
that the overhead of SQL (and even Exchange) is rather high during peak
times.  And, if SQL runs on the DC, this may cause latency issues with DNS
lookups, group policy updates to clients and/or login issues.  I believe
that Microsoft's best practices said to keep things separate.  (But, I may
be dreaming...Like I often do...) However, with everything that I have said,
it is just my opinion and is dependent on how many users you have and if
your company can afford the cost.

*
Steve Shaff
Active Directory / Exchange Administrator Corillian Corporation
(W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Wednesday, February 16, 2005 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC or not DC


Last night I received the latest 

RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread James_Day
We have been using that here as well, and outside of the somewhat less than
intuitive interface it has worked very well for us.  It will not solve the
problem today of recovering a deleted group (unless you have an offline DC
that still has it) but it will for future issues.

We have used it to recover GPOs, OUs, computers, users and groups - both in
production and in testing.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: Ryan A. Conrad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 02/17/2005 12:58 PM GMT
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] HELP!!! Undelete required




I agree with Neil.  I've seen good results with ERDisk from Aelita, which
is now called Recovery Manager for AD from Quest.

-Ryan
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, February 17, 2005 10:17 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] HELP!!! Undelete required

Have you considered a 3rd party tool which offers object level restores?
There is no rule that states that MS must provide all the functionality that
we require, after all :)

Have you considered delayed replication sites, which only receive changes on
an infrequent basis? DCs in these sites can then be used to auth restore the
deleted object and thus re-animate it back into the environment, before they
have received the deletion event.

Of course, your most proactive measure is to ensure that only a minimal
number of admins have the ability to delete objects. The removal of a group
or OU can be catastrophic and should be mitigated against proactively.

HTH,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aramide Adebanjo
Sent: 17 February 2005 08:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Hi guys,

I have resolved the issue... it could have been worse however, but the group
deleted was a distribution group. The painful fact was that it was one that
had 700 member users and I did not know how I could repopulate that fast.
However I had done a csvde export just the day before and I ran iquery to get
all users with the required attribute. Simply put, I recreated the
distribution group again. I just pasted all the members into a text file with
all usernames separated by a semicolon and then pasted them all into the new
group. The names were all resolved.

My fear is this; what if it was a user or a security group that was
mistakenly deleted. Microsoft should have a solution that enables you to
undelete... like a Ctrl Z. Mistakes can be made by anyone... a mouse slip
etc... no one is perfect.

Thx all...

A restore is one option I don't ever want to take in a production
environment.!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, February 16, 2005 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] HELP!!! Undelete required


Heh, I actually typoed that response. It should have been

 If you had K3 you would have at
 least 2 options, one painful, one really painful. Here you only have
 the really painful answer.


The really painful answer is obviously recovery from a backup. I have never
really done this in production and I have no intention of ever doing it. It
scares me. If something was deleted, I have faith that the person who
deleted something is someone who could be trusted to have made that
decision. If they made a bad decision, the trust was misplaced. This is yet
another reason to not let people have native rights in the directory like
that.

The painful answer is to recover the object from the deleted objects
container. 

RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Mulnick, Al
I'm curious though.  You want to convert their userid from what it is now
and change it to first name last name ??

Is this just to make the MMC tools look better or is there some other
reason?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 



RE: [ActiveDir] HELP!!! Undelete required

2005-02-17 Thread Ruston, Neil



Very true, joe, but then that's precisely why I'd advocate the use of the
3rd party tools, since they offer a far more robust solution.

The thought of re-animating an object only to find most of its attributes are
missing (e.g. SIDHistory) is pretty useless, albeit by design. If a "full"
restore of the object is required, and an auth restore is not feasible, then
we're back to tools such as those provided by Quest etc.

neil 

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 17 February 2005 14:00
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] HELP!!! Undelete required

  They do have an undelete option... It is in Windows Server 2003 AD. Don't
  expect it to be back ported to Windows 2000 AD as that OS is now over 5
  years old and the newer version is a couple of years old.

  You can actually use admod as well as other tools to undelete things in
  Windows Server 2003 AD, the issue comes down to how much data actually gets
  pulled back. This is controlled by the schema and you can set some
  additional items to be returned when the object is returned from the
  deleted objects container. Note some things you can and can't return
  regardless of settings.
  

[ActiveDir] DC or not DC

2005-02-17 Thread nelson yong
Return Receipt: your document "[ActiveDir] DC or not DC" was received by
nelson yong/IT/KSL at 17/02/2005 10:14:13 PM.


RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Creamer, Mark
I'm assuming by convert you mean associate? (i.e. given a user ID, show me 
the Full Name?)

You could use adfind (www.joeware.net)

adfind -b dc=mydomain,dc=com -gc -f objectCategory=person sAMAccountName Name

That returns something like: 

dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
name: Robert Smith
sAMAccountName: SmithR


mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 





RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Gil Kirkpatrick



No, group membership does not determine what policies get 
applied. If they did, they would be called "OU policies", wouldn't they? 
:)

-gil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has block inheritance selected but is a member
of a group that's in a different OU and doesn't have block inheritance
applied, will the password policy for example still apply to that user?
Just curious really 
For Troup Bywaters + Anders
Tim Sutton
T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com
Eastgate House, 10 Eastgate, Leeds LS2 7JL






RE: [ActiveDir] OT:IIS 5.0

2005-02-17 Thread Mulnick, Al
When you get that error, do you get the same error when connecting to the
root of the webserver?  I.e. http://webserver/default.htm ?  Is that what
you're saying?

If so, then you don't have the web site permissions correct. If you don't
have those correct, you won't be able to get to the rest of the virtual
directories.  

Something changed because by default you can get to the default web page
when you first set one up.  

It's much easier to use SSL and not make the mods.  That way you won't
wonder what got changed that's screwing you up. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, February 16, 2005 2:30 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:IIS 5.0

Hi, I'm running IIS 5.0 on Win2k SP3 and I'm trying to get the change
password functionality working with no success.
I created the virtual iisadmpwd dir with read and script permissions. I allow
anonymous access to this dir. I edited the metabase with adsutil.vbs to allow
password change on non-secure ports (just for testing right now).
In app mappings the .htr ext is mapped to ism.dll.
However, when I browse to the site from anywhere (including the webserver
itself), I get an HTTP 403 forbidden error.

I understand that with SP4, MS changed the functionality of this to use ASP
instead of ISAPI for good security reasons and the app mapping changed to
asp.dll, but the webserver I have is on SP3 (and while I plan on installing
SP4 and going the ASP path, I figured since I can't even get it to work
using ism.dll, I shouldn't throw more software at the problem till I get
this resolved).
I know this is OT, but could someone direct me as to what I'm screwing up
here?
thanks.



p.s.- as I said, I am going to use ASP for this and SSL and I realize the
security risks of running ism.dll as local system, but I'm just trying to get
this to work in the defaults for testing before I go live with the other
features.

thanks again


RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Cace, Andrew
 
dsquery can also find the information.  The syntax is: 
dsquery * -filter (samAccountName=name) -attr displayName

I would use the Joeware tool, because I'm frustrated with some of the
limitations of dsquery.  I just haven't had the need yet to learn to use
the Joeware tool.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] script to convert userID to first and lastname
of users

I'm assuming by convert you mean associate? (i.e. given a user ID,
show me the Full Name?)

You could use adfind (www.joeware.net)

adfind -b dc=mydomain,dc=com -gc -f objectCategory=person 
sAMAccountName Name

That returns something like: 

dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
name: Robert Smith
sAMAccountName: SmithR


mc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese
Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of
users

I need a script to search for userID for users and give me their full
name. 
We have Active Directory 2003.

Thanks,
Marie 





RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-02-17 Thread 'Jacqui Hurst'

Yes, the forestprep was run on the schema master. 
The actual forestprep process works fine; the issue occurs when I try to join
the Exchange 5.5 organisation.  The organisation object is created in the AD
and a number of sub containers, e.g. Addressing; it begins to fail when creating
the country code address templates containers.



Jacqui

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: 17 February 2005 11:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2003 Forestprep

Are you running the forestprep directly on
the server that holds the schema master role?



Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacqui Hurst
Sent: Wednesday, February 16, 2005 11:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2003 Forestprep

Pre-requisites all in place and all DC's are GC's so I guess it can't
be that.

I feel a PSS call coming :-)

[EMAIL PROTECTED] wrote:

Assuming that the necessary components (SMTP, NNTP, ASP, etc) are already in
place on the Exchange server, the only thing I have seen that causes that
error is where there is no GC at the site where the Exchange server is
located. I have no explanation for why it is so, but I ran into this twice
already. In both situations, there were already E2K in place and functional
and installing a new E2K at the site does not present the same problem. The
problem only manifested itself when installing E2K3. Putting up a GC at the
site and allowing time for replication was the only way I was able to get
E2K3 installed.

YMMV


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Jacqui Hurst
Sent: Wed 2/16/2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Forestprep


This is a shot in the dark but has anyone experienced (and solved) this
before.

Forestprep was run quite some time ago on a clean Windows 2003 AD environment.
In addition to this a couple of other schema extensions have been applied
(ILO and Novadigm extensions).

I am now in the process of installing Exchange 2003 after completing the
setup and sync with ADC.

When I run the setup I receive the following error

Setup failed while installing sub component Microsoft Exchange
Organization-Level Container chilren with error code 0xc1037ae6.

I have looked at the LDIF.err file and found it to be failing when trying to
modify an object in the CN=Address-Templates container (within Exchange part
of configuration container) I have looked in here and found that there are
no template objects.

I uninstalled Exchange (fully) and reran forestprep but this still hasn't
created them. The account being used to install Exchange has Schema,
Enterprise, Exchange delegation and local machine admin rights, but I didn't
think it really needed all this once the forestprep had been run.

I have looked at article 870829 but unless I'm doing something wrong this
doesn't appear to help (I did change the paths while the setup was halfway
through (at the error) and tried a retry instead of cancel and rerunning the
setup process, as it takes an age to complete the installation and then remove
it to start again).

Hope all this makes sense after all it is 2am 

Cheers 

Jacqui
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
OT::RE: [ActiveDir] script to convert userID to first and lastname of users

2005-02-17 Thread Mulnick, Al
I think Joe should put that quote on the website as a testimonial :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Thursday, February 17, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] script to convert userID to first and lastname of
users

 
dsquery can also find the information.  The syntax is: 
dsquery * -filter "(sAMAccountName=name)" -attr displayName

I would use the Joeware tool, because I'm frustrated with some of the
limitations of dsquery.  I just haven't had the need yet to learn to use the
Joeware tool.

-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] script to convert userID to first and lastname of
users

I'm assuming by convert you mean associate? (i.e. given a user ID, show me
the Full Name?)

You could use adfind (www.joeware.net)

adfind -b dc=mydomain,dc=com -gc -f objectCategory=person sAMAccountName Name

That returns something like: 

dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=
name: Robert Smith
sAMAccountName: SmithR


mc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marie-Therese Fahmy
Sent: Thursday, February 17, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] script to convert userID to first and lastname of users

I need a script to search for userID for users and give me their full name. 
We have Active Directory 2003.

Thanks,
Marie 



This e-mail transmission contains information that is intended to be
confidential and privileged.  If you receive this e-mail and you are not a
named addressee you are hereby notified that you are not authorized to read,
print, retain, copy or disseminate this communication without the consent of
the sender and that doing so is prohibited and may be unlawful.  Please
reply to the message immediately by informing the sender that the message
was misdirected.  After replying, please delete and otherwise erase it and
any attachments from your computer system.
Your assistance in correcting this error is appreciated.  Thank you.
Cintas Corporation.

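An added example, not code from any post in this thread: a small Python script that turns the adfind output format shown in Mark's reply into a sAMAccountName-to-name lookup, so a whole list of user IDs (Marie's question) can be resolved in one pass and the ones with no match are reported instead of silently dropped. The sample output and the user IDs are constructed; the domain, OUs and names are placeholders.

```python
"""Resolve user IDs (sAMAccountName) to full names from adfind output.

Added example, not code from the thread. It parses the record format adfind
prints (a 'dn:' line, then attribute lines, a blank line between objects) so
that a list of user IDs can be mapped to names offline; the sample output
below is constructed.
"""
import sys
from typing import Dict, List, Tuple

# Constructed: what `adfind -b dc=mydomain,dc=com -gc -f objectCategory=person
# sAMAccountName name` might print for three objects, one of them without a
# name attribute. adfind normally prefixes attribute lines with '>'; the
# parser also accepts lines without it (as pasted in the thread).
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Robert Smith,CN=Users,DC=mydomain,DC=com
>name: Robert Smith
>sAMAccountName: SmithR

dn:CN=Jane Doe,OU=Staff,DC=mydomain,DC=com
name: Jane Doe
sAMAccountName: DoeJ

dn:CN=svc-backup,OU=Service,DC=mydomain,DC=com
>sAMAccountName: svc-backup

3 Objects returned
"""


def parse_adfind(output: str) -> List[Dict[str, str]]:
    """Split adfind output into one dict per object. A record starts at a
    'dn:' line and ends at the next blank line (or the next 'dn:' line);
    lines outside a record (banner, 'N Objects returned') are ignored."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("dn:"):
            if current:
                records.append(current)
            current = {"dn": line[3:].strip()}
            continue
        if not current or ":" not in line:
            continue
        key, value = line.lstrip(">").split(":", 1)
        current.setdefault(key.strip(), value.strip())   # keep first value only
    if current:
        records.append(current)
    return records


def build_index(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map lower-cased sAMAccountName -> name; objects lacking either are skipped."""
    index: Dict[str, str] = {}
    for rec in records:
        sam, name = rec.get("sAMAccountName"), rec.get("name")
        if sam and name:
            index[sam.lower()] = name
    return index


def resolve(user_ids: List[str], index: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Match IDs case-insensitively (as AD does); IDs with no record or no name
    are returned separately rather than silently dropped."""
    resolved: Dict[str, str] = {}
    unresolved: List[str] = []
    for uid in user_ids:
        name = index.get(uid.strip().lower())
        if name is None:
            unresolved.append(uid)
        else:
            resolved[uid] = name
    return resolved, unresolved


if __name__ == "__main__":
    # Usage: python resolve_ids.py SmithR DoeJ ...  (to use real output, replace
    # SAMPLE_ADFIND_OUTPUT with sys.stdin.read() and pipe adfind into the script)
    ids = sys.argv[1:] or ["smithr", "DoeJ", "svc-backup", "nobody"]
    found, missing = resolve(ids, build_index(parse_adfind(SAMPLE_ADFIND_OUTPUT)))
    for uid, name in found.items():
        print(f"{uid}\t{name}")
    if missing:
        print("unresolved:", ", ".join(missing), file=sys.stderr)
```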


RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Passo, Larry
But group membership can determine which GPOs get applied if you are using GPO
filtering.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 17, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

No, group membership does not determine what policies get applied. If they did,
they would be called OU policies, wouldn't they? :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has block inheritance selected but is a member of a
group that's in a different OU and doesn't have block inheritance applied, will
the password policy for example still apply to that user?

Just curious really

For Troup Bywaters + Anders

Tim Sutton
T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024
E: [EMAIL PROTECTED]
W: www.TBandA.com

Eastgate House, 10 Eastgate, Leeds LS2 7JL
Office Location Map

Groupshield 6.0 - Troup Bywaters & Anders
Privilege and Confidentiality Notice
This email and any attachments to it are intended only for the party to whom
they are addressed. They may contain privileged and / or confidential information.
If you have received this transmission in error please notify the sender
immediately and delete any digital copies and destroy any paper copies. Thank
you.
RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Darren Mar-Elia
The key here is that policy is only processed by user and computer objects, but 
its effect can be filtered by security groups (and WMI queries). So, in this 
scenario, putting block inheritance on the OU where the user object resides 
would prevent the user from receiving upstream GPOs, even though the user's 
group resides elsewhere. 

From: [EMAIL PROTECTED] on behalf of Passo, Larry
Sent: Thu 2/17/2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

But group membership can determine which GPOs get applied if you are using GPO 
filtering.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, February 17, 2005 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account policies and groups

No, group membership does not determine what policies get applied. If they did, 
they would be called OU policies, wouldn't they? :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Thursday, February 17, 2005 7:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account policies and groups

If a user is in an OU which has block inheritance selected but is a member 
of a group that's in a different OU and doesn't have block inheritance applied, 
will the password policy for example still apply to that user?

Just curious really 

[ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
I have a W2K3 AD domain. Gets its time synch from our Cisco switch,
which gets time from outside. Usually works OK; hiccups once in a while;
no big deal. I've run into an interesting problem, though. We have Cisco
VoIP phones, which display the time on the screen. A user complained
because the time was about 6 minutes different between the phone and her
PC. I started looking into it, took care of a few things, but came
across something I can't resolve.
Our Cisco Call Managers (W2K servers running Cisco call-handling apps)
are not members of the domain. Cisco documentation says they should be
stand-alone servers. I try and use net time /setsntp:switchIPaddress or
net time /setsntp:PDCEname. Either one works, but when I do a net time
/set, it fails with "Could not locate a time-server". Q243574 explains
that only the PDCe can do an external synch. So how do we get a
stand-alone machine to set the time? It's kind of important, because the
phones get their time display from the Call Managers' OS time.
Any ideas?
Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


[ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Folks, I'd like to throw this back out for comments if I can. A while back I
asked about using our current W32Time server, the forest root AD box, as the
authoritative time server for the non-Windows clients on our network. I haven't
had any luck getting this to work. If I remember correctly, W32Time is a
derivation of the NTP protocol, (is it SNTP maybe??). Anyway, nothing I've
tried enables the Linux and Unix boxes to sync with this server. One article I
read said it will not work, but you obviously can't rely on everything posted
on the net :-)

Am I missing something, or do I need to maybe look at a 3rd party solution to
handle all of the time services? What are some of you using for this
situation? Thanks!

Mark Creamer



RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Creamer, Mark
Interesting...Charlie's message just popped up in my inbox as well. Looks like
time sync is a current hot topic. Eagerly awaiting thoughts from the group.

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Charlie Kaiser
Sent: Thursday, February 17, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time sync on non-domain W2K server?



RE: [ActiveDir] DC or not DC

2005-02-17 Thread Lucia Washaya
Return Receipt: your document "RE: [ActiveDir] DC or not DC" was received by
Lucia Washaya/UNAMSIL at 17/02/2005 18:55:33 GMT.


[ActiveDir] DC or not DC

2005-02-17 Thread Lucia Washaya
Return Receipt: your document "[ActiveDir] DC or not DC" was received by
Lucia Washaya/UNAMSIL at 17/02/2005 18:56:19 GMT.


RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Charlie Kaiser
Maybe try what we did; set the AD time source to be a router or switch
that can act as a time server. That router or switch then connects to an
external time source. Different flavors of time synch can then connect
to that router or switch and get time... That way, you also don't have
to have a connection open on the time ports into your DC...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
 Sent: Thursday, February 17, 2005 10:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] W32Time and *nix


RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Al Garrett
Seems to me, if the Cisco servers can talk to the DC's via TCP/IP, then
you should be able to do a simple 

NET TIME \\DCname /SET /YES

NET TIME \\DCipaddress .

Make a batch file or run an AT job, anything that syncs them
periodically.



-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 17, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time sync on non-domain W2K server?


RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
Doesn't work. System error 5 has occurred. Access is denied.
The Cisco servers are not in the domain, and the DCs won't allow
communications from outside.
If I do a runas with domain credentials, I can make it work, but I was
hoping for a more elegant solution. I don't like doing runas with domain
pwds in a file somewhere. It's my biggest beef with runas...
If I try to do the same to the IP address of our switch, it says
network path not found.
You'd think there would be a way to allow a stand-alone server to synch
with an external time source...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
 Sent: Thursday, February 17, 2005 11:08 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
 
 Seems to me, if the Cisco servers can talk to the DC's via 
 TCP/IP, then
 you should be able to do a simple 
 
 NET TIME \\DCname /SET /YES
 
 NET TIME \\DCipaddress .
 
 Make a batch file or run an AT job, anything that syncs them
 periodically.


Re: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Bob Free
When you run Net Time \\somemachine /set you are using the old LanMan
NetTOD api to locate an authoritative time source which doesn't work
because you aren't in the domain and you have already told the box to
use SNTP with the /setsntp arg.

You want to use w32tm to test the SNTP function. Stop W32Time service
and try w32tm -once and observe the console output. The arguments have
changed in 2003 and XP and I don't have a W2K box handy but w32tm /?
will give you all the args.

It is confusing because you can use Net Time with the /setsntp or
/querysntp but all you are doing there is making the registry setting
or reading it.



On Thu, 17 Feb 2005 11:45:42 -0800, Charlie Kaiser
[EMAIL PROTECTED] wrote:
 Doesn't work. System error 5 has occurred. Access is denied.
 The Cisco servers are not in the domain, and the DCs won't allow
 communications from outside.
 If I do a runas with domain credentials, I can make it work, but I was
 hoping for a more elegant solution. I don't like doing runas with domain
 pwds in a file somewhere. It's my biggest beef with runas...
 If I try to do the same to the IP address of our switch, it says
 network path not found.
 You'd think there would be a way to allow a stand-alone server to synch
 with an external time source...
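An added example, not code from this thread, serving both Mark's question about W32Time being an NTP/SNTP derivative and Bob's point that w32tm is what actually exercises the SNTP setting: a minimal SNTP (RFC 2030/4330) client in Python that builds the 48-byte request, validates the reply (server mode, leap indicator, stratum, and that the echoed originate timestamp is the T1 we sent, which is what keeps a stray or forged answer from adjusting the clock) and computes the offset from T1..T4. The reply in the demo is constructed (a server 6 minutes ahead, like Charlie's phones); query() does a live exchange against a host you name.

```python
"""Minimal SNTP (RFC 2030/4330) client exchange, the protocol W32Time speaks.

Added example, not code from the thread. build_request() makes the packet a
client sends, parse_reply() applies the RFC sanity checks and computes the
offset from T1..T4, make_reply() fabricates a server answer for offline use.
"""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800      # seconds from 1900-01-01 to 1970-01-01
PACKET = "!BBBb11I"              # LI/VN/Mode, stratum, poll, precision, 11 words
T1_SAMPLE = 1108598400.0         # constructed client send time (2005-02-17 UTC)


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    return int((unix_seconds + NTP_UNIX_DELTA) * (1 << 32))


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time."""
    return ts / (1 << 32) - NTP_UNIX_DELTA


def _split(ts: int):
    """64-bit timestamp -> (high word, low word) for packing."""
    return ts >> 32, ts & 0xFFFFFFFF


def build_request(t1_unix: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3. Only the transmit timestamp (T1,
    words 9-10) is set; everything else in the 48-byte packet is zero."""
    words = [0] * 11
    words[9], words[10] = _split(to_ntp(t1_unix))
    return struct.pack(PACKET, 0x23, 0, 0, 0, *words)


def make_reply(request: bytes, t2_unix: float, t3_unix: float,
               stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply for offline testing: Mode=4, the client's
    transmit timestamp echoed as originate, T2/T3 filled in."""
    words = list(struct.unpack(PACKET, request)[4:])
    words[5], words[6] = words[9], words[10]          # originate = client T1
    words[7], words[8] = _split(to_ntp(t2_unix))      # receive timestamp (T2)
    words[9], words[10] = _split(to_ntp(t3_unix))     # transmit timestamp (T3)
    return struct.pack(PACKET, (li << 6) | (4 << 3) | 4, stratum, 0, 0, *words)


def parse_reply(data: bytes, t1_unix: float, t4_unix: float) -> dict:
    """Validate a reply (RFC 4330 section 5) and compute offset and delay.
    Raises ValueError for anything a client must discard, including a reply
    whose originate timestamp is not the T1 we sent (off-path/forged answer)."""
    if len(data) < 48:
        raise ValueError("short packet")
    fields = struct.unpack(PACKET, data[:48])
    li, vn, mode = fields[0] >> 6, (fields[0] >> 3) & 7, fields[0] & 7
    stratum, words = fields[1], fields[4:]
    ts = lambda i: (words[i] << 32) | words[i + 1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if li == 3:
        raise ValueError("server clock not synchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError(f"unusable stratum {stratum} (kiss-o'-death or invalid)")
    if ts(9) == 0:
        raise ValueError("zero transmit timestamp")
    if ts(5) != to_ntp(t1_unix):
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp(ts(7)), from_ntp(ts(9))
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # how far our clock is behind
    delay = (t4_unix - t1_unix) - (t3 - t2)           # round trip minus server time
    return {"version": vn, "stratum": stratum, "offset": offset, "delay": delay}


def query(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Live exchange over UDP/123, e.g. against the PDCe or the switch."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_reply(data, t1, time.time())


if __name__ == "__main__":
    # Offline demo: a stratum-2 server whose clock runs 6 minutes ahead of ours,
    # with about 10 ms of round-trip delay.
    req = build_request(T1_SAMPLE)
    reply = make_reply(req, T1_SAMPLE + 360.005, T1_SAMPLE + 360.006)
    print(parse_reply(reply, T1_SAMPLE, T1_SAMPLE + 0.011))
```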

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Mulnick, Al

It can work, what problems are you having?  What kinds of errors and what
are you using?

W2K3 is supposed to answer for both IIRC, but that was in the archives.
There are still some nuances that might be getting in your way.  You know,
the nuances about how an RFC is interpreted when it says things like
SHOULD vs. MUST :)






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W32Time and *nix


[ActiveDir] Exchange 5.5

2005-02-17 Thread Philadelphia, Lynden - Revios Toronto
Has anyone come across an article on how to take
control of public folders if the home server is gone? 
This message is intended for the use of the individual or entity to which it is addressed
and may contain information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message in not the intended recipient or the
employer or agent responsible for delivering the message to the recipient, you are
hereby notified that dissemination, distribution or copying of this communication is
strictly prohibited.  If you have received this communication in error, please notify us
immediately by email or telephone, and delete this message and all of its attachments.


RE: [ActiveDir] Exchange 5.5

2005-02-17 Thread Adams, Kenneth W \(Ken\)
IIRC, IF the folders have been replicated to another Exchange 5.5 server, you
can specify the home server on that other server. I had that happen to me years
ago, so I'm not positive about the procedure.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Thursday, February 17, 2005 4:02 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Exchange 5.5

Has anyone come across an article on how to take control 
of public folders if the home server is gone? 


  
  



RE: [ActiveDir] Exchange 5.5

2005-02-17 Thread Philadelphia, Lynden - Revios Toronto

Do you have a white paper on the procedure?

Lynden



RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
> W2K3 is supposed to answer for both IIRC,

It will in my experience. It will answer *NTP queries as NTP Version 3, Mode 4.


Windows Time Service Technical Reference - Networking Services: Windows Server 2003:
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_times_intro.asp?frame=true
The Windows Time service uses the Network Time Protocol (NTP) to help
synchronize time across a network. NTP is an Internet time protocol that
includes the discipline algorithms necessary for synchronizing clocks.
NTP is a more accurate time protocol than the Simple Network Time
Protocol (SNTP) that is used in some versions of Windows; however
W32Time continues to support SNTP to enable backward compatibility with
computers running SNTP-based time services, such as Windows 2000.

from one of the MS Folks-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Monday, January 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] time server

I own the time service for Windows, so I can field the OS question. The
NTP server in Windows 2003 is NTP V3 RFC compliant and third party NTP
clients can (well *should*) be able to sync with it. When you say
doesn't seem to recognize, is there an error message? How does it find
a valid NTP server? 
-Nathan





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 17, 2005 12:47 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] W32Time and *nix


It can work, what problems are you having? What kinds of errors and what
are you using?

W2K3 is supposed to answer for both IIRC, but that was in the archives.
There are still some nuances that might be getting in your way. You know,
the nuances about how an RFC is interpreted when it says things like
SHOULD vs. MUST :)






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W32Time and *nix

Folks, I'd like to throw this back out for comments if I can. A while back I
asked about using our current W32Time server, the forest root AD box, as the
authoritative time server for the non-Windows clients on our network. I
haven't had any luck getting this to work. If I remember correctly, W32Time
is a derivation of the NTP protocol, (is it SNTP maybe??). Anyway, nothing
I've tried enables the Linux and Unix boxes to sync with this server. One
article I read said it will not work, but you obviously can't rely on
everything posted on the net :-)

Am I missing something, or do I need to maybe look at a 3rd party solution
to handle all of the time services? What are some of you using for this
situation? Thanks!

Mark Creamer



RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
The ubiquitous "No Server Suitable for Synchronization Found". I've found lots
of questions about this in my googling, but no definitive answers.

If I understand right, SNTP is the client implementation of the NTP protocol?
If that's true, how could it serve time updates to anything? What's your
understanding of W32Time?

mc



RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Charlie Kaiser
Ah. There we go. The w32tm -once showed a sync. Now the next question
is: will the standalone server automatically sync with the listed time
source or will I have to perform manual/scripted syncs? I know it's
automatic within an AD structure, but what I've been reading doesn't
address non-domain scenarios...
Thanks much!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Free
> Sent: Thursday, February 17, 2005 12:26 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Time sync on non-domain W2K server?
>
> When you run Net Time \\somemachine /set you are using the old LanMan
> NetTOD api to locate an authoritative time source which doesn't work
> because you aren't in the domain and you have already told the box to
> use SNTP with the /setsntp arg.
>
> You want to use w32tm to test the SNTP function. Stop W32Time service
> and try w32tm -once and observe the console output. The arguments have
> changed in 2003 and XP and I don't have a W2K box handy but w32tm /?
> will give you all the args.
>
> It is confusing because you can use Net Time with the /setsntp or
> /querysntp but all you are doing there is making the registry setting
> or reading it.
>
> On Thu, 17 Feb 2005 11:45:42 -0800, Charlie Kaiser
> [EMAIL PROTECTED] wrote:
>> Doesn't work. System error 5 has occurred. Access is denied.
>> The Cisco servers are not in the domain, and the DCs won't allow
>> communications from outside.
>> If I do a runas with domain credentials, I can make it work, but I was
>> hoping for a more elegant solution. I don't like doing runas with domain
>> pwds in a file somewhere. It's my biggest beef with runas...
>> If I try to do the same to the IP address of our switch, it says
>> network path not found.
>> You'd think there would be a way to allow a stand-alone server to synch
>> with an external time source...
>>
>> **
>> Charlie Kaiser
>> MCSE, CCNA
>> Systems Engineer
>> Essex Credit / Brickwalk
>> 510 595 5083
>> **
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
>>> Sent: Thursday, February 17, 2005 11:08 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
>>>
>>> Seems to me, if the Cisco servers can talk to the DC's via TCP/IP, then
>>> you should be able to do a simple
>>>
>>> NET TIME \\DCname /SET /YES
>>>
>>> NET TIME \\DCipaddress .
>>>
>>> Make a batch file or run an AT job, anything that syncs them
>>> periodically.
>>>
>>> -Original Message-
>>> From: Creamer, Mark [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, February 17, 2005 10:53 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
>>>
>>> Interesting...Charlie's message just popped up in my inbox as well.
>>> Looks like time sync is a current hot topic. Eagerly awaiting thoughts
>>> from the group.
>>>
>>> mc
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>>> Sent: Thursday, February 17, 2005 1:23 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] Time sync on non-domain W2K server?
>>>
>>> I have a W2K3 AD domain. Gets its time synch from our Cisco switch,
>>> which gets time from outside. Usually works OK; hiccups once in a while;
>>> no big deal. I've run into an interesting problem, though. We have Cisco
>>> VoIP phones, which display the time on the screen. A user complained
>>> because the time was about 6 minutes different between the phone and her
>>> PC. I started looking into it, took care of a few things, but came
>>> across something I can't resolve. Our Cisco Call Managers (W2K servers
>>> running Cisco call-handling apps) are not members of the domain. Cisco
>>> documentation says they should be stand-alone servers. I try and use net
>>> time /setsntp:switchIPaddress or net time /setsntp:PDCEname. Either one
>>> works, but when I do a net time /set, it fails with "Could not locate a
>>> time-server". Q243574 explains that only the PDCe can do an external
>>> synch. So how do we get a stand-alone machine to set the time? It's kind
>>> of important, because the phones get their time display from the Call
>>> Managers' OS time. Any ideas? Thanks!
>>>
>>> **
>>> Charlie Kaiser
>>> MCSE, CCNA
>>> Systems Engineer
>>> Essex Credit / Brickwalk
>>> 510 595 5083
>>> **

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Ah...maybe it's the difference between Win2000 and Win2003 then. My domains
are still 2000. Thanks Bob

mc


[ActiveDir] Startup Scripts?

2005-02-17 Thread Harding, Devon

I can't seem to get a startup script to create a local account on all
domain computers. I've created an OU, dragged the user account into that
OU, applied a GPO for that OU to have a startup script which contains the
following:

echo Adding local Consulting account
net user consulting temp1234 /add

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - GSD
954-602-2469


[ActiveDir] Backups...

2005-02-17 Thread Jason B

Slightly OT for an AD forum, but since I've seen so much great advice flow
through this list, and we're populated with Sys Admins (who are frequently in
charge of backups) I figured I'd throw it out there.

We have two Dell Tape autoloaders that have 8 slots (7 DLT IV + 1 cleaning
tape). One of the autoloaders exclusively handles Exchange backups, the other
is for backup of our NAS and Samba file shares. Each DAT tape can hold 70-80GB
compressed and we have ~280GB of data to be backed up on multiple file servers
(NAS, Samba shares and others). We use CA's Brightstor ArcServe for backups
(yuck - I MUCH prefer BackupExec, and almost prefer NTBackup to ArcServe, but
I'm deviating). Right now, all that's done is load 7 tapes in there and perform
a full backup on Friday and incremental M-Th, and then overwrite that each week
- not desirable. I just acquired ~30 additional new tapes (DLT IV) and want to
see a few common backup rotations (like GFS) that would work for us. Does
anyone know of any "Backup calculators" where you can put in the amount of data
you have to back up, the time you want to have backups for (like, say 3
months), etc... and have it make some recommendations? I've seen some
web-based tools like this, and IIRC, BackupExec had one built in, but I can't
seem to find any.

Does anyone know of any?

Thanks.
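As an added example, not a tool from this thread or from any backup vendor: a small GFS (grandfather-father-son) tape calculator in Python seeded with the numbers in Jason's post (about 280 GB of data, 70 GB per DLT IV tape compressed, 7 data slots, a full on Friday and incrementals Mon-Thu, 7 plus about 30 tapes on hand, three months of history). The fraction of data that changes per day (5%) and whether the Mon-Thu incrementals share a tape are assumptions, and rotation_schedule labels which set each backup day would use, starting from a given Friday.

```python
import datetime as dt
import math

DAYS = ["Mon", "Tue", "Wed", "Thu"]  # the incremental ("son") days in the post


def tapes_needed(size_gb, tape_gb):
    """Whole tapes needed to hold size_gb (always at least one)."""
    return max(1, math.ceil(size_gb / tape_gb))


def gfs_plan(data_gb, tape_gb, daily_change, sons=4, fathers=4,
             grandfathers=3, slots=7, on_hand=37, append_incrementals=True):
    """Tape counts for a grandfather-father-son rotation.

    sons           Mon-Thu incremental sets (each reused every week)
    fathers        weekly full sets kept (the Fridays of a month)
    grandfathers   monthly full sets kept; 3 gives the three months asked for
    slots          data slots in the autoloader (8 minus the cleaning tape)
    on_hand        tapes available (7 in the loader plus the ~30 new ones)
    daily_change   ASSUMED fraction of the data that changes per day, so one
                   incremental is data_gb * daily_change
    append_incrementals  ASSUMPTION: the Mon-Thu incrementals are appended to
                   the same tape(s) instead of each getting its own
    """
    full_tapes = tapes_needed(data_gb, tape_gb)
    incr_gb = data_gb * daily_change
    if append_incrementals:
        son_tapes = tapes_needed(incr_gb * sons, tape_gb)  # shared by the week
    else:
        son_tapes = tapes_needed(incr_gb, tape_gb) * sons  # one set per day
    weekly_set = full_tapes + son_tapes  # what must sit in the loader all week
    total = son_tapes + full_tapes * (fathers + grandfathers)
    return {
        "full_tapes": full_tapes,
        "son_tapes": son_tapes,
        "weekly_set": weekly_set,
        "fits_autoloader": weekly_set <= slots,
        "total_tapes": total,
        "spare_tapes": on_hand - total,
    }


def rotation_schedule(start, weeks, fathers=4, grandfathers=3):
    """Label the set written on each backup day for `weeks` weeks from `start`.

    `start` is a date or an ISO "YYYY-MM-DD" string. Mon-Thu use that
    weekday's son set; a Friday uses the next father set, except the last
    Friday of a month, which goes to the next grandfather set so that it
    survives `grandfathers` months of rotation. Returns (date, label) tuples.
    """
    if isinstance(start, str):
        start = dt.date.fromisoformat(start)
    labels = []
    father = grand = 0
    for offset in range(weeks * 7):
        day = start + dt.timedelta(days=offset)
        wd = day.weekday()  # Mon=0 ... Sun=6; Sat/Sun have no backup job
        if wd < 4:
            labels.append((day, "son-" + DAYS[wd]))
        elif wd == 4:
            last_friday = (day + dt.timedelta(days=7)).month != day.month
            if last_friday:
                labels.append((day, "grandfather-%d" % (grand % grandfathers + 1)))
                grand += 1
            else:
                labels.append((day, "father-%d" % (father % fathers + 1)))
                father += 1
    return labels


if __name__ == "__main__":
    for key, value in gfs_plan(280, 70, 0.05).items():
        print("%-16s %s" % (key, value))
    # The Friday after the post (17 Feb 2005 was a Thursday).
    for day, label in rotation_schedule("2005-02-18", 2):
        print(day.isoformat(), label)
```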


RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Creamer, Mark
Sheesh, now someone with Win2K that does work!! :-) My domain is Win2000 also
Mike. Now I'm just confused again. W32Time wizard Nathan - are you still
monitoring this list?

mc

-Original Message-
From: Michael Wallendahl [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 17, 2005 5:02 PM
To: Creamer, Mark
Subject: Re: [ActiveDir] W32Time and *nix

Hi Mark:

What version of Windows Server are you running?

I have a Windows 2000 AD at work.  I successfully synchronize several 
non-windows devices against my DC's without a problem.  You can 
synchronize against any DC in your network (no need to specify a
particular DC).  A neat trick is to just sync against your AD domain 
name as that name resolves to a list of all of your DC's.  That way if 
you ever change a DC's name you won't have to reconfigure all your 
timesync configs.

My FreeBSD 5.3 server synchronizes against my DC just fine.  The 
configuration file /etc/ntp.conf has the following two lines in it:

server domain.com
driftfile /var/db/ntp.drift

My Windows 98 machines sync using a freeware utility called Automachron.

If you are running Windows Server 2003, it *may* not allow non-domain 
members to sync with it out of the box. I can't find anything on
google right now.  I just tested against my test 2003 server at home and 
it did allow a non-domain member to sync with it but I don't know if 
I've changed anything on it since building it.

Best bet would be to try and run Automachron on your own workstation 
against a DC and see if it reports any errors that you can google on.

Do you have a firewall or router between you and your DC's that is 
filtering NTP ports? 

Good luck!  Let me know what you find out!

-Mike



RE: [ActiveDir] Startup Scripts?

2005-02-17 Thread David Cliffe

"user account" and "startup script"?

Try the computer account in the OU. Startup scripts apply to computers :-)

-DaveC
Reuters America



-
Visit our Internet site at http://www.reuters.com

Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




RE: [ActiveDir] Startup Scripts?

2005-02-17 Thread Harding, Devon

That worked!

Thanks,

-Devon


Re: [ActiveDir] Startup Scripts?

2005-02-17 Thread Jason B

net localgroup Users consulting /add



RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
> If I understand right, SNTP is the client implementation of the NTP
> protocol?

SNTP can actually be a client or a server, it is unreliable (my word)
compared to NTP and some devices simply won't accept time from it.

RFC 1769: "The model for a SNTP server operating with either a NTP or
SNTP client is an RPC server with no persistent state. Since a SNTP
server ordinarily does not implement the full set of NTP algorithms
intended to support redundant peers and diverse network paths, it is
recommended that a SNTP server be operated only in conjunction with a
source of external synchronization, such as a reliable radio clock."

Similarly, an SNTP client is one which receives time from a server, but
makes no independent assessment as to the quality of the data. It simply
assumes the server is authoritative.

Quoting Nick Maclaren who wrote an SNTP server-

The client-side of SNTP is really just a description of some common 
synchronisation methods that have been used since time immemorial, 
applied to NTP.  You don't HAVE to be as crude as the RFC implies, 
though you can be. 

The server-side of SNTP is really just a description of short cuts that 
you could take in a dedicated stratum 1 time-server.  If it were used 
at another level, it should be described differently.

If you really want the nitty gritty, read the stuff Nick and David Mills
(father of NTP) write in comp.protocols.time.ntp or visit David's site.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W32Time and *nix

The ubiquitous No Server Suitable for Synchronization Found. I've
found lots of questions about this
in my googling, but no definitive answers.

If I understand right, SNTP is the client implementation of the NTP
protocol? If that's true, how
could it serve time updates to anything? What's your understanding of
W32Time?

mc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Mulnick, Al
Sent: Thursday, February 17, 2005 3:47 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] W32Time and *nix


It can work, what problems are you having?  What kinds of errors and
what
are you using?

W2K3 is supposed to answer for both IIRC, but that was in the archives.
There are still some nuances that might be getting in your way.  You
know,
the nuances about how an RFC is interpreted when it says things like
SHOULD vs. MUST :)






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W32Time and *nix

Folks, I'd like to throw this back out for comments if I can. A while back I asked about using our current W32Time server, the forest root AD box, as the authoritative time server for the non-Windows clients on our network. I haven't had any luck getting this to work. If I remember correctly, W32Time is a derivation of the NTP protocol (is it SNTP maybe??). Anyway, nothing I've tried enables the Linux and Unix boxes to sync with this server. One article I read said it will not work, but you obviously can't rely on everything posted on the net :-)

Am I missing something, or do I need to maybe look at a 3rd party solution to handle all of the time services? What are some of you using for this situation? Thanks!

Mark Creamer

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Time sync on non-domain W2K server?

2005-02-17 Thread Free, Bob
W32time will synch as long as you leave the service running. It will
peer up to the source and then synch periodically, 3x a day at the
default IIRC. You can turn on logging and it will log to the event log
if you want to keep an eye on it.

For W2K, add the following values and bounce the service and it will write synchronization events to the system log.

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
Value name: Log
Data type: REG_DWORD
Value: 0x0064 (Hex)

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Parameters
Value name: WriteLog
Data type: REG_SZ
Value: True

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, February 17, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time sync on non-domain W2K server?

Ah. There we go. The w32tm -once showed a sync. Now the next question
is: will the standalone server automatically sync with the listed time
source or will I have to perform manual/scripted syncs? I know it's
automatic within an AD structure, but what I've been reading doesn't
address non-domain scenarios...
Thanks much!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Bob Free
 Sent: Thursday, February 17, 2005 12:26 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Time sync on non-domain W2K server?
 
 When you run Net Time \\somemachine /set you are using the old LanMan
 NetTOD api to locate an authoritative time source which doesn't work
 because you aren't in the domain and you have already told the box to
 use SNTP with the /setsntp arg.
 
 You want to use w32tm to test the SNTP function. Stop W32Time service
 and try w32tm -once and observe the console output. The arguments have
 changed in 2003 and XP and I don't have a W2K box handy but w32tm /?
 will give you all the args.
 
 It is confusing because you can use Net Time with the /setsntp or
 /querysntp but all you are doing there is making the registry setting
 or reading it.
 
 
 
 On Thu, 17 Feb 2005 11:45:42 -0800, Charlie Kaiser
 [EMAIL PROTECTED] wrote:
  Doesn't work. "System error 5 has occurred. Access is denied."
  The Cisco servers are not in the domain, and the DCs won't allow communications from outside.
  If I do a runas with domain credentials, I can make it work, but I was hoping for a more elegant solution. I don't like doing runas with domain pwds in a file somewhere. It's my biggest beef with runas...
  If I try to do the same to the IP address of our switch, it says "network path not found".
  You'd think there would be a way to allow a stand-alone server to synch with an external time source...
  
  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 595 5083
  **
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of 
 Al Garrett
   Sent: Thursday, February 17, 2005 11:08 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
  
   Seems to me, if the Cisco servers can talk to the DC's via TCP/IP, then you should be able to do a simple

   NET TIME \\DCname /SET /YES

   NET TIME \\DCipaddress .

   Make a batch file or run an AT job, anything that syncs them periodically.
  
  
  
   -Original Message-
   From: Creamer, Mark [mailto:[EMAIL PROTECTED]
   Sent: Thursday, February 17, 2005 10:53 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Time sync on non-domain W2K server?
  
  
   Interesting...Charlie's message just popped up in my inbox as well. Looks like time sync is a current hot topic. Eagerly awaiting thoughts from the group.
  
   mc
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
   Charlie Kaiser
   Sent: Thursday, February 17, 2005 1:23 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Time sync on non-domain W2K server?
  
   I have a W2K3 AD domain. Gets its time synch from our Cisco switch, which gets time from outside. Usually works OK; hiccups once in a while; no big deal. I've run into an interesting problem, though. We have Cisco VoIP phones, which display the time on the screen. A user complained because the time was about 6 minutes different between the phone and her PC. I started looking into it, took care of a few things, but came across something I can't resolve. Our Cisco Call Managers (W2K servers running Cisco call-handling apps) are not members of the domain. Cisco documentation says they should be stand-alone servers. I try and use net time /setsntp:switchIPaddress or net time /setsntp:PDCEname. Either one
   

RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Nathan Muggli
I'm still here :) 

Regarding:


If you are running Windows Server 2003, it *may* not allow non-domain 
members to sync with it out of the box.


NTP is not a secure protocol. You can sync non-domain joined servers with
a DC. 

SNTP and NTP are exactly the same network packet. The only difference is
how the packets are processed. So you can sync an NTP client against SNTP
and vice versa. Additionally the Windows OS version won't matter here
(well, at least 2000 vs 2003 vs XP).

Getting a Unix NTP client syncing with a 2000 forest should work just
fine. You may have to turn off any add-on NTP security on the Unix
client. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 2:10 PM
To: Michael Wallendahl; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W32Time and *nix

Sheesh, now someone with Win2K that does work!! :-) My domain is Win2000 also Mike. Now I'm just confused again. W32Time wizard Nathan - are you still monitoring this list?

mc

-Original Message-
From: Michael Wallendahl [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 17, 2005 5:02 PM
To: Creamer, Mark
Subject: Re: [ActiveDir] W32Time and *nix

Hi Mark:

What version of Windows Server are you running?

I have a Windows 2000 AD at work.  I successfully synchronize several 
non-windows devices against my DC's without a problem.  You can 
synchronize against any DC in your network (no need to specify a 
particular DC).  A neat trick is to just sync against your AD domain 
name as that name resolves to a list of all of your DC's.  That way if 
you ever change a DC's name you won't have to reconfigure all your 
timesync configs.

My FreeBSD 5.3 server synchronizes against my DC just fine.  The 
configuration file /etc/ntp.conf has the following two lines in it:

server domain.com
driftfile /var/db/ntp.drift

My Windows 98 machines sync using a freeware utility called
Automachron.

If you are running Windows Server 2003, it *may* not allow non-domain 
members to sync with it out of the box.  I can't find anything on 
google right now.  I just tested against my test 2003 server at home and 
it did allow a non-domain member to sync with it but I don't know if 
I've changed anything on it since building it.

Best bet would be to try and run Automachron on your own workstation 
against a DC and see if it reports any errors that you can google on.

Do you have a firewall or router between you and your DC's that is 
filtering NTP ports? 

Good luck!  Let me know what you find out!

-Mike



RE: [ActiveDir] W32Time and *nix

2005-02-17 Thread Free, Bob
Yep, the 2000 boxes wouldn't talk back to many of the *NIX utilities
because they only did SNTP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, February 17, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W32Time and *nix

Ah...maybe it's the difference between Win2000 and Win2003 then. My
domains are still 2000. Thanks Bob

mc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Free, Bob
Sent: Thursday, February 17, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] W32Time and *nix

 W2K3 is supposed to answer for both IIRC, 

It will in my experience. It will answer *NTP queries as NTP Version 3,
Mode 4


Windows Time Service Technical Reference - Networking Services: Windows Server 2003:
http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/W2K3TR_times_intro.asp?frame=true
The Windows Time service uses the Network Time Protocol (NTP) to help
synchronize time across a network. NTP is an Internet time protocol that
includes the discipline algorithms necessary for synchronizing clocks.
NTP is a more accurate time protocol than the Simple Network Time
Protocol (SNTP) that is used in some versions of Windows; however
W32Time continues to support SNTP to enable backward compatibility with
computers running SNTP-based time services, such as Windows 2000.

from one of the MS Folks-

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Monday, January 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] time server

I own the time service for Windows, so I can field the OS question. The
NTP server in Windows 2003 is NTP V3 RFC compliant and third party NTP
clients can (well *should*) be able to sync with it. When you say
"doesn't seem to recognize", is there an error message? How does it find
a valid NTP server? 
-Nathan





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, February 17, 2005 12:47 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] W32Time and *nix


It can work, what problems are you having?  What kinds of errors and
what
are you using?

W2K3 is supposed to answer for both IIRC, but that was in the archives.
There are still some nuances that might be getting in your way.  You
know,
the nuances about how an RFC is interpreted when it says things like
SHOULD vs. MUST :)






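Nathan's point above that SNTP and NTP are exactly the same network packet, and Bob's observation that a 2003 DC answers as NTP version 3, mode 4, can both be seen in the 48-byte header itself. The following is an added Python example, not code from the list, from Microsoft's W32Time or from any ntpd: it builds the mode-3 request an (S)NTP client sends, constructs the mode-4 reply a server returns, computes the standard clock offset and round-trip delay, and applies the checks a client should make before trusting a reply, since (as Nathan says) plain NTP carries no authentication. The server skew, one-way delay and timestamps in `simulate_exchange` are constructed values, not a capture.

```python
"""NTP/SNTP header walk-through (added example; constructed timestamps).

The 48-byte header is shared by NTP (RFC 1305) and SNTP (RFC 2030); the
difference between the two is only how much the receiver does with it.
"""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01
# flags, stratum, poll, precision, root delay, root dispersion, ref id,
# then the reference, originate, receive and transmit 64-bit timestamps.
NTP_STRUCT = struct.Struct("!BBbbiIIQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_ts(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix, version=3):
    """The packet an (S)NTP client sends: LI=0, VN=version, mode 3 (first
    byte 0x1B for v3). Only the transmit timestamp is filled in."""
    flags = (0 << 6) | (version << 3) | MODE_CLIENT
    return NTP_STRUCT.pack(flags, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(transmit_unix))


def parse_packet(data):
    """Decode a 48-byte NTP/SNTP header into a dict; trailing bytes (an
    authenticator, if any) are ignored here."""
    if len(data) < NTP_STRUCT.size:
        raise ValueError("packet shorter than the 48-byte NTP header")
    f = NTP_STRUCT.unpack(data[:NTP_STRUCT.size])
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4], "root_dispersion": f[5], "ref_id": f[6],
        "reference": f[7], "originate": f[8], "receive": f[9], "transmit": f[10],
    }


def build_server_reply(request, receive_unix, transmit_unix, stratum=2, ref_id=0):
    """The mode-4 reply a server returns: same version as the request, the
    client's transmit timestamp echoed in the originate field, and the
    server's own receive/transmit timestamps. Reference timestamp is set to
    the receive time for simplicity; precision -20 is about 1 microsecond."""
    req = parse_packet(request)
    flags = (0 << 6) | (req["version"] << 3) | MODE_SERVER
    return NTP_STRUCT.pack(flags, stratum, req["poll"], -20, 0, 0, ref_id,
                           to_ntp_ts(receive_unix), req["transmit"],
                           to_ntp_ts(receive_unix), to_ntp_ts(transmit_unix))


def validate_reply(request, reply):
    """Checks a client should apply before trusting an unauthenticated reply.
    Returns a list of problems; an empty list means the reply is usable."""
    if len(reply) < NTP_STRUCT.size:
        return ["reply shorter than 48 bytes"]
    req, rep = parse_packet(request), parse_packet(reply)
    problems = []
    if rep["mode"] != MODE_SERVER:
        problems.append("mode %d is not a server reply (mode 4)" % rep["mode"])
    if rep["version"] not in (3, 4):
        problems.append("unexpected NTP version %d" % rep["version"])
    if rep["li"] == 3:
        problems.append("leap indicator 3: server clock not synchronized")
    if not 1 <= rep["stratum"] <= 15:
        problems.append("stratum %d: kiss-o'-death, unsynchronized or invalid" % rep["stratum"])
    # Only a reply that saw our request can echo our transmit timestamp; this
    # is the one check that rejects a blind, off-path forged reply.
    if rep["originate"] != req["transmit"]:
        problems.append("originate timestamp does not echo our transmit timestamp")
    if rep["transmit"] == 0:
        problems.append("transmit timestamp is zero")
    return problems


def offset_and_delay(t1, t2, t3, t4):
    """Standard NTP clock offset and round-trip delay (Unix seconds):
    t1 client sent, t2 server received, t3 server sent, t4 client received."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def simulate_exchange(t1=1_108_670_000.0, server_ahead=1.5, one_way=0.1, server_hold=0.01):
    """Constructed exchange: the server clock runs `server_ahead` seconds ahead
    of the client, each network direction takes `one_way` seconds and the
    server holds the packet for `server_hold` seconds."""
    request = build_client_request(t1)
    t2 = t1 + one_way + server_ahead            # arrival, on the server's clock
    t3 = t2 + server_hold                       # departure, on the server's clock
    reply = build_server_reply(request, t2, t3)
    t4 = t1 + one_way + server_hold + one_way   # arrival, on the client's clock
    rep = parse_packet(reply)
    offset, delay = offset_and_delay(
        t1, from_ntp_ts(rep["receive"]), from_ntp_ts(rep["transmit"]), t4)
    return offset, delay, validate_reply(request, reply)


if __name__ == "__main__":
    off, dly, probs = simulate_exchange()
    print("offset %.3f s, delay %.3f s, problems: %s" % (off, dly, probs or "none"))
```

An SNTP client in the RFC's sense stops at `offset_and_delay` and sets the clock; a full NTP client keeps several samples per server and runs the selection and discipline algorithms the Microsoft reference text quoted by Bob refers to. The server-side difference is just as small: a DC answering mode 3 with mode 4 is, on the wire, indistinguishable from ntpd, which is why the *NIX clients in this thread can sync against it once nothing in between filters UDP 123.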

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Roger Seielstad
Keep in mind you can run a DC for even a moderately sized org on a typical
desktop machine.

Since DC's (except the FSMO role holders) are scale-out redundant, there's
no reason not to add additional capacity by using desktop class machines.


Roger Seielstad
E-mail Geek  MS-MVP  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Wednesday, February 16, 2005 8:50 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC or not DC
 
 Yeah MS has always said best practice is not to put back 
 office apps or IIS on domain controllers for as long as I can 
 recall. Ditto file and print.
 There are possible resource and security issues. 
 
 Then they have SBS... SBS bothers me because you take 
 everything MS has ever said and you say, hmmm, forget about 
 it... At that point, what do you and don't you listen to 
 from MS? My thoughts? Listen to all of it but don't trust any 
 of it until you have proven it yourself. I generally (there 
 are exceptions to make the rule) consider anything from MS as 
 propaganda until I have proven with my direct experience or 
 it has been stated to me by my very few trusted advisors. 
 Like if Dean tells me something, I tend to listen closely, I 
 may argue, but I start from a losing position because if I 
 don't agree it is probably because I don't understand through 
 no fault of Dean's explanation. Many conversations I have 
 with Dean start out with me thinking, oh shit, he expects I 
 know what I am talking about with this functionality... With 
 Rick, well you argue with Rick about everything because he is 
 a hoot to argue with. With Deji... Check it twice - all of it.
 ;oP  Tony... Never argue with Tony's dinner wine choice, never. 
 
 My thoughts are that if you have a company small enough that 
 SBS works for you, you probably won't have too many resource 
 issues unless you have some serious power users. However 
 security concerns will *always* be there simply because you 
 are adding additional vectors. You can't add more services to 
 service users and NOT open up more possible security holes. 
 Additionally one of the methods for fixing replication hangs 
 and such in AD is a reboot because attempting to stop and 
 start the AD services is less than helpful.
 Tougher to do that when you have people using fixed services 
 such as FP, SQL, Exchange, etc as they tend to get cranky 
 when the server side of the equation disappears. 
 
 My personal reaction to anything but DHCP/DNS/WINS on a DC 
 is sort of a blanched look and I don't even really like 
 DHCP/WINS/DNS on the DC because I think that also raises the 
 security vectors too much. Keep in mind, AD is the bastion of 
 your enterprise security. Why give people holes to poke at to 
 see if they can compromise the entire forest? 
 
   joe
 
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
 Sent: Wednesday, February 16, 2005 11:24 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC or not DC
 
 If you have the resources on the box and can not afford to 
 purchase a new box for SQL or Exchange, then you are stuck 
 with the only one option.
 However, I am a big believer of keeping the server roles 
 separate.  I find that the overhead of SQL (and even 
 Exchange) is rather high during peak times.  And, if SQL runs 
 on the DC, this may cause latency issues with DNS lookups, 
 group policy updates to clients and/or log in issues.  I 
 believe that Microsoft's best practices said to keep things 
 separate.  (But, I may be dreaming...Like I often do...) 
 However, with everything that I have said, it is just my 
 opinion and is dependent on how many users you have and if 
 your company can afford the cost.
 
 *
 Steve Shaff
 Active Directory / Exchange Administrator Corillian Corporation
 (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 
  
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
 Sent: Wednesday, February 16, 2005 7:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] DC or not DC
 
 
 Last night I received the latest MCPMag email newsletter and 
 always read the questions that people ask. I was kind of 
 surprised by the opening sentence of the question. I know 
 that the Microsoft gospel is never to run Exchange, SQL 
 Server, etc. on a domain controller. I've never seen or 
 heard this before. I realize having the server be a DC would 
 add some overhead, but what are the list's thoughts on this? 
 Good or Bad?
 
 Thanks,
 Zo
 

RE: [ActiveDir] DC or not DC

2005-02-17 Thread Roger Seielstad
It's logical separation vs. physical separation. Mainframes have had LPAR's
(logical partitions) forever, which do the same basic thing.

Logically separating the platforms does protect from most of the issues
caused by putting a crapload of services on one box.

However, I'd never use a virtualizing solution like this on anything that
has intensive hardware level requirements like file, network or memory.


Roger Seielstad
E-mail Geek  MS-MVP  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Fuller, Stuart
 Sent: Wednesday, February 16, 2005 11:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC or not DC
 
 I hate to drag this off subject slightly and since no one has 
 mentioned it, but isn't the whole point of Microsoft Virtual 
 Server and VMware GSX/ESX so that you can run multiple 
 servers on the same physical server and not have the 
 application/security/resource conflicts that you can get by 
 running everything on one server?  At the last MS TechEd 
 several of the MS people I talked to were pitching Virtual 
 Server as *the* solution to the I only have one server and 
 branch office scenarios.
 
 -Stuart Fuller
 

Re: [ActiveDir] Updating ADM files - best practices

2005-02-17 Thread support

Neil,

Not sure if it is best practice, but what I do 
is:-

1. Leave on the auto upgrade of ADM files. We assume that Microsoft always adds to ADM files, never changes existing keys.

2. Always use a different ADM file for your modifications. Never change the Microsoft ones.

3. Leave the Domain GPO alone for security settings and password policy etc. Create another GPO for the "non standard" stuff. (Note there was a long discussion on this very point 6 months ago and I think the general conclusion was that there wasn't a lot of technical reasons for doing so, just easier to understand what was going on.)

4. I also create a GPO applied to a Test OU and then link it across when it is fully tested. I feel this is just as safe (or maybe safer) than doing it in a different domain then importing it. Admittedly, if you are testing complex changes where multiple policies interact, a separate domain is good since the policies will apply in exactly the same order as your final implementation. 

Alan C 

Policy Management Software: http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor: http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

  - Original Message - 
  From: Ruston, Neil
  To: 'ActiveDir@mail.activedir.org'
  Sent: Thursday, February 17, 2005 10:24 PM
  Subject: [ActiveDir] Updating ADM files - best practices

  Scenario: W2k DCs and multiple w2k domains.
  I plan to implement and enable the GPO setting 'turn off automatic update of ADMs' in the default domain GPO as part of the upgrade from w2k DCs and domains to w2k3 DCs and domains. [For obvious reasons, I hope]

  Issue: This new setting requires an updated system.adm. Naturally I could place this one setting in a new GPO (in a test env) and after testing, transport the whole GPO (incl ADMs) using GPMC's backup/restore feature. However, I would rather simply update the ADM file(s) and then make the change to the def domain GPO.

  Question: What is the preferred method for updating ADM files? I don't see any reason why I can't just copy a new system.adm into SYSVOL, wait for replication to finish and then change the def domain GPO. Is this logic flawed in any way?

  Thanks in advance, neil 

  == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure. ==


RE: [ActiveDir] Account policies and groups

2005-02-17 Thread Roger Seielstad

Yes, the password policy will still apply to that user - it 
applies to every object in the domain, regardless of block inheritance 
settings.

Roger Seielstad
E-mail Geek  MS-MVP 



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
  Sent: Thursday, February 17, 2005 6:27 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Account policies and groups
  
  If a user is in an OU which has block inheritance selected but is a member of a group that's in a different OU that doesn't have block inheritance applied, will the password policy, for example, still apply to that user?
  Just curious really 
  For Troup Bywaters + Anders  

  Tim Sutton 
  T: +44 (0) 113 243 2241  F: +44 (0) 113 242 4024  
  E: [EMAIL PROTECTED]  W: www.TBandA.com  
  Eastgate House, 10 Eastgate, Leeds LS2 7JL 

  Groupshield 6.0 - Troup Bywaters & Anders
  Privilege and Confidentiality Notice: This email and any attachments to it are intended only for the party to whom they are addressed. They may contain privileged and / or confidential information. If you have received this transmission in error please notify the sender immediately and delete any digital copies and destroy any paper copies. Thank you.
  


[ActiveDir] Email plug

2005-02-17 Thread joe
FYI. If anyone posted anything specifically aimed at me, I just want to let
you know I haven't seen it yet and I apologize. 

My provider GLOBAT got plugged for inbound SMTP sometime around Thu 3AM
(last post I saw was the HELP!!! Undelete required post from Aramide). Most
of my email seems to be flowing in now. At least tons of spam and bogus
virus and bounced mail notifications (if you have my [EMAIL PROTECTED] email
address in your contact list, feel free to remove it, my email address isn't
that hard to recall - especially if you have a virus) has come through now. 

However mail from this list doesn't seem to be bouncing back like the mail
from all the other lists. I see the 3AM post and then some posts from Roger
at 11PM. I have (or at least should have) the rest in an archive account on
my Exchange server which is also registered to receive, I will just have to
go dig it out. Should be done tomorrow.

I also need to look for another provider, this is the third inbound SMTP
blowup in three months. I stopped using their outbound SMTPs some time ago
because of their delays. 

  joe
