RE: [ActiveDir] Delprof.exe en mass
We run the following script at machine startup for all student computers to delete any stray profiles. All users should have mandatory profiles except for local admin and domain admin, and we also don't want to delete All Users. It gets rid of both the profile and the reference to it in the registry.

You may want to do something to make sure that you only run this once (otherwise you'll keep deleting user profiles!). We have a registry key at HKLM\software\cnwl and set values there for events which have happened, version numbers of installed software etc., and check that to make sure certain processes only get run once.

Steve

' HKEY_LOCAL_MACHINE is not predefined in VBScript; StdRegProv needs the numeric hive value
Const HKEY_LOCAL_MACHINE = &H80000002

' Delete every profile folder except the local and domain Administrator
' profiles and "All Users" (note: Default User, LocalService and
' NetworkService are not excluded and will be deleted too)
Set oFSO = CreateObject("Scripting.FileSystemObject")
root = "c:\documents and settings"
Set folder = oFSO.GetFolder(root)
Set flist = folder.SubFolders
For Each fo In flist
    fname = LCase(fo.Name)
    If fname <> "administrator" And fname <> "administrator.student" And Left(fname, 9) <> "all users" Then
        Set f1 = oFSO.GetFolder(root & "\" & fname)
        f1.Delete True
    End If
Next

' Remove the matching ProfileList entries, keeping only the key whose SID
' ends in -500 (the built-in Administrator); the S-1-5-18/19/20 service
' account keys do not end in 500 and are removed as well
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys
For Each subkey In arrSubKeys
    If Right(subkey, 3) <> "500" Then
        objReg.DeleteKey HKEY_LOCAL_MACHINE, strKeyPath & "\" & subkey
    End If
Next

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: 18 August 2005 23:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delprof.exe en mass

I am in the process of creating new profiles for a few thousand users. In order to make a clean switch, I will need to delete the local cached copy of several user profiles. delprof.exe can do this on an individual basis. Has anyone had experience using it for thousands of machines, maybe writing a script to have it run domain wide?
fred

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
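An added example for the cleanup Steve describes, written here rather than taken from the thread or from any poster's script. It does the same job (profile folder plus ProfileList entry, run only once per machine) through the Win32_UserProfile WMI class, which exists on Vista/Server 2008 and later (the XP/2003 machines in the thread would still need delprof.exe or the VBScript above). The marker key HKLM\SOFTWARE\cnwl is the one from the post; the value name 'ProfilePurge' and the allow-list contents are assumptions for this example.

```powershell
# Added example, not the poster's script: remove cached profiles once per
# machine via Win32_UserProfile, which deletes the folder and its ProfileList
# registry entry together and knows which profiles are special or loaded.
# Run elevated (as SYSTEM from a startup script in the original scenario).
# Marker key from the post; value name and allow-list are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]] $KeepAccounts = @('Administrator'),      # sAMAccountNames never to purge
    [string]   $MarkerKey    = 'HKLM:\SOFTWARE\cnwl',
    [string]   $MarkerValue  = 'ProfilePurge'
)

function Test-AlreadyRun {
    param([string] $Key, [string] $Value)
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Value -eq 1)
}

function Resolve-SidName {
    # Account name for a SID, or the SID itself when it no longer resolves
    # (orphaned profile), so an orphan can never match the allow-list by accident.
    param([string] $Sid)
    try {
        $nt = (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
                [System.Security.Principal.NTAccount])
        return ($nt.Value -split '\\')[-1]
    } catch { return $Sid }
}

function Get-PurgeCandidate {
    param([string[]] $Keep)
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and                      # skips S-1-5-18/19/20 (SYSTEM, LocalService, NetworkService)
        -not $_.Loaded  -and                      # never delete a profile that is in use
        $_.SID -notlike 'S-1-5-21-*-500' -and     # built-in Administrator (RID 500)
        $_.SID -notlike 'S-1-5-21-*-501' -and     # built-in Guest (RID 501)
        (Resolve-SidName $_.SID) -notin $Keep
    }
}

if (Test-AlreadyRun -Key $MarkerKey -Value $MarkerValue) {
    Write-Verbose 'Profile purge has already run on this machine; nothing to do.'
    return
}

foreach ($cached in Get-PurgeCandidate -Keep $KeepAccounts) {
    if ($PSCmdlet.ShouldProcess("$($cached.LocalPath) ($($cached.SID))", 'Remove cached profile')) {
        # Remove-CimInstance on Win32_UserProfile deletes both the folder and the ProfileList key
        Remove-CimInstance -InputObject $cached
    }
}

if (-not $WhatIfPreference) {
    # Record that the purge has run so the startup script does not repeat it
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name $MarkerValue -Value 1 -Type DWord
}
```

Run it once with -WhatIf to see what would go before deploying it as a computer startup script; the marker value is only written on a real run, so a -WhatIf pass does not disarm it. The Loaded check matters in the startup-script case because a profile being loaded while the script runs would otherwise be deleted out from under the session.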
[ActiveDir] OT: AD MMC Snap ins
Dear All,

On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, no AD tools appear in the Administrative Tools on the Start Menu or in the Control Panel. If a new MMC is run from the command line and Add/Remove Snap-in is selected, should the AD admin tools be listed and registered (such as DSA.MSC)?

I have had this on a test machine tonight and for me it's potentially a security issue.

Many thanks

Mark
RE: [ActiveDir] OT: AD MMC Snap ins
If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools, say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? I'm unclear as to exactly what you're asking.

And, yes, I do view it as some degree of a security risk. As to how high of a risk, that all depends on factors in your environment.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD MMC Snap ins
[ActiveDir] User SIDs...
Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID?

TIA,

Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
RE: [ActiveDir] User SIDs...
Brad, did you happen to catch this part of the KB?

MORE INFORMATION

Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations. If you use the hotfix that is described in this article, you do not have to modify the MaxTokenSize registry value in most cases. However, there are some scenarios in which you have to modify the MaxTokenSize registry value after you apply this hotfix. After you apply this hotfix to all the domain controllers, use the following formula to determine whether you have to modify the MaxTokenSize value:

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

* d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
* s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
* 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.

In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends that you double the token size. If the token size that you calculate by using this formula is less than 12,000 bytes (the default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, see the following Microsoft Knowledge Base article for a description of how to adjust the MaxTokenSize registry value:

Saying that, it's likely that if you're having this problem you may want to consider changing your group strategy. To reach that, you'd have to be a member of a lot of groups and there may be a better and more usable way to structure group membership.

Does that help or do you need to search each SID and figure out if it's going to have problems by looking at the length?

Al

From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Fri 8/19/2005 8:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...
Re: [ActiveDir] OT: AD MMC Snap ins
I have checked at work today: systems that have never seen the admin pak have the MMC snap-ins installed. Vanilla 2003, this is the case too. They are just not visible under Administrative Tools, but are available as MMC snap-ins, even without the adminpak installed.

Mark

-Original Message-
From: Rick Kingslan [EMAIL PROTECTED]
Date: Fri, 19 Aug 2005 07:26:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: AD MMC Snap ins
RE: [ActiveDir] User SIDs...
Al, thanks for that, I hadn't caught that bit of the article and have appropriately chastised myself. The reason I missed it is because I jumped to the end of the article to see if it applies to Windows XP. It applies to Win2k, which we have for DCs, but not for XP, which is what the client is running. The line under "More Information" reads "Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations", which leads me to believe that this hotfix is workstation specific.

Also FYI, the user is in 46 groups only, as is reported by a basic gpresult query that I calculate to include nested groups.

From: Al Mulnick [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 14:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...
RE: [ActiveDir] User SIDs...
The URL you supplied does not relate to a problem with the length of any one specific SID; it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SIDs, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements but since I don't have the doc. to hand at the moment (though I'm certain you'll find something through Google) I'll offer what I remember of their construct -

Example SID - S-1-5-21-2123478354-492892223-854245498-1113
              [1]      [2]        [2]       [2]       [3]

Breakdown -
[1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid, I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the aforementioned elements)
[2] = domain component (96 bits I believe)
[3] = relative identifier (RID = 30 bits)

In addition, you may want to locate and download a Microsoft tool named tokensz.exe and run something like -

C:\tokensz /compute_tokensize

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...
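An added example, not from the thread, covering the two things asked about in Al's and Dean's replies: how big one SID actually is on the wire, and how the KB 327825 estimate TokenSize = 1200 + 40d + 8s works out for a given group membership. A SID is 1 byte of revision, 1 byte of sub-authority count, 6 bytes of identifier authority and 4 bytes per sub-authority, which the .NET SecurityIdentifier class reports as BinaryLength. The 46-group membership at the bottom is constructed sample data (the thread gives the count but not the scopes), and the Scope/InAccountDomain property names are assumptions for this example; in a real domain you would fill them from the groupType of each group.

```powershell
# Added example, not from the thread. Two helpers:
#  Get-SidByteLength     - binary size of one SID (8 bytes header + 4 per sub-authority)
#  Get-TokenSizeEstimate - the KB 327825 estimate TokenSize = 1200 + 40d + 8s
# The sample group list below is constructed; Scope/InAccountDomain are assumed names.

function Get-SidByteLength {
    param([Parameter(Mandatory)] [string] $SidString)
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    [pscustomobject]@{
        Sid            = $SidString
        SubAuthorities = ($SidString -split '-').Count - 3   # drop 'S', revision, authority
        BinaryLength   = $sid.BinaryLength                   # 8 + 4 * SubAuthorities
    }
}

function Get-TokenSizeEstimate {
    param(
        [object[]] $Groups,              # objects with Scope (DomainLocal|Global|Universal) and InAccountDomain
        [int]      $SidHistoryCount = 0, # SIDs carried in sIDHistory by the user and its groups
        [switch]   $Delegation           # double the estimate, as the KB recommends when delegation is used
    )
    # d: domain local groups + universal groups outside the account domain + SID history entries
    $d = @($Groups | Where-Object {
            $_.Scope -eq 'DomainLocal' -or ($_.Scope -eq 'Universal' -and -not $_.InAccountDomain)
        }).Count + $SidHistoryCount
    # s: global groups + universal groups in the account domain
    $s = @($Groups | Where-Object {
            $_.Scope -eq 'Global' -or ($_.Scope -eq 'Universal' -and $_.InAccountDomain)
        }).Count
    $bytes = 1200 + 40 * $d + 8 * $s
    if ($Delegation) { $bytes *= 2 }
    [pscustomobject]@{
        d              = $d
        s              = $s
        EstimatedBytes = $bytes
        ExceedsDefault = ($bytes -gt 12000)   # 12,000 bytes is the default MaxTokenSize the KB cites
    }
}

function New-SampleGroup {
    param([string] $Scope, [bool] $InAccountDomain, [int] $Count)
    1..$Count | ForEach-Object { [pscustomobject]@{ Scope = $Scope; InAccountDomain = $InAccountDomain } }
}

# Constructed membership of 46 groups (the count the original poster reports):
# 30 global, 10 domain local, 4 universal in the account domain, 2 universal elsewhere.
$sample = @(New-SampleGroup Global      $true  30) +
          @(New-SampleGroup DomainLocal $true  10) +
          @(New-SampleGroup Universal   $true  4)  +
          @(New-SampleGroup Universal   $false 2)

Get-SidByteLength 'S-1-5-21-2123478354-492892223-854245498-1113'
Get-TokenSizeEstimate -Groups $sample
Get-TokenSizeEstimate -Groups $sample -Delegation

# Number of SIDs the logged-on account's token really carries, for comparison
([System.Security.Principal.WindowsIdentity]::GetCurrent()).Groups.Count
```

For the sample above d is 12 and s is 34, so the formula gives 1200 + 480 + 272 bytes, far below the 12,000-byte default, which is the point Al makes: a single SID is a few dozen bytes and never the problem on its own; it is the count of SIDs in the token, weighted much more heavily for domain local, foreign universal and SID-history entries (40 bytes each) than for global groups in the account domain (8 bytes each), that pushes a token over MaxTokenSize.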
Re: [ActiveDir] w2k sp4 Kerberos changes?
Thanks for all the advice. Checked our SRV records and they returned all the DCs. It was resolvable from our MIT/Unix systems. The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.

al

Steve Linehan wrote:

I should clarify that I would not expect the MIT KDCs to be using the SRV records; however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain.

We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - Miscellaneous failure (Cannot resolve KDC for requested realm). All w2k DCs are on line and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
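The check Steve asks for ("make sure that your SRV records are being registered in DNS"), as an added example that is not part of the thread. Windows clients locate a KDC through _kerberos._tcp.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain>; an MIT krb5 client with dns_lookup_kdc enabled looks up _kerberos._udp.<realm> and _kerberos._tcp.<realm>, which Windows DCs also register under the domain name. The function compares the targets of each record against the DC list from the directory, so a DC whose Netlogon registration failed shows up by name. It assumes the ActiveDirectory and DnsClient PowerShell modules (neither existed on the 2005-era systems in the thread; nslookup -type=SRV gives the same answers by hand).

```powershell
# Added example, not from the thread: report which DCs are missing from the
# SRV records Kerberos clients use to find a KDC. Assumes the ActiveDirectory
# and DnsClient modules; defaults to the current machine's domain.

function Test-KdcSrvRegistration {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    # Expected targets: every DC the directory knows about
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain |
             ForEach-Object { $_.HostName.ToLower() })

    $records = @(
        "_kerberos._udp.$Domain",             # MIT-style realm lookup
        "_kerberos._tcp.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",   # Windows DC locator
        "_ldap._tcp.dc._msdcs.$Domain"
    )

    foreach ($name in $records) {
        # Resolve-DnsName also returns the A records from the additional section,
        # so keep only the SRV answers before reading their targets.
        $targets = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object { $_.QueryType -eq 'SRV' } |
                     ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } |
                     Sort-Object -Unique)
        $missing = @($dcs | Where-Object { $_ -notin $targets })
        [pscustomobject]@{
            Record     = $name
            Registered = $targets.Count
            MissingDCs = ($missing -join ', ')
            Ok         = ($missing.Count -eq 0)
        }
    }
}

Test-KdcSrvRegistration | Format-Table -AutoSize
```

A row with Ok = False names the DCs to look at: on each, nltest /dsregdns forces Netlogon to re-register, and a persistent failure usually means the DNS zone is not accepting dynamic updates from that DC. Run the same queries from the Unix side (dig _kerberos._udp.<realm> SRV) if, as in this thread, the Windows clients are fine and only the MIT clients fail, since the two sides may not be asking the same DNS servers.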
RE: [ActiveDir] User SIDs...
... it still doesn't look quite right, I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...
RE: [ActiveDir] OT: AD MMC Snap ins
This has always been the case IIRC. The adminpak.msi set is if you want to install the admin tools on a workstation such as XP or W2K Prof to allow you to do admin. One of the things that happens during a dcpromo process is the enabling and registering of all admin tools in the user interface rather than you having to open up the MMC console and manually add the snap-ins.

Regards

Peter Johnson

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 19 August 2005 15:18
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: AD MMC Snap ins
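An added example, not from the thread, for settling the question Mark raised without opening a console by hand: which MMC snap-ins a machine has registered, regardless of whether a Start Menu shortcut or .msc file is present. Snap-in registration lives under HKLM\SOFTWARE\Microsoft\MMC\SnapIns, one subkey per snap-in CLSID carrying a NameString (or, on newer systems, NameStringIndirect) value; the implementing DLL is the CLSID's InProcServer32 default value. The console file names checked by the second function are the ones the Administrative Tools shortcuts open.

```powershell
# Added example, not from the thread: enumerate registered MMC snap-ins and
# flag the Active Directory ones, independently of any shortcut or .msc file.

function Get-RegisteredSnapIn {
    param([string] $NamePattern = '.')
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns' | ForEach-Object {
        $clsid  = $_.PSChildName
        $props  = Get-ItemProperty -Path $_.PSPath
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" `
                                   -ErrorAction SilentlyContinue
        # NameString is the display name; newer snap-ins may only carry NameStringIndirect
        $name = if ($props.NameString) { $props.NameString } else { $props.NameStringIndirect }
        $dll  = if ($server) { $server.'(default)' } else { $null }
        [pscustomobject]@{ Name = $name; Clsid = $clsid; Dll = $dll }
    } | Where-Object { $_.Name -match $NamePattern }
}

function Test-AdAdminTool {
    # Registered AD snap-ins next to the console files the Administrative Tools shortcuts open
    $snapins  = @(Get-RegisteredSnapIn -NamePattern 'Active Directory')
    $consoles = 'dsa.msc', 'dssite.msc', 'domain.msc' | ForEach-Object {
        [pscustomobject]@{
            File    = $_
            Present = Test-Path (Join-Path $env:SystemRoot "system32\$_")
        }
    }
    [pscustomobject]@{
        RegisteredAdSnapIns = $snapins.Name
        ConsoleFiles        = $consoles
    }
}

Get-RegisteredSnapIn -NamePattern 'Active Directory' | Format-Table -AutoSize
Test-AdAdminTool
```

A registered snap-in is tooling, not privilege: what a user can do with ADUC from a member server is decided by the directory's ACLs, not by the snap-in being loadable. If the concern is that a console user on a hardened server should not have the tool at all, the MMC policies under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console (Restrict users to the explicitly permitted list of snap-ins, plus the per-snap-in permit/deny settings) control that, and this function shows which CLSIDs those policies need to cover.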
[ActiveDir] OMG, the most awful ESE event info ever!!! ...
In the event viewer, you know how you can click the fwlink page to get help and support text for any given event? So I found the support and help text (below) for Event ID 101 (farther below) for Windows NTDS ISAM and for general ESENT, and it's about as close to 100% wrong as you can get. It's talking about Restore.env and the Information Store; Windows now thinks it's Exchange? Was it just like make stuff up day at work or something? WTF. Does the internet / network produce ANY valid content anymore? I think the new quote should be, "It must be false, I read it on the internet."

Anyway, I've gotten a hold of the people responsible for this database, we're having words ... I'll fix this.

OMG, I just found the text for Event ID 102, "%1 (%2) %3The database engine started a new instance (%4)." ... and its help text is worse than Event ID 101's text. Event ID 102's help text: "There is only one Jet database engine, ESE.dll, per server. However, there can be one instance of Jet running per storage group. Event 102 signifies that an instance of Jet has started and indicates which instance has started."

And oh my gosh I just thought someone could be trying to act on this text on like an Exchange or SBS server ... I'm nauseous, I'm actually retching over this find ... SOOO why don't you guys tell us about this shtuff? Seriously. You guys should hold your vendors to higher responsibility. Comments anyone? joe, surely you must have a comment?

Tragically, I'll bet it is a waste, I'll bet no one uses the system anymore. I give you permission to email me about any ESE event text and fwlinks that suck; send mail to: [EMAIL PROTECTED] Only email that mail about this stuff. Well, give me a week or two to take out the trash on the fwlinks. BTW, I can't promise a reply or speedy fixes, or anything.

Oh, in case it isn't clear, the ESE events are under ESE (for Exchange, SPS, Windows Desktop Search), ESENT (for general Windows), and for Active Directory the events are categorized under NTDS ISAM.

This is going to be a great Friday, I can just tell ...

BrettSh
G-Door Operator #7, but currently serving as Janitor (of the Event Help Text system)

Details if you click that fwlink, in the event box of NTDS ISAM | ESENT Event ID 101 ...

Details
Product: Windows Operating System
ID: 101
Source: ESENT
Version: 5.2
Symbolic Name: STOP_ID
Message: %1 (%2) %3The database engine stopped.

Explanation
The extensible storage engine database engine stopped. Possible causes include:
- An online restoration failed. There may be missing log files on the computer or in an online restoration, or there may be old log files that are out of sequence with the log that is mentioned in the Restore.env file.
- A database could not be loaded. The directory where the database or logs exist might not have the correct permissions assigned to it in order to load the store.
- An information store was unloaded.
- There might be file-level virus-scanning software running against the log file directory.

User Action
To troubleshoot the problem, check the Application log and the System log to determine the exact sequence of related events leading up to this event. For more information about this event, see article Q274321 in the Microsoft Knowledge Base.
---
Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.

This is the actual ESENT Event ID 101:

Event Type: Information
Event Source: ESENT
Event Category: General
Event ID: 101
Date: 6/28/2005
Time: 2:52:49 PM
User: N/A
Computer: BRETTSH-RG
Description:
ESENTUTL (3044) The database engine stopped.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
RE: [ActiveDir] User SIDs...
Tokensz results:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...
RE: [ActiveDir] User SIDs...
Did you intend on posting that?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Tokensz results:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

... it still doesn't look quite right; I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

The URL you supplied does not relate to a problem with the length of any one specific SID; it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SID, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements but since I don't have the doc.
to hand at the moment (though I'm certain you'll find something through Google) I'll offer what I remember of their construct -

Example SID - S-1-5-21-2123478354-492892223-854245498-1113
              [  1  ]  [   2    ] [  2    ] [  2    ] [3]

Breakdown -
[1] = "I'm a SID", revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid; I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the aforementioned elements)
[2] = domain component (96 bits I believe)
[3] = relative identifier (RID = 30 bits)

In addition, you may want to locate and download a Microsoft tool named tokensz.exe and run something like -

C:\>tokensz /compute_tokensize

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] User SIDs...
Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now.

Tokensz Results:

Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000
QueryKeyInfo:
  Signature algorithm =
  Encrypt algorithm = RSADSI RC4-HMAC
  KeySize = 128
  Flags = 2081e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:8/19/2005 16:19:12
Expiry:8/20/2005 2:16:44
Current Time: 8/19/2005 16:19:15
MaxToken (complete context) 1790
Re: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
So there it is. I think you said it yourself: "Tragically, I'll bet it is a waste, I'll bet no one uses the system anymore." Why would they? Most events take you to a blank page, many take you to erroneous information as you noticed.

<rant>
From my perspective this is so sad. Recently we had talks of why this was - why is there a site like http://www.eventid.net/ to cover events, but MS can't even come up with a decent site to list the IDs for various components and possible actions to take on them, as THE authority? Why is that? Because IMHO supportability comes as a second thought to many dev teams; if you asked them to document all events they throw and actions (or even decipher the events sometimes, see http://blogs.msdn.com/ericfitz/) I believe I would be faced by blank stares or be told there aren't enough heads to accomplish this. Is it the PM's fault? It's higher than that... it's a conscious decision of Microsoft on where they invest their for heads. It's all a tradeoff right? Pay now or pay later, but it'll come back to you.
</rant>

my .75 worth

steve

----- Original Message -----
From: "Brett Shirley" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 19, 2005 7:13 AM
Subject: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...

In the event view, you know how you can click the fwlink page to get help and support text for any given event? So I found the support and help text (below) for EventID 101 (farther below) for Windows NTDS ISAM and for general ESENT, and it's like about as close to 100% wrong as you can get. It's talking about Restore.env, and the Information Store; Windows now thinks it's Exchange? Was it just like "make stuff up day" at work or something? WTF. Does the internet / network produce ANY valid content anymore? I think the new quote should be, "It must be false, I read it on the internet."

Anyway, I've gotten a hold of the people responsible for this database, we're having words ... I'll fix this.
OMG, I just found the text for Event ID 102 "%1 (%2) %3The database engine started a new instance(%4)." ... and its help text is worse than event ID 101's text. Event ID 102's help text:

"There is only one Jet database engine, ESE.dll, per server. However, there can be one instance of Jet running per storage group. Event 102 signifies that an instance of Jet has started and indicates which instance has started."

And oh my gosh, I just thought someone could be trying to act on this text on like an Exchange or SBS server ... I'm nauseous, I'm actually retching over this find ...

SOOO ... Why don't you guys tell us about this shtuff? Seriously. You guys should hold your vendors to higher responsibility. Comments anyone? joe, surely you must have a comment? Tragically, I'll bet it is a waste, I'll bet no one uses the system anymore.

I give you permission to email me about any ESE event text and fwlinks that suck; send mail to: [EMAIL PROTECTED] Only email that mail about this stuff. Well, give me a week or two to take out the trash on the fwlinks. BTW, I can't promise a reply or speedy fixes, or anything.

Oh, in case it isn't clear, the ESE events are under ESE (for Exchange, SPS, Windows Desktop Search), ESENT (for general Windows), and for Active Directory the events are categorized under NTDS ISAM.

This is going to be a great Friday, I can just tell ...

BrettSh
G-Door Operator #7, but currently serving as Janitor (of the Event Help Text system)

Details if you click that fwlink, in the event box of NTDS ISAM | ESENT Event ID 101 ...

Details
Product: Windows Operating System
ID: 101
Source: ESENT
Version: 5.2
Symbolic Name: STOP_ID
Message: %1 (%2) %3The database engine stopped.

Explanation
The extensible storage engine database engine stopped. Possible causes include:
- An online restoration failed. There may be missing log files on the computer or in an online restoration, or there may be old log files that are out of sequence with the log that is mentioned in the Restore.env file.
- A database could not be loaded. The directory where the database or logs exist might not have the correct permissions assigned to it in order to load the store.
- An information store was unloaded.
- There might be file-level virus-scanning software running against the log file directory.

User Action
To troubleshoot the problem, check the Application log and the System log to determine the exact sequence of related events leading up to this event. For more information about this event, see article Q274321 in the Microsoft Knowledge Base.
---
Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.
RE: [ActiveDir] User SIDs...
Brad, to my knowledge you haven't described the specifics of the problem you refer to below (outside of the article you provided) ... what symptoms are you experiencing?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
Re: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
Sorry about the name - I just set up my new computer and email last night - not trying to mask myself or anything.

steve patrick
Re: [ActiveDir] w2k sp4 Kerberos changes?
Al Lilianstrom wrote:

Thanks for all the advice. Checked our SRV records and they returned all the DCs. It was resolvable from our MIT/Unix systems. The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.

And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.

Any other ideas?

al

Steve Linehan wrote:

I should clarify that I would not expect the MIT KDCs to be using the SRV records; however, we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are online and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
No worries. I agree that it's important to have useful information available for the products that we sell and support (both externally and internally). I have tried really, really hard not to use the system. It's distracting and usually not helpful in the least. KBs are usually more helpful, as long as your Google whacking skills are pretty good so you can wade through the vast amount of data there. No worries, more is better when it comes to information about the product and how it exactly works.

Here's a thought: it actually could help to keep Microsoft's costs down by not requiring support time be taken to resolve something that could have been avoided or fixed by onsite personnel had they had the correct information. That was my complaint at last year's summit and I think it might be that we still need to carry the flag of good and useful (not either) documentation for the products we deploy and recommend and purchase.

As a side note, I usually discard vendors from selection if their documentation a) sux or b) requires that I login to a website to obtain it. I can't get a feel for a product based on marketecture slicks and I don't feel like being prodded with spam and phone calls every ten minutes because I want more information. It's one of the allures of open source; I can find out all about the product. The difference is that I have to work harder to get that information if it's not already documented. I think Microsoft has always done a better job than most about support, but I think it is time to ratchet up the documentation and deployment information.

My $0.04 anyway. Go get 'em GDO#7/Janitor; it's worthwhile to make it accurate and useful.

-ajm
RE: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
Does your offer apply to Exchange ESE as well as ESENT/NTDS ISAM?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 19, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OMG, the most aweful ESE event info ever!!! ...
Well, give me a week or two to take out the trash on the fwlinks. BTW, I can't promise a reply or speedy fixes, or anything. Oh in case it isn't clear the ESE events are under, ESE (for Exchange, SPS, Windows Desktop Search), ESENT (for General Windows), and for Active Directory the events are categorized under NTDS ISAM. This is going to be a great Friday, i can just tell ... BrettSh G-Door Operator #7, but currently serving as Janitor (of the Event Help Text system) Details if you click that fwlink, in the event box of NTDS ISAM | ESENT Eevent ID 101 ... Details Product: Windows Operating System ID: 101 Source: ESENT Version: 5.2 Symbolic Name: STOP_ID Message: %1 (%2) %3The database engine stopped. Explanation The extensible storage engine database engine stopped. Possible causes include: - An online restoration failed. There may be missing log files on the computer or in an online restoration, or there may be old log files that are out of sequence with the log that is mentioned in the Restore.env file. - A database could not be loaded. The directory where the database or logs exist might not have the correct permissions assigned to it in order to load the store. - An information store was unloaded. - There might be file-level virus-scanning software running against the log file directory. User Action To troubleshoot the problem, check the Application log and the System log to determine the exact sequence of related events leading up to this event. For more information about this event, see article Q274321 in the Microsoft Knowledge Base. --- Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx. 
This is the actual ESENT EventID 101: Event Type: Information Event Source:ESENT Event Category: General Event ID: 101 Date:6/28/2005 Time:2:52:49 PM User:N/A Computer: BRETTSH-RG Description: ESENTUTL (3044) The database engine stopped. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:
RE: [ActiveDir] User SIDs...
As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with. :)

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Looks like the PAC is intact, and all SIDs are well within the limit. This is done from the user account that is exhibiting the problem. I am at a loss on this one now.

Tokensz Results:
Name: Kerberos
Comment: Microsoft Kerberos V1.0
Current PackageInfo-MaxToken: 12000
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2081e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start: 8/19/2005 16:19:12
Expiry: 8/20/2005 2:16:44
Current Time: 8/19/2005 16:19:15
MaxToken (complete context) 1790

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 19 August 2005 14:56
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

... it still doesn't look quite right, I'm thinking the issuing auth. is 48 bits by itself but I've no recollection as to where I'm getting that from. If the precise length constraints remain important (following everything else already posted), I'll see if I can dig it up later when I return.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 19, 2005 9:29 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] User SIDs...

The URL you supplied does not relate to a problem with the length of any one specific SID; it is describing a problem relating to the overall size of all of the SIDs that represent the identity of a particular user, i.e. user SID, group SIDs, SID history. This identity information is known as the user's token (or PAC) and has a supported maximum (which has been steadily increasing with each iteration of the OS). Beyond (or in some cases, approaching) that maximum, many products utilizing the Windows authorization model will begin to exhibit erratic behavior or fail completely.

Regarding SID construct, they're comprised of a number of elements but since I don't have the doc. to hand at the moment (though I'm certain you'll find something through google) I'll offer what I remember of their construct -

Example SID - S-1-5-21-2123478354-492892223-854245498-1113
              [1]      [2]        [2]       [2]       [3]

Breakdown -
[1] = I'm a SID, revision, issuing (or identifier) authority, sub-authorities and some additional metadata (don't recollect its size I'm afraid; I'd guess, however, at 32 bits broken down into some kind of ordered grouping to represent the aforementioned elements)
[2] = domain component (96 bits I believe)
[3] = relative identifier (RID = 30 bits)

In addition, you may want to locate and download a Microsoft tool named tokensz.exe and run something like -

C:\tokensz /compute_tokensize

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID???

TIA,
Brad
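As an added example (not from the thread), the following Python decodes a SID from its string form and from the binary form stored in AD's objectSid, checks each field's width, and applies the token-size estimate from KB 327825, the article Brad links (TokenSize = 1200 + 40d + 8s). The binary layout I state here is from MS-DTYP: a 1-byte revision, a 1-byte sub-authority count, a 48-bit identifier authority, then 32-bit sub-authorities; in Dean's example the three values after 21 are the 96-bit domain component and the trailing RID is a full 32-bit sub-authority. Function names and sample values are mine.

```python
"""SID decoding and Kerberos token-size estimation (added example)."""
import re
import struct
from typing import Iterable, NamedTuple, Tuple

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$", re.IGNORECASE)
MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK


class Sid(NamedTuple):
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d%s" % (self.revision, self.identifier_authority,
                              "".join("-%d" % s for s in self.sub_authorities))

    @property
    def binary_size(self) -> int:
        """Bytes in the binary form: 8-byte header plus 4 per sub-authority."""
        return 8 + 4 * len(self.sub_authorities)

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> "Sid":
        """The issuing domain's SID is the account SID without its RID."""
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])

    def to_bytes(self) -> bytes:
        """Binary form: revision, count, 6-byte big-endian authority,
        then little-endian 32-bit sub-authorities."""
        n = len(self.sub_authorities)
        return (struct.pack("<BB", self.revision, n)
                + self.identifier_authority.to_bytes(6, "big")
                + struct.pack("<%dI" % n, *self.sub_authorities))


def parse_sid(text: str) -> Sid:
    """Parse the S-R-I-S... string form, validating every field's range."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(m[1]), int(m[2])
    subs = tuple(int(x) for x in m[3].split("-") if x)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("more than %d sub-authorities" % MAX_SUB_AUTHORITIES)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return Sid(revision, authority, subs)


def sid_from_bytes(data: bytes) -> Sid:
    """Decode the binary form, e.g. an objectSid attribute read from AD."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, n = struct.unpack_from("<BB", data)
    if len(data) != 8 + 4 * n:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % n, data, 8)
    return Sid(revision, authority, tuple(subs))


def estimate_token_size(d: int, s: int) -> int:
    """KB 327825's estimate, 1200 + 40d + 8s bytes: d counts domain local
    groups, universal groups outside the account domain and SID-history
    entries; s counts global groups plus universal groups in the account
    domain.  Compare the result with the MaxToken value tokensz reports."""
    return 1200 + 40 * d + 8 * s


def total_sid_bytes(sids: Iterable[Sid]) -> int:
    """Raw size of a list of SIDs, the floor of what the PAC must carry."""
    return sum(s.binary_size for s in sids)


if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-2123478354-492892223-854245498-1113")
    print(sid, sid.binary_size, "bytes, RID", sid.rid, "domain", sid.domain_sid)
    print("token estimate for d=10, s=30:", estimate_token_size(10, 30))
```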
RE: [ActiveDir] w2k sp4 Kerberos changes?
A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC, who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:
Thanks for all the advice. Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems. The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything. And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help. Any other ideas?

al

Steve Linehan wrote:
I should clarify that I would not expect the MIT KDCs to be using the SRV records; however, we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have an MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are online and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] OMG, the most awful ESE event info ever!!! ...
Yes. I can promise action immediately though. I've separated my action plan into 4 phases ...

Now: cleanup of crap, I've found 4 events to remove, and 1 that must be modified on a more immediate time scale.
Embrace: re-write and re-vet content for all ESE/ESENT/NTDS ISAM events, because it could be way better.
Extend: figure out how to take the Event Help System forward a bit; this is internal improvement stuff, process improvement, DB improvement, etc ...
NextGen: figure out if there are any longer range improvements we can make.

I've started 4 threads on it, I've been writing up thoughts all morning, this is absolutely going to sap my day of real work ... They will rue the day they laid down crappy events help for ESE. I've decided to take an interest in what they do. Like Dean, usually when I take an interest in you, you become more unhappy. (w/ lots of love Dean ;) In fact 2 out of my 4 significant GFs required therapy afterwards.

Cheers,
-BrettSh
G-Door Operator #7

On Fri, 19 Aug 2005, Michael B. Smith wrote:
Does your offer apply to Exchange ESE as well as ESENT/NTDS ISAM?
RE: [ActiveDir] Delprof.exe en mass
Thanks for the help. Does delprof use the /F and how would you use the %i again?

fred

Use delprof /C

For /F %i IN (servernames.txt) do delprof /C:\\%i /D:30 /Q /I

Put pcnames (fqdn or, if you trust your wins resolutions, hostnames) into servernames.txt

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Friday, August 19, 2005 6:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delprof.exe en mass

I am in the process of creating new profiles for a few thousand users. In order to make a clean switch, I will need to delete the local cached copy of several user profiles; delprof.exe can do this on an individual basis. Has anyone had experience using it for thousands of machines, maybe writing a script to have it run domain wide?

fred
Re: [ActiveDir] w2k sp4 Kerberos changes?
Steve Linehan wrote:
A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC, who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with. A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD.

Is there a way to see something similar to an MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.

al
RE: [ActiveDir] OMG, the most awful ESE event info ever!!! ...
Wow, I meant to say, I can _not_ promise immediate action ... It depends upon the severity of the bad text ...

Cheers,
BrettSh

On Fri, 19 Aug 2005, Brett Shirley wrote:
Yes. I can promise action immediately though.
RE: [ActiveDir] User SIDs...
Sorry Ppl. Contributors to this list are so helpful that I forget that they aren't quite smart enough to read my mind; they have been able to do everything else ;-)

The problem is thus: I have a user in a group which, through 4 levels of nesting, is a member of the local Administrators group on a server (no restricted groups or anything, just plain simple addition of the group the user is in to the local Administrators group). Call this ServerA. The local Administrators group is configured in the setting "Impersonate a client after authentication".

I have set up a web page in IIS (on ServerB) that attaches to ServerA to perform some folder manipulation (profile and home directory changes and the like). It does this using Kerberos to pass the authentication through. The page fails, because their Kerberos authentication fails. I have added the same user explicitly to the "Impersonate a client after authentication" setting on ServerA, and presto, it works.

Just to reiterate, the user is in less than 50 groups, including nesting results. ServerA and ServerB are both Win2k3. The domain is all Win2K DCs, SP3.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 19 August 2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

As Dean keeps saying, how about describing the actual problem as you see/experience it. Could be something totally different. I'll bet somebody here would be helpful if they knew what to help with. :)

Al
RE: [ActiveDir] w2k sp4 Kerberos changes?
Unfortunately additional logging for the KDC in Windows 2000 is thin. This was added in Windows Server 2003 but we are not there. I really believe that we are not getting to the Windows 2000 KDC anyway, i.e. the client is handed back the referral and then failing to resolve the name. In the referral I assume it is just passing back the generic FQDN for the Windows 2000 domain and the client is querying for that A record and getting back a list of all DCs in that domain. Can you use nslookup to get a list of DCs and then ensure that they are all reachable from the client's perspective? This is assuming that you are getting the same error as before.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Steve Linehan wrote:
> A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with.

A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD.

Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.

al

> Thanks,
>
> -Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:
> Thanks for all the advice. Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.

The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything. And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.

Any other ideas?

al

Steve Linehan wrote:
> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>
> Thanks,
>
> -Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain.

We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - Miscellaneous failure (Cannot resolve KDC for requested realm). All w2k DCs are on line and functional. The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
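Steve's suggestion above (pull the list of DCs from DNS, then confirm each one is reachable from the client) can be scripted. The following is an added example, not code from the thread: it parses the SRV output that Windows nslookup prints for a `_kerberos._tcp.<domain>` query (a constructed sample is embedded, with one DC deliberately lacking an address record) and then tries a TCP connection to each KDC on the port the record advertises. The hostnames, addresses and function names are this example's own assumptions; the `connect` parameter exists so the check can be run offline against a stub.

```python
"""Resolve a realm's Kerberos SRV records and check that each KDC answers.

Added example, not from the thread. Parses Windows nslookup SRV output and
probes every KDC on its advertised port; the sample data is constructed.
"""
import re
import socket

# Constructed sample of `nslookup -type=SRV _kerberos._tcp.example.com`
# output on Windows. dc2 is listed in DNS but has no address record.
SAMPLE_NSLOOKUP = """\
Server:  dns1.example.com
Address:  10.0.0.53

_kerberos._tcp.example.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.example.com
_kerberos._tcp.example.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc2.example.com
dc1.example.com internet address = 10.0.0.1
"""

_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$", re.I)
_ADDR = re.compile(r"^\s*(\S+)\s+internet address\s*=\s*(\S+)\s*$", re.I)


def parse_nslookup_srv(text):
    """One dict per SRV record: host, port, priority, weight, and the
    A-record address nslookup printed for that host (None if it printed none)."""
    records, addresses, current = [], {}, None
    for line in text.splitlines():
        if "SRV service location" in line:
            current = {"host": None, "port": None, "priority": None, "weight": None}
            records.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "svr hostname":
                current["host"] = value.rstrip(".").lower()
            else:
                current[key] = int(value)
            continue
        m = _ADDR.match(line)
        if m:
            addresses[m.group(1).rstrip(".").lower()] = m.group(2)
    for rec in records:
        rec["address"] = addresses.get(rec["host"])
    return records


def tcp_connect(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(records, connect=tcp_connect):
    """Map each KDC hostname to whether it answered on its SRV port."""
    return {rec["host"]: connect(rec["host"], rec["port"]) for rec in records}


def unreachable(results):
    """Sorted list of KDCs that did not answer."""
    return sorted(host for host, ok in results.items() if not ok)


if __name__ == "__main__":
    # Offline run: treat a KDC without an address record as unreachable.
    recs = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    stub = lambda host, port: any(r["host"] == host and r["address"] for r in recs)
    print(check_kdcs(recs, connect=stub))
```

Run it on a real network by piping the nslookup output into `parse_nslookup_srv` and calling `check_kdcs` with the default `tcp_connect`; a KDC that resolves but never answers on port 88 is exactly the case that surfaces as "Cannot resolve KDC for requested realm" on the MIT side.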
[ActiveDir] AD attribute
My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
This is probably just me not comprehending this, but when you said

> The confusion is that, there is also a /p option that can be provided to defrag, like so:

Did you mean the confusion is that they are both** valid, or that one is valid and one is not?

** eseutil /p mydb.edb and eseutil /d mydb.edb /p

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 18, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

I am actually a programmer for ESE (you know the database under Exchange, once known as JET Blue ... ) ... yes, it may come as a shock to some of you that building 7 garage door operator is not my only job duty at msft ...

Anyway, I'd like to clear up some confusion and misstatements ...

1. The /p switch ...

There was some confusion on the /p switch ... There are two different operations being discussed below that one can perform on an ESE database. One is called defrag and the other repair. It is CRITICAL everyone understand the difference between the two, because one is dangerous and destructive under certain circumstances.

Defrag: eseutil /d mydb.edb
Repair: eseutil /p mydb.edb

The confusion is that, there is also a /p option that can be provided to defrag, like so:

Defrag (w/o instate): eseutil /d mydb.edb /p

The original mail understood this, but some subsequent mails got it mixed up, just wanted to make it explicit.

I loathe ESEUtil's command syntax, BTW. :P Subcommands should always be full words, like repadmin. ;)

2. Repair (/p) is destructive.

Repair is really an unfortunate term for this functionality, because like when you repair a car, it works again! That may not be the case after ESE's repair. The command should've been called salvage. The command basically throws out any data that ESE doesn't understand due to physical or ESE logical corruptions in your database, basically salvaging what's left.

The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive.

Repair is dangerous. I always try to steer people away from repair. If though somehow the database has been corrupted, there is irreplaceable data it can really save you. If the database is in perfect order, both physically (eseutil /k checks this) and ESE logically (eseutil /g checks that), then in theory repair is safe. But that idea gives me the hee-bee-jee-bees. It is possible for a disk to return valid data on one read, and invalid data on a 2nd read, so it could never be perfectly safe. Did I mention I try to steer people away from repair.

2.a. Aside: NEVER run repair on an AD database.

Off the subject of this mail, but it bears repeating. As you may or may not know, the ESE database engine is used in both Windows for Active Directory's database/ntds.dit and in Exchange for mailbox stores. In the Windows version of the ESE database engine, eseutil.exe is called esentutl.exe. Even though these binaries are similar, and based off similar sources, the versions are different, and compiled with the
Esentutl.exe and eseutil.exe are
Never run repair on an AD database. In fact in Win2k3 SP1, we disabled that functionality in esentutl.exe for AD databases.

Ok, we're really offtopic for the thread, moving back to ...

3. Defrag (how it works) ...

I'd like to go over very approximately the steps that ESE (offline) defrag goes through, because it will make some of the comments in the next point more poignantly clear. Defrag works like this:

Step 1 - Open the source database.

ESE opens for reading the source or target database, that you've specified as the first non-flag argument after the /d sub-command. i.e. mydb.edb above.

Step 2 - Create a destination database with a temporary name.

By default the destination or temporary DB, is created in the same directory as the source database.

Step 3 - Move the data table by table to the destination database.

Enumerate over each table in the source database, and move each row of data to the destination database. This is why I call them source and destination. However, usually, eseutil and docs call the destination the temp. database. You'll see why in step 4. And indices are recreated in the process too of course.

Step 4 - Move the destination database to the source database.

ESE moves the destination/temp database name, to the source database name. This is the step that specifying /p to defrag skips.

Note: You may specify the destination database name for step 2, in this process by adding an argument like /tE:\mytempdrive\emailstuff.db to the defrag command line.

Also there is another option /b, that makes a backup copy. /bD:\mydb.backup.edb That I think (83% sure) pretty much inserts a step 3.5, which just moves the source database to this backup copy name, before
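The whole confusion in this thread is that `/p` means two different things depending on where it sits on the command line. The following is an added example, not code from the thread and not part of Microsoft's ESE tools: a small classifier that applies the syntax Brett lays out (the first `/x` switch is the sub-command; `/p` after `/d` only skips the instate step; `/t<path>` and `/b<path>` name the temp and backup files) and reports whether a given command line is a defrag, a defrag without instate, or a destructive repair. The refusal to run repair against ntds.dit follows his "never run repair on an AD database" and is this example's own policy; the dataclass and function names are assumptions.

```python
"""Tell eseutil/esentutl repair apart from defrag before a command is run.

Added example, not from the thread. Implements the command syntax described
above and flags the destructive case; the ntds.dit guard is this example's own.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

SUBCOMMANDS = {"d": "defrag", "p": "repair", "g": "integrity", "k": "checksum"}
TOOLS = {"eseutil", "eseutil.exe", "esentutl", "esentutl.exe"}


@dataclass
class EseutilPlan:
    tool: str
    subcommand: str
    database: str
    destructive: bool          # only repair discards data ESE cannot read
    instate: bool              # defrag step 4: temp file moved over the source
    temp_db: Optional[str] = None
    backup_db: Optional[str] = None
    allowed: bool = True
    warning: str = ""


def classify(cmdline: str) -> EseutilPlan:
    argv = cmdline.split()
    if len(argv) < 3:
        raise ValueError("expected: <eseutil|esentutl> /<subcommand> <database> [options]")
    tool = ntpath.basename(argv[0]).lower()
    if tool not in TOOLS:
        raise ValueError(f"not an ESE utility: {argv[0]}")
    switch = argv[1]
    if not (switch.startswith("/") and len(switch) == 2):
        raise ValueError(f"sub-command must be a single /x switch, got {switch!r}")
    subcommand = SUBCOMMANDS.get(switch[1].lower(), "unknown")

    database, temp_db, backup_db = None, None, None
    instate = subcommand == "defrag"   # defrag instates unless /p says otherwise
    for arg in argv[2:]:
        if arg.startswith("/") and len(arg) >= 2:
            letter, value = arg[1].lower(), arg[2:]
            if subcommand == "defrag" and letter == "p":
                instate = False        # after /d, /p means "don't instate", not repair
            elif subcommand == "defrag" and letter == "t":
                temp_db = value        # /t<path>: destination (temp) database
            elif subcommand == "defrag" and letter == "b":
                backup_db = value      # /b<path>: copy of the source kept before instate
            # any other option is passed through untouched
        elif database is None:
            database = arg             # first non-switch argument is the database
    if database is None:
        raise ValueError("no database path given")

    plan = EseutilPlan(tool, subcommand, database, subcommand == "repair",
                       instate, temp_db, backup_db)
    if plan.destructive:
        plan.warning = ("repair keeps what ESE can read and throws the rest away; "
                        "run /k and /g and take a backup first")
        if ntpath.basename(database).lower() == "ntds.dit":
            plan.allowed = False       # example policy: never repair the AD database
            plan.warning = "refusing: repair must never be run against the AD database"
    return plan


if __name__ == "__main__":
    for cmd in ("eseutil /d mydb.edb", "eseutil /d mydb.edb /p",
                "eseutil /p mydb.edb", r"esentutl /p C:\Windows\NTDS\ntds.dit"):
        p = classify(cmd)
        print(f"{cmd:42} -> {p.subcommand:9} destructive={p.destructive} "
              f"instate={p.instate} allowed={p.allowed}")
```

Wrapping the real tool in a check like this is mostly useful as a pre-flight in change scripts: the plan object makes the difference between `/d ... /p` (non-destructive, leaves the temp file behind) and `/p ...` (salvage) explicit before anything touches the database.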
RE: [ActiveDir] AD attribute
If you are running Windows Server 2003 SP1 I would investigate using the confidential attribute setting. Take a look at the Confidential attributes section of this resource http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx for more details.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 11:55 AM
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
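The confidential attribute setting Steve refers to is a bit in the attribute's searchFlags. As an added example that is not from the thread or from Microsoft's documentation, the block below decodes searchFlags, sets the confidential bit (value 128, 0x80) without disturbing the other bits, and emits an LDIF change record suitable for ldifde. The attribute name `employeeSSN`, the schema naming context and the function names are constructed placeholders; the refusal for base-schema attributes (systemFlags bit 0x10) reflects the documented restriction that the confidential flag cannot be set on them.

```python
"""Mark a schema attribute confidential by setting bit 0x80 of searchFlags.

Added example, not from the thread. The attribute name and DN are constructed.
"""

# Bit names used here are this example's labels for the searchFlags bits.
SEARCH_FLAG_NAMES = {
    0x01: "INDEX",
    0x02: "CONTAINER_INDEX",
    0x04: "ANR",
    0x08: "PRESERVE_ON_DELETE",
    0x10: "COPY_ON_DUPLICATE",
    0x20: "TUPLE_INDEX",
    0x40: "SUBTREE_INDEX",
    0x80: "CONFIDENTIAL",
}
CONFIDENTIAL = 0x80
FLAG_SCHEMA_BASE_OBJECT = 0x10    # systemFlags bit marking base (category 1) schema objects


def decode_search_flags(value: int):
    """Names of the bits set in a searchFlags value; unknown bits are kept as hex."""
    names = [name for bit, name in SEARCH_FLAG_NAMES.items() if value & bit]
    unknown = value & ~sum(SEARCH_FLAG_NAMES)
    if unknown:
        names.append(f"0x{unknown:x}")
    return names


def with_confidential(value: int) -> int:
    """Return searchFlags with the confidential bit set and everything else kept."""
    return value | CONFIDENTIAL


def is_confidential(value: int) -> bool:
    return bool(value & CONFIDENTIAL)


def can_make_confidential(system_flags: int) -> bool:
    """Base-schema attributes cannot be made confidential."""
    return not (system_flags & FLAG_SCHEMA_BASE_OBJECT)


def confidential_ldif(attribute_cn: str, schema_nc: str, current_flags: int,
                      system_flags: int = 0) -> str:
    """LDIF modify record that flips the attribute to confidential."""
    if not can_make_confidential(system_flags):
        raise ValueError(f"{attribute_cn} is a base-schema attribute; "
                         "the confidential bit cannot be set on it")
    new_flags = with_confidential(current_flags)
    return "\n".join([
        f"dn: CN={attribute_cn},{schema_nc}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {new_flags}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed values: an attribute whose searchFlags is currently 8.
    schema_nc = "CN=Schema,CN=Configuration,DC=example,DC=com"
    print(decode_search_flags(8))
    print(confidential_ldif("employeeSSN", schema_nc, current_flags=8))
```

Once the bit is set, reading the attribute requires the Control Access right on it (or Full Control) rather than plain Read, which is what keeps the value hidden from ordinary users; remember to re-check that right on any objects where it was delegated broadly.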
RE: [ActiveDir] AD attribute
This is a step by step to add the attribute and extend the display specifier to allow it to be modified.

http://www.informit.com/articles/article.asp?p=169630rl=1

Hope this helps - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
Both are valid, but do VERY different things. The first of the two you listed is the repair/salvage sub-command, the second is offline defrag.

Cheers,
-B

On Fri, 19 Aug 2005, Douglas M. Long wrote:

> This is probably just me not comprehending this, but when you said
>
> > The confusion is that, there is also a /p option that can be provided to defrag, like so:
>
> Did you mean the confusion is that they are both** valid, or that one is valid and one is not?
>
> ** eseutil /p mydb.edb and eseutil /d mydb.edb /p

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 18, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

I am actually a programmer for ESE (you know the database under Exchange, once known as JET Blue ... ) ... yes, it may come as a shock to some of you that building 7 garage door operator is not my only job duty at msft ...

Anyway, I'd like to clear up some confusion and misstatements ...

1. The /p switch ...

There was some confusion on the /p switch ... There are two different operations being discussed below that one can perform on an ESE database. One is called defrag and the other repair. It is CRITICAL everyone understand the difference between the two, because one is dangerous and destructive under certain circumstances.

Defrag: eseutil /d mydb.edb
Repair: eseutil /p mydb.edb

The confusion is that, there is also a /p option that can be provided to defrag, like so:

Defrag (w/o instate): eseutil /d mydb.edb /p

The original mail understood this, but some subsequent mails got it mixed up, just wanted to make it explicit.

I loathe ESEUtil's command syntax, BTW. :P Subcommands should always be full words, like repadmin. ;)

2. Repair (/p) is destructive.

Repair is really an unfortunate term for this functionality, because like when you repair a car, it works again! That may not be the case after ESE's repair. The command should've been called salvage. The command basically throws out any data that ESE doesn't understand due to physical or ESE logical corruptions in your database, basically salvaging what's left.

The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive.

Repair is dangerous. I always try to steer people away from repair. If though somehow the database has been corrupted, there is irreplaceable data it can really save you. If the database is in perfect order, both physically (eseutil /k checks this) and ESE logically (eseutil /g checks that), then in theory repair is safe. But that idea gives me the hee-bee-jee-bees. It is possible for a disk to return valid data on one read, and invalid data on a 2nd read, so it could never be perfectly safe. Did I mention I try to steer people away from repair.

2.a. Aside: NEVER run repair on an AD database.

Off the subject of this mail, but it bears repeating. As you may or may not know, the ESE database engine is used in both Windows for Active Directory's database/ntds.dit and in Exchange for mailbox stores. In the Windows version of the ESE database engine, eseutil.exe is called esentutl.exe. Even though these binaries are similar, and based off similar sources, the versions are different, and compiled with the
Esentutl.exe and eseutil.exe are
Never run repair on an AD database. In fact in Win2k3 SP1, we disabled that functionality in esentutl.exe for AD databases.

Ok, we're really offtopic for the thread, moving back to ...

3. Defrag (how it works) ...

I'd like to go over very approximately the steps that ESE (offline) defrag goes through, because it will make some of the comments in the next point more poignantly clear. Defrag works like this:

Step 1 - Open the source database.

ESE opens for reading the source or target database, that you've specified as the first non-flag argument after the /d sub-command. i.e. mydb.edb above.

Step 2 - Create a destination database with a temporary name.

By default the destination or temporary DB, is created in the same directory as the source database.

Step 3 - Move the data table by table to the destination database.

Enumerate over each table in the source database, and move each row of data to the destination database. This is why I call them source and destination. However, usually, eseutil and docs call the destination the temp. database. You'll see why in step 4. And indices are recreated in the process too of course.

Step 4 - Move the destination database to the source database.

ESE moves the destination/temp database name, to the source database name. This is the step that specifying /p to defrag skips.

Note: You may specify the destination database name
RE: [ActiveDir] AD attribute
Return Receipt

Your document: RE: [ActiveDir] AD attribute
was received by: Ricardo Konno/SCI
at: 19/08/2005 14:29:12
RE: [ActiveDir] User SIDs...
Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o)

So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is.

And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID?

TIA,
Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
Both are valid, but one is destructive (repair) as in

> 2. Repair (/p) is destructive.

and

> The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive.

Better? Or did I confuse it worse?

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Fri 8/19/2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

This is probably just me not comprehending this, but when you said

> The confusion is that, there is also a /p option that can be provided to defrag, like so:

Did you mean the confusion is that they are both** valid, or that one is valid and one is not?

** eseutil /p mydb.edb and eseutil /d mydb.edb /p

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 18, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

I am actually a programmer for ESE (you know the database under Exchange, once known as JET Blue ... ) ... yes, it may come as a shock to some of you that building 7 garage door operator is not my only job duty at msft ...

Anyway, I'd like to clear up some confusion and misstatements ...

1. The /p switch ...

There was some confusion on the /p switch ... There are two different operations being discussed below that one can perform on an ESE database. One is called defrag and the other repair. It is CRITICAL everyone understand the difference between the two, because one is dangerous and destructive under certain circumstances.

Defrag: eseutil /d mydb.edb
Repair: eseutil /p mydb.edb

The confusion is that, there is also a /p option that can be provided to defrag, like so:

Defrag (w/o instate): eseutil /d mydb.edb /p

The original mail understood this, but some subsequent mails got it mixed up, just wanted to make it explicit.

I loathe ESEUtil's command syntax, BTW. :P Subcommands should always be full words, like repadmin. ;)

2. Repair (/p) is destructive.

Repair is really an unfortunate term for this functionality, because like when you repair a car, it works again! That may not be the case after ESE's repair. The command should've been called salvage. The command basically throws out any data that ESE doesn't understand due to physical or ESE logical corruptions in your database, basically salvaging what's left.

The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive.

Repair is dangerous. I always try to steer people away from repair. If though somehow the database has been corrupted, there is irreplaceable data it can really save you. If the database is in perfect order, both physically (eseutil /k checks this) and ESE logically (eseutil /g checks that), then in theory repair is safe. But that idea gives me the hee-bee-jee-bees. It is possible for a disk to return valid data on one read, and invalid data on a 2nd read, so it could never be perfectly safe. Did I mention I try to steer people away from repair.

2.a. Aside: NEVER run repair on an AD database.

Off the subject of this mail, but it bears repeating. As you may or may not know, the ESE database engine is used in both Windows for Active Directory's database/ntds.dit and in Exchange for mailbox stores. In the Windows version of the ESE database engine, eseutil.exe is called esentutl.exe. Even though these binaries are similar, and based off similar sources, the versions are different, and compiled with the
Esentutl.exe and eseutil.exe are
Never run repair on an AD database. In fact in Win2k3 SP1, we disabled that functionality in esentutl.exe for AD databases.

Ok, we're really offtopic for the thread, moving back to ...

3. Defrag (how it works) ...

I'd like to go over very approximately the steps that ESE (offline) defrag goes through, because it will make some of the comments in the next point more poignantly clear. Defrag works like this:

Step 1 - Open the source database.

ESE opens for reading the source or target database, that you've specified as the first non-flag argument after the /d sub-command. i.e. mydb.edb above.

Step 2 - Create a destination database with a temporary name.

By default the destination or temporary DB, is created in the same directory as the source database.

Step 3 - Move the data table by table to the destination database.

Enumerate over each table in the source database, and move each row of data to the destination database. This is why I call them source and destination. However, usually, eseutil and docs call the destination the temp. database. You'll see why in step 4. And indices are recreated in the process too of course.

Step 4 - Move the destination database to the source database.

ESE moves the destination/temp database name, to the source database name. This is the step that specifying /p
RE: [ActiveDir] AD attribute
Return Receipt

Your document: RE: [ActiveDir] AD attribute
was received by: Chris Ryan/MIS/CORP/KrogerCo
at: 08/19/2005 13:41:55
Re: [ActiveDir] AD attribute
Oh, yeah, is there a way to do this without altering the Schema? Like using an existing attrib? I don't have access to the Schema master (loong story) or anything in the root domain. And never will.

On 8/19/05, Tom Kern [EMAIL PROTECTED] wrote:
> I'm running win2k in native mode. how would I do this in win2k AD?
> Thanks
>
> On 8/19/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote:
> > This is a step by step to add the attribute and extend the display specifier to allow it to be modified.
> > http://www.informit.com/articles/article.asp?p=169630rl=1
> > Hope this helps - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
RE: [ActiveDir] OT: AD MMC Snap ins
Pardon me - you're absolutely correct. I, in my haste this morning, failed to note the WINDOWS SERVER 2003 SP1. Yes, they are installed and registered by default, but are only added to menus created for the appropriate application or in the Administrative tools.

As mentioned, I do view this as some degree of risk, but much less now that I see that it's on Server. One, servers should have tight Interactive and physical controls (i.e. no console access or TS access, except to your most trusted). Two, no one should be able to install server in your environment without your knowledge or control without fear of serious, immediate and dismiss-able consequences.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 8:18 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: AD MMC Snap ins

I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are just not visible under admin tools, but are available as mmc snapins, even without the adminpak installed.

Mark

-----Original Message-----
From: Rick Kingslan [EMAIL PROTECTED]
Date: Fri, 19 Aug 2005 07:26:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: AD MMC Snap ins

If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? I'm unclear as to exactly what you're asking.

And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD MMC Snap ins

Dear All,

On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected, should the AD Admin tools be listed and registered (such as DSA.MSC)?

I have had this on a test machine tonight and for me it's potentially a security issue.

Many thanks

Mark
Re: [ActiveDir] AD attribute
I'm running win2k in native mode. how would I do this in win2k AD?

Thanks

On 8/19/05, Marc A. Mapplebeck [EMAIL PROTECTED] wrote:
> This is a step by step to add the attribute and extend the display specifier to allow it to be modified.
> http://www.informit.com/articles/article.asp?p=169630rl=1
> Hope this helps - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
Re: [ActiveDir] AD attribute
how 'bout the Employee-Number? or does that need to be linked via schema master?

Thanks again

On 8/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Return Receipt
>
> Your document: RE: [ActiveDir] AD attribute
> was received by: Ricardo Konno/SCI
> at: 19/08/2005 14:29:12
RE: [ActiveDir] AD attribute
In addition to the information provided below, you can refer to those articles (if you have access ...):

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21839
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=22540
http://www.winnetmag.com/Article/ArticleID/41666/41666.html

/Alain
Complete list of articles at http://www.lissware.net

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, August 19, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD attribute

This is a step by step to add the attribute and extend the display specifier to allow it to be modified.

http://www.informit.com/articles/article.asp?p=169630rl=1

Hope this helps - Marc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib (hidden from users, of course). How would I go about doing this?

Thanks
RE: [ActiveDir] User SIDs...
If you want to split hairs the largest token a user can have may only contain 1024 SIDs, that is if they want to logon. This is a hard coded limitation and we actually publish 1015 since there are built-in groups that get added to every user token. This is documented here: http://support.microsoft.com/default.aspx?scid=kb;en-us;328889.

That being said that does not mean that the authorization protocols or applications leveraging those protocols can/will work with tokens that large. For example IIS has limits on the amount of data that is exchanged in a get request etc... So even though the underlying OS can build a token with 1024 SIDs in it does not mean everything is going to work. This limit of 1024 SIDs has been in the product for some time, at least since NT 4.0 and likely earlier. What has changed over time is the way the different authentication providers and applications handle this as referenced in the various Emails below.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o)

So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is.

And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID?

TIA,
Brad
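The size question Brad and Rick raise above has a closed-form answer, worked here as an added example that is not code from the thread. A SID in binary form is an 8-byte header (1-byte revision, 1-byte sub-authority count, 6-byte identifier authority) followed by 4 bytes per sub-authority; Windows allows at most 15 sub-authorities, which gives the 68-byte maximum Rick alludes to. The block converts between the `S-1-5-...` string form and the binary form, returns the byte length, and applies the two limits in the thread (Steve's 1015-SID token limit and, as the rough budget Rick describes, the 12000-byte figure) to a list of SIDs. The function names and sample SIDs are this example's own assumptions; real Kerberos PACs pack domain-local memberships more compactly than one full SID each, so the byte total is an upper-bound estimate, not the PAC size.

```python
"""Compute the binary size of a SID and apply the token limits from the thread.

Added example, not from the thread. Sample SIDs are constructed.
"""
import struct

SID_MAX_SUB_AUTHORITIES = 15
SECURITY_MAX_SID_SIZE = 8 + 4 * SID_MAX_SUB_AUTHORITIES   # 68 bytes


def parse_sid(text):
    """Split 'S-1-5-21-...' into (revision, identifier authority, sub-authorities)."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("only SID revision 1 exists")
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"{len(subs)} sub-authorities; maximum is {SID_MAX_SUB_AUTHORITIES}")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("sub-authorities are 32-bit unsigned values")
    return revision, authority, subs


def sid_length(text):
    """Byte length of the SID in its binary form."""
    return 8 + 4 * len(parse_sid(text)[2])


def sid_to_bytes(text):
    """Binary SID: revision, count, 48-bit big-endian authority, LE sub-authorities."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes, with the length checked against the count byte."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def token_budget(sids, sid_limit=1015, max_token_size=12000):
    """Count the SIDs and their summed binary size against the thread's limits."""
    count = len(sids)
    total = sum(sid_length(s) for s in sids)
    return {"sid_count": count, "sid_bytes": total,
            "over_sid_limit": count > sid_limit,
            "over_token_size": total > max_token_size}


if __name__ == "__main__":
    # Constructed domain SID plus RID; a typical account SID is 28 bytes.
    user = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(sid_length(user), sid_to_bytes(user).hex())
    print("largest SID:", SECURITY_MAX_SID_SIZE, "bytes")
    groups = ["S-1-5-21-3623811015-3361044348-30300820-%d" % rid for rid in range(1100, 1300)]
    print(token_budget([user] + groups))
```

Run against a user's actual group SIDs (for example the output of whoami /groups), `token_budget` tells you how close the account is to the hard 1015-SID limit and gives a worst-case byte figure to compare with MaxTokenSize.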
Re: [ActiveDir] w2k sp4 Kerberos changes?
Steve Linehan wrote: Unfortunately additional logging for the KDC in Windows 2000 is thin. This was added in Windows Server 2003 but we are not there. I really believe that we are not getting to the Windows 2000 KDC anyway, i.e. the client is handed back the referral and then failing to resolve the name. In the referral I assume it is just passing back the generic FQDN for the Windows 2000 domain and the client is querying for that A record and getting back a list of all DCs in that domain. Can you use nslookup to get a list of DCs and then ensure that they are all reachable from the client's perspective? This is assuming that you are getting the same error as before.

Same error but some new information. It turns out that one of the other domain admins rebooted one of the root DCs (in WIN) around 7:00am. The scheduled updates from the MIT side worked for a period of time. Once they started failing we rebooted that same DC and updates started working again. I didn't mention that we have an empty root (WIN) with the users and computers in a child domain (FERMI). The MIT realm trust is to WIN. I also just found out that a Fermi DC was patched and booted before a Win DC was up (another UNIX/AD application that had to be up ASAP) so we're thinking the trust isn't stable. We're rebooting the other root DC and then we're going to reboot the child DCs that the Unix app talks to and see what happens. al

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Friday, August 19, 2005 11:01 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] w2k sp4 Kerberos changes? Steve Linehan wrote: A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.
I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with. A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD. Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it. al

Thanks, -Steve

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Friday, August 19, 2005 10:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] w2k sp4 Kerberos changes? Al Lilianstrom wrote: Thanks for all the advice. Checked our SRV records and they returned all the DCs. It was resolvable from our MIT/Unix systems. The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything. And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help. Any other ideas? al

Steve Linehan wrote: I should clarify that I would not expect the MIT KDCs to be using the SRV records, however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies. Thanks, -Steve

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Thursday, August 18, 2005 10:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] w2k sp4 Kerberos changes? Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
Thanks, -Steve

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Thursday, August 18, 2005 10:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] w2k sp4 Kerberos changes? I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure? Thanks, -Steve

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Thursday, August 18, 2005 10:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] w2k sp4 Kerberos changes? Hi, We applied SP4 to our w2k based AD this morning. It was a tad hurried as one of the MS05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we
RE: [ActiveDir] User SIDs...
A SID of 68 bytes would have 15 RIDs, which is as far as I can tell the highest number of RIDs a SID can hold. There is only 1 byte reserved in the first 8 bytes of the SID structure to store the number of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you). Where do these giant SIDs come from? Most AD SIDs I've seen are 24 or 28 bytes (4 or 5 RIDs respectively). Joe K.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 19, 2005 12:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as Al mentions, this can be increased but I don't know what the max supported size is. And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my fingertips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID??? TIA, Brad
RE: [ActiveDir] export to csv
Yes.

adfind -default -f displayname=Username cn streetaddress st co -noctl -nodn -nolabel > outputfile.txt (or .csv)

You may have to play with the order in the output file to get what you want. ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 19, 2005 11:42 AM To: activedirectory Subject: [ActiveDir] export to csv What's the best utility to export only user objects and attribs like st, streetAddress, c, email addy, etc. Just the human stuff a manager would be interested in? Could adfind do this? thanks
RE: [ActiveDir] export to csv
Unless I'm misunderstanding your question, this should be very similar to what you used to export computer information with csvde, just using a different LDAP filter to grab the info you're looking for this time 'round. Adfind or dsquery should also fit the bill here as well. - Laura

RE: [ActiveDir] csvde syntax Rick Kingslan Thu, 11 Aug 2005 12:21:02 -0700 Just put the LDAP filter into an appropriate batch or VBscript file to accomplish http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 1:18 PM To: activedirectory Subject: [ActiveDir] csvde syntax What's the LDAP filter to use with csvde to just export all computer objects in a domain to a file? thanks

Original Message Subject: [ActiveDir] export to csv Date: Fri, 19 Aug 2005 14:41:58 -0400 From: Tom Kern [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: activedirectory ActiveDir@mail.activedir.org What's the best utility to export only user objects and attribs like st, streetAddress, c, email addy, etc. Just the human stuff a manager would be interested in? Could adfind do this? thanks
[ActiveDir] Exchange public folders(OT)
I had someone delete a PF in Exchange from Outlook which had child folders. We have deleted item retention on the PF store but when he restored the folder, only some of the child folders came back. Is this normal? Also, where does Exchange actually keep deleted items and is there a way to view it? I'm running Exchange 2k. thanks
RE: [ActiveDir] User SIDs...
Sorry, I have just been lurking occasionally lately, I am quite busy with the book and some stupid things with Exchange I am looking into at work in how failovers are detected and reported and the fact that the ESM and WMI don't seem to do a very good job reporting what is happening but the event log seems to have good info.

Anyway this post caught my attention. I was shocked to see JoeK saying a SID could have 15 RIDs. Knowing JoeK I was like, where is that coming from? So I looked up the docs in MSDN as I haven't peeked in a while and they do in fact say "a variable number of subauthority or relative identifier (RID) values". This is, in my opinion, extremely misleading and could cause confusion as people try to figure out how the RIDs get stacked up to produce a SID. Also, IMO, the subauthorities are generally NOT RIDs, at least not in the common use of the word RID by Windows Admins. Note this isn't an attack on JoeK's explanation, I am just pointing out what I consider to be some confusing if not hokey MS documentation here and bad use of well known terms.

A RID is a 32 bit value, issued by a given authority to indicate a unique object in the realm of authority the authority is, well, authoritative for. :o) When I think RID, I think the values that a computer or domain generate to attach to the SID that the computer or domain has for itself which it, in turn, assumes as unique. When you take a domain or computer SID made of the revision (1), the identifier (5), the first DWORD subauthority (21), and the remaining computer or domain subauthorities (usually 3 for a total of 96 bits or 3 DWORDS) there is NOTHING guaranteeing that SID is unique anywhere, it is a complete and utter prayer. There isn't an authority of S-1-5-21 that issues a unique RID used for the next subauthority which in turn issues the next, etc. You simply have 3 randomly generated subauthorities that are tacked onto S-1-5-21 [1].

That SID is in turn a real authority and generates real RIDs that are combined with the SID and assigned to specific objects making that SID a unique identifier within the realm of that authority but not necessarily unique anywhere else. In other words, it is absolutely possible to have duplicate SIDs in different realms. Consider the case of ghosted machines for instance. In that case, you are guaranteed to have duplicated SIDs across multiple realms representing different objects unless you have changed the machines' SIDs.

So anyway, a version 1 SID could contain 15 DWORD subauthorities maximum (or 14 SubAuthorities and a RID). This would make your maximum SID size 15*32 + 4*16 or 480+64=544 bits (68 bytes) [2]. The standard SID (i.e. not well known principals) that you usually see that is assigned to a user or group, etc contains 4 subauthorities, 21-xx-yyy-zzz and a RID (or 5 subauthorities). For a total size of 5*32+4*16 = 160+64=224 bits (28 bytes) [3].

If the idea of the SID had taken off and others outside of MS started issuing SIDs from specific authorities and the subauthorities issued their own SIDs etc etc etc then I would swallow the whole subauthorities as RIDs explanation but that hasn't occurred. MS instead has jumped off the SID bandwagon and gone to the GUID which is a fixed length value that is also not guaranteed to be unique but is far easier to deal with being a fixed size. Personally, it may have been more logical to go to the OID type space and run with that. It is like the SID but you have multiple issuing authorities and companies could further subdivide its issue value internally and specify its own subauthorities, etc etc... :o)

So anyway, all of this to say that when discussing SIDs of normal objects we should think of them as a revision, an identifier authority, a variable number of random subauthorities, and a RID. :o) joe

[1] Which BTW, has a constant name of SECURITY_NT_NON_UNIQUE...

[2] Which explains the reason why someone had an issue creating a SID of 68 bytes. The structure is capped at 68 bytes due to the definitions of the size of the subauthorities and how many subauthorities can reside in a SID structure. Even if someone were successful at creating the SID, it would be considered invalid at best and at worst, it would be truncated down to the size specified by the subauthority count field. If I heard someone was trying to create a SID greater than 68 bytes I would ask... Why?

[3] Note that ADAM SIDs seem to jump around considerably. I haven't had a chance to sit down and discern the patterns, if any exist, yet. The builtin groups such as administrators/users/readers all have two subauthorities that seem to be randomly generated and the normal users created seem to have 3 additional randomly generated subauthorities and a seemingly randomly generated RID instead of an incrementing RID. This would seem to be a trifle dangerous in a multi-host ADAM instance. I need to play with it. It could be another one of those cases of it
RE: [ActiveDir] export to csv
After you export to a file, then you can use adcsv.pl (also in the zip) to convert the file to a delimited single-liner-per-object file. Version 2.0.0, if I ever get to work on it, will have native delimited output capability. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Friday, August 19, 2005 3:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] export to csv Yes.

adfind -default -f displayname=Username cn streetaddress st co -noctl -nodn -nolabel > outputfile.txt (or .csv)

You may have to play with the order in the output file to get what you want. ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 19, 2005 11:42 AM To: activedirectory Subject: [ActiveDir] export to csv What's the best utility to export only user objects and attribs like st, streetAddress, c, email addy, etc. Just the human stuff a manager would be interested in? Could adfind do this? thanks
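The adfind-then-adcsv.pl step joe describes (and the csvde/ldifde route Laura mentions) is, in the end, a conversion from a multi-line-per-attribute record format into one CSV line per object. Here is that conversion as an added example in Python; it is not code from the thread, from adfind, adcsv.pl or any Microsoft tool. It reads the LDIF layout that ldifde writes (the records, names and addresses below are constructed for the example, and the filter for user objects is assumed to have been applied server-side with something like ldifde -r "(&(objectCategory=person)(objectClass=user))"). The one thing a practitioner should add before handing such a file to a manager who opens it in Excel is also shown: under the default AD ACLs a user can write attributes in the Personal Information property set (streetAddress, st and friends) on their own object, so a cell like =HYPERLINK(...) is attacker-controlled and is neutralised with the usual apostrophe prefix.

```python
# Added example (not from the original thread): turn an LDIF export of user
# objects into a one-line-per-object CSV of the "human" attributes, with
# spreadsheet formula injection neutralised. SAMPLE_LDIF is constructed.
import base64
import csv
import io

SAMPLE_LDIF = """\
dn: CN=Tom Kern,OU=Users,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: Tom Kern
sAMAccountName: tkern
streetAddress: 1 Main Street
st: NY
c: US
mail: tkern@example.com

dn: CN=Ann Example,OU=Users,DC=example,DC=com
changetype: add
objectClass: user
cn: Ann Example
sAMAccountName: aexample
streetAddress: =HYPERLINK("http://attacker.example/x","click")
st:: UXXDqWJlYw==
c: CA
mail: aexample@example.com
mail: ann@example.com
"""

EXPORT_ATTRIBUTES = ["cn", "sAMAccountName", "streetAddress", "st", "c", "mail"]

# Leading characters that make Excel/Calc evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def parse_ldif(text):
    """Parse the LDIF subset ldifde writes for search results: records
    separated by blank lines, 'attr: value', 'attr:: base64', '#' comment
    lines, continuation lines starting with one space. Attribute names are
    folded to lower case (LDAP names are case-insensitive); each attribute
    maps to a list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):           # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        records.append(current)
    return records


def neutralise_cell(value):
    """Prefix a cell with an apostrophe if a spreadsheet would evaluate it.
    Personal Information attributes are writable by the user on their own
    object by default, so they are untrusted input for whoever opens the CSV."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def ldif_to_csv(text, attributes=EXPORT_ATTRIBUTES):
    """One CSV row per LDIF record in the requested attribute order;
    multi-valued attributes are joined with '; '."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(attributes)
    for record in parse_ldif(text):
        writer.writerow(
            [neutralise_cell("; ".join(record.get(a.lower(), []))) for a in attributes]
        )
    return out.getvalue()


if __name__ == "__main__":
    print(ldif_to_csv(SAMPLE_LDIF))
```

The apostrophe stays visible in the spreadsheet; that is the accepted trade-off, since stripping the leading character instead would silently alter legitimate values such as phone numbers beginning with "+".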
[ActiveDir] Database Corruption
Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I'm concerned that this may happen again and wasn't able to find anything specific to the error below. Besides calling PSS, anything else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS. TIA -alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description: NTDS (528) NTDSA: The database page read from the file C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
RE: [ActiveDir] Database Corruption
My preferred approach would be to demote the box to member server and re-promote to a domain controller to ensure a good fresh copy of the DIT. YMMV as the specific requirements at your location may prevent this. We have only run into this once early in our AD days and this was the approach we used with good success. Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Friday, August 19, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Database Corruption Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I'm concerned that this may happen again and wasn't able to find anything specific to the error below. Besides calling PSS, anything else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS. TIA -alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description: NTDS (528) NTDSA: The database page read from the file "C:\WINNT\NTDS\ntds.dit" at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
RE: [ActiveDir] Database Corruption
Well, the first thing I always recommend is to try an offline defrag as it is possible that the corruption is in an index, i.e. metadata, that can be rebuilt. If the offline defrag fails then restoring from backup or repromoting will be your next step. Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Friday, August 19, 2005 6:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Database Corruption My preferred approach would be to demote the box to member server and re-promote to a domain controller to ensure a good fresh copy of the DIT. YMMV as the specific requirements at your location may prevent this. We have only run into this once early in our AD days and this was the approach we used with good success. Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana Sent: Friday, August 19, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Database Corruption Started getting the error below a few weeks ago on one of our DCs. My first reaction is to run a non-auth restore from a day before this started happening and let replication take care of everything else. Any reason NOT to do this? I'm concerned that this may happen again and wasn't able to find anything specific to the error below. Besides calling PSS, anything else I should look into before restoring? This box holds all FSMO roles, Win2k3, server for NIS. TIA -alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description: NTDS (528) NTDSA: The database page read from the file C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for 8192 (0x2000) bytes failed verification due to a page number mismatch. The expected page number was 81184 (0x00013d20) and the actual page number was 2349964126 (0x8c119b5e). The read operation will fail with error -1018 (0xfc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
RE: [ActiveDir] OT: AD MMC Snap ins
It comes as part of a server load. Any 2K/2K3 server will have it. Adminpak is for client OS. All you can do is ACL the msc files with a file system policy. Taking away ADUC rights is not going to stop anyone determined to see what they want. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 8:18 AM To: ActiveDir.org Subject: Re: [ActiveDir] OT: AD MMC Snap ins I have checked at work today, systems that have never seen the admin pak have the mmc snapins installed. Vanilla 2003, this is the case too. They are just not visible under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark

-Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools, say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? I'm unclear as to exactly what you're asking. And, yes, I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, no AD tools appear in the Administrative Tools on the Start Menu or in the Control Panel. If a new MMC is run from the command line and Add\Remove snap-in is selected, should the AD admin tools be listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me it's potentially a security issue. Many thanks Mark
RE: [ActiveDir] OT:Exchange 2003 SP1 bloat
No longer confused and much more informed. Thanks to everyone.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, August 19, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat Both are valid, but one is destructive (repair) as in "2. Repair (/p) is destructive." and "The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive." Better? Or did I confuse it worse?

From: [EMAIL PROTECTED] on behalf of Douglas M. Long Sent: Fri 8/19/2005 12:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat This is probably just me not comprehending this, but when you said "The confusion is that, there is also a /p option that can be provided to defrag, like so:" did you mean the confusion is that they are both** valid, or that one is valid and one is not? ** eseutil /p mydb.edb and eseutil /d mydb.edb /p

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Thursday, August 18, 2005 10:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat I am actually a programmer for ESE (you know the database under Exchange, once known as JET Blue ... ) ... yes, it may come as a shock to some of you that building 7 garage door operator is not my only job duty at msft ... Anyway, I'd like to clear up some confusion and misstatements ...

1. The /p switch ... There was some confusion on the /p switch ... There are two different operations being discussed below that one can perform on an ESE database. One is called defrag and the other repair. It is CRITICAL everyone understand the difference between the two, because one is dangerous and destructive under certain circumstances.

Defrag: eseutil /d mydb.edb
Repair: eseutil /p mydb.edb

The confusion is that there is also a /p option that can be provided to defrag, like so:

Defrag (w/o instate): eseutil /d mydb.edb /p

The original mail understood this, but some subsequent mails got it mixed up, just wanted to make it explicit. I loathe ESEUtil's command syntax, BTW. :P Subcommands should always be full words, like repadmin. ;)

2. Repair (/p) is destructive. Repair is really an unfortunate term for this functionality, because like when you repair a car, it works again! That may not be the case after ESE's repair. The command should've been called salvage. The command basically throws out any data that ESE doesn't understand due to physical or ESE logical corruptions in your database, basically salvaging what's left. The defrag w/o instate (eseutil /d mydb.edb /p) is NOT destructive. Repair is dangerous. I always try to steer people away from repair. If though somehow the database has been corrupted, there is irreplaceable data it can really save you. If the database is in perfect order, both physically (eseutil /k checks this) and ESE logically (eseutil /g checks that), then in theory repair is safe. But that idea gives me the heebie-jeebies. It is possible for a disk to return valid data on one read, and invalid data on a 2nd read, so it could never be perfectly safe. Did I mention I try to steer people away from repair.

2.a. Aside: NEVER run repair on an AD database. Off the subject of this mail, but it bears repeating. As you may or may not know, the ESE database engine is used in both Windows for Active Directory's database/ntds.dit and in Exchange for mailbox stores. In the Windows version of the ESE database engine, eseutil.exe is called esentutl.exe. Even though these binaries are similar, and based off similar sources, the versions are different, and compiled with the Esentutl.exe and eseutil.exe are Never run repair on an AD database. In fact in Win2k3 SP1, we disabled that functionality in esentutl.exe for AD databases. Ok, we're really off topic for the thread, moving back to ...

3. Defrag (how it works) ... I'd like to go over very approximately the steps that ESE (offline) defrag goes through, because it will make some of the comments in the next point more poignantly clear. Defrag works like this:

Step 1 - Open the source database. ESE opens for reading the source or target database, that you've specified as the first non-flag argument after the /d sub-command, i.e. mydb.edb above.

Step 2 - Create a destination database with a temporary name. By default the destination or temporary DB is created in the same directory as the source database.

Step 3 - Move the data table by table to the destination database. Enumerate over each table in the source database, and move each row of data to the destination database. This is why I call them source and destination. However, usually, eseutil and docs call the destination the temp. database. You'll see why in step 4. And indices are recreated
RE: [ActiveDir] User SIDs...
:o) Right, Joe! They don't come from us, as far as I can tell. If you look at the function AllocateAndInitializeSid(), it is hard-coded to 8 sub-authorities. However, the customer in question from the 68 bytes max defined his own function with base level calls and worked around the 8 sub-auths by defining a variable that would accept however many he wanted to input. Bottom line: WE might give you the instructions on how to blow your foot off, but generally you are expected to supply your own ammo and finger to pull the trigger. :o) Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, August 19, 2005 1:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... A SID of 68 bytes would have 15 RIDs, which is as far as I can tell the highest number of RIDs a SID can hold. There is only 1 byte reserved in the first 8 bytes of the SID structure to store the number of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you). Where do these giant SIDs come from? Most AD SIDs I've seen are 24 or 28 bytes (4 or 5 RIDs respectively). Joe K.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 19, 2005 12:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as Al mentions, this can be increased but I don't know what the max supported size is. And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my fingertips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID??? TIA, Brad
RE: [ActiveDir] User SIDs...
LOL! The great irony of this message is that Dean emailed me offline to ask me something about it too and I lamented that I had probably under-engineered my response, but I had assumed that you would come along to clean up my mess. :) I also claim lack of time due to book writing responsibilities and such.

However, aside from my smearing of the distinction between a sub authority and a RID, I believe I was correct from a binary standpoint. The winnt.h structure definition actually doesn't make a distinction between a sub authority and a RID, so I always thought the terms could be used interchangeably. Given that the sub authorities and the RID are both DWORDs that are treated as integers when converted to the SDDL representation, it is a pretty natural mistake to make. I'm still wondering what situation would call for a SID with more than 15 sub authorities (or 14 + 1 RID, however you want to slice it).

Thanks,
Joe K.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 19, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Sorry, I have just been lurking occasionally lately, I am quite busy with the book and some stupid things with Exchange I am looking into at work in how failovers are detected and reported and the fact that the ESM and WMI don't seem to do a very good job reporting what is happening but the event log seems to have good info.

Anyway this post caught my attention. I was shocked to see JoeK saying a SID could have 15 RIDs. Knowing JoeK I was like, where is that coming from? So I looked up the docs in MSDN as I haven't peeked in a while and they do in fact say a variable number of subauthority or relative identifier (RID) values. This is, in my opinion, extremely misleading and could cause confusion as people try to figure out how the RIDs get stacked up to produce a SID.

Also, IMO, the subauthorities are generally NOT RIDs, at least not in the common use of the word RID by Windows Admins. Note this isn't an attack on JoeK's explanation, I am just pointing out what I consider to be some confusing if not hokey MS documentation here and bad use of well known terms. A RID is a 32 bit value, issued by a given authority to indicate a unique object in the realm of authority the authority is well, authoritative for. :o)

When I think RID, I think the values that a computer or domain generate to attach to the SID that the computer or domain has for itself which it, in turn, assumes as unique. When you take a domain or computer SID made of the revision (1), the identifier (5), the first DWORD subauthority (21), and the remaining computer or domain subauthorities (usually 3 for a total of 96 bits or 3 DWORDS) there is NOTHING guaranteeing that SID is unique anywhere, it is a complete and utter prayer. There isn't an authority of S-1-5-21 that issues a unique RID used for the next subauthority which in turn issues the next, etc. You simply have 3 randomly generated subauthorities that are tacked onto S-1-5-21 [1]. That SID is in turn a real authority and generates real RIDs that are combined with the SID and assigned to specific objects making that SID a unique identifier within the realm of that authority but not necessarily unique anywhere else. In other words, it is absolutely possible to have duplicate SIDs in different realms. Consider the case of ghosted machines for instance. In that case, you are guaranteed to have duplicated SIDs across multiple realms representing different objects unless you have changed the machines' SIDs.

So anyway, a version 1 SID could contain 15 DWORD subauthorities maximum (or 14 SubAuthorities and a RID). This would make your maximum SID size 15*32 + 4*16 or 480+64=544 bits (68 bytes) [2]. The standard SID (i.e. not well known principals) that you usually see that is assigned to a user or group, etc contains 4 subauthorities, 21-xx-yyy-zzz and a RID (or 5 subauthorities). For a total size of 5*32+4*16 = 160+64=224 bits (28 bytes) [3].

If the idea of the SID had taken off and others outside of MS started issuing SIDs from specific authorities and the subauthorities issued their own SIDs etc etc etc then I would swallow the whole subauthorities as RIDs explanation but that hasn't occurred. MS instead has jumped off the SID bandwagon and gone to the GUID which is a fixed length value that is also not guaranteed to be unique but is far easier to deal with being a fixed size. Personally, it may have been more logical to go to the OID type space and run with that. It is like the SID but you have multiple issuing authorities and companies could further subdivide its issue value internally and specify its own subauthorities, etc etc... :o)

So anyway, all of this to say that when discussing SIDs of normal objects we should think of them as a revision, an identifier authority, a variable number of random subauthorities, and a RID. :o)
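Brad's question about measuring the actual length of a SID and joe's size arithmetic above, worked through as an added example that is not from any of the posters: a C parser for the S-1-5-21-... (SDDL) form that mirrors the winnt.h layout, enforces the 15-sub-authority cap, and reports the binary byte length. All function and type names in it are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Revision-1 SID layout as in winnt.h: 1 revision byte, 1 sub-authority count
 * byte, a 6-byte identifier authority, then at most 15 DWORD sub-authorities,
 * so 8 + 15*4 = 68 bytes is the largest SID the structure can hold. */
#define SID_MAX_SUB_AUTHORITIES 15

typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];   /* 48-bit value, big-endian */
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Read one unsigned decimal field; rejects a sign, whitespace or an empty field. */
static int read_field(const char **p, unsigned long long max, unsigned long long *out)
{
    char *end;
    if (**p < '0' || **p > '9') return -1;
    *out = strtoull(*p, &end, 10);
    *p = end;
    return *out > max ? -1 : 0;
}

/* Parse SDDL text such as "S-1-5-21-x-y-z-1000" into the binary layout (decimal
 * fields only; the hex "0x.." form of large identifier authorities is not handled).
 * Returns 0 on success, -1 for malformed input or more than 15 sub-authorities. */
int parse_sddl_sid(const char *text, sid_t *sid)
{
    unsigned long long v;
    const char *p = text;
    memset(sid, 0, sizeof *sid);
    if (strncmp(p, "S-", 2) != 0) return -1;
    p += 2;
    if (read_field(&p, 255, &v) || v != 1 || *p++ != '-') return -1;    /* revision */
    sid->revision = (uint8_t)v;
    if (read_field(&p, 0xFFFFFFFFFFFFULL, &v)) return -1;               /* authority */
    for (int i = 5; i >= 0; i--, v >>= 8) sid->identifier_authority[i] = (uint8_t)(v & 0xFF);
    while (*p == '-') {                                                  /* sub-authorities */
        if (sid->sub_authority_count == SID_MAX_SUB_AUTHORITIES) return -1;
        p++;
        if (read_field(&p, 0xFFFFFFFFULL, &v)) return -1;
        sid->sub_authority[sid->sub_authority_count++] = (uint32_t)v;
    }
    return *p == '\0' ? 0 : -1;
}

/* Byte length of the binary SID (8 + 4 per sub-authority), or -1 if invalid. */
int sddl_sid_length(const char *text)
{
    sid_t sid;
    return parse_sddl_sid(text, &sid) ? -1 : 8 + 4 * sid.sub_authority_count;
}
```

A normal account SID (S-1-5-21 plus three domain sub-authorities and a RID) comes out at 28 bytes, and the 15-sub-authority maximum at 68, matching the figures in the thread.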
RE: [ActiveDir] User SIDs...
joe: If I heard someone was trying to create a SID greater than 68 bytes I would ask... Why?

[RTK] No worries, as it fails, so it doesn't matter. However, over 8 is not really supported - it's a hack, nothing more. In all honesty, I'm surprised that you're not less surprised at JoeK coming up with what he did (accurate, but a different way of looking at it) but more absolutely astonished that I'D come up with what *I* did... :oD

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 19, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Sorry, I have just been lurking occasionally lately, I am quite busy with the book and some stupid things with Exchange I am looking into at work in how failovers are detected and reported and the fact that the ESM and WMI don't seem to do a very good job reporting what is happening but the event log seems to have good info.

Anyway this post caught my attention. I was shocked to see JoeK saying a SID could have 15 RIDs. Knowing JoeK I was like, where is that coming from? So I looked up the docs in MSDN as I haven't peeked in a while and they do in fact say a variable number of subauthority or relative identifier (RID) values. This is, in my opinion, extremely misleading and could cause confusion as people try to figure out how the RIDs get stacked up to produce a SID.

Also, IMO, the subauthorities are generally NOT RIDs, at least not in the common use of the word RID by Windows Admins. Note this isn't an attack on JoeK's explanation, I am just pointing out what I consider to be some confusing if not hokey MS documentation here and bad use of well known terms. A RID is a 32 bit value, issued by a given authority to indicate a unique object in the realm of authority the authority is well, authoritative for. :o)

When I think RID, I think the values that a computer or domain generate to attach to the SID that the computer or domain has for itself which it, in turn, assumes as unique. When you take a domain or computer SID made of the revision (1), the identifier (5), the first DWORD subauthority (21), and the remaining computer or domain subauthorities (usually 3 for a total of 96 bits or 3 DWORDS) there is NOTHING guaranteeing that SID is unique anywhere, it is a complete and utter prayer. There isn't an authority of S-1-5-21 that issues a unique RID used for the next subauthority which in turn issues the next, etc. You simply have 3 randomly generated subauthorities that are tacked onto S-1-5-21 [1]. That SID is in turn a real authority and generates real RIDs that are combined with the SID and assigned to specific objects making that SID a unique identifier within the realm of that authority but not necessarily unique anywhere else. In other words, it is absolutely possible to have duplicate SIDs in different realms. Consider the case of ghosted machines for instance. In that case, you are guaranteed to have duplicated SIDs across multiple realms representing different objects unless you have changed the machines' SIDs.

So anyway, a version 1 SID could contain 15 DWORD subauthorities maximum (or 14 SubAuthorities and a RID). This would make your maximum SID size 15*32 + 4*16 or 480+64=544 bits (68 bytes) [2]. The standard SID (i.e. not well known principals) that you usually see that is assigned to a user or group, etc contains 4 subauthorities, 21-xx-yyy-zzz and a RID (or 5 subauthorities). For a total size of 5*32+4*16 = 160+64=224 bits (28 bytes) [3].

If the idea of the SID had taken off and others outside of MS started issuing SIDs from specific authorities and the subauthorities issued their own SIDs etc etc etc then I would swallow the whole subauthorities as RIDs explanation but that hasn't occurred. MS instead has jumped off the SID bandwagon and gone to the GUID which is a fixed length value that is also not guaranteed to be unique but is far easier to deal with being a fixed size. Personally, it may have been more logical to go to the OID type space and run with that. It is like the SID but you have multiple issuing authorities and companies could further subdivide its issue value internally and specify its own subauthorities, etc etc... :o)

So anyway, all of this to say that when discussing SIDs of normal objects we should think of them as a revision, an identifier authority, a variable number of random subauthorities, and a RID. :o)

joe

[1] Which BTW, has a constant name of SECURITY_NT_NON_UNIQUE...

[2] Which explains the reason why someone had an issue creating a SID of 68 bytes. The structure is capped at 68 bytes due to the definitions of the size of the subauthorities and how many subauthorities can reside in a SID structure. Even if someone were successful at creating the SID, it would be considered invalid at best and at worst, it would be truncated down to the size specified by the subauthority count
[ActiveDir] Kinda OT: Advice welcomed
Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

What do you do?
RE: [ActiveDir] Kinda OT: Advice welcomed
You make your disagreement known to the CIO in a corporately-acceptable way - and move on. Chalk it down as one of the things numerous IT personnel encounter on a very regular basis every day. Don't take it personally, is what I tell myself.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Fri 8/19/2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

What do you do?
RE: [ActiveDir] Kinda OT: Advice welcomed
Send your manager an email, memo (whatever your company does) saying that you think this is a poor decision and why. That's about all you can do. Your CxO is the top of the pecking order and I have no idea what the politics are like at your office with regard to arguing with the brass. It's not your fault and don't take it in a bad way personally.

This sort of thing has been explained to me in the past like this: It's not your donkey, so it's not your job to tie it where you want. Tie it up where the donkey's owner thinks it should be tied. Just make sure you let the guy above you know it wasn't your decision to tie the donkey there. That way when the donkey gets killed, you've got some insurance for yourself.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 19, 2005 10:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kinda OT: Advice welcomed

Here's a question for everyone:

Your CIO decides it is cheaper to host an application remotely at a site that you know nothing about (and for that reason do not trust). He then decides on his own that he will just tell the network guy to open port 389 to one of your production DCs without consulting, or even mentioning it to you or anyone else that may have something to say about the security risks. Then he asks you to create a test user account for a junior admin to test with, and gives the remote site the username and password.

What do you do?