RE: [ActiveDir] Active Directory wish list
Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd be surprised if we see this in my lifetime, or at least before I retire.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs. I already run VMs using VMWare in my test lab; it works but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You can. It's called Microsoft Virtual Server.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 04, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Vista is the client OS. I don't believe they have named Longhorn Server yet. I am voting for something like Windows Server 5.4.0 or something like that. I realize that the marketing group would have something to say about it but I figure the best thing from them is if they pronounced their thoughts from the bottom of Lake Washington. People don't install servers because they have cool names.

The biggest non-NDA pieces that I have heard announced in conferences or seen on the web already are the Read Only DC to limit security exposure for WAN deployments, restartable AD that can be stopped/started as necessary, DA/Admin separation so that you can have an Admin on a DC that can't achieve Domain-wide DA level rights, and DCs running on Server Foundation, or as it's now called, Server Core, which is a GUI-challenged Windows Server. I can also say that there are a myriad of GUI updates for the Admin tools though I can't state specifics. BJ Whalen who was involved with the GPMC project has been brought in to work on admin experience and anyone who has worked with GPOs with and without GPMC knows that he really helped out.

All in all, there is some very cool stuff and MS has really been listening to the community on what they want and need. I know that this list is watched for ideas and such and has been the source of DCRs internally. So if you have ideas, spout them here, they will most certainly be heard. They may not make Longhorn as it is getting a bit late to add major changes but your ideas could make it into a later rev.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Monday, October 03, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory wish list

Hi,

With Windows Vista on its way, what's on people's wish list as far as Active Directory is concerned? Also, are there any big enhancements due?

Thanks
Steven
RE: [ActiveDir] Adding local admin rights to non english native o s?
Thanks for the replies guys

Joe, converting the administrator well-known SID to user seems like a great idea - but then involves copying the .exe into the local machines first and executing it? Haven't worked out how to do it without copying the sid converter program... if so would have to copy it from the netlogon?

For some reason I've done like below but it just ain't working out :( perhaps some variables like set L are not avail yet on startup?

    rem "set l" lists every variable starting with L; on a workstation that is typically
    rem LOGONSERVER=\\DCNAME, so tokens=2 with delims== yields the value after the "=".
    rem The value already begins with \\, so it is used as-is in the UNC path below.
    for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
    if not exist %systemroot%\system32\sid2user.exe copy %gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
    rem Resolve S-1-5-32-544 (BUILTIN\Administrators) to its localised name; sid2user prints "Name is <name>"
    for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^|qgrep Name') do set gpoadminvar=%%i
    net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn Administrator in Spanish.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on you about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 07, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Powerus Tripus Maximus ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Friday, October 07, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is Administrators in Latin?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what administrators translates to in the target language. For example, in German, it's administratoren, so your code will look like this:

    net localgroup administratoren blah blah blah

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 10/7/2005 8:51 AM
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all,

Usually net localgroup administrators xxx /add would work fine on computer startup gpo - but how about on non english native oses? Would this work as well?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
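The thread's problem (the local Administrators group has a different name on every OS language) goes away if the group is addressed by its well-known SID S-1-5-32-544 rather than by name. The following is an added example, not code from anyone in the thread; it uses the .NET SecurityIdentifier.Translate() call that ships with Windows instead of the sid2user tool, so nothing has to be copied from netlogon. The member name DOMAIN\OUAdmins is a placeholder.

```powershell
# Added example (not from the thread): grant a domain group local admin rights on
# any OS language by resolving BUILTIN\Administrators from its well-known SID.
$builtinAdminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Translate() returns the localised account name, e.g. "BUILTIN\Administrators" on an
# English OS and the local-language equivalent elsewhere; keep only the group part.
$localizedName = $builtinAdminsSid.Translate([System.Security.Principal.NTAccount]).Value
$groupName     = $localizedName.Split('\')[-1]

$member = 'DOMAIN\OUAdmins'   # placeholder: the domain group that should get local admin rights

# Check current membership first so the startup script is idempotent and logs only real changes
$currentMembers = net localgroup $groupName
if ($currentMembers -match [regex]::Escape($member)) {
    Write-Output "$member is already a member of $groupName"
} else {
    net localgroup $groupName $member /add
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Added $member to $groupName"
    } else {
        Write-Warning "net localgroup failed with exit code $LASTEXITCODE"
    }
}
```

On current Windows builds the same thing can be done in one line with `Add-LocalGroupMember -SID S-1-5-32-544 -Member 'DOMAIN\OUAdmins'`, which takes the SID directly; the version above is kept explicit so the name lookup is visible when the script runs as a computer startup script under LocalSystem.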
RE: [ActiveDir] GPO Permissions with .vbs
VBScript version below. If you launch this with:

    wscript scriptname.vbs

then it won't create a window (so you don't need quiet). I've added an initial check so the program just terminates if the needed time has passed.

Joe - I can't get to your web site today; nslookup doesn't give me an IP address. Not sure if that's a problem with your site or our DNS ...

Steve

    ' Wait until the target time, then launch the command in the logged-on user's session
    Set oShell = CreateObject("WScript.Shell")
    sTime = "10 oct 2005 09:09"
    sCmd  = "c:\progra~1\intern~1\iexplore.exe -new www.joeware.net"
    ' Only wait if the target time is still in the future; otherwise exit without doing anything
    If DateDiff("s", Now, sTime) > 0 Then
        Do While DateDiff("s", Now, sTime) > 0
            WScript.Sleep 6000   ' WScript.Sleep takes milliseconds
        Loop
        oShell.Run sCmd
    End If

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 08 October 2005 04:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

Now that I have a nice steak from Texas Roadhouse in my belly I can think straight. :o)

Assuming the perl script is called timedfire.pl

    use strict;
    use warnings;

    # Target date/time and the command to fire once it is reached
    my $d1  = "10/7/2005";
    my $t1  = "23:04";
    my $cmd = "c:\\progra~1\\intern~1\\iexplore.exe -new www.joeware.net";

    my ($mon, $day, $year) = split(/\//, $d1);
    my ($hour, $min)       = split(/:/,  $t1);

    # Both times become zero-padded YYYYMMDDHHMM values, so they compare numerically
    my $cmp  = GetCmpVal($year, $mon, $day, $hour, $min);
    my $curr = GetCurrentTime();
    while ($cmp > $curr) {
        sleep 60;
        $curr = GetCurrentTime();
    }
    exec $cmd;

    sub GetCmpVal {
        return sprintf("%04s%02s%02s%02s%02s", @_);
    }

    sub GetCurrentTime {
        my @lt = localtime();
        return GetCmpVal($lt[5] + 1900, $lt[4] + 1, $lt[3], $lt[2], $lt[1]);
    }

You should be able to put in the logon script

    quiet timedfire.pl

And you can get quiet from http://www.joeware.net/win/free/tools/quiet.htm

That can be further reduced but I wanted it to be readable. If someone wants to convert to VBScript, that might be fun for people who don't do perl.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, October 07, 2005 9:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

This should be a piece of cake to do with a .net app. It's got an easy option to hide from the taskbar, so you don't have to call the Win32 API to do that (not that it's hard...), it has a couple of timer classes, and it has a Process class you can use to kick off a process. Sounds like a compelling reason to learn C# or VB.Net to me. ;)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

Oh I just chased back through this thread... You want to fire up IE, I didn't catch that before, I didn't look that close at the specific process you wanted to fire, just that you wanted to fire a process.

You should still be able to do this with a startup script with AT as long as you specify interactive, it should pop in the current interactive session but I would be concerned of the security context it runs in which would be localsystem. In order to schedule something in the security context of another ID you will need to be able to specify userid/password which isn't fun either since someone will probably be able to see it if they are bright.

What you want is something that opens an IE window in the context of the current user at a specified time. I am not aware of anything that will do that. You almost need a special app that can be launched by the user in the logon script in their security context that will sleep until the specified time and then fire the app. Here is a point where being an admin with programming skills is nice though you may be able to do this with a script. Have the script fire another process that hides itself from the task bar and pops into the screen at the designated time. I will think about this. There might be a way to pull this off with a perl script.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Friday, October 07, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

How would I use schtask to assign to more than one computer. It seems like that may be our only option. I can't believe it's that difficult to get a popup of IE on ALL users' desktops at a specific time.

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 07, 2005 2:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO Permissions with .vbs

This is specific to opening the internet explorer with higher privileges... (nothing to do with script running at logon or startup)

If I knew that this scheduled job runs under Admin account I can elevate my privileges to local
RE: [ActiveDir] GPO Permissions with .vbs
I think that the difficulty is because you're trying to schedule a task to do something which (I think) it was never intended to do. All the scheduled tasks I use are ones which run without interfering with what's happening on the desktop - the last thing I want is for (e.g.) a backup process to pop up on my screen while I'm trying to do something.

As Joe said, I think this is a custom app type of job and, as I hope you can see from his and my scripts, it's actually quite easy to do it without having to write a major app.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: 07 October 2005 21:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

How would I use schtask to assign to more than one computer. It seems like that may be our only option. I can't believe it's that difficult to get a popup of IE on ALL users' desktops at a specific time.

-Devon
Re: [ActiveDir] oldcmp
I'm trying to get rid of all those fields except sAMAccountName with perl. Any ideas? Can oldcmp take as input the same file it created to disable accounts?

Anyway, I'd like to know how to parse that file in perl and get rid of all the fields except that one and use that file as input to oldcmp or ds* commands with For, to disable just some accounts that oldcmp finds.

thanks

On 10/9/05, joe [EMAIL PROTECTED] wrote:

Noyup

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp

Is there any way to just dump the sAMAccountName from oldcmp for inactive computers to csv? I want to filter all the default fields out (pwdLastSet, dn, cn, etc).

thanks
[ActiveDir] The local policy of this system does not permit you to logon interactively
Hi guys,

I'm having trouble logging on remotely to some of my PCs on the network. When I try to log on it gives me "The local policy of this system does not permit you to logon interactively." I am a Domain administrator so I can't see how it can be rights. Are there group policy settings that I'm missing? Again I don't see how it can be, because I can log on remotely onto other PCs.

Any help will be greatly appreciated.

Thanks

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44(0)845 456 1022
www.intergage.co.uk
[EMAIL PROTECTED]
[ActiveDir] report on permissions of files and folder
Hi,

Basically I want to take a report on the permissions given to the users in the File and Print server. Does Windows 2000 Server have the inbuilt tools, or does any third-party tool satisfy my requirement?

Regards,
Senthil
RE: [ActiveDir] oldcmp
Assuming you've chosen to output OLDCMP's report switch to CSV format, you could start with something like below. In this example, "oldcmp.txt" is the name of the output file you've generated with OLDCMP. Hope it helps give you some ideas... probably not really the polished version : - )

-DaveC

    # perl
    use strict;
    use warnings;

    # Set up an output file...
    open ( OUT , ">oldcmp-sams.txt" ) or die "cannot write oldcmp-sams.txt: $!" ;

    # Read in the existing CSV/TXT file...
    open ( LOG , "oldcmp.txt" ) or die "cannot read oldcmp.txt: $!" ;
    my @a = <LOG> ;
    close LOG ;

    # Get rid of all lines that don't begin with a DN...
    my @b ;
    for my $i ( @a ) { push ( @b , $i ) if ( $i =~ /^cn=/ ) ; }

    # Keep just the samaccountname, which is the 3rd field in joe's output in this case...
    my @c ;
    for my $j ( @b ) { push ( @c , ( split ( /;/ , $j ) ) [2] ) ; }

    # Write out that last array to a file...
    print OUT join ( "\n" , @c ) ;
    close OUT ;
    # End!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 4:21 AM
To: ActiveDir@mail.activedir.org
Subject: [spam] Re: [ActiveDir] oldcmp

I'm trying to get rid of all those fields except sAMAccountName with perl. Any ideas? Can oldcmp take as input the same file it created to disable accounts?

Anyway, I'd like to know how to parse that file in perl and get rid of all the fields except that one and use that file as input to oldcmp or ds* commands with For, to disable just some accounts that oldcmp finds.

thanks

On 10/9/05, joe [EMAIL PROTECTED] wrote:

Noyup

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, October 09, 2005 9:10 AM
To: activedirectory
Subject: [ActiveDir] oldcmp

Is there any way to just dump the sAMAccountName from oldcmp for inactive computers to csv? I want to filter all the default fields out (pwdLastSet, dn, cn, etc).

thanks

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
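The same parse as DaveC's Perl, taken one step further toward what Tom asked for: keep only the accounts you have reviewed, write the bare sAMAccountName list, and print the dsmod commands for the DNs so they can be checked before anything is disabled. This is an added example, not DaveC's or joe's code. The sample lines are constructed; the page only says that data rows start with a DN, are semicolon-delimited and carry sAMAccountName as the third field, so the other column names and order here are assumptions.

```powershell
# Added example (not from the thread). Constructed oldcmp-style CSV output:
# semicolon-delimited, DN first, sAMAccountName as the third field. The header
# row and the other column names are assumed, not taken from the oldcmp docs.
$oldcmpSample = @'
oldcmp report - inactive computers (constructed sample)
dn;cn;sAMAccountName;pwdLastSet
cn=ws001,ou=Workstations,dc=example,dc=com;ws001;WS001$;2004-11-03
cn=ws002,ou=Workstations,dc=example,dc=com;ws002;WS002$;2005-01-15
cn=lab-srv,ou=Lab,dc=example,dc=com;lab-srv;LAB-SRV$;2004-06-30
'@

function Get-OldcmpAccounts {
    param([string[]]$Lines)
    # Keep only data rows (the ones that begin with a DN), as the Perl version does
    foreach ($line in $Lines) {
        if ($line -match '^cn=') {
            $fields = $line -split ';'
            [pscustomobject]@{ DN = $fields[0]; sAMAccountName = $fields[2] }
        }
    }
}

$accounts = Get-OldcmpAccounts -Lines ($oldcmpSample -split "`r?`n")

# Disable only the accounts that have been reviewed, not everything oldcmp found
$approved  = @('WS001$', 'LAB-SRV$')
$toDisable = $accounts | Where-Object { $approved -contains $_.sAMAccountName }

# The bare sAMAccountName list that the original question asked for
$toDisable.sAMAccountName | Set-Content -Path .\oldcmp-sams.txt

# Emit the dsmod commands to review first; run them only after checking the list
foreach ($a in $toDisable) {
    "dsmod computer `"$($a.DN)`" -disabled yes"
}
```

Piping the emitted lines into `cmd /c` (or into oldcmp's own disable mode) is the last step once the list has been read through; keeping the review step separate is what stops a stale-account cleanup from disabling a server nobody looked at.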
RE: [ActiveDir] report on permissions of files and folder
cacls.exe?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Senthil Kumar [mailto:[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 6:24 PM
To: Active directory group
Subject: [ActiveDir] report on permissions of files and folder

Hi,

Basically I want to take a report on the permissions given to the users in the File and Print server. Does Windows 2000 Server have the inbuilt tools, or does any third-party tool satisfy my requirement?

Regards,
Senthil
[ActiveDir] LDAP Query Fails
Hi All,

Whenever I do an LDAP search for any user in AD through the browser (ldap://DC server IP) it gives me the error "An error occurred while performing the search. Your computer, ISP or the specified directory services may be disconnected. Check your connections and try again. Operations Error".

I have tried this even locally on the DC, still it gives the same error. Though it is working very well with an LDAP browser (Softerra) and using Search - Find People from the Start Menu.

Any Help!!

Regards,
Sudhir

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
Re: [ActiveDir] report on permissions of files and folder
Dumpsec is a nice free tool that should do the job too: http://www.somarsoft.com/

I've used it a few times and it has definitely helped out.

Thanks
Mike

On 10/10/05, Freddy HARTONO [EMAIL PROTECTED] wrote:

cacls.exe?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Senthil Kumar [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 10, 2005 6:24 PM
To: Active directory group
Subject: [ActiveDir] report on permissions of files and folder

Hi,

Basically I want to take a report on the permissions given to the users in the File and Print server. Does Windows 2000 Server have the inbuilt tools, or does any third-party tool satisfy my requirement?

Regards,
Senthil
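Both answers (cacls.exe and DumpSec) dump ACLs; what a file-server review usually needs on top is a flat report that can be filtered for over-broad grants. The following is an added example, not from any of the posters, using the built-in Get-Acl cmdlet instead of cacls. The root path and the list of principals treated as "broad" are assumptions to adjust for the environment.

```powershell
# Added example (not from the thread): walk a share tree, record every ACE, and flag
# Allow entries that give Everyone / Authenticated Users / Users write-level access.
# $Root is a placeholder; the list of broad principals is an assumption to tune locally.
param([string]$Root = 'D:\Shares')

$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-PermissionReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                $isBroad = ($ace.AccessControlType -eq 'Allow') -and
                           ($broadPrincipals -contains $ace.IdentityReference.Value) -and
                           ($ace.FileSystemRights -match 'FullControl|Modify|Write')
                [pscustomobject]@{
                    Path       = $_.FullName
                    Identity   = $ace.IdentityReference.Value
                    Rights     = $ace.FileSystemRights.ToString()
                    Type       = $ace.AccessControlType.ToString()
                    Inherited  = $ace.IsInherited
                    BroadGrant = $isBroad
                }
            }
        }
}

$report = Get-PermissionReport -Path $Root

# Full report for the records, then only the entries worth a second look on screen
$report | Export-Csv -Path .\permission-report.csv -NoTypeInformation
$report | Where-Object { $_.BroadGrant } | Format-Table Path, Identity, Rights -AutoSize
```

Filtering on `Inherited -eq $false` in the CSV is the quickest way to find the folders where somebody set explicit permissions by hand, which is usually where the surprises are.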
[ActiveDir] AD Migration Question
I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] AD Migration Question
My personal opinion is that you carry less crap over if you bring up a new 2k3 DC (even if only temporarily). You can always reformat and reuse the original server then move it back if you need to.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] AD Migration Question
I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime.

Regards
Peter Johnson

P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] Adding custom fields to AD
Ah, Brettsh, maybe that explains why I had trouble opening my Exchange 5.5 store with Access 97 ;)

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Mylo, from the way you speak of JET, I suspect you might not know of the two JETs, and be thinking that JET = Access ... make sure you're edJETicated (man, I slay me! ;), see Notes at bottom of this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp

This frequent confusion is the reason we use the more desired term, ESE. The two JETs, once compatible at the top level API, have not even had to maintain API compatibility for nearly 10 years, so they are quite different.

If the _active amount of data_ (and the active amount of data can be grossly enlarged by bad queries) exceeds memory, some operations will probably be thrown down to random disk IO speed (100 IOs / second is a standard single spindle/disk) ... ergo you get slow quick. And like most database servers in such a situation, you can often throw hardware at it. We have Exchange servers with a TB of databases attached, and a much higher update rate, BUT a big SAN to satisfy the IO load. With AD you have the added advantage of being able to throw RAM at the situation; with a 64-bit native OS and 32 GBs of RAM, a 29 GB database performs quite well.

So where AD caves in is very hardware and workload dependent ... joe's production numbers aren't even interesting anymore. (implying many customers are in production with much bigger databases) ;-)

Cheers,
BrettSh [msft]
JET Blue, not JET Red Developer.

On Sat, 8 Oct 2005, Gil Kirkpatrick wrote:

Much of AD's heritage lies in the old Exchange directory, which was ESE-based.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

> One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time ?

What do you feel is wrong with ESE (aka Jet Blue)?

> What's the ceiling on actual database size before it caves in (performance-wise)?

Max size for an ESE DB for AD is ~16TB (8KB pages * 2147483646 max pages [1]). As for when it caves perf-wise from an AD standpoint it really depends on what you are doing with it and what you have indexed from what I have seen. If someone is issuing crappy inefficient queries it will seem to be pretty slow pretty fast with relatively little data. The largest DB I have seen in production has been ~20GB and that was with W2K on a GC and a bunch of that data shouldn't have been in the AD like duplicated ACEs and misc unneeded objects, etc. Going to K3 would probably reduce that DB to about 10-12GB or better due to single instance store; cleanup would reduce it even further. One Fortune 5 company I have worked with had a K3 GC DB in the area of 5GB and that was for some 250,000 users with Exchange and multiple custom attributes.

joe

[1] See the docs for JetCreateDatabase - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/jetcreatedatabase.asp?frame=true

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD, a case of once a good thing comes along everyone wants to climb aboard. I remember doing ZENworks stuff with Novell where all the application configuration information for software distribution was shunted into NDS/E-Directory... all that bloat adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time ? What's the ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put it this way

IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD.

IF the data is going to be needed only at a couple of sites or a single site, put them into another store. My preference being AD/AM unless you need to do some complicated joins or queries of the data that LDAP doesn't support. There is also the possibility of using app partitions but if you were going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is becoming, in many companies, a dumping ground of all
RE: [ActiveDir] AD Migration Question
Agreed, although you should be careful to note (and take appropriate actions for) any apps that utilize hard-coded DNS server entries prior to sunsetting the original 2K DC.

It's always been a best practice to stand up a new DC vs. upgrade in place. Not a hard and fast rule, but a best practice. If your DNS is integrated, and since WINS is replicable (word?) as well, then DHCP is the only animal left to contend with really. You'll want to pay some attention to how you approach that so that you work with the lease times, option settings, networks, etc.

-ajm

From: ActiveDirectory [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 08:44:10 -0500

My personal opinion is that you carry less crap over if you bring up a new 2k3 DC (even if only temporarily). You can always reformat and reuse the original server then move it back if you need to.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
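ajm's caution about hard-coded DNS server entries is the step most likely to bite after the old DC is demoted. The following is an added example, not from anyone in the thread, that inventories which machines still list the retiring DC's address in their DNS client settings. It reads the Win32_NetworkAdapterConfiguration WMI class, which the Windows 2000/XP/2003 clients discussed here expose; the old DC's IP and the host list are placeholders (the list could come from `dsquery computer`).

```powershell
# Added example (not from the thread). Before retiring the original W2K DC, find the
# machines whose DNS client settings still point at it. $OldDcIp and $Computers are
# placeholders to replace with the real address and a host list from the domain.
$OldDcIp   = '10.0.0.10'
$Computers = @('ws001', 'ws002', 'app-srv01')

function Find-StaleDnsClients {
    param([string[]]$ComputerName, [string]$DnsServerIp)
    foreach ($c in $ComputerName) {
        try {
            # Only IP-enabled adapters carry a DNS server list worth checking
            $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                        -ComputerName $c -Filter 'IPEnabled = TRUE' -ErrorAction Stop
        } catch {
            # Unreachable hosts are reported too; they still need checking before cut-over
            [pscustomobject]@{ Computer = $c; Adapter = $null; Status = "unreachable: $($_.Exception.Message)" }
            continue
        }
        foreach ($nic in $nics) {
            if ($nic.DNSServerSearchOrder -contains $DnsServerIp) {
                [pscustomobject]@{ Computer = $c; Adapter = $nic.Description; Status = "still uses $DnsServerIp" }
            }
        }
    }
}

Find-StaleDnsClients -ComputerName $Computers -DnsServerIp $OldDcIp |
    Tee-Object -FilePath .\stale-dns-clients.txt |
    Format-Table -AutoSize
```

Hosts that get their DNS servers from DHCP will clear themselves once the scope's option 006 is updated and leases renew; the ones that show up here after that are the statically configured boxes and the application servers ajm is talking about.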
RE: [ActiveDir] LDAP Query Fails
What happens if you specify ldap://domainname ? Just out of curiosity.

Using IE or some other browser? IE relies on OE IIRC to handle LDAP searches. How are your directory settings in OE configured exactly?

From: Sudhir Kaushal [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 07:37:57 -0400

Hi All,

Whenever I do an LDAP search for any user in AD through the browser (ldap://DC server IP) it gives me the error "An error occurred while performing the search. Your computer, ISP or the specified directory services may be disconnected. Check your connections and try again. Operations Error".

I have tried this even locally on the DC, still it gives the same error. Though it is working very well with an LDAP browser (Softerra) and using Search - Find People from the Start Menu.

Any Help!!

Regards,
Sudhir
Re: [ActiveDir] AD Migration Question
When we have in-place upgraded SBS 2000s to SBS 2003s they leave behind a mixmass of permissions, i.e. a blend of 2000 and 2003. Many in our gang really do not like in-places at all. You don't get a comparable box to a clean 2003. You want a nice, clean 2003 permission structure? You'll want to swing over those roles.

ActiveDirectory wrote:

My personal opinion is that you carry less crap over if you bring up a new 2k3 DC (even if only temporarily). You can always reformat and reuse the original server then move it back if you need to.

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks
--Alex
RE: [ActiveDir] Schema Updates
Title: Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is right now. Actually has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco; they simply bought a really good product and left it be for the most part. As for the schema updates, it didn't work. We made the registry change and it did work. I don't see how that would be tied to the app as no changes were made there. But who knows.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm. I need to think about that again. I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace. In production, we upgraded initially then did a replacement effort later. More to the point, UGH Cisco Unity. I wish to Christ they'd stick to hardware and stop venturing into software.
:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say change the rangeupper of cn or something like that and then change it back. Something innocuous.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this.
:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install?
:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 even though the user was in Schema Admins. I was under the same impression as Travis, but after enabling updating in the registry it worked fine.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis? If not, I would recommend pulling up the Sysinternals registry and file monitors as well as tracing the AD calls.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates

Hi,
I am having some problems updating the schema for Avaya Unified Messaging. It is my thinking that in Windows 2003 the schema is already enabled for updates as long as you are in the Schema Admins group. In Windows 2000 you had to enable the schema to be updated. Am I correct or misguided?
Thanks!
Travis Abrams
RE: [ActiveDir] Adding custom fields to AD
Your blog link being what? :)
:m:dsm:cci:mvp
marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, October 10, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yes, I was hoping you wouldn't take it as a who-has-a-bigger-database contest, that was not my intent. Besides, it was really who has seen the bigger database, and who wants to admit that; you want to HAVE the bigger database. My databases aren't really that big, usually a smidgen over the default 10 MB size for testing, really quite small actually. As for wondering what kind of crap is stuffed into the AD DB, I'd agree with you to some degree ... for corp / NOS type AD DBs ... but the ones I'm thinking of are almost always internet auth DBs, and have millions to 10s of millions of identities stored. Then the size starts to make sense. So you can imagine why they get big. And finally about the size limit on AD objects, how many attrs, multi-values, link values, etc., and such, I have a blog post planned about that ... actually 3 posts ...
Cheers,
-BrettSh [msft]
This posting is provided AS IS with no warranties, and confers no rights.

On Sun, 9 Oct 2005, joe wrote:
Ah Brett, you incorrigible one, you misunderstand my point of posting those numbers. It wasn't to say, look how big I have seen, but instead, look how big these companies are and they still have small DBs. When I hear of some giant DB I don't think wow, what a big DB, I think, what kind of sh*t is being thrown into that AD to bloat it to that extent[1]? I especially love hearing about companies that jam huge binaries into the directory like images that get replicated to the four corners of the earth and are only read by one program, a web app, in one or two of the company's datacenters. Great use of bandwidth. I also especially love seeing a crapload of data going into the directory for Exchange when Exchange is centralized, also great use of bandwidth. That site in South America or in Kuala Lumpur with 10 people and a GC because they have crappy connectivity certainly needs to have every object and the entire Exchange selection of data for the other 200,000 users. No possible issues in data theft there... I think after we get past the training of everyone to only grant permissions to those that really need the permissions, and just those specific permissions to just those specific people, we will start training everyone to only put the data where it is really needed. Anyone with a really large DIT should sit down and look at what is in it and say, is it really necessary for all of this data to go where it goes? Is there additional exposure that I have for putting it there that isn't necessary?

Brett, while we have your attention, if we do... How about some training on max data stored per object. What are the limits that we will hit as we stuff more and more data into, say, every user object? I know I have found the magic admin limit exceeded when punching a bunch of data into a non-linked multivalue attribute and it causing me to not be able to add any new attributes to the same user object. What other limits are we going to see? Also, why do I see that admin limit on new attributes when the one single multivalue attribute gets filled up?

joe

[1] I really am not an entirely negative person. I am best described as an optimistic pessimist. Hope for the best of all worlds but plan for the worst. I have also been called a Socialist because I am willing to buy a burger for a friend and a good conversation. ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Mylo, from the way you speak of JET, I suspect you might not know of the two JETs, and be thinking that JET = Access ... make sure you're edJETicated (man, I slay me! ;), see Notes at bottom of this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp
This frequent confusion is the reason we use the more desired term, ESE. The two JETs, once compatible at the top level API, have not even had to maintain API compatibility for nearly 10 years, so they are quite different. If the _active amount of data_ (and the active amount of data can be grossly enlarged by bad queries) exceeds memory, some operations will probably be thrown down to random disk IO speed (100 IOs / second is a standard single spindle/disk) ... ergo you get slow quick. And like most database servers in such a situation, you can often throw hardware at it. We have Exchange servers with a TB of databases attached, and a much higher update rate, BUT a big SAN to satisfy the IO load. With AD you have the added advantage of being
RE: [ActiveDir] Active Directory wish list
While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.) it might not be a good fit for a multi-instance/single-server deployment. LDAP, sure. The other apps, I'm not so sure. I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure-tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full-blown AD domain instances and therefore multiple servers etc. Can you expand on that?
[1] LDAP is not an authentication protocol; Kerberos is though.
-ajm
CCBW

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd be surprised if we see this in my lifetime, or at least before I retire.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs.
Re: [ActiveDir] Adding local admin rights to non english native os?
If I am correct, you are placing this script in computer startup; then it won't resolve the LOGONSERVER variable. Instead, you can use \\domain.com\netlogon which will always resolve to the nearest DC.
--
Kamlesh

On 10/10/05, Freddy HARTONO [EMAIL PROTECTED] wrote:
Thanks for the replies guys.
Joe, converting the administrator well-known SID to user seems like a great idea - but then it involves copying the .exe into the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so would have to copy it from the netlogon? For some reason I've done like below but it just ain't working out :( perhaps some variables like "set L" are not available yet on startup?

    for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
    if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
    for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^| qgrep Name') do set gpoadminvar=%%i
    net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-----Original Message-----
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn Administrator in Spanish.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on you about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, October 07, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Powerus Tripus Maximus ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP]
Sent: Friday, October 07, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is Administrators in Latin?
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what administrators translates to in the target language. For example, in German, it's administratoren, so your code will look like this:

    net localgroup administratoren blah blah blah

HTH
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 10/7/2005 8:51 AM
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all,
Usually net localgroup administrators xxx /add would work fine on a computer startup GPO - but how about on non-English native OSes? Would this work as well?
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

--
~~~Fortune and Love befriend the bold~~~
RE: [ActiveDir] AD Migration Question
Also check if you have hosts and lmhosts files, and static WINS entries if WINS is running on your DCs. We (different org) had issues once with static mappings and apps looking for a certain machine name. We brought up a new W2K DC, and then demoted DC1, rebuilt it with the same name, and dcpromo'd it. Did the same with DC2, then brought DCTemp down. Went very smoothly, and no in-place upgrades.
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Agreed, although you should be careful to note (and take appropriate actions for) any apps that utilize hard-coded DNS server entries prior to sunsetting the original 2K DC. It's always been a best practice to stand up a new DC vs. upgrade in place. Not a hard and fast rule, but a best practice. If your DNS is integrated, and since WINS is replicable (word?) as well, then DHCP is the only animal left to contend with really. You'll want to pay some attention to how you approach that so that you work with the lease times, option settings, networks, etc.
-ajm

From: ActiveDirectory [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 08:44:10 -0500

My personal opinion is that you carry less crap over if you bring up a new 2k3 DC (even if only temporarily). You can always reformat and reuse the original server then move it back if you need to.
Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 8:26 AM
Posted To: ActiveDirectory
Conversation: AD Migration Question
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?
Thanks
--Alex
RE: [ActiveDir] LDAP Query Fails
Hi Mulnick,
I get the same error when I give ldap://domainname. Yes, I am using IE. Sorry, I didn't get what you mean to ask by "How are your directory settings in OE configured exactly?"
Regards,
Sudhir

Al Mulnick amulnick @hotmail.com
Sent by: ActiveDir-owner
10/10/2005 10:01 AM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails

What happens if you specify ldap://domainname? Just out of curiosity. Using IE or some other browser? IE relies on OE IIRC to handle LDAP searches. How are your directory settings in OE configured exactly?
RE: [ActiveDir] AD Migration Question
Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?
Thanks
--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime.
Regards
Peter Johnson
P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?
Thanks
--Alex
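An added post-migration check for the route Peter describes (new W2K3 DC, FSMO roles moved, DNS/WINS moved, old DC dcpromo'd out) and Al's warning about hard-coded DNS entries, written as PowerShell against the ActiveDirectory module rather than taken from the thread; the DC names and IP address are assumed placeholders.

```powershell
# Added example, not code from the thread. Verifies that nothing still depends on
# the retired W2K DC after the "new DC, move roles, dcpromo out" route. Needs the
# ActiveDirectory RSAT module. All names and the address below are assumed placeholders.
param(
    [string] $NewDcFqdn = 'dc2003.corp.example',   # assumed: FQDN of the new DC
    [string] $OldDcName = 'DC2000',                # assumed: name of the demoted W2K DC
    [string] $OldDcIp   = '192.0.2.10'             # assumed: its former address (documentation range)
)
Import-Module ActiveDirectory

function Test-FsmoRolesOn {
    param([string] $Fqdn)
    $d = Get-ADDomain
    $f = Get-ADForest
    # Domain-wide roles come from Get-ADDomain, forest-wide from Get-ADForest; each value is a DC FQDN.
    $holders = @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
    $stale = @($holders.GetEnumerator() | Where-Object { $_.Value -ne $Fqdn })
    foreach ($r in $stale) { Write-Warning "$($r.Key) is still held by $($r.Value)" }
    return ($stale.Count -eq 0)
}

function Test-OldDcRemoved {
    param([string] $Name)
    # A demoted DC must no longer be registered; a leftover entry means metadata cleanup is still due.
    $left = Get-ADDomainController -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    return ($null -eq $left)
}

function Test-NoClientDnsOn {
    param([string] $Ip)
    # Hard-coded DNS client entries on this host that still point at the retired DC.
    $bad = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses -contains $Ip })
    foreach ($b in $bad) { Write-Warning "Interface '$($b.InterfaceAlias)' still uses $Ip for DNS" }
    return ($bad.Count -eq 0)
}

$ok = (Test-FsmoRolesOn $NewDcFqdn) -and (Test-OldDcRemoved $OldDcName) -and (Test-NoClientDnsOn $OldDcIp)
if ($ok) { 'Migration checks passed' } else { 'Migration checks FAILED - see warnings above' }
```

Run it on the new DC and on any server that had the old DC's address as its DNS client setting; the DNS client check only inspects the host it runs on.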
Re: [ActiveDir] Adding local admin rights to non english native os?
Also, I don't think the command you are using for extracting the administrators name works independently either. Try this one:

    for /f "tokens=1-2 Delims=:" %%A in ('SidToName.exe s-1-5-32-544 ^| find "\"') do set gpoadminvar=%%B

On 10/10/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
If I am correct, you are placing this script in computer startup; then it won't resolve the LOGONSERVER variable. Instead, you can use \\domain.com\netlogon which will always resolve to the nearest DC.
--
Kamlesh

On 10/10/05, Freddy HARTONO [EMAIL PROTECTED] wrote:
Thanks for the replies guys.
Joe, converting the administrator well-known SID to user seems like a great idea - but then it involves copying the .exe into the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so would have to copy it from the netlogon? For some reason I've done like below but it just ain't working out :( perhaps some variables like "set L" are not available yet on startup?

    for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
    if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
    for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^| qgrep Name') do set gpoadminvar=%%i
    net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
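An added example, not code from the thread: resolving the localized name of the built-in Administrators group from its well-known SID S-1-5-32-544 in PowerShell, so nothing has to be copied from NETLOGON and the script does not depend on LOGONSERVER being set at startup; the domain group name is an assumed placeholder.

```powershell
# Added example, not from the thread. Asks LSA (via the .NET SID translator) for the
# localized name of BUILTIN\Administrators instead of shipping sid2user.exe or
# SidToName.exe, so the same computer-startup script works on any OS language.
param(
    [string] $Member = 'DOMAIN\OUAdmins'   # assumed placeholder, as in the thread
)

function Get-LocalizedGroupName {
    param([Parameter(Mandatory)] [string] $Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    # Translate() returns e.g. "BUILTIN\Administrators", "BUILTIN\Administratoren" (German),
    # "BUILTIN\Administradores" (Spanish); only the part after the backslash is needed by net.exe.
    $nt = $id.Translate([System.Security.Principal.NTAccount]).Value
    return $nt.Split('\')[-1]
}

$adminSid   = 'S-1-5-32-544'
$adminGroup = Get-LocalizedGroupName -Sid $adminSid
Write-Host "Local Administrators group on this OS is named '$adminGroup'"

if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Windows 10 / Server 2016 and later: the LocalAccounts cmdlets take the SID directly,
    # so no name lookup is needed at all. Check first so re-runs at every boot stay quiet.
    $current = @(Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue | ForEach-Object Name)
    if ($current -notcontains $Member) {
        Add-LocalGroupMember -SID $adminSid -Member $Member
    }
} else {
    # Older systems: net.exe only understands the (localized) group name.
    $current = & net localgroup "$adminGroup"
    if ($current -notcontains $Member) {
        & net localgroup "$adminGroup" "$Member" /add
    }
}
```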
RE: [ActiveDir] Adding custom fields to AD
Heck NetBEUI with all broadcasts would work perfectfor all internal SBS needs. :o) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]Sent: Monday, October 10, 2005 12:33 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Adding custom fields to AD coughI love DNS and AD and argue strongly for the glue all the time. {example answer in SBS newsgroup to person not wanting a domain."why in the WORLD do you want to run as workgroup? A domain is just a workgroup with more toys!"}But then again I run insecure SBS where our wizards set up the glue for us and we don't have to worry about it.okay back to lurkingjoe wrote: I don't think the rest of the planet loves DNS, I think a lot of people put up with it as a necessary evil due to exactly the reason you state. There isn't even a viable option on the table. WINS simply won't scale due to the lack of hierarchy. I myself also realize that it is a necessary evil but it doesn't mean I have to necessarily like it. ;o) I certainly don't like managing it nor running it as integrated into the AD itself. The fact that AD is critically dependent on a service that it itself provides smacks my internal like it or hate it sensors about. I am very much pro-someone else running DNS properlyand I run AD properly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick KingslanSent: Sunday, October 09, 2005 11:31 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Adding custom fields to AD "what would you think would be a good replacement for dns/wins?" There currently isn't one. Not really even a viable option on the table. joe doesn't like DNS. The rest of the planet loves DNS- including those eggheads (loveable eggheads that they are) at IETF are the holders of the standards, and they love DNS too. :-) Microsoft fought hard to get TO standards cooperation . Don't look for anything in the near future to break away from that in regards to DNS. 
Rick
--Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse: the last place I worked at had corrupted WINS at least once every 2 months (this could have been due to my lousy admin skills). I've never had issues with DNS (could be my dumb luck). Now I work for a corp that has NetBIOS over TCP/IP disabled and relies solely on DNS (both MS and BIND) with no name resolution issues. Also, WINS replication seems much more complex than standard primary/secondary DNS replication. And I'm not one to think I know anything as an admin, or would even think of getting into such a discussion with someone as experienced and knowledgeable as you, but I've always found DNS easier than WINS and NetBIOS names in general. My only difficulty came with learning DNS on BIND/Linux and just wrapping my head around AD-integrated DNS when I first came to Windows. Sometimes when you learn something via the command line, using the GUI just confuses things. Then again I'm probably one of those guys who "thinks" he knows DNS but really doesn't know anything and hasn't found out yet :( What would you think would be a good replacement for DNS/WINS? Thanks

On 10/8/05, joe [EMAIL PROTECTED] wrote:
I wasn't saying I like WINS better than DNS or vice versa, just said I don't like DNS. I especially dislike the AD/DNS integration. I don't like chicken-and-egg problems. BTW, as you bring up WINS:
1. I've never had a corrupted WINS database.
2. Fewer admins had replication-based name resolution issues with WINS than they do with DNS.
3. The complexity of DNS seems to put many admins off the deep end; interestingly enough, the same admins who said they couldn't figure out WINS say they know all about DNS.
But again, my comment wasn't "I like WINS more than DNS" or "I like any name resolution system better than DNS"; it was simply "I don't like DNS."

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

OK, I'll bite. GPOs I understand, but what's there to hate about DNS? It's better than WINS. I've never had a corrupted DNS database. Thanks

On 10/8/05, joe [EMAIL PROTECTED] wrote:
Yeah, GPOs aren't AD. GPOs are an application that uses AD. I hate GPOs. DNS too. :o)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] Adding custom fields to AD
You are holding onto that 3.50 functionality anger much too long, Darren.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, October 10, 2005 12:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

In the NT 3.50 days, WINS was a mess. I'm sorry, but no amount of good design would help it. It just sucked. It got progressively better in NT 4.0, but I saw lots of corruptions of many kinds in 3.5x, and I knew a thing or two about WINS.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

I would guess that it never got that far. My experience with folks troubleshooting WINS is that they don't look very deep: someone can't resolve the XYZ server name and they stop the service, delete the DB, repopulate, and call the DB corrupt. I think I said this in another post, but I have never seen a corrupt WINS DB, though I have had lots of people tell me that WINS was corrupt. I have seen lots of dorked-up individual entries, and simply deleting that entry and re-registering gets everything working fine again. The worst cases I have seen have been really poorly configured Samba machines stomping on domain records, though I once heard of a really misconfigured Windows machine knocking a Fortune 50 down for a bit because someone built their own domain with the same domain name as the corporate domain and registered it in the production WINS environment. The solution there ended up being to shut down WINS, delete the WINS DB and let it rebuild... joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

Tom, what revision of the server OS was the WINS server? NT 4.0?
Did you ever determine if the WINS DB corruptions were being exposed at the app/WINS level (esentutl /g succeeds) or the ESE level (esentutl /g fails)? esentutl /g (the service/DB must be offline for this) is the (slightly simplistic) method for determining if the corruption is exposing itself at the app logic level or the ESE level. Was the server being hard powered down (power outage)? Just curious. Cheers, -BrettSh [msft] - ESE Developer

On Sat, 8 Oct 2005, Tom Kern wrote: [...]
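The offline esentutl /g check Brett describes, as an added example that is not part of anyone's message in this thread. It stops the WINS service (esentutl will not check a database that is still open), runs the integrity check, and restarts the service whatever the outcome. The database path is an assumption: the default location under %SystemRoot%.

```powershell
# Added example, not from the thread: the offline esentutl /g integrity check
# against the WINS database, wrapped so the service always comes back afterwards.
# Assumption (not from the thread): default database path under %SystemRoot%.
param(
    [string]$ServiceName = 'WINS',
    [string]$DbPath = (Join-Path $env:SystemRoot 'system32\wins\wins.mdb')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DbPath)) {
    throw "Database not found: $DbPath"
}

# esentutl refuses to check a database that is still open, so the service must be down.
$wasRunning = (Get-Service -Name $ServiceName).Status -eq 'Running'
if ($wasRunning) { Stop-Service -Name $ServiceName }

try {
    # /g = integrity check. It never modifies the file; the exit code tells you
    # whether the ESE layer found anything wrong.
    & "$env:SystemRoot\system32\esentutl.exe" /g $DbPath
    $exitCode = $LASTEXITCODE
} finally {
    # Bring name resolution back even if esentutl failed or threw.
    if ($wasRunning) { Start-Service -Name $ServiceName }
}

if ($exitCode -eq 0) {
    'esentutl /g passed: the ESE layer is clean, so remaining trouble is at the WINS/application level (bad records).'
} else {
    "esentutl /g returned $exitCode: ESE-level corruption. Restore from backup; esentutl /p (repair) discards data and is a last resort."
}
```

If the database was not shut down cleanly (the hard power-off Brett asks about), esentutl /g reports a dirty shutdown rather than a verdict; run esentutl /r with the database's log base name in the database directory to replay the logs first, then repeat the check.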
RE: [ActiveDir] Adding custom fields to AD
Ah, true, I didn't think of uses of ADAM, which I think may make more sense than AD for some of those internet uses. So do we have a timeline on these blog entries? eg

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, October 10, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yes, I was hoping you wouldn't take it as a who-has-a-bigger-database contest; that was not my intent. Besides, it was really who has seen the bigger database, and who wants to admit that? You want to HAVE the bigger database. My databases aren't really that big, usually a smidgen over the default 10 MB size for testing, really quite small actually. As for wondering what kind of crap is stuffed into the AD DB, I'd agree with you to some degree ... for corp / NOS-type AD DBs ... but the ones I'm thinking of are almost always internet auth DBs, and have millions to 10s of millions of identities stored. Then the size starts to make sense. So you can imagine why they get big. And finally, about the size limit on AD objects, how many attrs, multi-values, link values, etc., and such, I have a blog post planned about that ... actually 3 posts ... Cheers, -BrettSh [msft] This posting is provided AS IS with no warranties, and confers no rights.

On Sun, 9 Oct 2005, joe wrote:
Ah Brett, you incorrigible one, you misunderstand my point of posting those numbers. It wasn't to say "look how big I have seen", but instead "look how big these companies are and they still have small DBs". When I hear of some giant DB I don't think "wow, what a big DB", I think "what kind of sh*t is being thrown into that AD to bloat it to that extent?"[1] I especially love hearing about companies that jam huge binaries into the directory, like images that get replicated to the four corners of the earth and are only read by one program, a web app, in one or two of the company's datacenters. Great use of bandwidth.

I also especially love seeing a crapload of data going into the directory for Exchange when Exchange is centralized; also a great use of bandwidth. That site in South America or in Kuala Lumpur with 10 people and a GC because they have crappy connectivity certainly needs to have every object and the entire Exchange selection of data for the other 200,000 users. No possible issues in data theft there... I think after we get past the training of everyone to only grant permissions to those that really need the permissions, and just those specific permissions to just those specific people, we will start training everyone to only put the data where it is really needed. Anyone with a really large DIT should sit down and look at what is in it and say: is it really necessary for all of this data to go where it goes? Is there additional exposure that I have for putting it there that isn't necessary?

Brett, while we have your attention, if we do... how about some training on max data stored per object? What are the limits that we will hit as we stuff more and more data into, say, every user object? I know I have found the magic admin limit exceeded when punching a bunch of data into a non-linked multivalued attribute and it causing me to not be able to add any new attributes to the same user object. What other limits are we going to see? Also, why do I see that admin limit on new attributes when the one single multivalued attribute gets filled up? joe

[1] I really am not an entirely negative person. I am best described as an optimistic pessimist: hope for the best of all worlds but plan for the worst. I have also been called a Socialist because I am willing to buy a burger for a friend and a good conversation. ;o)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Mylo, from the way you speak of JET, I suspect you might not know of the two JETs, and be thinking that JET = Access ... make sure you're edJETicated (man, I slay me! ;), see Notes at the bottom of this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp This frequent confusion is the reason we use the more desired term, ESE. The two JETs, once compatible at the top-level API, have not even had to maintain API compatibility for nearly 10 years, so they are quite different. If the _active amount of data_ (and the active amount of data can be grossly enlarged by bad queries) exceeds memory, some operations will probably be thrown down to random disk IO speed (100 IOs/second is standard for a single spindle/disk) ... ergo you get slow quick. And like most database servers in such a situation, you can often throw hardware at it. We have Exchange servers with a TB of databases
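joe's point about the GC in the 10-person site is checkable: an attribute is copied to every global catalog in the forest when its attributeSchema object carries isMemberOfPartialAttributeSet=TRUE. The script below, an added example and not from any message in this thread, lists that partial attribute set through ADSI (no AD module needed), calls out the binary-syntax attributes that are the usual photo and certificate blobs, and reports whether a few named attributes are on every GC. The attribute names in $Suspects are assumed samples, not from the thread.

```powershell
# Added example, not from the thread: which attributes does every GC in this forest hold?
# Assumption (not from the thread): $Suspects are sample attribute names to look up.
param([string[]]$Suspects = @('thumbnailPhoto', 'jpegPhoto', 'userCertificate'))

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
# TRUE here means "replicate this attribute to every global catalog, for objects of every domain".
$searcher.Filter   = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName', 'attributeSyntax'))

# DirectorySearcher lowercases result property names.
$pas = @(foreach ($result in $searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name   = [string]$result.Properties['ldapdisplayname'][0]
        Syntax = [string]$result.Properties['attributesyntax'][0]
    }
})

"{0} attributes replicate to every GC in this forest." -f $pas.Count

# 2.5.5.10 is the Octet String syntax: the binary blobs (photos, certificates) joe is
# talking about. Anything listed here lands on every GC, not only on its own domain's DCs.
$binaryOnGc = $pas | Where-Object { $_.Syntax -eq '2.5.5.10' } | Sort-Object Name
'Binary (octet string) attributes in the partial attribute set:'
$binaryOnGc | ForEach-Object { '  ' + $_.Name }

foreach ($name in $Suspects) {
    $onGc = [bool]($pas | Where-Object { $_.Name -eq $name })
    '{0,-20} on every GC: {1}' -f $name, $onGc
}
```

Membership in the set is changed by flipping isMemberOfPartialAttributeSet on the attributeSchema object (Schema Admins required); on Windows 2000 adding an attribute forced a full resynchronisation of every GC, which Windows Server 2003 no longer does. Removing an attribute from the set is the direct fix for data that only one application in one datacenter reads.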
RE: [ActiveDir] Adding local admin rights to non english native o s?
I've had to do this a couple of times, but chose a different solution for most of my customers, since they didn't really want to download and execute another tool when running a startup script on their computers. While resolving the SID is certainly the most exact solution, my approach has worked reliably in the past, but you don't get around knowing the group names on your clients: basically the script uses an array of potential administrator group names to be found on clients, then works through them. You'll supply the most appropriate for the region up front in the list. I've included the appropriate bits of the VB script below. And as most customers have deployed a naming convention for their computers that relates in one way or another to the location which is to manage the client, the script derives the name of the group to add to the local admin group from the computer name (e.g. for a client called LGER0815001 the group to add would be ADM_GER0815_AdminClient). Let me know if you want the whole script.

/Guido

'Log, CheckError, bVerbose and sDomainName are defined elsewhere in the full script;
'minimal stand-ins are given here so this excerpt runs on its own.
bVerbose = True
sDomainName = "MYDOMAIN"   'NetBIOS name of the domain that holds the ADM_* groups (placeholder)
bFoundAdminGroup = False
Sub Log(sMsg)
    WScript.Echo sMsg
End Sub
Sub CheckError()
    If Err.Number <> 0 Then
        Log "Error 0x" & Hex(Err.Number) & ": " & Err.Description
        Err.Clear
    End If
End Sub

'set list of potential names for local administrator group
sLocalAdminGroupNames = "Administratoren,Administrators,Administrateurs"
arrLocalAdminGroupNames = Split(sLocalAdminGroupNames, ",")

'get computername and check AdminClient groupname to use
Set oNet = CreateObject("WScript.Network")
sCurCompName = oNet.ComputerName
If bVerbose Then Log "CurrentComputer: " & sCurCompName
sCurCompHomeSite = Mid(sCurCompName, 2, 7)
If bVerbose Then Log "HomeSite: " & sCurCompHomeSite

'create appropriate group-name
sGroupMemberLocation = "ADM_" & sCurCompHomeSite & "_AdminClient"
Log "AdminClient group for Location: " & sDomainName & "\" & sGroupMemberLocation

'adding group to local administrator group
For R = 0 To UBound(arrLocalAdminGroupNames)
    sLocalAdminGroupName = arrLocalAdminGroupNames(R)
    On Error Resume Next
    Err.Clear
    Set oAdminGroup = Nothing
    Set oAdminGroup = GetObject("WinNT://" & sCurCompName & "/" & sLocalAdminGroupName & ",group")
    If Err.Number <> 0 Or oAdminGroup Is Nothing Then
        'wrong groupname
        Err.Clear
        bFoundAdminGroup = False
        If bVerbose Then Log " can't find " & sLocalAdminGroupName
    Else
        'continue with adding group
        bFoundAdminGroup = True
        If bVerbose Then Log " found " & sLocalAdminGroupName
        'adding domain-groupmember to local group on client
        Log "adding '" & sDomainName & "\" & sGroupMemberLocation & "' to local admin group"
        oAdminGroup.Add "WinNT://" & sDomainName & "/" & sGroupMemberLocation & ",group"
        CheckError
        Exit For
    End If
Next 'Loop through list of admin groupnames
If Not bFoundAdminGroup Then Log "can't find a matching name for local Admingroup..."

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Montag, 10. Oktober 2005 10:08
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Adding local admin rights to non english native o s?

Thanks for the replies, guys. Joe, converting the Administrator well-known SID to a user seems like a great idea, but then it involves copying the .exe onto the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so, would have to copy it from the netlogon? For some reason I've done it like below but it just ain't working out :( Perhaps some variables like set L are not available yet on startup?

for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^| qgrep Name') do set gpoadminvar=%%i
net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp

-Original Message- From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn "Administrator" in Spanish. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on you about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, October 07, 2005 5:54 PM
RE: [ActiveDir] BlackComb Super Forest Functional Mode
To move this in a slightly different direction: how would people feel about a BlackComb Super Forest Functional Mode where not only DCs are impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC, but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy pre-BlackComb clients have no clue how to use the domains, etc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.) it might not be a good fit for a multi-instance/single-server deployment. LDAP, sure. The other apps, I'm not so sure. I'm curious, Charlie and Neil: what services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure-tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full-blown AD domain instances and therefore multiple servers etc. Can you expand on that? [1] LDAP is not an authentication protocol; Kerberos is, though. -ajm CCBW

From: [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory wish list Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
RE: [ActiveDir] Adding local admin rights to non english native o s?
Can't you run sid2user from the netlogon share?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Monday, October 10, 2005 4:08 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Adding local admin rights to non english native o s?

Thanks for the replies, guys. Joe, converting the Administrator well-known SID to a user seems like a great idea, but then it involves copying the .exe onto the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so, would have to copy it from the netlogon? For some reason I've done it like below but it just ain't working out :( Perhaps some variables like set L are not available yet on startup?

for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^| qgrep Name') do set gpoadminvar=%%i
net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp

-Original Message- From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn "Administrator" in Spanish. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on you about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 07, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Powerus Tripus Maximus?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Friday, October 07, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is "Administrators" in Latin? Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!(tm)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what "administrators" translates to in the target language. For example, in German it's "Administratoren", so your code will look like this:

net localgroup administratoren blah blah blah

HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 10/7/2005 8:51 AM
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all, usually "net localgroup administrators xxx /add" would work fine in a computer startup GPO, but how about on non-English native OSes? Would this work as well? Thank you and have a splendid day!
Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
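Both halves of this thread (Guido's name-list script and Freddy's sid2user batch file above) work around the same fact: the local Administrators group has a fixed well-known SID, S-1-5-32-544, and only its display name is localized. The script below is an added example, not code from Guido, Freddy or anyone else on the list. It resolves that SID to whatever the local OS calls the group and adds a domain group through ADSI, so no sid2user.exe has to be copied and no list of translations has to be maintained. It also sidesteps the environment problem Freddy ran into: a computer startup script runs as SYSTEM before anyone has logged on, so logon-session variables are not set. The domain name CORP and the group OUAdmins are assumptions.

```powershell
# Added example, not from the thread. Resolves the well-known BUILTIN\Administrators SID
# to its localized name and adds a domain group to it; nothing here depends on language.
# Assumptions (not from the thread): NetBIOS domain 'CORP' and group 'OUAdmins'.
param(
    [string]$Domain     = 'CORP',
    [string]$GroupToAdd = 'OUAdmins'
)

$ErrorActionPreference = 'Stop'

# S-1-5-32-544 is WellKnownSidType.BuiltinAdministratorsSid on every Windows install.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Translate asks the local LSA for the name: 'BUILTIN\Administrators' on an English OS,
# 'VORDEFINIERT\Administratoren' on a German one, and so on.
$ntAccount = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
$localAdminGroupName = $ntAccount.Split('\')[-1]
"Local administrators group on this OS is '$localAdminGroupName'"

# Bind by the resolved name. The WinNT provider works on Server 2003-era hosts as well as current ones.
$localGroup = [ADSI]"WinNT://./$localAdminGroupName,group"

# Make the script idempotent: a startup script runs at every boot, and Add() throws on a
# member that is already present.
$existingMembers = @($localGroup.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

if ($existingMembers -contains $GroupToAdd) {
    "$Domain\$GroupToAdd is already a member of $localAdminGroupName; nothing to do."
} else {
    $localGroup.Add("WinNT://$Domain/$GroupToAdd,group")
    "Added $Domain\$GroupToAdd to $localAdminGroupName"
}
```

Run it as a computer startup script, where it executes as SYSTEM and needs no stored credentials. On Windows 10 / Server 2016 and later the same thing is a one-liner with the built-in LocalAccounts module, which also accepts the SID directly: Add-LocalGroupMember -SID 'S-1-5-32-544' -Member 'CORP\OUAdmins'.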
RE: [ActiveDir] Active Directory wish list
In order to understand what Novell did/does we need to stop using terms like DC and domain and instead think of partitions within the directory. Novell allowed the directory to be carved up into manageable chunks (partitions) and then for these partitions to be replicated as read-only or read-write to one or more servers. I could, for example, slice the directory into 3 partitions and then replicate a read-write copy of all 3 partitions to the same server. [On its own this is pointless, but it serves its purpose as an illustration.] Note: partitions could be contiguous or overlapping. Each 'part' of the directory must be represented within at least one partition, however. These partitions are analogous to domains, and so I merely stated that Novell offered us a way to expose multiple partitions/domains via the same server/DC way back when NDS hit the streets in '93. That said, NDS/eDIR and AD are very different beasts at the fundamental level, but as time goes on we seem to be looking for features which were available in Novell offerings but which cannot easily be exposed in AD due to its very different architecture. [I do not cite this as a flaw but merely as an observation.]

neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 10 October 2005 15:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.) it might not be a good fit for a multi-instance/single-server deployment. LDAP, sure. The other apps, I'm not so sure. I'm curious, Charlie and Neil: what services do these SMBs offer that they need multiple instances of DCs?
I realize that a best practice is to have multiple servers that can provide some failure-tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full-blown AD domain instances and therefore multiple servers etc. Can you expand on that? [1] LDAP is not an authentication protocol; Kerberos is, though. -ajm CCBW
RE: [ActiveDir] AD Migration Question
Check out the upgrade docs at http://www.microsoft.com/ad and the readme that comes with your 2003 server media for more specifics. You won't coexist; you'll insert a 2K3 DC into your 2K domain/forest. As for DNS, DHCP, and WINS, the migration is a little different.

DNS
- If AD-integrated, install it on the new DC at installation. Let it replicate.
- If not AD-integrated, then you'll have to replicate the zone to the new server.
- Recommended to AD-integrate if that works for the domain you have.

WINS
- WINS replicates. Replicate it to the new instance. Change the client settings before sunsetting the old WINS replica. Be sure the clients have started using the new instance.

DHCP
- No replication :( You'll have to migrate it. There are tools to help, but it takes some time while you update the client settings. It's not overnight necessarily.

-ajm

From: Alborzfard, Alex [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 10:16:10 -0400

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server, migrate the FSMO roles to it, move DNS, WINS etc. to the new server, and then DCPROMO your other servers out, one at a time. Reinstall them with W2K3 and dcpromo them back in.
Did this with a 700 user network with no downtime. Regards Peter Johnson P.S Look out for the article on migrating your DHCP database. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: 10 October 2005 15:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Migration Question I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: In-place upgrade of the W2K DC or standing up a brand new W2K3 DC server And then upgrade the W2K DC to W2K3? By the way the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Migration Question
Just bring up a new 2k3 server, DCPromo it and it will do the rest as the first 2k3 DC. Once it is successfully promoted transfer all roles. Once you are sure everything is transferred and working correctly you can DCPromo to demote the old server, wipe, reinstall, whatever. There is no coexistence other than working in Hybrid mode, and you can switch it to native once all of your 2K DCs are upgraded to 2K3.

As to moving DNS, WINS, DHCP: if your DC is serving all those functions then yes, activate them on the new server, and make sure you have updated the required clients to point at the new server for those services. If those services are working on a separate stand-alone server then don't worry about them other than to make sure any static entries are updated.

If you are planning to bring in Exchange 2k3 I believe it is best to get your 2k3 domain stable first. I don't think it is required though, but I'm not positive. Just like anything else though, it is best to finish one project before starting the next; that way you aren't caught trying to troubleshoot conflicting issues.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 9:16 AM
Posted To: ActiveDirectory
Conversation: [ActiveDir] AD Migration Question
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up the new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime. Regards Peter Johnson P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex
RE: [ActiveDir] AD Migration Question
Hi Alex

Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically you will need to do the schema extensions on your current Schema master. Once the changes have replicated to your other DCs then bring up your first W2K3 DC and move the FSMO roles, taking into account DC/GC placements etc., and then carry on as in my first mail.

Regards Peter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up the new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime. Regards Peter Johnson P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex
RE: [ActiveDir] Adding custom fields to AD
http://blogs.msdn.com/brettsh/ I would post a comment to the blog, but it requires a post first. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Your blog link being what? :) :m:dsm:cci:mvp marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, October 10, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yes, I was hoping you wouldn't take it as a who-has-a-bigger-database contest, that was not my intent. Besides, it was really who has seen the bigger database, and who wants to admit that; you want to HAVE the bigger database. My databases aren't really that big, usually a smidgen over the default 10 MB size for testing, really quite small actually. As for wondering what kind of crap is stuffed into the AD DB, I'd agree with you to some degree ... for corp / NOS type AD DBs ... but the ones I'm thinking of are almost always internet auth DBs, and have millions to 10s of millions of identities stored. Then the size starts to make sense. So you can imagine why they get big. And finally about the size limit on AD objects, how many attrs, multi-values, link values, etc., and such, I have a blog post planned about that ... actually 3 posts ... Cheers, -BrettSh [msft] This posting is provided AS IS with no warranties, and confers no rights.

On Sun, 9 Oct 2005, joe wrote:

Ah Brett, you incorrigible one, you misunderstand my point of posting those numbers. It wasn't to say, look how big I have seen, but instead, look how big these companies are and they still have small DBs. When I hear of some giant DB I don't think wow, what a big DB, I think, what kind of sh*t is being thrown into that AD to bloat it to that extent[1]?

I especially love hearing about companies that jam huge binaries into the directory like images that get replicated to the four corners of the earth and are only read by one program, a web app, in one or two of the company's datacenters. Great use of bandwidth. I also especially love seeing a crap load of data going into the directory for Exchange when Exchange is centralized, also great use of bandwidth. That site in South America or in Kuala Lumpur with 10 people and a GC because they have crappy connectivity certainly needs to have every object and the entire Exchange selection of data for the other 200,000 users. No possible issues in data theft there...

I think after we get past the training of everyone to only grant permissions to those that really need the permissions, and just those specific permissions to just those specific people, we will start training everyone to only put the data where it is really needed. Anyone with a really large DIT should sit down and look at what is in it and say, is it really necessary for all of this data to go where it goes? Is there additional exposure that I have for putting it there that isn't necessary?

Brett, while we have your attention, if we do... How about some training on max data stored per object. What are the limits that we will hit as we stuff more and more data into say every user object? I know I have found the magic admin limit exceeded when punching a bunch of data into a non-linked multivalue attribute and it causing me to not be able to add any new attributes to the same user object. What other limits are we going to see? Also, why do I see that admin limit on new attributes when the one single multivalue attribute gets filled up?

joe

[1] I really am not an entirely negative person. I am best described as an optimistic pessimist. Hope for the best of all worlds but plan for the worst. I have also been called a Socialist because I am willing to buy a burger for a friend and a good conversation. ;o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Mylo, from the way you speak of JET, I suspect you might not know of the two JETs, and be thinking that JET = Access ... make sure you're edJETicated (man, I slay me! ;), see Notes at bottom of this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp This frequent confusion is the reason we use the more desired term, ESE. The two JETs, once compatible at the top level API, have not even had to maintain API compatibility for nearly 10 years, so they are quite different. If the _active amount of data_ (and the active amount of data can be grossly enlarged by bad queries) exceeds memory, some operations will probably be thrown down to random disk IO speed (100
RE: [ActiveDir] Schema Updates
Being the best available doesn't make something good and doesn't need a lot of work. :o) It just means it is better than the other sucky alternatives. I haven't seen Unity in years but when I last saw it, it had me swearing about how bad it was. I seem to recall saying something along the lines of that will never be in any AD I ever manage.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is right now. Actually has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco; they simply bought a really good product and left it be for the most part. As for the schema updates, it didn't work. We made the registry change and it did work. I don't see how that would be tied to the app as no changes were made there. But who knows.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm. I need to think about that again. I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace. In production, we upgraded initially then did a replacement effort later. More to the point, UGH Cisco Unity. I wish to Christ they'd stick to hardware and stop venturing into software. :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say change the rangeUpper of cn or something like that and then change it back. Something innocuous.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this. :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install? :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 even though the user was in Schema Admins. I was under the same impression as Travis, but after enabling updating in the registry it worked fine.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis? If not, I would recommend pulling up the Sysinternals registry and file monitors as well as tracing the AD calls.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates

Hi, I am having some problems updating the schema for Avaya Unified Messaging. It is my thinking that in Windows 2003 the schema is already enabled for updates as long as you are in the Schema Admins group. In Windows 2000 you had to enable the Schema to be updated. Am I correct or misguided? Thanks!

Travis Abrams
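The thread never quite settles whether the registry switch is still needed after an upgrade, and the symptom ("in Schema Admins but the write is refused") has three independent causes. The following is an added example, not code from anyone in the thread: run it on the DC you intend to extend the schema from (before installing Unity, Avaya UM or anything else that ships an LDIF) and it reports whether you are bound to the schema master, whether your logon token actually carries Schema Admins (RID 518 of the forest root domain, which matters if you were added to the group after logging on), and the Windows 2000-era "Schema Update Allowed" DWORD under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which Windows Server 2003 no longer requires. PowerShell itself and running it locally on the DC are assumptions; the checks are plain ADSI and registry reads.

```powershell
# Added example (not from the thread). Run on the DC you will extend the schema
# from. Reports the three preconditions for a schema write and offers the
# Windows 2000 registry switch as a function so it can be turned off again.

$rootDse  = [adsi]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext

# 1. Are we on the schema master? fSMORoleOwner on the schema head is the DN
#    of the owner's NTDS Settings object; RootDSE dsServiceName is our own.
function Test-SchemaMaster {
    $owner = [string]([adsi]"LDAP://$schemaNC").Properties['fSMORoleOwner'].Value
    return @{ IsSchemaMaster = ($owner -eq [string]$rootDse.dsServiceName); Owner = $owner }
}

# 2. Does the current token carry Schema Admins? The group is <forest root
#    domain SID>-518; membership added after logon is not in the token yet.
function Test-SchemaAdminToken {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($id.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-518' })
}

# 3. The Windows 2000 switch. Required (=1) on Windows 2000 schema masters,
#    not required on Windows Server 2003; remove it when the extension is done.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$regName = 'Schema Update Allowed'
function Get-SchemaUpdateSwitch {
    $p = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'absent (OS default)' }
    return [string]$p.$regName
}
function Enable-SchemaUpdate  { Set-ItemProperty -Path $regPath -Name $regName -Value 1 -Type DWord }
function Disable-SchemaUpdate { Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue }

$fsmo = Test-SchemaMaster
$os   = [System.Environment]::OSVersion.Version
"Bound to schema master  : $($fsmo.IsSchemaMaster)  (owner: $($fsmo.Owner))"
"Schema Admins in token  : $(Test-SchemaAdminToken)"
"'$regName' : $(Get-SchemaUpdateSwitch)  (needed only on Windows 2000; this OS is $os)"
```

If the first line says False, bind the schema tool or the vendor installer to the owner it prints rather than flipping the registry on a non-master. When the extension is finished, run Disable-SchemaUpdate and take the account back out of Schema Admins; the group should be empty between schema changes.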
[ActiveDir] single login size in bytes?
Does anyone happen to know a rough idea how many bytes are transmitted when a single user logs on to an XP box to a W2K3 AD, cached credentials aside? I've been Google searching and finding a lot of detailed info about replication but not much about the size of the authentication packets etc. I am digging out Net Monitor as I type (well, almost as I type) to see for myself, but anyone who would like to comment on the feasibility of having XP machines on the far end of a 56K frame circuit actually being members of the domain, please feel free to let me know. We're talking simple logging in, including a single GPO or maybe two but no replication, etc. They do already get their email using Outlook to a PST. And please don't laugh. This is a very serious issue. ;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Active Directory wish list
For us, it's the ability to run parallel domains for test/development purposes. We have our production domain, my IT test domain, and our LOB application test domain. I'd have another IT test domain if I had the available hardware right now. We are required to test and document all changes to the LOB app and a significant number of people work in that test domain. Running it on VMs or old hardware doesn't cut it gracefully, although that's what I do. Since management won't write the check for additional hardware/licenses, we do what we can. But if we had one beefy server to replace 3, and one server license to replace 3, it would be much more cost effective to do, and would increase performance for the user community.

In my last gig, we had multiple domains that were used for development and customer support departments. The support kids especially needed multiple domains to recreate customer environments and various software versions. I can think of a lot of reasons to need multiple domains/forests in an SMB environment. Regulatory compliance, 24x7 availability that mandates full testing prior to implementation in production, customer support domains, etc. Just because a business is small doesn't mean it can't have complex requirements...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand on that?
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said.
/QUOTE
[ActiveDir] Interesting Scripting Task.....
All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OUs, Groups, Users and GPOs (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before?

Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.
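One way to do the OU/group/user half of this with the tools already on a DC, as an added example and not Brad's or the list's code: export the subtree with ldifde, then rewrite the export so a different forest will accept it. The three things that break a naive re-import are DN values that still point at the source forest (the dn itself, member, managedBy, manager), system-owned attributes the target DC will refuse or regenerate (objectGUID, objectSid, uSN*, when*, memberOf, and everything password-related), and ordering: ldifde adds records in file order, so parents must precede children and a group's member values must not be added until those users exist. The script below assumes a source naming context of DC=corp,DC=example,DC=com, a target of DC=lab,DC=example,DC=local, and an export made with `ldifde -f export.ldf -d "OU=Corp,DC=corp,DC=example,DC=com" -p subtree`; none of those names are from the thread. GPOs are a separate job: GPMC backup and import with a migration table carries them across forests, security filtering included.

```powershell
# Added example, not code from the original thread. Rewrites an ldifde export
# from one forest into two files that import cleanly into another.
# Hypothetical names: source NC DC=corp,DC=example,DC=com, target NC
# DC=lab,DC=example,DC=local. GPOs are out of scope (use GPMC backup/import).
param(
    [string]$InFile   = 'export.ldf',
    [string]$OutFile  = 'import-objects.ldf',
    [string]$LinkFile = 'import-members.ldf',
    [string]$SourceNC = 'DC=corp,DC=example,DC=com',
    [string]$TargetNC = 'DC=lab,DC=example,DC=local'
)

# System-owned or forest-specific attributes: the target DC generates these,
# rejects them on add, or they would carry source identifiers and credential
# material into the lab. With userAccountControl and passwords dropped the
# imported users arrive disabled; enable them with lab passwords on purpose.
$dropAttrs = 'objectGUID','objectSid','sIDHistory','uSNCreated','uSNChanged',
    'whenCreated','whenChanged','dSCorePropagationData','distinguishedName',
    'instanceType','objectCategory','name','memberOf','primaryGroupID',
    'sAMAccountType','userAccountControl','pwdLastSet','lastLogon',
    'lastLogonTimestamp','logonCount','badPwdCount','badPasswordTime',
    'nTSecurityDescriptor','unicodePwd','dBCSPwd','ntPwdHistory','lmPwdHistory',
    'supplementalCredentials','userPassword'
# DN-valued attributes whose values must be re-homed in the target forest.
$dnAttrs = 'dn','member','managedBy','manager'
$srcRx   = [regex]::Escape($SourceNC) + '$'

# "attr: value" or "attr:: base64" -> @{Attr; Value} with the value decoded
function Split-LdifLine([string]$line) {
    $i = $line.IndexOf(':')
    if ($i -lt 0) { return $null }
    $attr = $line.Substring(0, $i)
    if (($line.Length -gt ($i + 1)) -and ($line[$i + 1] -eq ':')) {
        $bytes = [Convert]::FromBase64String($line.Substring($i + 2).Trim())
        return @{ Attr = $attr; Value = [Text.Encoding]::UTF8.GetString($bytes) }
    }
    return @{ Attr = $attr; Value = $line.Substring($i + 1).Trim() }
}
# Inverse of Split-LdifLine: base64 whenever the value is not safe as plain LDIF
function Format-LdifLine([string]$attr, [string]$value) {
    if (($value -match '[^\x20-\x7E]') -or ($value -match '^[ :<]')) {
        return "${attr}:: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($value))
    }
    return "${attr}: $value"
}
function Rehome([string]$dn) { return ($dn -replace $srcRx, $TargetNC) }

# 1. Unfold continuation lines (LDIF folds long values onto lines that start with a space)
$lines = New-Object System.Collections.Generic.List[string]
foreach ($raw in (Get-Content -Path $InFile)) {
    if ($raw.StartsWith(' ') -and $lines.Count -gt 0) { $lines[$lines.Count - 1] += $raw.Substring(1) }
    else { $lines.Add($raw) }
}

# 2. Group into records and note each object's depth so parents import first
$records = New-Object System.Collections.Generic.List[object]
$current = New-Object System.Collections.Generic.List[string]
foreach ($l in ($lines.ToArray() + '')) {
    if ($l -ne '') { $current.Add($l); continue }
    if ($current.Count -eq 0) { continue }
    $dn = Rehome (Split-LdifLine $current[0]).Value
    $records.Add([pscustomobject]@{
        Dn = $dn; Depth = ($dn -replace '\\,', '').Split(',').Count; Lines = $current.ToArray() })
    $current.Clear()
}

# 3. Rewrite each record; move "member" values into a separate modify file so
#    every member DN already exists by the time the links are added
$objects = New-Object System.Collections.Generic.List[string]
$links   = New-Object System.Collections.Generic.List[string]
foreach ($rec in ($records | Sort-Object -Property Depth)) {
    $members = New-Object System.Collections.Generic.List[string]
    foreach ($l in $rec.Lines) {
        $p = Split-LdifLine $l
        if (($null -eq $p) -or ($dropAttrs -contains $p.Attr)) { continue }
        $v = if ($dnAttrs -contains $p.Attr) { Rehome $p.Value } else { $p.Value }
        if ($p.Attr -eq 'member') { $members.Add($v) } else { $objects.Add((Format-LdifLine $p.Attr $v)) }
    }
    $objects.Add('')
    if ($members.Count -gt 0) {
        $links.Add((Format-LdifLine 'dn' $rec.Dn)); $links.Add('changetype: modify'); $links.Add('add: member')
        foreach ($m in $members) { $links.Add((Format-LdifLine 'member' $m)) }
        $links.Add('-'); $links.Add('')
    }
}
Set-Content -Path $OutFile  -Value $objects.ToArray() -Encoding Unicode
Set-Content -Path $LinkFile -Value $links.ToArray()   -Encoding Unicode
# On a DC in the target forest, objects first, then the links:
#   ldifde -i -u -k -f import-objects.ldf
#   ldifde -i -u -k -f import-members.ldf
```

The drop list does the same job as ldifde's -o switch; the safer habit is an explicit -l attribute list at export time so that Exchange and other DN-valued attributes you did not plan for never reach the lab in the first place. `-k` on import skips "already exists" errors, which makes the pair of files re-runnable as the source OU tree changes.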
RE: [ActiveDir] AD Migration Question
You need to upgrade the schema first (before you install the first 2k3 DC). Do an adprep /forestprep from the 2003 CD on the 2000 box.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: Monday, October 10, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up the new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime. Regards Peter Johnson P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex
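The four replies above agree on the order (adprep, first 2003 DC, transfer the roles, then demote and rebuild the 2000 DCs one at a time), and the step people get burned on is promoting the new DC before the schema extension has replicated, or seizing a role that could have been transferred. The following is an added example, not code from anyone on the list: a pre-flight that reads the schema objectVersion (per DC, so you can prove adprep replicated everywhere), the five FSMO holders and the Schema Admins membership through plain ADSI, so it works at either OS level, with the manual adprep and ntdsutil steps in the comments. PowerShell postdates the thread, the server name NEWDC2K3 is hypothetical, and the schema version table is the editor's, not the thread's.

```powershell
# Added example, not from the thread. Pre-flight / post-adprep checks for
# introducing the first Windows Server 2003 DC into a Windows 2000 forest.
# Plain ADSI, so it runs from any domain-joined box at either OS level.
#
# The manual parts, from the 2003 media, in this order:
#   \i386\adprep.exe /forestprep   on the schema master (needs Schema Admins
#                                  and Enterprise Admins); wait for replication
#   \i386\adprep.exe /domainprep   on the infrastructure master of each domain
#   dcpromo the new 2003 server, then TRANSFER the roles to it (seize only if
#   the old holder is gone for good; a seized holder must never come back):
#   ntdsutil roles connections "connect to server NEWDC2K3" quit ^
#     "transfer schema master" "transfer domain naming master" "transfer pdc" ^
#     "transfer rid master" "transfer infrastructure master" quit quit

$rootDse  = [adsi]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext
$rootNC   = [string]$rootDse.rootDomainNamingContext

# objectVersion on the schema head is what adprep /forestprep raises. Read it
# on each 2000 DC before promoting the 2003 box to prove the change replicated.
$knownSchema = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2' }
function Get-SchemaVersion([string]$dc = '') {
    $path  = if ($dc) { "LDAP://$dc/$schemaNC" } else { "LDAP://$schemaNC" }
    $v     = [int]([adsi]$path).Properties['objectVersion'].Value
    $label = if ($knownSchema.ContainsKey($v)) { $knownSchema[$v] } else { 'later than this table' }
    $name  = if ($dc) { $dc } else { 'nearest DC' }
    return "{0,-24} schema objectVersion {1} ({2})" -f $name, $v, $label
}

# fSMORoleOwner holds the DN of the owner's NTDS Settings object; its parent
# is the server object, whose dNSHostName is the DC you actually talk to.
function Get-FsmoHolder([string]$containerDn) {
    $ownerDn = [string]([adsi]"LDAP://$containerDn").Properties['fSMORoleOwner'].Value
    $ntds    = [adsi]"LDAP://$ownerDn"
    return [string]$ntds.Parent.Properties['dNSHostName'].Value
}
$roles = [ordered]@{
    'Schema master'         = $schemaNC
    'Domain naming master'  = "CN=Partitions,$configNC"
    'PDC emulator'          = $domainNC
    'RID master'            = "CN=RID Manager`$,CN=System,$domainNC"
    'Infrastructure master' = "CN=Infrastructure,$domainNC"
}
function Show-FsmoHolders {
    foreach ($r in $roles.Keys) { "{0,-22} {1}" -f $r, (Get-FsmoHolder $roles[$r]) }
}

# Schema Admins should be empty except while adprep runs; list it so whoever
# was added for the upgrade is taken out again afterwards.
function Get-SchemaAdmins {
    $g = [adsi]"LDAP://CN=Schema Admins,CN=Users,$rootNC"
    foreach ($m in $g.Properties['member']) { [string]$m }
}

Get-SchemaVersion
Show-FsmoHolders
'Schema Admins members:'
Get-SchemaAdmins
```

Run Show-FsmoHolders again after the ntdsutil transfer and once more after each 2000 DC is demoted; if a role still points at a server that no longer exists, the demotion was done out of order and you are now in seize territory. Get-SchemaVersion with an explicit DC name is the quick way to check every 2000 DC reports 30 before the first 2003 dcpromo.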
RE: [ActiveDir] BlackComb Super Forest Functional Mode
It would certainly be a good way to promote the sales for client inventory tools ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 10. Oktober 2005 16:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.) it might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand on that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd be surprised if we see this in my lifetime, or at least before I retire. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs. I already run VMs using VMware in my test lab; it works but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You can. It's called Microsoft Virtual Server. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October
RE: [ActiveDir] BlackComb Super Forest Functional Mode
2 immediate comments:
- Blackcomb clients would need to be available several years before the Blackcomb server.
- Impact on non-Windows clients would need to be assessed. [Samba, *nix, Mac etc.]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc.) it might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand on that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd be surprised if we see this in my lifetime, or at least before I retire. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs. I already run VMs using VMware in my test lab; it works but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You can. It's called Microsoft Virtual Server. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, October 04, 2005 6:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd also like to see the ability to run DCs for multiple domains on the same server. SMBs with limited resources balk at having to buy additional server hardware for redundancy on multiple domains, especially when the AD load on the DCs is minimal. This feature sounds like an offshoot of your list below. If you can run AD as a service, it might not be that hard to allow multiple domains similar to multiple websites/DBs on one server... I remember discussing this with Stuart Kwan at DEC a couple of years ago. I hope it makes it into the mix... ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-Original
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Good suggestion Joe and, in principle, I agree ... but were that to make it to reality, I'd question why the legacy domain model persists. Domains are, IMO, an outdated and overly rigid technology ... obviously, there are many features that would require significant modification (some of which will hopefully be covered by Longhorn). Perhaps flexible partitioning within a single tree or an entirely new model not yet conceived ...

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, October 10, 2005 7:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected, i.e. MS allows multiple domains on a single DC but not for any pre-BlackComb clients, i.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, October 10, 2005 10:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) it might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure. I'm curious, Charlie and Neil.
What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand on that?

[1] LDAP is not an authentication protocol; Kerberos is though. -ajm CCBW
[ActiveDir] single login size in bytes?
Does anyone happen to have a rough idea of how many bytes are transmitted when a single user logs on to an XP box to a W2K3 AD, cached credentials aside? I've been Google searching and finding a lot of detailed info about replication but not much about the size of the authentication packets etc. I am digging out Net Monitor as I type (well, almost as I type) to see for myself, but anyone who would like to comment on the feasibility of having XP machines on the far end of a 56K frame circuit actually being members of the domain, please feel free to let me know. We're talking simple logging in, including a single GPO or maybe two but no replication, etc. They do already get their email using Outlook to a PST. And please don't laugh. This is a very serious issue. ;-)

Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 --- I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address.
Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] LDAP Query Fails
Outlook Express (OE) and Search for People use the same WAB provider IIRC. When you open ldap://servername you're really making a call to use WAB.EXE, which is the same address book that OE uses to search for users. I notice though, that if you specify a server to contact, you get that pre-filled in vs. if you open it in Search or via OE. Interestingly, IE uses the following key to control what it uses for the ldap URL: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address Book\Protocols\ldap\shell\open\command

So my thinking was that you needed to properly specify the directory on the client. It may just be permissions related however, as utilizing the ldap URL to open a DC for search provides null credentials by default. Check your security logs (if auditing) to see if this is the case.

Note: I notice as I looked at this in my test environment that I had no notification in the event logs. I didn't look at it long enough to see if I had the audit settings perfected, so it's possible I missed something. However, a network trace shows the attempt and an error indicating that I need to first bind. That's not really correct, because I do bind, but I bind anonymously. It should be telling me to allow anonymous bind in order to search etc. If it helps, ldap URL syntax is defined in RFC 2255.

Al

From: Sudhir Kaushal [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP Query Fails Date: Mon, 10 Oct 2005 10:07:57 -0400

Hi Mulnick, I get the same error when I give ldap://domainname. Yes, I am using IE. Sorry, I didn't get what you meant to ask by "How are your directory settings in OE configured exactly?" Regards, Sudhir

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

Al Mulnick amulnick @hotmail.com Sent by: ActiveDir-owner 10/10/2005 10:01 AM Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: Subject: RE: [ActiveDir] LDAP Query Fails

What happens if you specify ldap://domainname ? Just out of curiosity. Using IE or some other browser? IE relies on OE IIRC to handle LDAP searches. How are your directory settings in OE configured exactly?

From: Sudhir Kaushal [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP Query Fails Date: Mon, 10 Oct 2005 07:37:57 -0400

Hi All, Whenever I do an LDAP search for any user in AD through the browser (ldap://DC server IP) it gives me the error "An error occurred while performing the search. Your computer, ISP or the specified directory services may be disconnected. Check your connections and try again. Operations Error". I have tried this even locally on the DC; still it gives the same error. Though it is working very well with an LDAP browser (Softerra) and using Search - Find People from the Start Menu. Any Help!! Regards, Sudhir
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
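Al's two observations above, that the URL handler binds with null credentials and that the URL grammar is RFC 2255, are easier to reason about with the URL's fields laid out. The parser below is an added example written for this page, not code from the posts or from WAB/IE: it splits an RFC 2255 URL into host, port, base DN, attribute list, scope, filter and extensions, applies the RFC's defaults (base scope, (objectClass=*) filter), and reports the only credential a URL can carry, the bindname extension; there is no password field, so a URL-driven client has nothing to bind with but an anonymous bind. The host names and DNs in the samples are constructed.

```python
"""RFC 2255 LDAP URL parser: ldap://host:port/dn?attrs?scope?filter?exts

Added example for this thread, not code from the original posts. Sample
hosts ("dc1.example.com") and DNs ("dc=example,dc=com") are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]          # None: no host given, the client picks a server
    port: int
    dn: str = ""                 # empty DN with base scope addresses the rootDSE
    attributes: List[str] = field(default_factory=list)   # empty: all user attributes
    scope: str = "base"          # RFC default when the field is absent
    filter: str = "(objectClass=*)"                        # RFC default filter
    extensions: Dict[str, Optional[str]] = field(default_factory=dict)
    critical: List[str] = field(default_factory=list)     # extensions marked '!'


def _split_hostport(hostport: str, default_port: int):
    """Return (host, port), handling host, host:port and [v6]:port."""
    if not hostport:
        return None, default_port
    if hostport.startswith("["):
        host, _, rest = hostport[1:].partition("]")
        port_text = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else default_port
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return host, port


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("not an ldap/ldaps URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, port = _split_hostport(hostport, DEFAULT_PORT[scheme])
    # The fields after the DN are separated by literal '?', so a '?' inside
    # the filter has to be percent-encoded: split first, decode afterwards.
    parts = tail.split("?", 4)
    u = LdapUrl(scheme=scheme, host=host, port=port, dn=unquote(parts[0]))
    if len(parts) > 1 and parts[1]:
        u.attributes = [unquote(a) for a in parts[1].split(",")]
    if len(parts) > 2 and parts[2]:
        scope = parts[2].lower()
        if scope not in SCOPES:
            raise ValueError("bad scope: %r" % parts[2])
        u.scope = scope
    if len(parts) > 3 and parts[3]:
        u.filter = unquote(parts[3])
    if len(parts) > 4 and parts[4]:
        for ext in parts[4].split(","):
            critical = ext.startswith("!")
            if critical:
                ext = ext[1:]
            name, eq, value = ext.partition("=")   # value may itself contain '='
            name = unquote(name).lower()
            u.extensions[name] = unquote(value) if eq else None
            if critical:
                u.critical.append(name)
    return u


def is_rootdse_query(u: LdapUrl) -> bool:
    """True for a bare ldap://server URL: empty DN, base scope."""
    return u.dn == "" and u.scope == "base"


def credentials_in_url(u: LdapUrl) -> Optional[str]:
    """The only identity an RFC 2255 URL can name is a bindname DN; there is no
    password slot, so anything else bind anonymously."""
    return u.extensions.get("bindname")


if __name__ == "__main__":
    for sample in ("ldap://dc1",
                   "ldap://dc1.example.com:3268/dc=example,dc=com?cn,mail?sub?(sAMAccountName=sudhir)"):
        parsed = parse_ldap_url(sample)
        print(sample, "->", parsed, "rootDSE:", is_rootdse_query(parsed))
```

Two things fall out for the thread. A bare ldap://dcname carries no DN and no scope, so under the RFC defaults it is a base-scope read of the empty DN, which is the rootDSE, the one thing a Windows Server 2003 DC will answer on an unauthenticated connection. A people search is a subtree search under a real base DN, and a 2003 DC refuses that until the connection has bound with credentials unless the forest's dsHeuristics attribute has been changed to permit anonymous operations. That is the "bind first" result in Al's trace: the anonymous bind itself succeeds, the search after it needs an authenticated one.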
RE: [ActiveDir] AD Migration Question
Upgrade KBs: See:
MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers
MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003
MS-KBQ324392_Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in hotfix 324392
Also see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc5ebbdb-a8d7-4761-b38a-e207baa73419.mspx
http://www.petri.co.il/windows_2003_adprep.htm
MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 based Domains
MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000
MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 2003
MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003

Cheers Jorge

From: [EMAIL PROTECTED] on behalf of Peter Johnson Sent: Mon 10/10/2005 4:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Migration Question

Hi Alex, Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically you will need to do the schema extensions on your current Schema master. Once the changes have replicated to your other DCs then bring up your first W2K3 DC and move the FSMO roles, taking into account DC/GC placements etc, and then carry on as in my first mail. Regards Peter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: 10 October 2005 16:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove the 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, October 10, 2005 9:43 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server, migrate the FSMO roles to it, move DNS, WINS etc to the new server and then DCPROMO your other servers out, one at a time. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime. Regards Peter Johnson P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: 10 October 2005 15:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: an in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way, the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] GPO Permissions with .vbs
my BAD :) yes, AT /interactive works with GUI apps.

joe: Every method you list below messes with changing user context and IMO added complexity in a case where it isn't necessary.

As I mentioned earlier and you confirmed, running under the SYSTEM context is very bad, so if I want to use Task Scheduler then I have to change the context to a normal user. I know this is added complexity for a one-off job, but if I can create a small infrastructure to leverage the scheduling capability of Task Scheduler, then it would be quite helpful when I have more tasks with complex schedules. Whereas in the case of VBScript or Perl, I will have to code the scheduling logic every time there is a different need. What would be easier for my replacement: 1) to decode my scripts and documentation, learn from it and create future schedules, or 2) to leverage the infrastructure where the scheduling logic is very simple and the delivery part is automated[1]?

joe: But the fun thing is that for such a simple script as that (and actually even much more complex scripts), you only need two files from the Perl distribution.

I am a very, very novice Perl user, so I assumed it would require me to install the whole 14 MB ActiveState Perl MSI on each machine. That's why I said it MIGHT be overkill, which is not the case, as you mentioned. And thank you for that info.

joe: running a batch file from one machine against others for this would be simple only for a small number of machines, probably such a small amount that you could just stand up and yell across the room what people should do.

I also mentioned there that it is only suitable for a small number of machines. Tell me, what if the machines you want to schedule the task on are not on the same floor, will you still shout.. ;-)

joe: As you start to scale you need far more error checking, is the machine up?

Use GP based deployment.

joe: Is the scheduler even running?

Use GP to make sure it is. So if scalability is the priority, I would use GP to deploy.

[1]: I am referring to GP based deployment and not the batch file.

-- Kamlesh

On 10/8/05, joe [EMAIL PROTECTED] wrote:

> Interactive doesn't help in LOCALSYSTEM context for GUI apps, only CMD.EXE can pop in LOCALSYSTEM context.

Not sure where you picked this up, but it is incorrect. I have been doing this for a long time. Try this if you have SOON loaded:

soon 60 /interactive C:\PROGRA~1\INTERN~1\iexplore.exe -new http://www.joeware.net

If not, just create the appropriate AT command. I just did it on an XP SP2 with all of the latest patches and within a minute I had an IE window up and running focused on my web site. However, just because it can be done isn't a recommendation to do it. In fact, for this particular task, I would recommend against using the scheduler; it is added complexity that isn't needed.

> I like to, as far as possible, use the tools which come with the OS itself, so using Perl for this stuff might be overkill.

I like to think of overkill as when you go overboard to accomplish something simple, either in terms of permissions or actions. Every method you list below messes with changing user context and IMO added complexity in a case where it isn't necessary. As for tools in the OS itself, the work done in my other post with the Perl script coupled with quiet could be done in two VBScript files. There is a WMI piece that will allow you to launch additional processes including hidden processes. It will just be longer than what I put in that post. For instance the string comparison I did for the current to desired date would need to be done a different way or would probably take considerably more VBScript. But the fun thing is that for such a simple script as that (and actually even much more complex scripts), you only need two files from the Perl distribution, perl.exe and perl58.dll (for the current dist; older dists may need a different DLL). Both of which could be in the same folder where you have the script and quiet.exe. I have had very complex share/printer reconnection Perl scripts and software delivery scripts running as logon scripts for thousands of users where Perl is never loaded on the clients; the two binaries are simply in the netlogon share. I have also had entire server build scripts done this way that take a server from nothing to fully loaded with all apps and tools in place. As long as you aren't using modules you have to import you are fine, and it is very rare I use modules for that exact reason.

Further, running a batch file from one machine against others for this would be simple only for a small number of machines, probably such a small amount that you could just stand up and yell across the room what people should do. As you start to scale you need far more error checking: is the machine up? Is the scheduler even running? Did the job schedule properly? All of those then require either error reporting or a loop back to hit them again. Plus it would just be plain slow
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Depends on how it's implemented. If it is really multiple AD domains/forests (full functionality for all three) then I would be all for it, as it would greatly simplify multi-forest deployments and really be a cause for celebration for new deployments. However, it would be interesting to see how a multi-forest server would register itself and be advertised. Same for application of services and applications when they have one IP address to resolve to.

I see this as a fundamental change that only has the advantage of reducing OS licensing costs. I haven't seen specs on BC, but would imagine that virtualization will eventually be included at some level either in the OS or in the hardware itself. At that point, is there a benefit to multiple forests or domains on a single DC vs virtualization? I suspect the differences in cost would not be large. I'm not sure I'd like the stability issues per se. Hardware is cheap. Dirt cheap, and if I can withstand the risk of multiple forests on a single OS/piece of hardware, I can probably withstand three low-class servers. Or one larger with virtualization, because the scenario that I would likely deploy into would not be a high-availability and high-traffic scenario. It would likely be a remote site with 200 or fewer users that needs access to resources in multiple forests.

As for partition information or LDAP identity stores, I already have ADAM available to me in the OS (R2) and can deploy many instances of that. It's not the LDAP abilities I'm after. It's the other NOS related information that appeals. Specifically for me, it would be multi-forest implementations that would be of interest. The drawback to me would be flushing my investment in other applications. I'm not interested enough in the end result to flush my legacy apps and the investment I have in them.

My 0.04 anyway.
From: joe [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode Date: Mon, 10 Oct 2005 10:32:26 -0400
Re: [ActiveDir] Adding local admin rights to non english native o s?
I assume copying it locally on first run will make the subsequent runs a bit faster. Do correct me if I am mistaken...

On 10/10/05, joe [EMAIL PROTECTED] wrote:

Can't you run sid2user from the netlogon share?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO Sent: Monday, October 10, 2005 4:08 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Adding local admin rights to non english native o s?

Thanks for the replies guys. Joe, converting the administrator well-known SID to a user seems like a great idea - but then it involves copying the .exe onto the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so, would I have to copy it from the netlogon? For some reason I've done like below but it just ain't working out :( perhaps some variables like set L are not available yet on startup?

REM Quotes around the for /F options were lost in the archive and are restored here.
REM LOGONSERVER (what 'set l' echoes back) already begins with \\, so it must not be
REM prefixed with another \\ when the UNC path is built. It is also a per-user variable
REM set at interactive logon; a startup script running as SYSTEM will not usually see it.
for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
if not exist %systemroot%\system32\sid2user.exe copy %gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
REM sid2user prints "Name is <localized group name>"; the third token is the name.
for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^| qgrep Name') do set gpoadminvar=%%i
net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer International SOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp

-Original Message- From: Brian Desmond [mailto:[EMAIL PROTECTED]] Sent: Saturday, October 08, 2005 9:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn Administrator in Spanish. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Friday, October 07, 2005 9:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on your case about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia Sent: Friday, October 07, 2005 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Powerus Tripus Maximus ?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP] Sent: Friday, October 07, 2005 2:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is Administrators in Latin? Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!(tm)

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 07, 2005 11:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what administrators translates to in the target language. For example, in German, it's Administratoren, so your code will look like this: net localgroup administratoren blah blah blah HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Fri 10/7/2005 8:51 AM To: 'activedir@mail.activedir.org' Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all, Usually net localgroup administrators xxx /add would work fine in a computer startup GPO - but how about on non-English native OSes? Would this work as well? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer International SOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
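The thread's fix is to stop depending on the localized group name and key off the well-known SID S-1-5-32-544 instead, which is the same on a German, Spanish or English box. The block below is an added example written for this page, not code from the posts, from sid2user or from joeware: it converts SIDs between the textual form used in the thread and the binary form Windows and AD actually store (objectSid, ACLs, tokens), escapes the binary form for an LDAP objectSid filter, and separates the domain or BUILTIN identifier from the RID. The domain SID in the tests and main block is constructed for illustration. Resolving a SID to its display name still needs a Windows host (LookupAccountSid, which is what sid2user calls), so that step is deliberately not in the block.

```python
"""Windows SID handling: text <-> binary, LDAP filter form, RID split.

Added example for this thread, not code from the original posts or tools.
The S-1-5-21-... domain SID used below is constructed, not a real domain.
"""
import struct
from typing import List, Tuple

MAX_SUB_AUTHORITIES = 15         # SID_MAX_SUB_AUTHORITIES in the Windows SDK
BUILTIN_AUTHORITY, BUILTIN_DOMAIN = 5, 32   # S-1-5-32-*: machine-local BUILTIN aliases

# Well-known SIDs are stable across every language edition of Windows; only the
# display name changes (a German box calls S-1-5-32-544 "Administratoren").
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("malformed SID: %r" % sid)
    authority = int(parts[2], 0)   # MS-DTYP writes authorities >= 2**32 as 0x...
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority out of range")
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("bad sub-authority list")
    return authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision (1), sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as little-endian uint32."""
    authority, subs = parse_sid(sid)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, e.g. for an objectSid value read over LDAP."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if count > MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    auth_text = str(authority) if authority < 1 << 32 else "0x%012X" % authority
    return "S-1-" + auth_text + "".join("-%d" % s for s in subs)


def ldap_filter_for_sid(sid: str) -> str:
    """(objectSid=\\01\\05...) with every byte escaped as RFC 4515 requires;
    objectSid is binary, so the 'S-1-5-...' text never matches directly."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


def split_rid(sid: str) -> Tuple[str, int]:
    """Return (issuing identifier, RID): the RID is the last sub-authority."""
    authority, subs = parse_sid(sid)
    if not subs:
        raise ValueError("SID has no RID")
    prefix = "S-1-%d" % authority + "".join("-%d" % s for s in subs[:-1])
    return prefix, subs[-1]


def is_builtin(sid: str) -> bool:
    """True for S-1-5-32-* aliases that live in each machine's local SAM."""
    authority, subs = parse_sid(sid)
    return authority == BUILTIN_AUTHORITY and subs[:1] == [BUILTIN_DOMAIN]


if __name__ == "__main__":
    admins = "S-1-5-32-544"
    print(admins, "->", sid_to_bytes(admins).hex(), WELL_KNOWN[admins])
    print(ldap_filter_for_sid(admins))
    # Constructed domain SID for illustration only.
    print(split_rid("S-1-5-21-3623811015-3361044348-30300820-1013"))
```

The binary layout is what matters when the lookup is not against the local SAM: an LDAP search for a group or user by SID has to use the escaped byte string, and an objectSid attribute read back from a DC is this same layout and decodes with bytes_to_sid. For the startup-script case in the thread, the remaining piece is the LookupAccountSid call on the target machine, which sid2user wraps; feeding it the SID rather than a name is what makes the script language-independent.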
RE: [ActiveDir] Schema Updates
And I will never run Windows because 3.11 just wasn't that great at networking. ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, October 10, 2005 9:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and doesn't mean it doesn't need a lot of work. :o) It just means it is better than the other sucky alternatives. I haven't seen Unity in years, but when I last saw it, it had me swearing about how bad it was. I seem to recall saying something along the lines of "that will never be in any AD I ever manage."

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Monday, October 10, 2005 10:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity; it's the best unified messaging app there is right now. Actually it has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco; they simply bought a really good product and left it be for the most part. As for the schema updates, it didn't work. We made the registry change and it did work. I don't see how that would be tied to the app as no changes were made there. But who knows.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, October 09, 2005 7:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Hmmm. I need to think about that again. I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace. In production, we upgraded initially then did a replacement effort later. More to the point, UGH Cisco Unity. I wish to Christ they'd stick to hardware and stop venturing into software. :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 07, 2005 9:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say, change the rangeUpper of cn or something like that and then change it back. Something innocuous.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 07, 2005 5:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this. :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Friday, October 07, 2005 10:57 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Upgraded.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 07, 2005 9:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install? :m:dsm:cci:mvp marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Friday, October 07, 2005 10:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 even though the user was in Schema Admins. I was under the same impression as Travis, but after enabling updating in the registry it worked fine.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 06, 2005 10:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis? If not, I would recommend pulling up the Sysinternals registry and file monitors as well as tracing the AD calls.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, August 11, 2005 2:59 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema Updates

Hi, I am having some problems updating the schema for Avaya Unified Messaging. It is my thinking that in Windows 2003 the schema is already enabled for updates as long as you are in the Schema Admins group. In Windows 2000 you had to enable the schema to be updated. Am I correct or misguided? Thanks! Travis Abrams
RE: [ActiveDir] Interesting Scripting Task.....
Yes, Microsoft has attempted it. Check out the scripts directory under the GPMC install. It has two scripts, CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf, that do pretty much everything that you've described below.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, October 10, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interesting Scripting Task.

All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OUs, Groups, Users and GPOs (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before?

Brad

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] AD Migration Question
How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep and domainprep and then introduce the Win2003 DC. It will be in the same domain. This also covers some checks for Exchange too. Of all the services, DHCP can become risky to move without adequate safeguards; take a look at this article:

How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

-- Kamlesh

On 10/10/05, Alborzfard, Alex [EMAIL PROTECTED] wrote:

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs. Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD? When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right? Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade? Thanks --Alex

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc. to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime. Regards Peter Johnson P.S. Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3? By the way the W2K DC is also running DNS, DHCP, WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones? Thanks --Alex

-- ~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] BlackComb Super Forest Functional Mode
I think that's something that needs to happen eventually; if exciting innovations are going to continue to occur, then they really can't be hamstrung by legacy support requirements. joe's suggestion of a functional level-type mechanism for this is quite a useful one: for those orgs that still need to support legacy functionality on their servers and clients, here you go, you've got that support. For those who are willing to make the break and cut all ties to legacy in order to get otherwise unavailable whizz-bang features, then good on you: make the choice and flip the switch.

- Laura

On 10/10/05, joe [EMAIL PROTECTED] wrote:

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. a complete break with legacy capability? Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) it might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW
Re: [ActiveDir] Interesting Scripting Task.....
Exporting users, groups etc. and then recreating them in a new environment is not terribly difficult. Getting the security settings and the GPO information recreated is a bit more difficult. This is not an export and copy, it's an export and create new that looks like the old situation if you do it that way. What do you have to work with? Is it too much to recreate the environments by overlaying the production, cleaning up the metadata and letting it loose? Or do you have workstations and servers in the environment to be concerned about?

Al

- Original Message -
From: Smith, Brad [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, October 10, 2005 11:07 AM
Subject: [ActiveDir] Interesting Scripting Task.

All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OUs, Groups, Users and GPOs (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before?

Brad
Re: [ActiveDir] Interesting Scripting Task.....
I am copying the exact post from Tiro Yann:

Hi Activedir List :) A new free tool is now available here http://www.yside.com/projects/tools.htm which name is XSync v0.2. It duplicates your real AD Domain in a test lab with no SID issues. Thanks a lot to Chris Wall ([EMAIL PROTECTED]) who made the information available on the ExchangeList with the same thread "Duplicate your AD domain with this new (free) tool". Cheers, Yann

On 10/10/05, Smith, Brad [EMAIL PROTECTED] wrote:

All, I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OUs, Groups, Users and GPOs (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before?

Brad

-- ~~~Fortune and Love befriend the bold~~~
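Al's point that a cross-forest copy is really an "export and create new" has a concrete consequence for the script Brad describes: SIDs, GUIDs, USNs and the security descriptors built from source-forest SIDs cannot travel to the target forest, and every DN-valued reference has to be re-based on the new domain. The Python script below is an added example written for this page (it is not the GPMC scripts, XSync, or anything posted in the thread). It takes an ldifde-style export, drops the attributes the target DC must regenerate, rewrites the domain suffix in the dn and in DN-valued attributes such as member, and emits LDIF suitable for a create-style import. The source and target suffixes and the sample export are constructed; GPOs, passwords and ACLs are deliberately out of scope, which is the harder part Al refers to.

```python
"""Re-base an ldifde-style AD export onto another forest's domain suffix.
Added example, not code from this thread, GPMC or XSync; the suffixes and
the sample export below are constructed values."""
import base64

# Server-maintained or forest-specific attributes the target DC must regenerate.
# nTSecurityDescriptor carries source-forest SIDs, so copying it would grant
# rights to principals that do not exist in the target forest.
DROP_ATTRS = {
    "objectsid", "objectguid", "sidhistory", "ntsecuritydescriptor",
    "whencreated", "whenchanged", "usncreated", "usnchanged", "pwdlastset",
    "samaccounttype", "primarygroupid", "objectcategory", "distinguishedname",
    "memberof",  # back-link; the target DC rebuilds it from 'member'
}
# Forward-link attributes whose values are DNs and therefore need re-basing.
DN_ATTRS = {"member", "managedby", "manager"}


def decode_value(rest):
    """Decode the text after an LDIF colon: ' plain' or ': base64'."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "surrogateescape")
    return rest.strip()


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...]; handles folded lines and '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:               # sentinel flushes the last record
        if line == "":
            if current is not None:
                records.append(current)
            current = None
        elif line.startswith("#") or line.startswith("version:"):
            continue
        elif line.startswith("dn:"):
            current = (decode_value(line[3:]), [])
        else:
            attr, _, rest = line.partition(":")
            current[1].append((attr.strip(), decode_value(rest)))
    return records


def rebase_dn(dn, src_suffix, dst_suffix):
    """Swap the source suffix for the target one; DN matching is case-insensitive."""
    if dn.lower().endswith(src_suffix.lower()):
        return dn[: len(dn) - len(src_suffix)] + dst_suffix
    return dn


def rebase_records(records, src_suffix, dst_suffix):
    """Drop non-portable attributes and re-base the dn and every DN-valued attribute."""
    out = []
    for dn, attrs in records:
        kept = []
        for attr, value in attrs:
            if attr.lower() in DROP_ATTRS:
                continue
            if attr.lower() in DN_ATTRS:
                value = rebase_dn(value, src_suffix, dst_suffix)
            kept.append((attr, value))
        out.append((rebase_dn(dn, src_suffix, dst_suffix), kept))
    return out


def emit(attr, value):
    """Serialize one attribute; anything not LDIF-safe goes out as ':: base64'."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    raw = value.encode("utf-8", "surrogateescape")
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def to_ldif(records):
    return "\n\n".join("\n".join([emit("dn", dn)] + [emit(a, v) for a, v in attrs])
                       for dn, attrs in records) + "\n"


def rebase_ldif(text, src_suffix, dst_suffix):
    return to_ldif(rebase_records(parse_ldif(text), src_suffix, dst_suffix))


# Constructed sample export: a group and a user, including the server-maintained
# attributes ldifde writes unless told to omit them.
SAMPLE_EXPORT = """\
dn: CN=Payroll Admins,OU=Finance,DC=corp,DC=example,DC=com
objectClass: group
cn: Payroll Admins
sAMAccountName: PayrollAdmins
groupType: -2147483646
member: CN=Jane Doe,OU=Finance,DC=corp,DC=example,DC=com
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==

dn: CN=Jane Doe,OU=Finance,DC=corp,DC=example,DC=com
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
description:: SsOkbmUgKGNvbnN0cnVjdGVkKQ==
memberOf: CN=Payroll Admins,OU=Finance,DC=corp,DC=example,DC=com
"""

if __name__ == "__main__":
    print(rebase_ldif(SAMPLE_EXPORT, "DC=corp,DC=example,DC=com", "DC=lab,DC=example,DC=test"))
```

Records must be imported parents-first (OUs before the groups and users inside them, and users before the groups that list them as members), so keep the export in that order or sort by DN depth before feeding the result to the import tool.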
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Why would you want to have them several years earlier available? I don't see this feature (although major) as anything different than the 'native mode' switch you have in AD and Exchange. Once you have upgraded everything to BlackComb you could make the switch. Might even help moving people to the new OS quicker. :)

Martin Tuip
MVP Exchange

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Mon, 10 Oct 2005 16:45:03 +0100

2 immediate comments:
- Blackcomb clients would need to be available several years before the Blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. a complete break with legacy capability? Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.
Re: [ActiveDir] Active Directory wish list
I agree. SMB business can be very complex. Can you expand on the idea that VMs aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario. I'd have to say that smaller, cheaper DCs (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work? What's the difference in this situation?

For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains. Otherwise, I'm not sure I get it. Is this like an LPAR concept you're talking about? That would be more helpful to you in these situations? If so, how is that different than VMs?

Test environments are notoriously able to take down servers without warning. I would often prefer to use a VM to decrease that risk of consuming all resources to destruction. That provides some isolation while not requiring extra hardware. VMs require licenses (the OS and apps do) FWIW. You're only saving on the hardware and environmentals that I can see, but I'm trying to understand what I'm missing.

- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, October 10, 2005 11:05 AM
Subject: RE: [ActiveDir] Active Directory wish list

For us, it's the ability to run parallel domains for test/development purposes. We have our production domain, my IT test domain, and our LOB application test domain. I'd have another IT test domain if I had the available hardware right now. We are required to test and document all changes to the LOB app and a significant number of people work in that test domain. Running it on VMs or old hardware doesn't cut it gracefully, although that's what I do. Since management won't write the check for additional hardware/licenses, we do what we can. But if we had one beefy server to replace 3, and one server license to replace 3, it would be much more cost effective to do, and would increase performance for the user community.

In my last gig, we had multiple domains that were used for development and customer support departments. The support kids especially needed multiple domains to recreate customer environments and various software versions. I can think of a lot of reasons to need multiple domains/forests in an SMB environment. Regulatory compliance, 24x7 availability that mandates full testing prior to implementation in production, customer support domains, etc. Just because a business is small doesn't mean it can't have complex requirements...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/10/479186.aspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said.
/QUOTE
Re: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
Sweet!!

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 10/10/05, joe [EMAIL PROTECTED] wrote:

http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server Longhorn Datacenter Edition at no extra cost, Kelly said.
/QUOTE
[ActiveDir] Results of survey - Most common cause of Active Directory failures?
Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
- Incomplete load of an IPSec filter list
- Impact of a 3rd party agent or application on a DC, e.g. antivirus software
- Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
- Corrupt AD DC database / required metadata cleanup and repromotion of DC
- Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
- Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...). Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective? (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers, Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like B, A, F or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil
Gil Kirkpatrick
CTO, NetPro
Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
RE: [ActiveDir] LDAP Query Fails
Sudhir, do you have a network sniff of the original problem? I think that's likely the easiest way to diagnose this. That way we see the problem itself.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails

Outlook Express (OE) and Search for People use the same WAB provider IIRC. When you open ldap://servername you're really making a call to use WAB.EXE which is the same address book that OE uses to search for users. I notice though, that if you specify a server to contact, that you get that pre-filled in vs. if you open it in search or via OE. Interesting. IE uses the following key to control what it uses for the ldap url:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address Book\Protocols\ldap\shell\open\command

So my thinking was that you needed to properly specify the directory on the client. It may just be permissions related however, as utilizing the ldap url to open a DC for search provides null credentials by default. Check your security logs (if auditing) to see if this is the case.

Note: I notice as I looked at this in my test environment that I had no notification in the event logs. I didn't look at it long enough to see if I had the audit settings perfected, so it's possible I missed something. However, a network trace shows the attempt and an error indicating that I need to first bind. That's not really correct, because I do bind, but I bind anonymously. It should be telling me to allow anonymous bind in order to search etc.

If it helps, ldap url syntax is defined in RFC 2255.

Al

From: Sudhir Kaushal [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 10:07:57 -0400

Hi Mulnick, I get the same error when I give ldap://domainname. Yes I am using IE. Sorry I didn't get what you mean to ask by "How are your directory settings in OE configured exactly?" Regards, Sudhir

Al Mulnick amulnick @hotmail.com
Sent by: ActiveDir-owner
10/10/2005 10:01 AM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] LDAP Query Fails

What happens if you specify ldap://domainname? Just out of curiosity. Using IE or some other browser? IE relies on OE IIRC to handle LDAP searches. How are your directory settings in OE configured exactly?

From: Sudhir Kaushal [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 07:37:57 -0400

Hi All, Whenever I do an LDAP search for any user in AD through the browser (ldap://DC server IP) it gives me the error "An error accured while performing the search. Your computer, ISP or the specified directory services may be disconnected. Check ur connections and try again. Operations Error". I have tried this even locally on the DC, still it gives the same error. Though it is working very well with an LDAP browser (Softerra) and using Search - Find People from the Start Menu. Any Help!! Regards, Sudhir
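Al's pointer to RFC 2255 is worth making concrete, because the URL syntax itself explains the anonymous bind he saw in the trace: an LDAP URL carries a host, port, base DN, attribute list, scope, filter and extensions, but no field for a password (the one credential-related extension RFC 2255 defines, bindname, names a DN and carries no secret), so a client that opens one has nothing to bind with and goes in anonymously, which a Windows Server 2003 DC refuses for anything beyond rootDSE reads by default. The parser below is an added example written for this page (it is not WAB's or IE's code); it implements the RFC 2255 grammar with the RFC's defaults (empty DN, all attributes, base scope, the filter (objectClass=*)) and includes a builder that percent-encodes each field. RFC 2255 has since been superseded by RFC 4516, which keeps the same layout. All hostnames and DNs are constructed.

```python
"""Parse and build RFC 2255 LDAP URLs:
    ldap://host:port/dn?attributes?scope?filter?extensions
Added example for this page, not WAB or IE code; hosts and DNs are constructed."""
from urllib.parse import quote, unquote, urlsplit

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Split an LDAP URL into its RFC 2255 components, applying the defaults.

    Returns a dict; 'host' is '' when the URL names no server (ldap:///...).
    Raises ValueError for a non-LDAP scheme or an unknown scope."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = parts.hostname or ""
    port = parts.port or (636 if scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    # Everything after the first '?' is four optional '?'-separated fields.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs_raw, scope_raw, filter_raw, ext_raw = fields[:4]
    scope = unquote(scope_raw).lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    extensions = {}
    for ext in ext_raw.split(","):
        if not ext:
            continue
        critical = ext.startswith("!")          # '!' marks a critical extension
        name, _, value = ext.lstrip("!").partition("=")
        extensions[unquote(name).lower()] = (unquote(value), critical)
    return {
        "scheme": scheme, "host": host, "port": port, "dn": dn,
        "attributes": [unquote(a) for a in attrs_raw.split(",") if a],  # [] = all
        "scope": scope,
        "filter": unquote(filter_raw) or "(objectClass=*)",
        "extensions": extensions,
    }


def build_ldap_url(host, dn="", attributes=(), scope="base",
                   ldap_filter="(objectClass=*)", port=389):
    """Assemble a URL, percent-encoding each field so a DN with spaces or a
    filter with reserved characters survives the trip through a browser."""
    qdn = quote(dn, safe="=,")
    qfilter = quote(ldap_filter, safe="=()*")
    return f"ldap://{host}:{port}/{qdn}?{','.join(attributes)}?{scope}?{qfilter}"


def describe(url):
    """One-line summary of the operation a client following this URL performs."""
    u = parse_ldap_url(url)
    who = u["extensions"].get("bindname", ("anonymous (URL carries no credentials)", False))[0]
    return (f"{u['scope']} search at {u['dn'] or '<rootDSE>'} on "
            f"{u['host'] or '<default server>'}:{u['port']} filter {u['filter']} bind={who}")


if __name__ == "__main__":
    # The bare form from the original post names only the server; every other
    # field takes its default, and there is nowhere to put a credential.
    print(describe("ldap://192.0.2.10"))
```

Running describe on the bare ldap://host form from the original post shows why nothing useful comes back: it denotes a base-scope read at the rootDSE with an anonymous bind, and the address-book client then has to issue its real search on that same unauthenticated connection.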
RE: [ActiveDir] BlackComb Super Forest Functional Mode
or an entirely new model not yet conceived ... Perhaps something that doesn't require NT4 to W2K style migration headaches to keep people from moving to it the way that migration did... I'd hate to see a show of hands for who here is still trying to determine if they should make that leap off NT4...

IMHO, at the rate the server infrastructure field is evolving, if Blackcomb looks like W2K under the covers with a lot of enhancements, MS is going to have a hard time getting people to move to it. Look at the heavy trends towards virtualization in only the past couple of years, and at the new face the Internet has with spam, viruses, and exploits in the past few years. Blackcomb is due in, what, 7 years? A lot can happen in 7 years.

Maybe I'm alone in this opinion, but with as far as things have come, things like AD replication are too hard (for what they should be). And it's too easy to back yourself into a corner when designing your infrastructure, because to some extent you still have to design to the limitations and nuances of the OS (at least with Windows).

I think Dean may have something here... perhaps us saying how AD domains should work is too short-sighted? How should it work? Either the guys at Microsoft are going to come up with something, or just modify the same old stuff, or maybe this list and forums like it with the brain trust that exists here can help suggest the directions. ??

just a few p for thought...

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 10:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Good suggestion Joe and, in principle, I agree ... but were that to make it to reality, I'd question why the legacy domain model persists. Domains are, IMO, an outdated and overly rigid technology ... obviously, there are many features that would require significant modification (some of which will hopefully be covered by Longhorn). Perhaps flexible partitioning within a single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc), it might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMBs offer that they need multiple instances of DCs? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work an SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW
Re: [ActiveDir] Adding custom fields to AD
:-P I think someone needs to run SBS at home. See what nice solid DNS/AD is all about :-)

lurk mode back on

joe wrote:
Heck NetBEUI with all broadcasts would work perfect for all internal SBS needs. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 10, 2005 12:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

cough I love DNS and AD and argue strongly for the glue all the time. {example answer in SBS newsgroup to person not wanting a domain: why in the WORLD do you want to run as a workgroup? A domain is just a workgroup with more toys!} But then again I run insecure SBS where our wizards set up the glue for us and we don't have to worry about it.

okay back to lurking

joe wrote:
I don't think the rest of the planet loves DNS, I think a lot of people put up with it as a necessary evil due to exactly the reason you state. There isn't even a viable option on the table. WINS simply won't scale due to the lack of hierarchy. I myself also realize that it is a necessary evil but it doesn't mean I have to necessarily like it. ;o) I certainly don't like managing it nor running it as integrated into the AD itself. The fact that AD is critically dependent on a service that it itself provides smacks my internal like-it-or-hate-it sensors about. I am very much pro-someone else running DNS properly and I run AD properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 09, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

what would you think would be a good replacement for dns/wins?

There currently isn't one. Not really even a viable option on the table. joe doesn't like DNS. The rest of the planet loves DNS - including those eggheads (loveable eggheads that they are) at IETF who are the holders of the standards, and they love DNS too. :-) Microsoft fought hard to get TO standards cooperation. Don't look for anything in the near future to break away from that in regards to DNS.

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse - the last place I worked at had corrupted WINS at least once every 2 months (this could have been due to my lousy admin skills). I've never had issues with DNS (could be my dumb luck). Now I work for a corp that has NetBIOS/TCP disabled and relies solely on DNS (both MS and BIND) with no name resolution issues. Also, WINS replication seems much more complex than standard primary/secondary DNS replication. And I'm not one to think I know anything as an admin or would even think of getting into such a discussion with someone as experienced and knowledgeable as you, but I've always found DNS easier than WINS and NetBIOS names in general. My only difficulty came with learning DNS on BIND/Linux and just wrapping my head around AD integrated DNS when I first came to Windows. Sometimes when you learn something via the command line, using the GUI just confuses things. Then again I'm probably one of those guys who thinks he knows DNS but really doesn't know anything and hasn't found out yet :(

what would you think would be a good replacement for dns/wins?

thanks

On 10/8/05, joe [EMAIL PROTECTED] wrote:
I wasn't saying I like WINS better than DNS or vice versa, just said I don't like DNS. I especially dislike the AD/DNS integration. I don't like chicken and egg problems.

BTW, as you bring up WINS.
1. I've never had a corrupted WINS Database.
2. Fewer admins had name resolution issues replication based issues with WINS than they do with DNS.
3. The complexity of DNS seems to put many admins off the deep end, interestingly enough, the same admins who said they couldn't figure out WINS say they know all about DNS.

But again, my comment wasn't I like WINS more than DNS, or I like any name resolution systems better than DNS, it was simply I don't like DNS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re:
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
I'm a bit confused as to what she was trying to say in the quote below. She says four VMs, but she doesn't say four instances of Windows, and she says that they'll only charge for virtual images of Windows actually running. I take that to mean that if I have a box with 10 virtual machines defined but only 4 running at a time, that I only have to pay for 4? Unless I start a 5th one before I bring one of the others down? Does it mean that currently I'd have to pay for 10? Or is it that if I am only running 4 I can run them on top of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network were for a while: 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4... you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat, but MS wrote the Windows code; who could do it better than them? Or maybe I'm way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server Longhorn Datacenter Edition at no extra cost, Kelly said.
/QUOTE

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] single login size in bytes?
Rich-

This paper isn't XP/2003 but essentially a lot of the same principles apply. I found this paper very illuminating in its day so maybe it will be of some use to you. As far as the feasibility, I spent a lot of time at the wrong end of an ISDN line and it wasn't that bad, but I never had more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH
Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?

Does anyone happen to know a rough idea how many bytes are transmitted when a single user logs on to an XP box to a W2K3 AD, cached credentials aside? I've been goog searching and finding a lot of detailed info about replication but not much about the size of the authentication packets etc. I am digging out net monitor as I type (well almost as I type) to see for myself, but anyone who would like to comment on the feasibility of having XP machines on the far end of a 56K frame circuit actually being members of the domain, please feel free to let me know. We're talking simple logging in, including a single GPO or maybe two - but no replication, etc. They do already get their email using Outlook to a pst.

And please don't laugh. This is a very serious issue. ;-)

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
I am always doing that which I can not do, in order that I may learn how to do it.
- Pablo Picasso
RE: [ActiveDir] Active Directory wish list
The limitations of the VMs are the underlying hardware, in our case. I have 9 VMs running on one server. It's choking for more RAM, but management won't foot the bill for the additional riser card and RAM. Otherwise, no limitations in functionality. If I had adequate hdw to run the VMs I could use VMs more gracefully. I've used/use desktop hdw to run testlab machines, but scalability and user experience testing is indeed a factor for some things.

The underlying wish here was to be able to put multiple AD DCs on one piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be able to run 3 domains on one, with AD running as a service, kinda like the way IIS can run multiple websites, or SQL can run multiple DBs (although it's at a lower level than either of those apps). If I could run 3 domains on 2 servers instead of 6, I would imagine that I'd save on licensing costs as well as hdw, since running an AD service would likely be less hdw intensive than running an OS...

We can dream, can't we? :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

I agree. SMB business can be very complex. Can you expand on the idea that VMs aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario. I'd have to say that smaller, cheaper DCs (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work? What's the difference in this situation?

For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains. Otherwise, I'm not sure I get it. Is this like an LPAR concept you're talking about? That would be more helpful to you in these situations? If so, how is that different than VMs? Test environments are notoriously able to take down servers without warning. I would often prefer to use a VM to decrease that risk of consuming all resources to destruction. That provides some isolation while not requiring extra hardware. VMs require licenses (the OS and apps do) FWIW. You're only saving on the hardware and environmentals that I can see, but I'm trying to understand what I'm missing.

- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, October 10, 2005 11:05 AM
Subject: RE: [ActiveDir] Active Directory wish list

For us, it's the ability to run parallel domains for test/development purposes. We have our production domain, my IT test domain, and our LOB application test domain. I'd have another IT test domain if I had the available hardware right now. We are required to test and document all changes to the LOB app and a significant number of people work in that test domain. Running it on VMs or old hardware doesn't cut it gracefully, although that's what I do. Since management won't write the check for additional hardware/licenses, we do what we can. But if we had one beefy server to replace 3, and one server license to replace 3, it would be much more cost effective to do, and would increase performance for the user community.

In my last gig, we had multiple domains that were used for development and customer support departments. The support kids especially needed multiple domains to recreate customer environments and various software versions. I can think of a lot of reasons to need multiple domains/forests in an SMB environment. Regulatory compliance, 24x7 availability that mandates full testing prior to implementation in production, customer support domains, etc. Just because a business is small doesn't mean it can't have complex requirements...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
RE: [ActiveDir] single login size in bytes?
Thanks Bob... I actually used that article too, once upon a time, though it's way more detail than I was looking for. There's another one more recent, it goes into server authentication details - way TMI.

You know, we're not even talking multiple machines, just one. The serious thing is that we can't impact cc transactions. But even so... I tested it and with a first-time user log on, it spiked the graph to just over 50 kbps. Subsequent logons were in the 40 kbps range, and only briefly. No one here at the technical level is worried about it - note how I was asking about how much bandwidth it uses, not how much of a noticeable delay might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
My understanding is as follows:

1 licensed copy of W2K3R2 or Longhorn (EE/DC) provides the following:
- 1 physical host running the licensed OS
- 4 virtual guests running the licensed OS or a lesser version (i.e. Enterprise Edition would allow for Web Edition running in a VM)

VMs developed and designed for the following purposes (as examples) need not be licensed until such time as they no longer fall under the following:
- Copies of licensed machines (physical or virtual) used for backup purposes only
- Template virtual disks used for deploying new virtual guests
- Other virtual machines not generally online and not used for production purposes (e.g. an offline CA in a VM would not qualify)

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)

How about an all expenses paid trip to DEC in Vegas, entry to the NDA lunch and of course the obligatory book Active Directory Programming, ISBN: 0672315874?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: 10 October 2005 19:06
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [Norton AntiSpam] [ActiveDir] Results of survey - Most common cause of Active Directory failures?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack of knowledge or carelessness, the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...)
- Incomplete load of an IPSec filter list
- Impact of a 3rd party agent or application on a DC e.g. Antivirus software
- Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
- Corrupt AD DC database / required metadata cleanup and repromotion of DC
- Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
- Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the nothing too fancy prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory failures?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory failure (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected). List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like B, A, F or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil
Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at
RE: [ActiveDir] Active Directory wish list
Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can act as a routing, queuing, and parsing mechanism to determine which LDAP namespace/partition or domain an inbound request is destined for. With such a mechanism in place, registration/advertisement (DNS) of the various LDAP namespaces supported should be compatible with today's implementation and existing client capabilities. However, some of the other facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted for, but I suppose similar proxy methods could be developed to support these subsystems as well...

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have 9 VMs running on one server. It's choking for more RAM, but management won't foot the bill for the additional riser card and ram. Otherwise, no limitations in functionality. If I had adequate hdw to run the VMs I could use VMs more gracefully. I've used/use desktop hdw to run testlab machines, but scalability and user experience testing is indeed a factor for some things.

The underlying wish here was to be able to put multiple AD DCs on one piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be able to run 3 domains on one, with AD running as a service, kinda like the way IIS can run multiple websites, or SQL can run multiple DBs (although it's at a lower level than either of those apps). If I could run 3 domains on 2 servers instead of 6, I would imagine that I'd save on licensing costs as well as hdw, since running an AD service would likely be less hdw intensive than running an OS... We can dream, can't we? :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

I agree. SMB business can be very complex. Can you expand on the idea that VM's aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario. I'd have to say that smaller, cheaper dc's (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work? What's the difference in this situation?

For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains. Otherwise, I'm not sure I get it. Is this like a LPAR concept you're talking about? That would be more helpful to you in these situations? If so, how is that different than VM's?

Test environments are notoriously able to take down servers without warning. I would often prefer to use a VM to decrease that risk of consuming all resources to destruction. That provides some isolation while not requiring extra hardware. VM's require licenses (the OS and apps do) FWIW. You're only saving on the hardware and environmentals that I can see, but I'm trying to understand what I'm missing.

- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, October 10, 2005 11:05 AM
Subject: RE: [ActiveDir] Active Directory wish list

For us, it's the ability to run parallel domains for test/development purposes. We have our production domain, my IT test domain, and our LOB application test domain. I'd have another IT test domain if I had the available hardware right now. We are required to test and document all changes to the LOB app and a significant number of people work in that test domain. Running it on VMs or old hardware doesn't cut it gracefully, although that's what I do. Since management won't write the check for additional hardware/licenses, we do what we can. But if we had one beefy server to replace 3, and one server license to replace 3, it would be much more cost effective to do, and would increase performance for the user community.

In my last gig, we had multiple domains that were used for development and customer support departments. The support kids especially needed multiple domains to recreate customer environments and various software versions. I can think of a lot of reasons to need multiple domains/forests in an SMB environment. Regulatory compliance, 24x7 availability that mandates full testing prior to implementation in production, customer support
RE: [ActiveDir] TS GPO and Citrix Settings
If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it's probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue; however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings, which presents a problem. So aside from blocking policy inheritance on the OUs where there are terminal servers, does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I've explained well enough.

Thanks in advance,
Ryan
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Title: Most common cause of Active Directory failures?

you forgot to mention the amount USD in casino chips you would like to find in your complimentary hotel room upon arrival ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, October 10, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

Suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)

How about an all expenses paid trip to DEC in Vegas, entry to the NDA lunch and of course the obligatory book Active Directory Programming, ISBN: 0672315874?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: 10 October 2005 19:06
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [Norton AntiSpam] [ActiveDir] Results of survey - Most common cause of Active Directory failures?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC, e.g. antivirus software
Issues with FW config that hindered replication over the tombstone lifetime (may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
Inadvertently double-clicking a _vbscript_ when someone meant to right-click edit it :)

The two winners of the nothing too fancy prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory failures?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory failure (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are.
Just send me a response like B, A, F or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical
RE: [ActiveDir] Active Directory wish list
And I wholeheartedly applaud dreaming. Without it we'd still be in a dark wet cave, chewing on roots and hoping to keep warm ;-) It's just that I don't think the licensing case is the big issue. I would guess that Microsoft licensing would find another way to get the pound of flesh. I don't think for a minute that they shouldn't either. Because of that market force, I tend to disassociate the licensing from the solution altogether. Take that away, and I'm not sure that you have solved your technical problem by avoiding the hardware purchase. I have to admit, it sounds cliche but the hardware is cheap. Very cheap and you'd likely have to include bigger hardware to get multiple domains installed anyway. The OS is not taking copious amounts of memory last I checked (128 is fine for just the OS). It's those silly apps that require so much. And if you have to load test, then you're deeper in the water because you'll take the rest of the domains down to their knees while you use one of the others. Virtualization offers a better technical solution in that you can keep them totally separate from each other. They rely on a common OS, so the only real difference is the memory overhead and some of the OS overhead you otherwise might not have. The tradeoff is the stability that comes with the separation and a higher maintenance cost while you rev the OS across 9 instances of the OS. I see that. But there's also some flexibility in that approach because I am not required to upgrade all 9 instances at once. I can create a test environment that works with multiple versions at a time vs. all upgrade at once, like IIS requires (that's a shared code issue, not to pick on IIS). I have to say I think it's a great idea to dream Charlie, but I don't get the advantage of multiple domains (as they exist today) over virtualization. Thanks for clarifying though. We'll have to wait and see how it pans out I suppose. 
Cheers,
Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have 9 VMs running on one server. It's choking for more RAM, but management won't foot the bill for the additional riser card and ram. Otherwise, no limitations in functionality. If I had adequate hdw to run the VMs I could use VMs more gracefully. I've used/use desktop hdw to run testlab machines, but scalability and user experience testing is indeed a factor for some things.

The underlying wish here was to be able to put multiple AD DCs on one piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be able to run 3 domains on one, with AD running as a service, kinda like the way IIS can run multiple websites, or SQL can run multiple DBs (although it's at a lower level than either of those apps). If I could run 3 domains on 2 servers instead of 6, I would imagine that I'd save on licensing costs as well as hdw, since running an AD service would likely be less hdw intensive than running an OS... We can dream, can't we? :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

I agree. SMB business can be very complex. Can you expand on the idea that VM's aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario. I'd have to say that smaller, cheaper dc's (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work? What's the difference in this situation?

For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains. Otherwise, I'm not sure I get it. Is this like a LPAR concept you're talking about? That would be more helpful to you in these situations? If so, how is that different than VM's?

Test environments are notoriously able to take down servers without warning. I would often prefer to use a VM to decrease that risk of consuming all resources to destruction. That provides some isolation while not requiring extra hardware. VM's require licenses (the OS and apps do) FWIW. You're only saving on the hardware and environmentals that I can see, but I'm trying to understand what I'm missing.

- Original Message -
From: Charlie Kaiser [EMAIL
RE: [ActiveDir] TS GPO and Citrix Settings
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services. Already have tried the deletion but you have to keep on doing it if you want to make changes to Citrix. I was hoping there was a Disable Secure RDP registry setting that wouldn't gray anything out (as in W2K).

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, October 10, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it's probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue; however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings, which presents a problem. So aside from blocking policy inheritance on the OUs where there are terminal servers, does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I've explained well enough.

Thanks in advance,
Ryan
[ActiveDir] exchange confusion(OT)
I have a contact with the addy of [EMAIL PROTECTED]. I created an SMTP connector with an address space of *.domain.com. When Exchange 2k sends an email destined for [EMAIL PROTECTED] thru that SMTP connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername. I see this in the SMTP logs on the server, and the remote server doesn't accept mail to that addy and is saying relay not allowed.

Now, my question: why is Exchange rewriting the address just because I'm using a wildcard in the connector address space? Is this by design? What if I wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com? Wouldn't I just create a connector with an address space of *.domain.com? Should Exchange 2k just forward the email without changing the RCPT TO: headers? Am I wrong and clueless as usual? What am I missing?

I'm running Exchange 2k post SP3 rollup in mixed mode (but no Exchange 5.5 servers or ADC).

Thanks a lot
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Yeah I didn't want to state going away completely from the domain model. My basic idea is to do something different than is allowed by current legacy systems and their support. Allowing multiple domains on a single DC sounds like an easy way for people to visualize it. It could, in fact, be something more along the partitioning done by Novell or something else entirely different. Either way, the switch turns off all Legacy to never allow it to work in that environment again.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Good suggestion Joe and, in principle, I agree ... but were that to make it to reality, I'd question why the legacy domain model persists. Domains are, IMO, an outdated and overly rigid technology ... obviously, there are many features that would require significant modification (some of which will hopefully be covered by Longhorn). Perhaps flexible partitioning within a single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability? Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMB's offer that they need multiple instances of DC's? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work a SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I'd be surprised if we see this in my lifetime, or at least before I retire.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 05, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

What I want is to be able to run multiple domains on one OS installation and segment the directories from each other. That way I don't need to run multiple licenses of the OS, nor do I need hardware that can power 4 VMs. I already run VMs using VMWare in my test lab; it works but I'd prefer to be able to run AD as a service and have it be smart enough to be able to segment itself without needing a separate OS...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 05, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

You can. It's called Microsoft Virtual Server.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Don't get lost in the details yet. I tried to give a specific example to help clarify the general concept of: I have a switch labeled Hurray that shuts off legacy support; it launches Windows into a whole new non-NT compatible auth/authz system. It seems to me if we keep the legacy stuff in there, it is never going to go away because there is no impetus for it to go away.

Then again, maybe ADAM is the new model... Companies switch to using ADAM for auth/authz entirely and away from AD. However, that means having to build up the GPO model, etc in ADAM as well as Kerberos and other supporting pieces.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Depends on how it's implemented. If it is really multiple AD domains/forests (full functionality for all three) then I would be all for it as it would greatly simplify multi-forest deployments and really be a cause for celebration for new deployments. However, it would be interesting to see how a multi-forest server would register itself and be advertised. Same for application of services and applications when they have one IP address to resolve to.

I see this as a fundamental change that only has the advantage of reducing OS licensing costs. I haven't seen specs on BC, but would imagine that virtualization will eventually be included at some level either in the OS or in the hardware itself. At that point, is there a benefit to a multiple forest or domain on a single DC vs virtualization? I suspect the differences in cost would not be large. I'm not sure I'd like the stability issues per se. Hardware is cheap. Dirt cheap and if I can withstand the risk of multiple forests on a single OS/piece of hardware, I can probably withstand three low-class servers. Or one larger with virtualization because the scenario that I would likely deploy into would not be a high-availability and high-traffic scenario. It would likely be a remote site with 200 or less users that needs access to resources in multiple forests.

As for partition information or ldap identity stores, I already have ADAM available to me in the OS (R2) and can deploy many instances of that. It's not the LDAP abilities I'm after. It's the other NOS related information that appeals. Specifically for me, it would be multi-forest implementations that would be of interest. The drawback to me would be flushing my investment in other applications. I'm not interested enough in the end result to flush my legacy apps and the investment I have in them.

My 0.04 anyway.

From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
Date: Mon, 10 Oct 2005 10:32:26 -0400

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected. I.E. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.E. Complete break with legacy capability? Personally I wouldn't mind seeing something like that but how do others feel about it. Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the authentication[1] and other apps that support/work with AD to provide identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so sure.

I'm curious, Charlie and Neil. What services do these SMB's offer that they need multiple instances of DC's? I realize that a best practice is to have multiple servers that can provide some failure tolerant behaviors, but I'm wondering what type of work a SMB does that requires multiple full blown AD domain instances and therefore multiple servers etc. Can you expand that?

[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm CCBW

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
Date: Mon, 10 Oct 2005 08:52:25 +0100

Maybe you should read about eDIR/NDS... :) Novell did this back in '93.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: 06 October 2005 01:51
To:
RE: [ActiveDir] Modifying Domain Admins Administrators Group
Define within reason.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

Is a tool like that something people would be willing to pay for?

Affirmative Mr. joe. (Within reason of course)

YMYMYM
___

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

Ah, global won't have the issue with primary group since it used the NET* calls. However, it won't catch nesting that is disallowed in NT; those entries will be curiously absent because the NET calls don't know anything about it. If you are simply looking for any change on a group, fire a notification on the changing of the metadata or the USN or the whenChanged stamp.

What would I do? The answer is of course, it depends. :o) It depends on what I perceive the risks are and the necessity for protecting things. It could be very little or it could be a lot with several cross checks. Generally, monitoring from multiple angles as well as trying to prevent the possibility of any change is the best solution in my opinion. Sort of like root kit detection: you won't know when looking at things one way, you have to look from different angles and check the shadows.

If I really wanted to be sure I would have a service running on every DC that made sure the group memberships were exactly what I wanted. These would be services that had change notifications set up for each monitored group so AD told me when the group changed versus me looking at it and seeing if something changed on some x interval. But just the same, that service would still look at some very regular, very short interval just in case the change notification dorked up, and I would do it using multiple interfaces. If I was REALLY being paranoid I would possibly have the service shut down the box if it detected a change being originated on it, in case that one box has been somehow compromised. That service might also, for instance, look for certain known vectors and try to clean those up if detected as well. There are other things, but the more you tell people about what you are doing to protect a system, the more you tell them on what they may need to do to compromise a system.

Is a tool like that something people would be willing to pay for? You set it for how jittery you are about changes to some finite small number of specific groups and depending on the jittery setting it does anything from warn to correct to locking the box down dead from any more mods?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

I'm just using the (I believe) resource kit tool global.exe to return samaccountname of users in the group. A user who has that particular group as primary still shows up. At the time my biggest concern was ANY change. There should not be any changes made to those groups at any time without my group's knowledge. Obviously if a group (nesting) is added I'll know about it and whip out my ruler to smack someone with.

As far as the restricted groups are concerned; when I first added them to the policy it worked like a charm. After some more testing I found it was taking longer than expected... more than 15 minutes. After looking at the policy I saw that I had entered "domain admins" instead of "domain\domain admins". I changed it and it never worked. Changed it back to just "domain admins" and again it usually works, but I recently saw a user sit in the group for an hour or so before I removed it manually. I was however notified within a minute of the change. Like I said, it's crude but it gets what I need done. I know that I have to deal with replication time and I could hit a DC that doesn't know about the change immediately, which could delay my notification by up to a few minutes, but my biggest concern at this time is certain admins that can add to the DA's group. No need to start down that road... I walked into this and am slowly cleaning up this mess. Who the hell makes a file server a DC...

Now... I have to ask... how would Joe do it? ;-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group

What about people who have those groups as a primary group? 30 seconds is a long time, I could be a domain admin and have it not show in the DA member attribute in milliseconds. Also
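The polling side of what joe describes (a short-interval check of a protected group that also catches primaryGroupID members and nested groups, compares against a baseline, and reads the replication metadata to see which DC originated a change), as an added example that is not code from the thread. It assumes the RSAT ActiveDirectory module (Windows Server 2012 or later for Get-ADReplicationAttributeMetadata); the DC name 'dc01.example.com' and the baseline path are placeholders.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module (2012+ for Get-ADReplicationAttributeMetadata); the DC name and
# baseline path below are placeholders.
param(
    [string]$Group        = 'Domain Admins',
    [string]$Server       = 'dc01.example.com',
    [string]$BaselinePath = "$env:ProgramData\GroupWatch\baseline.json"
)
Import-Module ActiveDirectory

function Get-ProtectedGroupSnapshot {
    param([string]$Group, [string]$Server)
    $g = Get-ADGroup -Identity $Group -Server $Server `
            -Properties member, whenChanged, uSNChanged, objectSid
    $rid  = [int](($g.objectSid.Value -split '-')[-1])
    $seen = @{}
    # Walk the member attribute recursively: an account nested two groups
    # deep has the same rights as a direct member.
    $queue = New-Object System.Collections.Generic.Queue[string]
    foreach ($dn in $g.member) { $queue.Enqueue($dn) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $o = Get-ADObject -Identity $dn -Server $Server `
                -Properties objectClass, member, sAMAccountName
        $seen[$dn] = "$($o.sAMAccountName) via member ($($o.objectClass))"
        if ($o.objectClass -eq 'group') {
            foreach ($m in $o.member) { $queue.Enqueue($m) }
        }
    }
    # Accounts whose primaryGroupID is this group's RID are never listed in
    # the member attribute, so a check that reads only member misses them.
    Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Server $Server `
            -Properties sAMAccountName |
        ForEach-Object {
            if (-not $seen.ContainsKey($_.DistinguishedName)) {
                $seen[$_.DistinguishedName] = "$($_.sAMAccountName) via primaryGroupID"
            }
        }
    [pscustomobject]@{
        Group       = $g.DistinguishedName
        Server      = $Server
        WhenChanged = [string]$g.whenChanged
        USNChanged  = [string]$g.uSNChanged
        Members     = @($seen.Keys | Sort-Object | ForEach-Object { "$_ = $($seen[$_])" })
    }
}

function Compare-GroupSnapshot {
    param($Baseline, $Current)
    $diff = Compare-Object -ReferenceObject @($Baseline.Members) `
                           -DifferenceObject @($Current.Members)
    [pscustomobject]@{
        Added   = @($diff | Where-Object { $_.SideIndicator -eq '=>' } |
                       ForEach-Object { $_.InputObject })
        Removed = @($diff | Where-Object { $_.SideIndicator -eq '<=' } |
                       ForEach-Object { $_.InputObject })
        # uSNChanged moves on any write to the object, including one that was
        # reverted before this poll ran, so a moved USN alone is worth a look.
        UsnMoved = ($Current.USNChanged -ne $Baseline.USNChanged)
    }
}

$current = Get-ProtectedGroupSnapshot -Group $Group -Server $Server
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written for $Group ($($current.Members.Count) effective members)."
    return
}
$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$result   = Compare-GroupSnapshot -Baseline $baseline -Current $current
if ($result.Added -or $result.Removed -or $result.UsnMoved) {
    Write-Warning "$Group changed on $Server (uSNChanged $($baseline.USNChanged) -> $($current.USNChanged))"
    $result.Added   | ForEach-Object { Write-Warning "  ADDED:   $_" }
    $result.Removed | ForEach-Object { Write-Warning "  REMOVED: $_" }
    # Replication metadata names the DC where each member change originated
    # and when, which answers the "which box did this" question.
    Get-ADReplicationAttributeMetadata -Object $current.Group -Server $Server `
            -Attribute member -ShowAllLinkedValues |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object -First 5 -Property AttributeValue, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity |
        Format-Table -AutoSize
} else {
    Write-Host "$Group unchanged on $Server (uSNChanged $($current.USNChanged))."
}
```

Run it once to write the baseline, then from a scheduled task at the short interval you are comfortable with, pointing at each DC in turn so replication lag shows up as a per-DC difference rather than being hidden.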
Re: [ActiveDir] single login size in bytes?
Totally guessing here from the Dr. J password literature I've read... but wouldn't it depend on the auth method involved as to the traffic size? Since NTLMv2 is MS specific... you might have to fire up the sniff tools on that one.

Chapter 11 in the Riley/Johansson book on passwords:

LM hash
- password is padded to 14 characters
- lowercase converted to uppercase
- split into 7 byte chunks
- each chunk generates an 8 byte odd parity DES key
- each 8 byte key is used in DES encryption of a fixed string
- the two cipher texts are concatenated and stored

NTLMv2
- you are sending challenges back and forth across the wire
- Auth req
- Server challenge
- ntlm2 response
- auth result

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3: http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3: http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet Column - Security Management - December 2004: http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Rich Milburn wrote:

Does anyone happen to know a rough idea how many bytes are transmitted when a single user logs on to an XP box to a W2K3 AD, assuming cached credentials aside? I've been goog searching and finding a lot of detailed info about replication but not much about the size of the authentication packets etc. I am digging out net monitor as I type (well almost as I type) to see for myself, but anyone who would like to comment on the feasibility of having XP machines on the far end of a 56K frame circuit actually being members of the domain, please feel free to let me know. We're talking simple logging in, including a single GPO or maybe two - but no replication, etc. They do already get their email using Outlook to a pst. And please don't laugh. This is a very serious issue.

;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
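The LM hash steps listed above, carried through in code as an added example (not from the post or the book it cites) so the weakness the Riley/Johansson material is getting at is visible: the two 7-byte halves are hashed independently, case is thrown away, and any password of seven characters or fewer has a constant second half. It assumes PowerShell 3 or later with the .NET DES provider and an ASCII password (real LM hashing uses the OEM code page); the fixed string and the empty-half constant are the documented LM values.

```powershell
# Added example, not code from the post. Needs PowerShell 3+ and .NET's DES
# provider; demonstrates the LM hash steps described in the post above.
function ConvertTo-LmDesKey {
    param([byte[]]$Half)            # exactly 7 bytes of the padded password
    # Concatenate the 56 bits, cut them into eight 7-bit slices, shift each
    # slice left one place and use bit 0 as an odd-parity bit.
    $bits = [uint64]0
    foreach ($b in $Half) { $bits = ($bits -shl 8) -bor $b }
    $key = New-Object byte[] 8
    for ($i = 0; $i -lt 8; $i++) {
        $slice = [int](($bits -shr (49 - 7 * $i)) -band 0x7F)
        $ones = 0; $t = $slice
        while ($t -ne 0) { $ones += ($t -band 1); $t = $t -shr 1 }
        $parity = if (($ones % 2) -eq 0) { 1 } else { 0 }
        $key[$i] = [byte](($slice -shl 1) -bor $parity)
    }
    return ,$key
}

function Get-LmHash {
    param([string]$Password)
    if ($Password.Length -gt 14) {
        throw 'Windows stores no LM hash for passwords longer than 14 characters'
    }
    # Case-fold to upper case, then pad with NULs to exactly 14 bytes (ASCII
    # assumed here; Windows uses the OEM code page).
    $padded = $Password.ToUpperInvariant().PadRight(14, [char]0)
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($padded)
    $magic  = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')   # the fixed string
    $out    = New-Object byte[] 16
    foreach ($h in 0, 1) {
        # Split into two 7-byte chunks; each is hashed on its own, so a
        # cracker can attack each half independently.
        $chunk = [byte[]]$bytes[(7 * $h)..(7 * $h + 6)]
        if (@($chunk | Where-Object { $_ -ne 0 }).Count -eq 0) {
            # An all-NUL chunk yields the all-0x01 DES key, which .NET rejects
            # as a weak key; its ciphertext is the well-known constant below.
            $cipher = [byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
        } else {
            # Derive the 8-byte odd-parity key and DES-encrypt the fixed string.
            $des = [System.Security.Cryptography.DES]::Create()
            $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
            $des.Padding = [System.Security.Cryptography.PaddingMode]::None
            $enc = $des.CreateEncryptor((ConvertTo-LmDesKey $chunk), (New-Object byte[] 8))
            $cipher = $enc.TransformFinalBlock($magic, 0, 8)
        }
        # Concatenate the two ciphertexts into the 16-byte LM hash.
        [Array]::Copy($cipher, 0, $out, 8 * $h, 8)
    }
    return (($out | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Demonstration: 'Password' and 'PASSWORD' collapse to one hash, and the
# second half of 'pass' is the same constant as both halves of ''.
'Password', 'PASSWORD', 'pass', '' | ForEach-Object {
    '{0,-10} {1}' -f "'$_'", (Get-LmHash $_)
}
```

The usual mitigation for the weakness shown is to stop storing LM hashes at all (the NoLMHash policy, "Network security: Do not store LAN Manager hash value on next password change"), which is what the pass-phrase articles linked above argue for in practice.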
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Maybe I shouldn't be pushing so hard to take over DNS operations for clients and servers. ;-) Actually, we manage the SRV records only, and while they are a bit tricky, once it's working it just works. But trying to explain what's going on to a Windows admin who doesn't have an AD background is almost a bigger challenge.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
- Incomplete load of an IPSec filter list
- Impact of a 3rd party agent or application on a DC, e.g. antivirus software
- Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
- Corrupt AD DC database / required metadata cleanup and repromotion of DC
- Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
- Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...). Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective? (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory failures?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory failure (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like "B, A, F" or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I.
RE: [ActiveDir] Schema Updates
Entirely your option. :) Windows 3.11 and Windows NT are really not the same product. Note I am not saying I won't use Cisco routers because they sucked 12 years ago. As someone else pointed out, software isn't Cisco's ball of wax. There is obviously a little bit of a scary point there when you consider though that the IOS is software... Also as you mentioned, it wasn't created or even modified much by Cisco. So I don't expect it is much different now than what I saw.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11 just wasn't that great at networking. ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and doesn't need a lot of work. :o) It just means it is better than the other sucky alternatives. I haven't seen Unity in years but when I last saw it, it had me swearing about how bad it was. I seem to recall saying something along the lines of "that will never be in any AD I ever manage."

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is right now. Actually has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco; they simply bought a really good product and left it be for the most part. As for the schema updates, it didn't work. We made the registry change and it did work. I don't see how that would be tied to the app as no changes were made there. But who knows.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm. I need to think about that again. I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace. In production, we upgraded initially then did a replacement effort later. More to the point, UGH Cisco Unity. I wish to Christ they'd stick to hardware and stop venturing into software.

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say change the rangeupper of cn or something like that and then change it back. Something innocuous.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this.

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install?

:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 even though the user was in Schema Admins. I was under the same impression as Travis, but after enabling updating in the registry it worked fine.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis? If not, I would recommend pulling up the Sysinternals registry and file monitors as well as tracing the AD calls.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates

Hi, I am having some problems updating the schema for Avaya Unified Messaging. It is my thinking that in Windows 2003 the schema is already enabled for updates as long as you are in the Schema Admins group. In Windows 2000 you had
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Hmm DNS you say...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
- Incomplete load of an IPSec filter list
- Impact of a 3rd party agent or application on a DC, e.g. antivirus software
- Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
- Corrupt AD DC database / required metadata cleanup and repromotion of DC
- Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
- Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...). Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective? (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like "B, A, F" or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil

Gil Kirkpatrick
CTO, NetPro
Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
Re: [ActiveDir] TS GPO and Citrix Settings
Hi Ryan,

The greying out of the settings is a "good thing". Basically any well designed program that provides a user interface to a registry setting should grey out settings that are managed via the Policy key. This is really saying "This setting is set via policy. Don't fiddle with it". When it used to be ungreyed, I would have thought you still would have had a problem, since next time policies applied it would set it back anyway.

While you could temporarily change it as Derek suggests, I presume you want to permanently fix it. As you suggested, you can block inheritance for the OU, but this is not nice since it blocks all policies (except those with No Override) from flowing to that OU. Your other options are another policy connected to the OU that reverses the policy setting, or create a group of all your CITRIX machines and put the group in the DENY list for the policy.

Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Derek Harris
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 11, 2005 6:05 AM
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change, go into the registry and delete the policy subtrees (from HKCU or HKLM, or both). They'll come back on the next policy refresh, but it'll give you a few minutes. I can't remember off the top of my head where those settings are stored: [software\policies], [software\microsoft\windows\current version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although it's probably expected for all I know) with Terminal Service settings on W2K3 boxes. A GPO at our application server container sets various settings (timeout values, encryption, etc.) for all systems (regardless of Admin/Application mode). The behavior is when any TS setting is set by a GPO the setting is grayed out and even administrators cannot change the settings. This itself would not be an issue; however, the default behavior of Citrix is to take the RDP settings and therefore we cannot change the ICA settings, which presents a problem. So aside from blocking policy inheritance on the OUs where there are terminal servers, does anyone know of a way to un-gray the settings for W2K3? This was not an issue in W2K. Hopefully I've explained well enough.

Thanks in advance,
Ryan
RE: [ActiveDir] Adding custom fields to AD
Won't work for me. I have about 50,000 users in my home AD on about 3 domains and 8 DCs... Oh I also have trusts to a couple of R2 and NT4 Domains.

eg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 10, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

:-P I think someone needs to run SBS at home. See what nice solid DNS/AD is all about :-)

lurk mode back on

joe wrote:

Heck NetBEUI with all broadcasts would work perfect for all internal SBS needs. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 10, 2005 12:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

cough. I love DNS and AD and argue strongly for the glue all the time. {example answer in SBS newsgroup to person not wanting a domain: why in the WORLD do you want to run as workgroup? A domain is just a workgroup with more toys!} But then again I run insecure SBS where our wizards set up the glue for us and we don't have to worry about it. okay back to lurking

joe wrote:

I don't think the rest of the planet loves DNS, I think a lot of people put up with it as a necessary evil due to exactly the reason you state. There isn't even a viable option on the table. WINS simply won't scale due to the lack of hierarchy. I myself also realize that it is a necessary evil but it doesn't mean I have to necessarily like it. ;o) I certainly don't like managing it nor running it as integrated into the AD itself. The fact that AD is critically dependent on a service that it itself provides smacks my internal like-it-or-hate-it sensors about. I am very much pro-someone else running DNS properly and I run AD properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 09, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

what would you think would be a good replacement for dns/wins?

There currently isn't one. Not really even a viable option on the table. joe doesn't like DNS. The rest of the planet loves DNS - including those eggheads (loveable eggheads that they are) at IETF who are the holders of the standards, and they love DNS too. :-) Microsoft fought hard to get to standards cooperation. Don't look for anything in the near future to break away from that in regards to DNS.

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse - last place I worked at had corrupted WINS at least once every 2 months (this could have been due to my lousy admin skills). I've never had issues with DNS (could be my dumb luck). Now I work for a corp that has NetBIOS/TCP disabled and relies solely on DNS (both MS and BIND) with no name resolution issues. Also WINS replication seems much more complex than standard primary/secondary DNS replication. And I'm not one to think I know anything as an admin or would even think of getting into such a discussion with someone as experienced and knowledgeable as you, but I've always found DNS easier than WINS and NetBIOS names in general. My only difficulty came with learning DNS on BIND/Linux and just wrapping my head around AD-integrated DNS when I first came to Windows. Sometimes when you learn something via the command line, using the GUI just confuses things. Then again I'm probably one of those guys who thinks he knows DNS but really doesn't know anything and hasn't found out yet :(

What would you think would be a good replacement for DNS/WINS?

Thanks

On 10/8/05, joe [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

I wasn't saying I like WINS better than DNS or vice versa, just said I don't like DNS. I especially dislike the AD/DNS integration. I don't like chicken and egg problems. BTW, as you bring up WINS:
1. I've never had a corrupted WINS Database.
2. Fewer admins had name resolution issues or replication based issues with WINS than they do with DNS.
3. The complexity of DNS seems to put many admins off the deep end; interestingly enough, the same admins who said they couldn't figure out WINS say they know all about DNS.
But again, my comment
RE: [ActiveDir] exchange confusion(OT)
You should be able to just do domain.com and it will pick up any child domains, unless you have a child that needs special privileges.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Posted At: Monday, October 10, 2005 2:28 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] exchange confusion(OT)
Subject: [ActiveDir] exchange confusion(OT)

I have a contact with the addy of [EMAIL PROTECTED]. I created an SMTP connector with an address space of *.domain.com. When Exchange 2k sends an email destined for [EMAIL PROTECTED] through that SMTP connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername. I see this in the SMTP logs on the server, and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question - why is Exchange rewriting the address just because I'm using a wildcard in the connector address space? Is this by design? What if I wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com? Wouldn't I just create a connector with an address space of *.domain.com? Should Exchange 2k just forward the email without changing the RCPT TO: headers? Am I wrong and clueless as usual? What am I missing?

I'm running Exchange 2k post SP3 rollup in mixed mode (but no Exchange 5.5 servers or ADC).

Thanks a lot
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
I mostly agree. The Data Center Edition, according to some of the other links out there, will allow unlimited instances on it. As for the "not running" category, I think it means that unless the instance is at that moment running, it doesn't need a license. So you could have 300 images on an EE box and as long as you only have 4 running at any given moment, you only need one license for the server. Someone brought up a good question on the virtual guy's blog on whether this just applies when using VS or if it also works with VMware. He indicated ESX specifically, which I think is right out, but what about GSX?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

My understanding is as follows:

1 licensed copy of W2K3R2 or Longhorn (EE/DC) provides the following:
- 1 physical host running the licensed OS
- 4 virtual guests running the licensed OS or a lesser version (i.e. Enterprise Edition would allow for Web Edition running in a VM)

VMs developed and designed for the following purposes (as examples) need not be licensed until which time they no longer fall under the following:
- Copies of licensed machines (physical or virtual) used for backup purposes only
- Template virtual disks used for deploying new virtual guests
- Other virtual machines not generally online and not used for production purposes (e.g. an offline CA in a VM would not qualify)

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

I'm a bit confused as to what she was trying to say in the quote below; she says four VMs, but she doesn't say four instances of Windows, and she says that they'll only charge for virtual images of Windows actually running. I take that to mean that if I have a box with 10 virtual machines defined but only 4 running at a time, that I only have to pay for 4? Unless I start a 5th one before I bring one of the others down? Does it mean that currently I'd have to pay for 10? Or is it that if I am only running 4 I can run them on top of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network were for a while: 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4... you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat, but MS wrote the Windows code; who could do it better than them? Or maybe I'm way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said.
/QUOTE
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network was for a while: 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4... you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat, but MS wrote the Windows code; who could do it better than them? Or maybe I'm way off base here. ??

Well, with this you can use differencing disks. I do it now after Dean talked about it. I build one server and then spin up differencing disks off of it, and it dramatically reduces my disk use. As for everything else, you are describing running everything on a single machine with virtualization up at the subsystem level, which isn't really virtualization in the same terms as hardware virtualization. You still have a single registry and source for device drivers, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

I'm a bit confused as to what she was trying to say in the quote below. She says four VMs, but she doesn't say four instances of Windows, and she says that they'll only charge for virtual images of Windows actually running. I take that to mean that if I have a box with 10 virtual machines defined but only 4 running at a time, that I only have to pay for 4? Unless I start a 5th one before I bring one of the others down? Does it mean that currently I'd have to pay for 10? Or is it that if I am only running 4 I can run them on top of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network was for a while: 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4... you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat, but MS wrote the Windows code; who could do it better than them? Or maybe I'm way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp
Virtual Windows License Simplified

QUOTE
Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said.
/QUOTE

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Active Directory wish list
I don't think the issue is there. When you make an LDAP call, you specify where you want to go; the hierarchy is all there and required in the call. Also, I don't believe the issue is in SYSVOL. If you look at the SYSVOL structure, it has the domain component in there. In fact, when I first saw that in, say, Oct 1999 in the gold product I was thinking... Hmm, is MS thinking about supporting multiple domains from a single DC?

One of the big issues is at the level of all of the old NET style calls. You specify a server, not a domain, then it assumes there is one auth point on that one server (i.e. one SAM in the old days) and it works it. If a call came in for user bob on server123 and there were three domains or partitions or x hosted, all of which have bob, which one gets sent back?

If the old NET functionality got dumped, I would be rewriting quite a bit of code. The only reason I am not already doing it is that there is no impetus to: it works, I don't have to worry about it. At the same time, that holds back from doing newer and cooler things if MS did offer the option to move on. If that option were there, though... I would start rewriting to get to it. At the present time, there is no sign of the death of the NET API, so there is no reason to rewrite something that works fine using it unless there is some other reason (like you need something that isn't accessible through the API). Even on this list, which has a lot of the more eager techofolks, we discuss the WinNT provider and other NET API based methods quite a bit for accessing AD. How come everyone isn't only using the LDAP methods? Answer: because the NET API methods still work for many things.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can act as a routing, queuing, and parsing mechanism to determine which LDAP namespace/partition or domain an inbound request is destined for. With such a mechanism in place, registration/advertisement (DNS) of the various LDAP namespaces supported should be compatible with today's implementation and existing client capabilities. However, some of the other facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted for, but I suppose similar proxy methods could be developed to support these subsystems as well...

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have 9 VMs running on one server. It's choking for more RAM, but management won't foot the bill for the additional riser card and RAM. Otherwise, no limitations in functionality. If I had adequate hdw to run the VMs I could use VMs more gracefully. I've used/use desktop hdw to run test lab machines, but scalability and user experience testing is indeed a factor for some things.

The underlying wish here was to be able to put multiple AD DCs on one piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be able to run 3 domains on one, with AD running as a service, kinda like the way IIS can run multiple websites, or SQL can run multiple DBs (although it's at a lower level than either of those apps). If I could run 3 domains on 2 servers instead of 6, I would imagine that I'd save on licensing costs as well as hdw, since running an AD service would likely be less hdw intensive than running an OS... We can dream, can't we? :-)

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory wish list

I agree. SMB business can be very complex. Can you expand on the idea that VMs aren't working well for you? I'm trying to understand the difference between that and a multiple domain DC for that scenario. I'd have to say that smaller, cheaper DCs (desktop class?) have always worked well for me in the past when doing functionality testing. Scalability requires full-blown hardware. But I'm not seeing where VM environments aren't working as well as you'd like a physical environment to work? What's the difference in this situation? For availability, I could see some value in a DC configured to host multiple domains because I could designate one to be the failover for several domains. Otherwise, I'm not sure I get it. Is this like a LPAR concept you're talking about? That would be more helpful
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Well, that's really my point. You can't really take away some of those apps that exist today. They're too ingrained in the way people use the technology. They really are the value add at the core of the product. Otherwise, this would be fine by me: http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built-in headache to manage. But it also has a LOT less functionality that I need, which is provided by those apps that will one day be legacy.

I can be open minded and forward thinking. Let's just leave it at: provide same or better functionality as I get now to provide the push I need to move to a new paradigm [1]. But if you plan to take that away, then I don't see the value you provide (at this point). If you do provide a complete instance for each of those, how does that differ from the VM path? Am I just missing the concept here? I hate to be so close-minded that I miss the point, but I also don't want to be so open-minded my brains fall out. I need a boundary in an open forum. Just a beer in a closed forum.

Seriously Joe, I get the concept of wanting this type of functionality. What I don't get is the value it adds. It comes across as a lot of trouble for a gee-whiz feature with no substance that helps me attain my business goals. I'm more of the DC-in-a-VM camp because I prefer the isolation. Is that old-school? I don't know. Does that help others out? Not sure. Would putting multiple domains on the same piece of hardware be helpful? Without a doubt. Does it need to be in the same instance of the hard. Yep. Does that mean that there could be multiple instances that all are self-contained ADs complete with Kerberos, DNS, DHCP, WINS (collectively name res, because one of those should not be in the BC release; I'll let you decide which one), GPO, etc? I don't buy into that as having a tremendous amount of value. It would be nice to be able to do it for a lot of the multi-forest models (test forest, production forest, Exchange forest, Bob's spam forest, etc) but I don't know that effort should be spent to do it that way vs. using virtualization of the entire OS. I see some stability issues that could come about that I'm not comfortable with. I see some authentication and administration issues I'm not comfortable with. I don't see a value in terms of hardware savings. That's not the issue IMHO. I can achieve that today and be very happy with it.

Don't get me wrong, I DO think that a service-based AD is certainly needed, especially for maintenance and troubleshooting, but that's a different issue that's much more easily solved. But putting three, four, five, etc. authentication realms on the same hardware in the same OS instance doesn't buy me much that I can see. I don't see a cost savings. I don't see a reliability gain. I don't see it being worth the upgrade PITA. I do see it would be cool. I don't see it as being faster to restore, thereby achieving a higher service reliability.

Not to be long-winded, but I think I may just not be seeing it the right way. I may be thinking in terms of today's architecture and that it is so tied to the registry (For the love of [insert your deity here], is that???) that it would not be truly separated in tomorrow's implementation. That's likely a wrong assumption and I can easily get over that. But I don't see the effort paying off if I have to discard 10 years of legacy software applications and process trash to get to a point where I save a few dollars on hardware vs. using VM technology (software or hardware based doesn't matter to me in this conversation, although I would prefer hardware to alleviate any cross-over ties to the OS in case of failure; totally autonomous and hardware separated [2]).

[1] Buzz-word-bingo champ, cubicle farm #3, cubicle cluster #2 - 1998
[2] Right. So any gains in hardware ability have historically resulted in higher prices. That would likely negate the savings I might have had if I had gone with multiple smaller hardware devices or if I had used software VM [3]
[3] It's almost circular logic at some point <G>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Don't get lost in the details yet. I tried to give a specific example to help clarify the general concept of "I have a switch labeled Hurray that shuts off legacy support; it launches Windows into a whole new non-NT compatible auth/authz system." It seems to me if we keep the legacy stuff in there, it is never going to go away because there is no impetus for it to go away. Then again, maybe ADAM is the new model... Companies switch to using ADAM for auth/authz entirely and away from AD. However, that means having to build up the GPO model, etc. in ADAM as well as Kerberos and other supporting pieces.

-Original Message-
From: [EMAIL PROTECTED]
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
You want something done right, do it yourself :)

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Maybe I shouldn't be pushing so hard to take over DNS operations for clients and servers. ;-) Actually, we manage the SRV records only, and while they are a bit tricky, once it's working it just works. But trying to explain what's going on to a Windows admin who doesn't have an AD background is almost a bigger challenge.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
- Incomplete load of an IPSec filter list
- Impact of a 3rd party agent or application on a DC, e.g. antivirus software
- Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
- Corrupt AD DC database / required metadata cleanup and repromotion of DC
- Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
- Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...). Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective? (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like "B, A, F" or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C.
RE: [ActiveDir] BlackComb Super Forest Functional Mode
Hmm... No, I disagree joe. Microsoft does need to worry about adoption of their products and any barriers, real or imagined, to that adoption. *nix integration is a reality. Get used to it. Be sure to take it into account for future releases. Be sure to protect the investment of your developer followers [1]. Create a framework that developers can develop to and be somewhat future-proof, else your customers won't adopt your products. Remember, customers don't buy operating systems for the sake of the operating system; they buy them for what they do and what they contribute to their business. It's the applications that the company wants to run that cause people to buy a new OS and new hw. 64-bit computing would be a great example of that. And MS gets it, as evidenced by their strategy to embrace the developers prior to the release.

It's about the applications, not the OS. It's just that the applications don't exist without a solid foundation such as a really strong, reliable, and easy to maintain OS running the hardware. It takes time to build the ecosystem, but adoption only happens when there is a compelling reason. Apps are that reason.

[1] Developers! Developers! Developers! ~ SteveB [2]
[2] Remember why he said that? Because they totally dissed the dev community prior to that. Badly. And paid the price for it. [3]
[3] Why do people pick Microsoft in the first place? Because they have the absolute latest and greatest technology? Nope. Because they have the best technology? Nope (seen RMS lately? I rest that case). Because they have the most applications written for their platform? Yep. Can't swing a dead cat without hitting a MS application. Even open source writes apps that run on Windows because they want their apps adopted.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

- Blackcomb clients would need to be available several years before the blackcomb server.

Well no, that is why you have the functional mode associated with it. It doesn't just happen; the customer chooses to do it. Someone setting up a brand new environment would be good to go immediately. Someone with legacy that they are trying to clean up could take as long as they like. The benefit is that it is a step forward.

- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

By the vendors who supply those clients and the people who have them deployed, yes. Not MS. Part of the reason we are stuck with so much legacy baggage is due to MS worrying so much about the legacy clients that they do not control. There are some great blogs out there of stuff MS has done to make it so incorrectly written apps work with their changes, and it results in all sorts of special cases in the OS. That is the kind of stuff I would like to see going away. It makes MS more limber and hopefully less chance for weird corner cases. The new model may not look anything like the current model; the fact that you have a functional mode to jump to this mode allows the customer to choose when to go to it. At some point, maybe two revs past Blackcomb, that new mode is the mode Windows uses and all legacy is gone.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:
- Blackcomb clients would need to be available several years before the blackcomb server.
- Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac etc]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about a BlackComb Super Forest Functional Mode where not only are DCs impacted but every machine touching the DCs is affected? I.e. MS allows multiple domains on a single DC but not for any pre-BlackComb clients. I.e. a complete break with legacy capability? Personally I wouldn't mind seeing something like that, but how do others feel about it? Once in this mode, no going back. Legacy clients pre-Blackcomb have no clue how to use the domains, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its authentication abilities. IIRC, multiple domains via LDAP only work just fine. It's called ADAM in its latest incarnation. But for the
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
VMware Workstation, I think starting with 5.0, has a similar concept to differencing disks. Usually these things end up in the GSX platform; it just takes a while. ESX has a differencing disks type story; I forget what it's called, though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

One thing that seems a bit silly to me is if I have my new 64 bit server, GOLIATH, and he's running 10 VMs with Windows, then he's running 10 W2K3 kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of filled by NTVDM, that you could run something in there and if it crashed it didn't take down the OS. What if you could run an instance of Exchange in one of those? Or a DC? VMs are now sort of like having CD images on the network was for a while: 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4... you see what I mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX can mitigate that somewhat, but MS wrote the Windows code; who could do it better than them? Or maybe I'm way off base here. ??

Well, with this you can use differencing disks. I do it now after Dean talked about it. I build one server and then spin up differencing disks off of it, and it dramatically reduces my disk use. As for everything else, you are describing running everything on a single machine with virtualization up at the subsystem level, which isn't really virtualization in the same terms as hardware virtualization. You still have a single registry and source for device drivers, etc.
Re: [ActiveDir] exchange confusion(OT)
That's because this addy has special needs. It's a journal contact that needs to be routed out a dedicated connector to a journal server. I still don't understand why Exchange rewrites the address to domain.com instead of servername.domain.com.

Thanks

On 10/10/05, joe [EMAIL PROTECTED] wrote:

I may regret asking this, but recall I don't know squat about Exchange message routing. Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)

I have a contact with the addy of [EMAIL PROTECTED]. I created an SMTP connector with an address space of *.domain.com. When Exchange 2k sends an email destined for [EMAIL PROTECTED] thru that SMTP connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername. I see this in the SMTP logs on the server, and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question: why is Exchange rewriting the address just because I'm using a wildcard in the connector address space? Is this by design? What if I wanted a connector going to every domain under domain.com, like subdomain.domain.com and childdomain.domain.com? Wouldn't I just create a connector with an address space of *.domain.com? Should Exchange 2k just forward the email without changing the RCPT TO: headers? Am I wrong and clueless as usual? What am I missing?

I'm running Exchange 2k post-SP3 rollup in mixed mode (but no Exchange 5.5 servers or ADC).

Thanks a lot
RE: [ActiveDir] Interesting Scripting Task.....
I've written that, and it's actually rather straightforward if you're willing to tackle VBScript and ADSI. Another option you might consider is Microsoft Virtual Server or VMware, where you can build a VM with your environment, save it as a golden master, and use it as the base when you need to rebuild your lab.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Brad
Sent: Monday, October 10, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interesting Scripting Task.

All,

I am pondering the possibility of automating the creation of development environments. The problem I am hoping to solve is that a lot of our testing needs to be done in an environment where all our OUs, GPOs, Groups and so forth are present. Recreating this is a nightmare, so to alleviate this I want to write an import/export script that dumps all the OUs, Groups, Users and GPOs (including security) and then restores them in a different target domain (different forest too). Has anyone attempted/achieved this before?

Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
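The part of Brad's export/import that needs real thought is the cross-forest step, so here is an added example (not Ed's script, and nothing from Brad's environment) that takes an already-exported set of OUs, groups and users and prepares it for the target forest: it rewrites the DN suffix, orders creation so parents and future group members exist first, and translates the SIDs found in each object's security descriptor, because a SID copied from another forest resolves to nothing and only leaves an orphaned ACE behind. The domain suffixes, domain SIDs and the EXPORT records are all constructed for the example.

```python
"""Prepare an AD OU/group/user export for import into a different forest.

Assumptions (nothing here comes from Brad's environment): an export step
has already produced a list of objects, each with its distinguishedName,
objectClass, group members and the SIDs in its security descriptor.  The
EXPORT below is constructed.  Three things break a naive cross-forest copy
and are handled here: the DN suffix differs, parents must exist before
children, and source-forest SIDs resolve to nothing in the target.
"""
import re

SRC_SUFFIX = "DC=lab,DC=source,DC=example"   # constructed source domain
DST_SUFFIX = "DC=lab,DC=target,DC=example"   # constructed target domain
SRC_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed, not a real SID
DST_DOMAIN_SID = "S-1-5-21-4444-5555-6666"   # constructed, not a real SID

# Constructed export, deliberately out of order (child OU before its parent,
# group before its member) to exercise the re-ordering.
EXPORT = [
    {"dn": "OU=Dev,OU=Corp," + SRC_SUFFIX, "objectClass": "organizationalUnit",
     "aces": ["S-1-5-32-544", SRC_DOMAIN_SID + "-1105"]},
    {"dn": "CN=DevAdmins,OU=Dev,OU=Corp," + SRC_SUFFIX, "objectClass": "group",
     "sAMAccountName": "DevAdmins", "rid": 1105,
     "member": ["CN=alice,OU=Dev,OU=Corp," + SRC_SUFFIX]},
    {"dn": "OU=Corp," + SRC_SUFFIX, "objectClass": "organizationalUnit",
     "aces": ["S-1-5-32-544", SRC_DOMAIN_SID + "-512", "S-1-5-21-7-8-9-1001"]},
    {"dn": "CN=alice,OU=Dev,OU=Corp," + SRC_SUFFIX, "objectClass": "user",
     "sAMAccountName": "alice", "rid": 1104},
]

# SIDs that are identical in every domain (BUILTIN\Administrators is
# S-1-5-32-544, Authenticated Users S-1-5-11, SYSTEM S-1-5-18) copy as-is.
WELL_KNOWN_SID = re.compile(r"^S-1-5-(32-\d+|\d{1,2})$")
BUILTIN_RID_MAX = 1000   # RIDs below this (512 = Domain Admins) exist in every domain
CLASS_ORDER = {"organizationalUnit": 0, "group": 1, "user": 2}


def rewrite_dn(dn):
    """Swap the source domain suffix for the target one (DNs compare case-insensitively)."""
    if not dn.lower().endswith(SRC_SUFFIX.lower()):
        raise ValueError("DN is not in the source domain: " + dn)
    return dn[:-len(SRC_SUFFIX)] + DST_SUFFIX


def dn_depth(dn):
    """Count RDNs, ignoring escaped commas; shallower containers are created first."""
    return len(re.split(r"(?<!\\),", dn))


def import_order(objects):
    """OUs shallowest-first, then groups, then users, so every parent container
    and every future group member exists before anything references it."""
    return sorted(objects, key=lambda o: (CLASS_ORDER[o["objectClass"]], dn_depth(o["dn"])))


def translate_sid(sid, rid_to_name):
    """Map one SID from a source-forest ACE onto something valid in the target.

    A copied foreign SID never resolves in the new forest and just leaves an
    orphaned ACE behind, so the import carries the ACE by principal name and
    re-resolves it once that principal exists in the target.  Returns
    (value, reason); value is None when the ACE should be dropped for review.
    """
    if WELL_KNOWN_SID.match(sid):
        return sid, "well-known SID, copied"
    if sid.startswith(SRC_DOMAIN_SID + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        if rid < BUILTIN_RID_MAX:
            return f"{DST_DOMAIN_SID}-{rid}", "built-in RID, re-based on target domain SID"
        if rid in rid_to_name:
            return rid_to_name[rid], "exported principal, re-resolve by sAMAccountName"
    return None, "foreign or unknown SID, dropped for review"


def plan_import(objects):
    """Return the ordered import steps as (op, target_dn, detail) tuples.

    Group membership goes in a final pass because a member must already
    exist in the target before it can be added to a group.
    """
    rid_to_name = {o["rid"]: o["sAMAccountName"] for o in objects if "rid" in o}
    steps, memberships = [], []
    for obj in import_order(objects):
        new_dn = rewrite_dn(obj["dn"])
        aces = [translate_sid(s, rid_to_name) for s in obj.get("aces", [])]
        steps.append(("create", new_dn, {
            "objectClass": obj["objectClass"],
            "aces": [a for a in aces if a[0] is not None],
            "dropped_aces": [a for a in aces if a[0] is None],
        }))
        for member_dn in obj.get("member", []):
            memberships.append(("add_member", new_dn, rewrite_dn(member_dn)))
    return steps + memberships


if __name__ == "__main__":
    for step in plan_import(EXPORT):
        print(step)
```

GPO links and the GPOs themselves are not covered here; they would need the same SID treatment on their security filtering and a separate copy of the GPT content.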
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
We usually do a big "State of the AD World" survey at DEC, and certainly will again in Vegas (assuming there are some people left in the room who haven't already headed out to the casino. :) I needed some answers sooner than later for a whitepaper I was working on.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people anywhere. Or were you hoping for answers prior to then?

mc
RE: [ActiveDir] exchange confusion(OT)
Not enough information. Is this one of its domains for which the Exchange server has a recipient policy? That's the most likely reason. Can you tell us more about the scenario?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)

That's because this addy has special needs. It's a journal contact that needs to be routed out a dedicated connector to a journal server. I still don't understand why Exchange rewrites the address to domain.com instead of servername.domain.com.

Thanks

On 10/10/05, joe [EMAIL PROTECTED] wrote:

I may regret asking this, but recall I don't know squat about Exchange message routing. Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)

I have a contact with the addy of [EMAIL PROTECTED]. I created an SMTP connector with an address space of *.domain.com. When Exchange 2k sends an email destined for [EMAIL PROTECTED] thru that SMTP connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername. I see this in the SMTP logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question: why is Exchange rewriting the address just because I'm using a wildcard in the connector address space? Is this by design? What if I wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com? Wouldn't I just create a connector with an address space of *.domain.com? Should Exchange 2k just forward the email without changing the RCPT TO: headers? Am I wrong and clueless as usual? What am I missing?

I'm running Exchange 2k post SP3 rollup in mixed mode (but no Exchange 5.5 servers or ADC).

Thanks a lot
RE: [ActiveDir] Schema Updates
I think this is definitely a case where Moore's Law hasn't been applicable. It's funny how little this story has changed since I saw the first unified messaging demos (then by Octel) about ten years ago.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Entirely your option. :) Windows 3.11 and Windows NT are really not the same product. Note I am not saying I won't use cisco routers because they sucked 12 years ago. As someone else pointed out, software isn't cisco's ball of wax. There is obviously a little bit of a scary point there when you consider though that the IOS is software... Also as you mentioned, it wasn't created or even modified much by cisco. So I don't expect it is much different now than what I saw.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11 just wasn't that great at networking. ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and doesn't need a lot of work. :o) It just means it is better than the other sucky alternatives. I haven't seen Unity in years but when I last saw it, it had me swearing about how bad it was. I seem to recall saying something along the lines of "that will never be in any AD I ever manage".

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is right now. Actually has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco, they simply bought a really good product and left it be for the most part.

As for the schema updates, it didn't work. We made the registry change and it did work. I don't see how that would be tied to the app as no changes were made there. But who knows.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm. I need to think about that again. I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace. In production, we upgraded initially then did a replacement effort later.

More to the point, UGH Cisco Unity. I wish to Christ they'd stick to hardware and stop venturing into software.

:m:dsm:cci:mvp
marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say change the rangeupper of cn or something like that and then change it back. Something innocuous.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this.

:m:dsm:cci:mvp
marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install?

:m:dsm:cci:mvp
marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 even though the user was in Schema Admins. I was under the same impression as Travis, but after enabling updating in the registry it worked fine.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis? If not, I would recommend pulling up the