Re: [ActiveDir] finding computer objects

2005-10-15 Thread Kamlesh Parmar
As Brian said, useraccountcontrol is a bitmap, where individual bits mean something instead of the whole value (the whole value becomes the sum of all the bits set).

So when looking for a specific function, we can't compare directly with the whole value; we have to use bitwise operators to find whether the exact bit is set or not. [1]

by the way,

The query I gave (!useraccountcontrol:AND:2) will give you all the accounts which are NOT disabled; this would work for workstation OS (as it will give you all normal workstation accounts),

but in the case of Windows 2000/3 server, it will give domain controller accounts also.

So, to exclude domain controller accounts, we will have to explicitly check for presence of 4096 (normal workstation account) and absence of 2 (disabled account),

which can't be combined in a single value like (4096 - 2) [2],

so our filter becomes (&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(UserAccountControl:1.2.840.113556.1.4.803:=4096))

[1]
Just in case you wanted to decode the existing useraccountcontrol values,
http://www.jsifaq.com/SUBQ/tip8000/rh8071.htm

or use the -samid switch of adfind.
adfind -default -f "(&(objectcategory=computer)(name=2k3dc01))" useraccountcontrol -samdc
or if you have registered the acctinfo.dll, you can decode the value in the additional account info tabsheet of account properties. (http://thelazyadmin.net/index.php?/archives/170-View-Additional-Account-Info-with-Acctinfo.dll.html)

[2] It is always addition; say you wanted to find normal workstation account AND disabled, you could use 4096 + 2 = 4098 for the query.


On 10/15/05, Tom Kern [EMAIL PROTECTED] wrote:

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries?
thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

On 10/14/05, joe [EMAIL PROTECTED] wrote:
 

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also, as bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2); you will find that those are disabled accounts (which I think you didn't want).

If I misunderstood your requirement, please ignore this mail.

--
Kamlesh
On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote: 


Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
sorry to bug you. i should've posted i figured it out.


On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description
only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote: 

-- ~~~Fortune and Love befriend the bold~~~
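
The bitwise matching rules discussed in this thread, as an added example that is not part of any list member's message: a small Python evaluator for the two matching-rule OIDs, run over constructed sample accounts to show which objects each of the thread's filters returns. It goes slightly beyond the thread by also decoding the domain controller flags; the entry names (apart from 2k3dc01, taken from the adfind command above), their values and all function names are assumptions.

```python
import re

# userAccountControl flags. 2 and 4096 are the values used in the thread;
# the others are included so a domain controller can be decoded as well.
FLAGS = {
    2: "ACCOUNTDISABLE",
    512: "NORMAL_ACCOUNT",
    4096: "WORKSTATION_TRUST_ACCOUNT",
    8192: "SERVER_TRUST_ACCOUNT",  # domain controller
    524288: "TRUSTED_FOR_DELEGATION",
}
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the mask must be set
UAC = "userAccountControl:"

# Constructed sample entries (not real directory data).
DIRECTORY = [
    {"name": "WS01", "objectcategory": "computer", "useraccountcontrol": 4096},
    {"name": "WS02-OLD", "objectcategory": "computer", "useraccountcontrol": 4098},
    {"name": "SRV01", "objectcategory": "computer", "useraccountcontrol": 4096},
    {"name": "2K3DC01", "objectcategory": "computer", "useraccountcontrol": 532480},
    {"name": "jdoe", "objectcategory": "person", "useraccountcontrol": 512},
]

# attr=value, or attr:<matching rule OID>:=value
ITEM = re.compile(r"(?P<attr>[A-Za-z][\w-]*)(?::(?P<rule>[\d.]+):)?=(?P<value>[^()]*)")


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAGS.items() if uac & bit]


def parse(text, i=0):
    """Parse one parenthesised LDAP filter at text[i]; return (node, next index)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|":
        op, kids = text[i], []
        i += 1
        while text[i] == "(":
            kid, i = parse(text, i)
            kids.append(kid)
        node = (op, kids)
    elif text[i] == "!":
        kid, i = parse(text, i + 1)
        node = ("!", [kid])
    else:
        end = text.index(")", i)
        m = ITEM.fullmatch(text[i:end])
        if not m:
            raise ValueError(f"bad filter item: {text[i:end]!r}")
        node = ("item", m["attr"].lower(), m["rule"], m["value"])
        i = end
    if text[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr)
    if have is None:
        return False
    if rule == BIT_AND:
        return int(have) & int(value) == int(value)
    if rule == BIT_OR:
        return int(have) & int(value) != 0
    if rule is None:
        return str(have).lower() == value.lower()
    raise ValueError(f"unsupported matching rule {rule}")


def search(ldap_filter):
    """Return the names of the sample entries that match the filter."""
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing text after filter")
    return [e["name"] for e in DIRECTORY if matches(node, e)]


COMPUTERS = "(objectCategory=computer)"
# Testing for 4096 alone: disabled accounts (4098) are still returned.
ONLY_4096 = f"(&{COMPUTERS}({UAC}{BIT_OR}:=4096))"
# "Not disabled" alone: the domain controller is still returned.
NOT_DISABLED = f"(&{COMPUTERS}(!({UAC}{BIT_AND}:=2)))"
# Combined filter from the thread: 4096 present and 2 absent.
ENABLED_WORKSTATIONS = f"(&{COMPUTERS}(!({UAC}{BIT_AND}:=2))({UAC}{BIT_AND}:=4096))"
# Footnote [2]: masks add, so 4098 with the AND rule means workstation AND disabled.
DISABLED_WORKSTATIONS = f"(&{COMPUTERS}({UAC}{BIT_AND}:=4098))"

if __name__ == "__main__":
    for label in ("ONLY_4096", "NOT_DISABLED", "ENABLED_WORKSTATIONS",
                  "DISABLED_WORKSTATIONS"):
        print(f"{label:22} {search(globals()[label])}")
    for entry in DIRECTORY:
        print(entry["name"], entry["useraccountcontrol"],
              decode(entry["useraccountcontrol"]))
```

With a single-bit mask such as 4096 the two matching rules return the same objects; they only differ once the mask has more than one bit set, as with 4098.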


Re: [ActiveDir] LegalNoticeText maximum value

2005-10-15 Thread Laura E. Hunter
On 10/14/05, Free, Bob [EMAIL PROTECTED] wrote:
  you will make Penn State proud!

 Don't folks at the University of Pennsylvania take umbrage when you call
 it Penn State ?? They did when I lived there :-]

 /Child of 2 Penn State alums


We most certainly do, that's why he does it to me.  ;-)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-15 Thread Al Mulnick
Jennifer, you'd do well to also check out centrify to see how they stack up 
against your requirements.  You might be pleasantly surprised and I can tell 
you it is SOO much easier to setup *nix clients using their 
solution.


Worth a look.



From: Jennifer Fountain [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem
Date: Fri, 14 Oct 2005 21:43:18 -0400

Hi all,
The linux client is configured with a host parameter in the ldap.conf
file and isn't srv aware.  I was running several network traces and
sniffers, etc to determine what exactly was going on but the dumps came
up empty.  But, I think the issue has gone away but not sure why.

On another note:  I did look into vintela before we decided to go with
ldap but they were extremely expensive.  We are heading to kerberos with
the rh 3.0 upgrade and I cannot wait for that!

Thanks for your input!


Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this
problem

This assumes that the client knows how to retrieve SRV records though.

The first thing I would say to do in troubleshooting this is to do drum
roll please. Network trace, yeah you knew I was going to pull that
one didn't you?

Another thing to do would be to use proper authentication with Kerberos.
Vintela and Centrify have products to help this be much less painless
than it can be.

   Joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, October 14, 2005 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this
problem

Well
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld

To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.site name._sites.dc._msdcs.domain.tld

If a computer does not know its site it uses the first and if it knows
its site it will use the second.

I don't know if a linux client is site aware or can be made site aware
(with the samba client?) (and I don't know anything about linux/unix)

How is the linux client configured to search for a DC?

Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915





RE: [ActiveDir] Documenting AD - ADMap requests fulfilled

2005-10-15 Thread Rick Kingslan
You have more than just Steve on the list from Microsoft.

If you want ADMap - send me an e-mail via little 'r' (meaning - reply to me
directly [EMAIL PROTECTED]) and I'll respond with a mass e-mail of the latest
version of ADMap in two batches - one on Tuesday before I head out of town
again, and another next weekend after I get back.

Happy to oblige

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, October 13, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD

I don't know about generally available but Steve Lineham of MS made it
temporarily available a few months ago to list members based on a similar
thread here, maybe he will do so again if he sees this.

There was also the following suggestion from David Adner- If you're a
Premier customer ask your TAM (or some other friendly MS employee) for a
tool called ADMap This is a tool written by someone in Microsoft that
will query your AD configuration and draw it in Visio (preferably version
2002 or higher).  Although it's available to customers it's not available
for download, hence the request to a MS employee. 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Thursday, October 13, 2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


As I understand it, apparently MS used to provide an ADMap-like
functionality in Visio 2000, but was removed with 2002.  Since I'm at V2003,
I was wondering whether the admap program could be made generally available
for all our benefit.
 
Thanks, 

Jim Becker 

Asst. Dir. of Administrative Systems
State University of New York
System Administration
[EMAIL PROTECTED] 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 4:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


I sent the file separately.
 
admap will *not* answer most of the questions you have, however. You will
still need to rely upon docs and being a good detective and researcher :)
 
neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: 13 October 2005 09:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


Cheers for the hints so far, folks. keep em coming! :)
 
Phil: I've tried finding a copy of ADMap on the web, but can't seem to
download it from the windows-servers.info site. do you know anywhere else I
can grab it from?
 



For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241 
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]   
W: www.TBandA.com http://www.tbanda.com/


Eastgate House 
10 Eastgate 
Leeds
LS2 7JL
Office Location Map
http://www.multimap.com/map/browse.cgi?client=publicdb=pccidr_client=
nonelang=pc=LS27JLadvanced=client=publicaddr2=quicksearch=ls27jla
ddr3=addr1=  

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 12 October 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Documenting AD


Some good comments on what to document. I will chime in to say that a
lot of the initial stuff can be documented using ADMap and the GPMC,
that will save you a bunch of work in Visio. If you have a TAM ask them
to send you ADMap. 
 
Phil

 
On 10/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] 
wrote: 

Additional components:
=
Schema
Database
Administrative support model
Domain controller spec 
DC/GC placement
Exchange topology and design
DNS design (zone type, placement etc etc)
SYSVOL/FRS
DFS

Administration:
===
User and group admin and tools
DC admin/support and tools
Forest admin and ownership
GPO admin and tools

I'll stop there and let others chime in...

neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of Tim Sutton
Sent: 12 October 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documenting AD

Hey all,

Being the local bod with AD knowledge at work I've been
volunteered 

RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-15 Thread Rick Kingslan



joe,

Steve may have completely different information than I, but 
at present I'm not seeing empirical or preferred practice recommendations around 
64-bit GCs in relation to Exchange. So, the recommendation is not changing 
- again, as I know it. Steve's environment is very different from mine and 
he is likely to have zero-day information that I won't have until it's posted 
internally on a DL or whitepaper. I'll be looking for his answer, 
too.

Currently, unless I get data that tells me otherwise, Dual 
Core and MP == ~ same - even more so when dealing with AMD as, IMO Intel blew 
their first dual core in an effort to get it to market.

That being said, I suspect that the very benefit of being 
able to load up on memory and get the DIT in RAM is going to affect the 
recommendation more than proc will. By that I mean that it might be very 
realistic to see that I/O may begin to be a limiting factor - not so much 
network, but disk subsystems are going to have to be designed a bit more towards 
performance with the massive number of queries that these systems are capable 
of.

As to the use single proc GCs and scaling not being linear 
- I would suspect that the very fact that linear performance is not seen in MP 
has already been taken into account. Otherwise, the recommendation might 
have been 5 or 6 to 1.

When you mention that you see some GCs get 'beta down' when 
others are pretty light, is this assuming the practice of creating a AD site for 
Exchange with dedicated DC/GCs, or a general population scheme? If the 
former, I haven't seen the issue that you cite in practice, if the latter - 
design to the former.

I suppose that - in relation to counters, etc., that would 
be why I like to do a more formal capacity planning and performance gathering 
over time. I don't believe in point-in-time perf counter gathering as (you 
know this...) seeing it when the problem is occurring with no history for what is 
normal is basically - well, useless. I have no trail of bread crumbs in 
which to track down the problem.

In relation to the counter gathering (I have no experience 
with Argent's offering, and SOME experience with MOM 2000 and 2005) I've found 
that MOM 2005 and the AD and Exchange MPs do a great job of gathering 
information that is valuable to me as someone who has to figure out what's wrong 
with these systems now and then. Before I joined Microsoft, we had MOM 
installed for just this reason. The history gathering abilities and 
leveraging AD and EXCH data over time allowed us to see exactly where our pain 
point was - and fix it in a relatively short period of time.

This is as I know it today.. It could change 
later today or tomorrow :-)

Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Speaking of which Steve

I am starting to see questions of the type of how does 64 
bit DC change the best practice 4:1 proc recommendations for Exchange to GC 
processor. Does PSS/MCS/Dev have any thoughts? Especially if you are able 
to cache the entire DIT. I have seen some 64 bit testing numbers from third 
parties but that is far from authoritative in terms of what MS thinks for the 
best practice numbers which weigh heavily with customers who want to do it the 
"Microsoft way".

Ditto the dual core CPUs. 

Another one that recently came across my desk was if you 
have 4000 users on a 4 proc Exchange server and are currently using a single 1 
proc GC and then you decide due to load on Exchange (say RPC load due to 
search/archive software which isn't impacting GCs) you want to go to 2 4 proc 
Exchange servers with 2000 users each do you have to go to a dual proc 
GC or add another single proc GC or is it ok to stay with the one single proc 
GC?

Oh and another question I was asked was about using single 
proc GCs versus MP GCs and how the scaling of MP wasn't linear so should that be 
somehow involved in the Exchange best practice numbers?

It seems from my experience that you do better with making 
bigger and more powerful GCs in general because while Exchange does 
some limited logic round-robin load balancing at the server level, it doesn't do 
it at the site level amongst all Exchange servers so you can really start 
beating down a few GCs while the others see relatively light loading. Of 
course you don't want to have few GCs though in case you do have a problem so 
you throw a couple of extra larger GCs into the mix for fault tolerance for when 
you have to bring a GC down for maint or it just falls down for some reason. 


Also it seems that there is no real good way of determining 
exactly when you need to change your GC strategy for Exchange because your 
various 

RE: [ActiveDir] AD/DNS BPA?

2005-10-15 Thread Dean Wells
Ooops ... my apologies :O(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, October 14, 2005 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Thursday, October 13, 2005 11:22 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tool I spoke about in confidence with Tony (just teasing
 ;o) is an offering from MCS known as the ADHC or AD Health Check ... 
 it is a nicely shrink-wrapped series of powerful interrogation 
 scripts/tools that, when compiled by someone sufficiently trained, 
 produces a very detailed configuration breakdown, useful 
 recommendations and/or general mis-configurations.  As I understand 
 it, it is available exclusively via an MCS engagement.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, October 11, 2005 7:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 I find DNSlint to be pretty good, but obviously limited in scope.  I 
 think Dean mentioned to me recently that PSS have a tool that provides 
 BPA-like functionality.  It sounded like the output might be a little 
 too complicated to make it publicly available.
 
 Perhaps Dean has more info on this (assuming it's not under NDA)?
 
 Tony
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: Wednesday, 12 October 2005 2:58 p.m.
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tools are there, but the interpretation is sometimes lacking G 
 I've been told that several companies are currently offering health 
 checks, but I haven't tested any of them.
 
 As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
 after scanning the event logs.  That'll give me an idea of where to 
 focus more effort if needed. Most of what I want to know is going to 
 show up there without having to do too much waving of the magic wand.
 There are some additional tools, but they get used after these two 
 steps in my normal approach. That'll indicate whether or not I have to 
 dig deeper.
 Some other tools such as repadmin are useful as well. And there was a 
 tool, SPA that could be helpful in some situations depending on what 
 you want to know.
 
 I haven't seen an AD BPA though.  Be interesting to see one. 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 11, 2005 9:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD/DNS BPA?
 
 
 lurk mode off
 
 Stupid question... okay we have Exchange Best practices analyzer 
 right?
 http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
  
 I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
 Sysinternals, Joeware stuff and such things... is there currently 
 enough tools in your bag'o'tricks to ensure DNS/AD is set up right?  
 Do you guys have a tool that you consider 'the' DNS/AD BPA and if so 
 what is it?
 
 Or is AD/DNS health review like security log reviews/dump files where 
 it's an art and not a science?
 
 And feel free to lob 'SBS could run on ipx/spx' comments my way as 
 well.
 
 ;-)
 
 lurk mode back on
 
 --
 
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com
 

RE: [ActiveDir] salary(OT)

2005-10-15 Thread Dean Wells
Cheeky so and so ...


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 

Re: [ActiveDir] AD/DNS BPA?

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Microsoft AD Health Check:
http://www.systems-group.net/En/Consultancy+Services/Solutions/Microsoft+AD+Health+Check.htm

Looks like it's talked about here too

Dean Wells wrote:


Ooops ... my apologies :O(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, October 14, 2005 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, October 13, 2005 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD/DNS BPA?

The tool I spoke about in confidence with Tony (just teasing
;o) is an offering from MCS known as the ADHC or AD Health Check ... 
it is a nicely shrink-wrapped series of powerful interrogation 
scripts/tools that, when compiled by someone sufficiently trained, 
produces a very detailed configuration breakdown, useful 
recommendations and/or general mis-configurations.  As I understand 
it, it is available exclusively via an MCS engagement.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I 
think Dean mentioned to me recently that PSS have a tool that provides 
BPA-like functionality.  It sounded like the output might be a little 
too complicated to make it publicly available.


Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking G 
I've been told that several companies are currently offering health 
checks, but I haven't tested any of them.


As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
after scanning the event logs.  That'll give me an idea of where to 
focus more effort if needed. Most of what I want to know is going to 
show up there without having to do too much waving of the magic wand.
There are some additional tools, but they get used after these two 
steps in my normal approach. That'll indicate whether or not I have to 
dig deeper.
Some other tools such as repadmin are useful as well. And there was a 
tool, SPA that could be helpful in some situations depending on what 
you want to know.


I haven't seen an AD BPA though.  Be interesting to see one. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?


lurk mode off

Stupid question... okay we have Exchange Best practices analyzer 
right?

http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx

I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
Sysinternals, Joeware stuff and such things... is there currently 
enough tools in your bag'o'tricks to ensure DNS/AD is set up right?  
Do you guys have a tool that you consider 'the' DNS/AD BPA and if so 
what is it?


Or is AD/DNS health review like security log reviews/dump files where 
it's an art and not a science?


And feel free to lob 'SBS could run on ipx/spx' comments my way as 
well.


;-)

lurk mode back on

--

Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] rebooting a patched, but stubborn DC

2005-10-15 Thread Thommes, Michael M.
So I have remotely (TS connection) applied the latest Windows patches to
one of my DCs.  Patches went on fine.  Said it needed to reboot.  I
clicked Restart.  And two hours later, it still has not rebooted, but
it did terminate the TS session.  I have tried to kick it via a
shutdown /f /r command from another DC.  Still no luck.  Issue same
command remotely with the big Kahuna account, and it says a shutdown is
in progress.  It appears to still be serving up clients, e.g., no
discernable ill effects.  I have seen this periodically in the past with
other servers.  Anyone have any comments/thoughts on this irritating,
weekend <sigh> activity?  TIA!

Mike Thommes


Re: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?


 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-15 Thread Roger Seielstad



It's a fairly simple equation.

Dual Core processors have 2 full CPUs per chip. Therefore,
they have two sets of cache, and can have two instructions being executed at the
same time.

Hyperthreading is a single CPU per chip that supports two
parallel "trains" of instructions and data into the processor. The only real
benefit to Hyperthreading is that it reduces some of the pain of context
switching within a processor, thereby speeding things up. Regardless of how the
OS presents it (IMO it should NOT reflect as 2 processors), it's still only able
to execute a single instruction at a time.

With those ideas in mind, IMO it's better to scale AD out
rather than up with regards to performance, depending of course on database
size. I doubt there are a lot of environments where this question is of any real
relevance. Dual core is interesting more from a rack/power density stance than
from its outright speed of processing. In my current environment, we're
seriously limited with data center space in part due to growth of our services,
so we're trying to find more efficient uses of space and power. For instance,
the AMD64 x2 processors[1] draw roughly the same power at full utilization as
their single core brethren. That's a HUGE savings for power and cooling versus
traditional dual processor machines.

If you do go dual core, I'd also go as far as saying
*which* dual core technology you choose. There's a huge difference between the
architectures from Intel and AMD, both of which have their benefits. However my
personal opinion is that in the vast majority of cases AMD's design is vastly
superior for general computing tasks - the last time I checked, the AMD64
platform uses about half as many clock cycles to go to RAM than the Intel EM64T
design requires. The end result is that for servers tasked with randomized
data retrieval (which AD definitely qualifies as), AMD has
the edge.

It is worth noting however that the Intel EM64T
architecture is better suited for applications where there can be a long,
somewhat predictable, pipeline of data to be processed. For example, I'd expect
things like hard core scientific and statistical processing to be faster on the
EM64Ts.


Roger D. Seielstad
E-mail Geek

[1] Which is what my new toy here at home is running - spanking 
fast!



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 9:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Gentlemen,

Does anyone have any information regarding Domain Controller consolidation utilizing
Dual Core CPUs? I have not seen any reports from Microsoft indicating the
performance boost gained by utilizing Dual Core technology on DCs. It is presumed
to be much better than the 20% to 30% gain from Hyper Threading CPUs.

Thanks for your input,
Mauricio Funes [EMAIL PROTECTED] Pasadena, CA


[ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=27

Okay so watching Eileen

And question default on Windows 2003 is 60 days... default on 
Windows 2003 sp1 is 180 days  BUT many times I know that these 
changes only occur on the SLIP/Clean install versions of these OS's NOT 
on upgraded ones... see below as to confirmation of this

btw...request please?  When changes are made between SPs... can we have 
a cheat sheet... a white paper of how to activate all the versioning 
changes?


Can someone help a SBSer who's googling.. uh..msnsearching on where that 
value is set?  I want to see what it is on my real baby that got 
upgraded and see what it is on some test boxes I have that are slip 
installed.


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx

*Extended storage of deleted objects.* The default period that a copy of 
a deleted object is retained in Active Directory, called the tombstone 
lifetime, is extended from 60 days to 180 days. Longer tombstone 
lifetime decreases the chance that a deleted object remains in the local 
directory of a disconnected domain controller beyond the time when the 
object is permanently deleted from online domain controllers. The 
tombstone lifetime is not changed automatically when you upgrade to 
Windows Server 2003 with SP1, but you can change the tombstone lifetime 
manually after the upgrade. New forests that are installed with 
Windows Server 2003 with SP1 have a default tombstone lifetime of 
180 days. For more information about tombstone lifetime, see How the 
Data Store Works http://go.microsoft.com/fwlink/?LinkId=38339.




Considerations for Active Directory Services Backup [Active Directory]:
http://msdn.microsoft.com/library/en-us/ad/ad/considerations_for_active_directory_services_backup.asp?frame=true
Active Directory Operations Guide: Backup and Restore:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread David Adner
This article below describes where to read it and how to change it.  A value
of <not set> assumes the default.  The new 2003 SP1 180 day default is only
implemented if a forest is built as 2003 SP1.  If you simply install SP1 the
value doesn't change.

Looks like they even updated this link, although the wording is atrocious.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f3df8a52-81ea-4a1d-9823-4e51fbd3422a.mspx


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
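
An added example, not part of the original thread and not Microsoft's code: it shows why the 60-day versus 180-day default discussed above matters when checking for domain controllers that have been disconnected longer than the tombstone lifetime. It assumes the value is read from the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root DN> (a location not stated in the thread); the DC names, dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Defaults quoted in the thread: 60 days when the attribute is not set
# (including forests merely upgraded to SP1), 180 days for forests that
# were built as Windows Server 2003 SP1.
DEFAULT_TSL_DAYS = 60
SP1_NEW_FOREST_TSL_DAYS = 180


def effective_tombstone_lifetime(raw_value):
    """Return the tombstone lifetime in days for a raw attribute value.

    raw_value is whatever the directory query returned: None, an empty
    string or the literal "<not set>" when the attribute is absent,
    otherwise a string or int holding a number of days.
    """
    if raw_value is None:
        return DEFAULT_TSL_DAYS
    text = str(raw_value).strip()
    if text == "" or text.lower() == "<not set>":
        return DEFAULT_TSL_DAYS
    days = int(text)  # raises ValueError on non-numeric input
    if days <= 0:
        raise ValueError("tombstone lifetime must be a positive number of days")
    return days


def classify_dcs(last_inbound_success, tsl_days, now, warn_fraction=0.5):
    """Map each DC to (age_in_days, status).

    A DC whose last successful inbound replication is at least tsl_days
    old may still hold objects whose tombstones were already removed
    elsewhere, so it is flagged rather than simply reconnected.
    """
    report = {}
    for dc, last_success in last_inbound_success.items():
        age_days = (now - last_success).days
        if age_days >= tsl_days:
            status = "beyond-tombstone-lifetime"
        elif age_days >= tsl_days * warn_fraction:
            status = "warning"
        else:
            status = "ok"
        report[dc] = (age_days, status)
    return report


def changed_by_default(last_inbound_success, now):
    """Return the DCs whose status differs between an upgraded forest
    (attribute not set, 60 days) and a forest built as SP1 (180 days)."""
    upgraded = classify_dcs(
        last_inbound_success, effective_tombstone_lifetime(None), now)
    built_sp1 = classify_dcs(
        last_inbound_success,
        effective_tombstone_lifetime(str(SP1_NEW_FOREST_TSL_DAYS)), now)
    return {
        dc: (upgraded[dc][1], built_sp1[dc][1])
        for dc in upgraded
        if upgraded[dc][1] != built_sp1[dc][1]
    }


# Constructed sample data: last successful inbound replication per DC.
NOW = datetime(2005, 10, 15)
SAMPLE = {
    "DC-HQ-01": NOW - timedelta(days=1),
    "DC-BRANCH-07": NOW - timedelta(days=45),
    "DC-LAB-02": NOW - timedelta(days=95),
    "DC-DR-03": NOW - timedelta(days=200),
}

if __name__ == "__main__":
    for dc, (old, new) in sorted(changed_by_default(SAMPLE, NOW).items()):
        print(f"{dc}: {old} at 60 days, {new} at 180 days")
```
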


Re: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

We barely have a tree let alone a forest.


 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
For others spending their Saturday night looking for that dll... it's 
not installed by default...


How to Change Display Names of Active Directory Users:
http://support.microsoft.com/?kbid=250455




 





--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
...and it appears to not be on the OEM version of SBS sp1... geeze 
guys... SBSize this sucker and make it easier to find..



Windows 2003 ADSI Edit - Download and explore Active Directory Containers:
http://www.computerperformance.co.uk/w2k3/utilities/adsi_edit.htm




 







--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Brian Desmond
Install the support tools from the support folder of your Windows 2003 CD
(cd1 of sbs in this case). It will do the registration and all that.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 


RE: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-15 Thread Brian Desmond
Or
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&DisplayLang=en

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, October 16, 2005 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Stupid question alert... where exactly is the
tombstone value set?

Install the support tools from the support folder of your Windows 2003 CD
(cd1 of sbs in this case). It will do the registration and all that.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Stupid question alert... where exactly is the
tombstone value set?

...and it appears to not be on the OEM version of SBS sp1... geeze 
guys... SBSize this sucker and make it easier to find..


Windows 2003 ADSI Edit - Download and explore Active Directory Containers:
http://www.computerperformance.co.uk/w2k3/utilities/adsi_edit.htm


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 For others spending their Saturday night looking for that dll... it's 
 not installed by default...

 How to Change Display Names of Active Directory Users:
 http://support.microsoft.com/?kbid=250455


 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 We barely have a tree let alone a forest.

 David Adner wrote:

 This article below describes where to read it and how to change it. A value of not set assumes the default. The new 2003 SP1 180 day default is only implemented if a forest is built as 2003 SP1. If you simply install SP1 the value doesn't change.

 Looks like they even updated this link, although the wording is atrocious.

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f3df8a52-81ea-4a1d-9823-4e51fbd3422a.mspx
  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Saturday, October 15, 2005 9:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Stupid question alert... where exactly is the 
 tombstone value set?

 http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=27

 Okay so watching Eileen

 And question default on Windows 2003 is 60 days... default on 
 Windows 2003 sp1 is 180 days  BUT many times I know that these 
 changes only occur on the SLIP/Clean install versions of these OS's 
 NOT on upgraded ones... see below as to confirmation of this
 btw...request please?  When changes are made between SPs... can we 
 have a cheat sheet... a white paper of how to activate all the 
 versioning changes?

 Can someone help a SBSer who's googling.. uh..msnsearching on where 
 that value is set?  I want to see what it is on my real baby that 
 got upgraded and see what it is on some test boxes I have that are 
 slip installed.

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx

 *Extended storage of deleted objects.* The default period that a 
 copy of a deleted object is retained in Active Directory, called 
 the tombstone lifetime, is extended from 60 days to 180 days. 
 Longer tombstone lifetime decreases the chance that a deleted 
 object remains in the local directory of a disconnected domain 
 controller beyond the time when the object is permanently deleted 
 from online domain controllers. The tombstone lifetime is not 
 changed automatically when you upgrade to Windows Server 2003 with 
 SP1, but you can change the tombstone lifetime manually after the 
 upgrade. New forests that are installed with Windows Server 2003 
 with SP1 have a default tombstone lifetime of 180 days. For more 
 information about tombstone lifetime, see How the Data Store Works 
 http://go.microsoft.com/fwlink/?LinkId=38339.



 Considerations for Active Directory Services Backup [Active Directory]:
 http://msdn.microsoft.com/library/en-us/ad/ad/considerations_for_active_directory_services_backup.asp?frame=true
 Active Directory Operations Guide: Backup and Restore:
 http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

 -- 
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com





  




-- 
Letting your vendors set