RE: [ActiveDir] OT: Legato Replistor
Noah-

It's actually like RC1 escrow build or something - practically not in beta. I think you can download from download.microsoft.com. I was in a presentation about this with a bunch of other people in this list. I really hope one of them remembers better how it works, because I don't well enough to explain it. The general opinion I think is holy cow this is pretty awesome.

Here's an example I remember. Let's say you have a replicated directory with some big files, a 25MB word doc is one of them. Jane User opens up the word doc, adds a couple sentences, and saves it with a new name. With FRS, the new doc will get replicated in full - 25MB over a slow congested link, potentially. With DFSR, it maintains a database of hashes of the bits of all the stuff in a replica and has this recursive algorithm where it will figure out that only the 100K in this file are different from the original word doc, and it will transmit the 100K and then assemble the file with the bits in the old doc.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, November 06, 2005 1:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

Thanks for the thought, Brian. After your suggestion, I tried to do some research on DFSR. Beyond the MSDN schematics and an article that seems to get reprinted on several sites, I can't really find anything about how well this works. I realize that it is in beta right now but have you seen anything about how well it works, limitations, etc.?

Thanks.
-- nme

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Friday, November 04, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Legato Replistor

I think you should wait a month or two for R2 to come out. It has DFSR which will do this, and probably better than Replistor or the other products. Don't bother comparing FRS to DFSR ... it's totally different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 04, 2005 6:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Legato Replistor

Hello:

I am seeking opinions on Legato's Replistor product. Specifically, we are looking to replicate file-based data with large files over a WAN (256kbps to 1.5Mbps). The total size of the replicated data could vary from zero to tens of gigs with an individual file being as large as tens of megs. We would like to let Replistor (rather than FRS) handle the replication for DFS.

My understanding from Legato folks is that this does a bit-to-bit compare and only moves the modified bits. This would be very useful to us for moving large files where only a small portion of it has changed. I am contrasting this with FRS which would file-to-file compare and then replace the entire file regardless of what changed.

Am I correct in my understanding of the product? Are there other products that I should be considering for this task? Have folks on the List had good or bad experience with this product? Will this integrate with DFS the way I think it will?

Thanks in advance.
-- nme
RE: [ActiveDir] OT: Legato Replistor
It will actually transmit something like 10K - because of the tight compression. Or, to put it another way - in the 25Mb file scenario, the new file will get to the other side using DFRS on 2 sites connected by dialup before it gets to the other side using FRS on 2 sites connected by T1. There are various this-can't-be-true unbelievable replication magics going on here. I used to use Double-Take (from NSI) and used to think they were doing black magic because of their compression and diff replication. DFSR appears to be a quantum leap from that. I just had the pleasure of running through some test this week, following a 35meg .wmv file I downloaded from the DFSR Beta site. It's trully eye-popping. Let him join the beta - or download it and play with it. I don't think describing it will do justice to its capabilities. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Sun 11/6/2005 12:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor Noah- It's actually like RC1 escrow build or something - practically not in beta. I think you can download from download.microsoft.com. I was in a presentation about this with a bunch of other people in this list. I really hope one of them remembers better how it works, because I don't well enough to explain it. The general opinion I think is holy cow this is pretty awesome. Here's an example I remember. Let's say you have a replicated directory with some big files, a 25MB word doc is one of them. Jane User opens up the word doc, adds a couple sentences, and saves it with a new name. With FRS, the new doc will get replicated in full - 25MB over a slow congested link, potentially. 
With DFSR, it maintains a database of hashes of the bits of all the stuff in a replica and has this recursive algorithm where it will figure out that only the 100K in this file are different from the original word doc, and it will transmit the 100K and then assemble the file with the bits in the old doc. Thanks, Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Sunday, November 06, 2005 1:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor Thanks for the thought, Brian. After your suggestion, I tried to do some research on DFSR. Beyond the MSDN schematics and an article that seems to get reprinted on several sites, I can't really find anything about how well this works. I realize that it is in beta right now but have you seen anything about how well it works, limitations, etc.? Thanks. -- nme From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: Friday, November 04, 2005 4:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor I think you should wait a month or two for R2 to come out. It has DFSR which will do this, and probably better than Replistor or the other products. Don't both comparing FRS to DFSR ... it's totally different. Thanks, Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Friday, November 04, 2005 6:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Legato Replistor Hello: I am seeking opinions on Legato's Replistor product. Specifically, we are looking to replicate file-based data with large files over a WAN (256kbps to 1.5Mbps). The total size of the replicated data could vary from zero to tens of gigs with an individual file being as large as tens of megs. We would like to let Replistor (rather than FRS) handle the replication for DFS. 
My understanding from Legato folks is that this does a bit-to-bit compare and only moves the modified bits. This would be very useful to us for moving large files where only a small portion of it has changed. I am contrasting this with FRS which would file-to-file compare and then replace the entire file regardless of what changed. Am I correct in my understanding of the product? Are there other products that I should be considering for this task? Have folks on the List had good or bad experience with this product? Will this integrate with DFS the way I think it will? Thanks in advance. -- nme List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
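The chunk-hash idea described in the messages above, as an added example that is not part of the original thread and is not DFSR's actual algorithm: a simplified content-defined-chunking delta in Python, with a whole-file digest check after reassembly. The gear-hash chunker, the chunk size limits and all function names are assumptions made for the illustration, and the sample file is constructed.

```python
import hashlib
import random

_rng = random.Random(0)
GEAR = [_rng.getrandbits(32) for _ in range(256)]  # per-byte mixing table (assumed)
MIN_CHUNK, MAX_CHUNK = 64, 4096                    # assumed limits, in bytes


def split(data: bytes) -> list:
    """Cut data where a rolling hash of the preceding bytes hits a pattern.

    Boundaries follow content rather than offsets, so an insertion only
    disturbs the chunks around the edit; later chunks line up again.
    """
    out, start, h = [], 0, 0
    for i, byte in enumerate(data):
        # The shift pushes old bytes out: h reflects only the last 32 bytes.
        h = ((h << 1) + GEAR[byte]) & 0xFFFFFFFF
        size = i + 1 - start
        if (size >= MIN_CHUNK and (h >> 24) == 0) or size >= MAX_CHUNK:
            out.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        out.append(data[start:])
    return out


def chunk_store(data: bytes) -> dict:
    """Receiver side: index the copy it already holds by chunk hash."""
    return {hashlib.sha256(c).digest(): c for c in split(data)}


def make_delta(new: bytes, known: set):
    """Sender side: reference chunks the peer holds, send the rest literally.

    Returns the recipe plus a digest of the whole new file for verification.
    """
    recipe = []
    for chunk in split(new):
        digest = hashlib.sha256(chunk).digest()
        recipe.append(("ref", digest) if digest in known else ("data", chunk))
    return recipe, hashlib.sha256(new).digest()


def apply_delta(recipe, store: dict, expected: bytes) -> bytes:
    """Receiver side: rebuild the file and refuse it if the digest differs."""
    parts = []
    for kind, value in recipe:
        if kind == "ref":
            if value not in store:
                raise ValueError("recipe references a chunk not held locally")
            parts.append(store[value])
        else:
            parts.append(value)
    rebuilt = b"".join(parts)
    if hashlib.sha256(rebuilt).digest() != expected:
        raise ValueError("reassembled file does not match the sender's digest")
    return rebuilt


def demo() -> dict:
    rng = random.Random(2005)
    # Constructed sample: 256 KiB "document" and a small insertion in the middle.
    old = bytes(rng.getrandbits(8) for _ in range(256 * 1024))
    edit = b"A couple of added sentences. " * 40
    new = old[:100_000] + edit + old[100_000:]

    store = chunk_store(old)                       # what the far side already has
    recipe, digest = make_delta(new, set(store))   # what crosses the link
    rebuilt = apply_delta(recipe, store, digest)
    literal = sum(len(v) for kind, v in recipe if kind == "data")
    return {"new": new, "edit": edit, "rebuilt": rebuilt, "store": store,
            "recipe": recipe, "digest": digest, "literal_bytes": literal}


if __name__ == "__main__":
    r = demo()
    print("file size:", len(r["new"]), "literal bytes sent:", r["literal_bytes"])
```

The digest check in `apply_delta` is the part worth keeping in any design of this kind: a stale or corrupted local chunk produces a rejected file instead of a silently wrong one.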
Re: [ActiveDir] Raid suggestions for DC maybe OT
http://www.ultratech-llc.com/KB/?File=ServerSpecs.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 11/6/05, Dan Cox [EMAIL PROTECTED] wrote:

What would be the suggested RAID and partitioning scheme for a Domain controller. Any suggestions are appreciated.

Thanks.
Dan Cox
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Work with Exchange much? Miss one or two backups and that volume that holds your log files might experience this issue with no fault of the admin at all. (Well, except for the fact that your backup system didn't page the person in charge to notify it didn't run... Or, that person chose not to respond.) Regardless... Poo-poo happens. At least, now they know. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, November 05, 2005 10:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Not dumb for Microsoft dumb for the Admin to get the drive in that condition and need a KB to wack them upside the head. At the end of the day... it's my responsibility for my network. I won't be complaining to Microsoft that they didn't warn me that bad things might happen if I don't keep nice breathing room on my drives. Rick Kingslan wrote: Hmmm. I guess I see this in a different light. In my new, improved view of the way that Microsoft communicates things, no - it doesn't seem to be very dumb at all. The statement and the KB, that is. At this moment, I'm watching George Carlin's new HBO special. He relates that he's always interested when it's flood season in the Midwest. The same people that got flooded out last year get flooded out this year, repaint, re-carpet and move back in. Next season - it will be the same thing. They just won't understand that if they live on the flood plain, you can't complain that Grandma is floating down the river with a canary on her head. That's why we say things like: A volume is full or almost full. your NTFS just MIGHT have problems. Because there are just those same folks on the Midwest flood plain that will call PSS really upset that their full or almost full NTFS drive has a problem. 
I'm not saying that the people that call are stupid. I am saying that most Insurance policies and contracts, as well as EULAs - have a ton of words and verbiage that only the well trained lawyer can understand because folks are just well, litigious. And, you have to address the obvious because in segments of the population - the obvious - isn't. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, November 05, 2005 11:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Is it me or is that a dumb KB? A volume is full or almost full. Yeah data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive. Almeida Pinto, Jorge de wrote: FYI Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1 http://support.microsoft.com/default.aspx?scid=kb;en-us;909360 Cheers, Jorge This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. 
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Ken, I agree completely. What I find very interesting in reading this KB is that it appears that the problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very specific conditions need to be met. The third seems to be the element that makes this more unlikely to occur - The scenario involves approximately 1000 simultaneous delete, create, or extend operations on files. What I find most interesting about this KB, and kudos to our stress team - is it seems that we discovered this internally and that no scale of customer impact seems to have occurred. (I don't know this for fact to be true - I just suspect it to be so because some of the Lists that I monitor internally haven't notified us of a large scale impact.) Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: Sunday, November 06, 2005 12:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Frankly my expectation from a file system that's marked as being robust and enterprise ready is that you should lose nothing if the drive is almost full, and the file system should shut down gracefully if the drive is full, especially in normal situations. Sysadmins should not have to worry that they'll lose data to corruption if the drive is almost full in the normal course of events. If you're doing something like the extreme use cases noted in the KB article, then that's possibly a different situation, but in that type of situation you're probably monitoring your disks with an eagle eye anyway. Additionally, Microsoft is correct to warn that a potential issue does exist. 
Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, 6 November 2005 3:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Is it me or is that a dumb KB? A volume is full or almost full. Yeah data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive.

Almeida Pinto, Jorge de wrote:

FYI
Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1
http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge
RE: [ActiveDir] Raid suggestions for DC maybe OT
Dan - there will likely be as many opinions on this topic on this list as there are knots on joe's head.

Basic rules for a DC are this (IMHO):

Mirrored (or RAID1) for OS
Mirrored (or RAID1) for DIT and Logs

You can certainly host a third mirrored pair for the logs, but that will mostly depend upon how BUSY your AD is and how high the replication traffic, changes, updates etc. that you experience.

If you're asking this, you most likely have a newer AD, or are re-architecting. In either case, I'd start with the above and then monitor the performance with PerfMon. Make some decisions on whether to ADD the third mirror based upon the I/O and performance impact of log writes vs. impact on the database reads/writes.

Hope this helps!

Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Cox
Sent: Sunday, November 06, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Raid suggestions for DC maybe OT

What would be the suggested RAID and partitioning scheme for a Domain controller. Any suggestions are appreciated.

Thanks.
Dan Cox
RE: [ActiveDir] OT: Legato Replistor
I agree, I have heard some amazing things about this from folks who have done heavy testing of it. The biggest question was WTF wasn't it incorporated for sysvol but the answer is that they didn't want a core change like that for R2. R2 is about SP1 and feature packs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, November 06, 2005 3:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor It will actually transmit something like 10K - because of the tight compression. Or, to put it another way - in the 25Mb file scenario, the new file will get to the other side using DFRS on 2 sites connected by dialup before it gets to the other side using FRS on 2 sites connected by T1. There are various this-can't-be-true unbelievable replication magics going on here. I used to use Double-Take (from NSI) and used to think they were doing black magic because of their compression and diff replication. DFSR appears to be a quantum leap from that. I just had the pleasure of running through some test this week, following a 35meg .wmv file I downloaded from the DFSR Beta site. It's trully eye-popping. Let him join the beta - or download it and play with it. I don't think describing it will do justice to its capabilities. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Sun 11/6/2005 12:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor Noah- It's actually like RC1 escrow build or something - practically not in beta. I think you can download from download.microsoft.com. I was in a presentation about this with a bunch of other people in this list. 
I really hope one of them remembers better how it works, because I don't well enough to explain it. The general opinion I think is holy cow this is pretty awesome. Here's an example I remember. Let's say you have a replicated directory with some big files, a 25MB word doc is one of them. Jane User opens up the word doc, adds a couple sentences, and saves it with a new name. With FRS, the new doc will get replicated in full - 25MB over a slow congested link, potentially. With DFSR, it maintains a database of hashes of the bits of all the stuff in a replica and has this recursive algorithm where it will figure out that only the 100K in this file are different from the original word doc, and it will transmit the 100K and then assemble the file with the bits in the old doc. Thanks, Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Sunday, November 06, 2005 1:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor Thanks for the thought, Brian. After your suggestion, I tried to do some research on DFSR. Beyond the MSDN schematics and an article that seems to get reprinted on several sites, I can't really find anything about how well this works. I realize that it is in beta right now but have you seen anything about how well it works, limitations, etc.? Thanks. -- nme From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: Friday, November 04, 2005 4:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Legato Replistor I think you should wait a month or two for R2 to come out. It has DFSR which will do this, and probably better than Replistor or the other products. Don't both comparing FRS to DFSR ... it's totally different. 
Thanks, Brian Desmond [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Friday, November 04, 2005 6:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Legato Replistor Hello: I am seeking opinions on Legato's Replistor product. Specifically, we are looking to replicate file-based data with large files over a WAN (256kbps to 1.5Mbps). The total size of the replicated data could vary from zero to tens of gigs with an individual file being as large as tens of megs. We would like to let Replistor (rather than FRS) handle the replication for DFS. My understanding from Legato folks is that this does a bit-to-bit compare and only moves the modified bits. This would be very useful to us for moving large files where only a small portion of it has changed. I am contrasting this with FRS which would file-to-file compare and then replace the entire file regardless of what changed. Am I correct in my understanding of the product? Are there other products that I
RE: [ActiveDir] Raid suggestions for DC maybe OT
LOL. I actually pinged Rick on the "official" guidelines previously for an Enterprise class DC with 4 disks, he was actually one of 4 people I queried since I hadn't seen what I considered good official docs on it. Rick quoted the K3 Deployment guide which is definitely a good start. It indicates

RAID 1 - OS
RAID 1 - Logs
RAID 1 or 0+1 - SYSVOL/DIT

If you have less than 1000 users using the DC it says you can use one single RAID-1 for the whole thing. Though you have the same issue here as you have for anything, how are the 1000 users using it and what else is using it? Exchange? If so, I doubt I would do a single RAID-1 unless it was very few users. Otherwise you are looking at a minimum of 6 disks for all RAID-1s or 8 disks if 0+1 and RAID-1.

When you actually look at it, the OS and the logs are using little IOPS on a dedicated DC and splitting them off onto their own "disk" is probably unnecessary. The DIT assuming it isn't all cached and is being heavily hit (like say by Exchange) is raping the disk subsystem. When you have an app that wants lots of IOPS what do you do? You increase the number of spindles... So for throughput, the fastest four disk configuration is going to be a RAID-5 or a 0+1 or 10.

In tests I did several years ago with one hardware vendor RAID-10 and 5 were very close (within a few IOPS) with RAID-5 eking out the lead. They both blew RAID-1 away. In more recent tests I heard of from someone using another hardware vendor, RAID 0+1 eked out over RAID-5 by a few IOPS and again blew RAID-1 out of the water. Obviously the tests were different so I recommend folks do their own testing with their own hardware.

The fastest disk configs I am aware of are 6 and 8 disk RAID-10/0+1 setups with 8 disks supposedly being rock star fast if you have the room internally. To put it another way, if I had 8 disks, I certainly wouldn't be following the deployment guide config for those disks, it would be a RAID-10/0+1 setup. The 6 disk RAID-10s (The Dells I was using then didn't support 0+1) I built about 3 or 4 years ago were screaming fast compared to everything else at the time I had worked with. Now I don't do anything with hardware, I am more cerebral. ;o)

And note, obviously I am not talking software RAID, this is all hardware. Software RAID isn't something you use for production machines IMO.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT

Dan - there will likely be as many opinions on this topic on this list as there are knots on joe's head.

Basic rules for a DC are this (IMHO):

Mirrored (or RAID1) for OS
Mirrored (or RAID1) for DIT and Logs

You can certainly host a third mirrored pair for the logs, but that will mostly depend upon how BUSY your AD is and how high the replication traffic, changes, updates etc. that you experience.

If you're asking this, you most likely have a newer AD, or are re-architecting. In either case, I'd start with the above and then monitor the performance with PerfMon. Make some decisions on whether to ADD the third mirror based upon the I/O and performance impact of log writes vs. impact on the database reads/writes.

Hope this helps!

Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Cox
Sent: Sunday, November 06, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Raid suggestions for DC maybe OT

What would be the suggested RAID and partitioning scheme for a Domain controller. Any suggestions are appreciated.

Thanks.
Dan Cox
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included

1. Debating strongly with Alliance PSS (on and offsite people).
2. Debating strongly with onsite MCS.
3. Debating strongly with Dev
4. Wrote Steve Balmer as a concerned MVP.
5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue).
6. Reposting every single time I saw anything that related to it.

Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem.

Then several months later reports of issues with public delegates started surfacing. I was working on some other thing at the time, I believe it was setting up web pages to do things like short term delegation of mailbox access so that the third level outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc. Anyway, I sat in the Friday con call while onsite PSS discussed the issue and it sounded like the same GC issue as I had stumbled on before. I mentioned that they would want to check that out and verify what GCs were being talked to and redirect them to a more appropriate GC as I had documented and shown for the DL issue before. I didn't want to jump into it and really look at it as I always seemed to get into some sort of trouble for finding and pointing out MS screwups and any issues in the Exchange design. My boss loved it because it meant we fixed something that would hurt once in production, my boss's boss hated it because it slowed down the project he was being graded on with the execs which was way over budget and way over timeline.

Next Monday's con call they still didn't have a clue, more descriptions still sounded like a GC issue, I said so again. Ditto Tuesday con call. On Wednesday we had our "everyone gets in one room" meeting and discusses the problems and when that problem came up I yet again pointed it out that it really sounded like the GC issue. Either MS really didn't want it to be that and they were looking for anything else it could be or the analysts really had no clue what they were looking at. I expect the latter. I told my friends in MCS that the PSS guy was screwing this up and they needed to birddog him because he was going to make MS look like idiots again. They said they couldn't for some reason or another. Thurs con call same issue, no progress.

Thurs around 6PM when I was settling into the lab to get some serious work done[1] I got grabbed by one of our third level Outlook folks (a good friend) who was working the issue[2] and she said I had no choice as she would kick my butt and that she was making me work on that issue. Within 15 minutes I proved that what I had said the previous Friday was the issue and also learned about how badly Outlook handled the issue in that if you removed a public delegate it would disappear from the list because it was removed from the store but was still in AD so it was still active and outlook never showed an error message and from then on showed the value incorrectly so someone had permissions to send on behalf of that were not shown unless you looked directly at the directory (security issue).

MS PSS reported again in the Friday con call that they had no idea and they were bumping the issue to Sev-A to get ROSS onsite to do a debug and I waited until the TAM was completely done with what she wanted to say and then said, the issue is the GC issue. MS said, no it wasn't, they couldn't confirm that. Then I said that I knew absolutely it was the issue. The people on the call knew me long enough not to question when I said absolutely versus it should be checked or it appears or possibly.

So the following week we had the same meetings we had from several months ago only I was holding the hammer and I was bringing up everything MS had said previously about the design and so I asked the obvious question of were we designed to have public delegates work or did we say we didn't need those too? That was an obvious setup question because most large companies use public delegates a lot and this widget company really used public delegates a whole lot. That spawned a whole bunch of debating which ended up with me indicating the solutions one of which was a complete redesign of the Exchange infrastructure that MS had worked hand in hand on with our Exchange dev folks for a couple of years[3]... Things got hot. In the end Dev still came back and said it was by design and would not be
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. I was working on some other thing at the time, I believe it was setting up web pages to do things like short term delegation of mailbox access so that the third level outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc. Anyway, I sat in the Friday con call while onsite PSS discussed the issue and it sounded like the same GC issue as I had stumbled on before. I mentioned that they would want to check that out and verify what GCs where being talked to and redirect them to a more appropriate GC as I had documented and shown for the DL issue before. 
I didn't want to jump into it and really look at it as I always seemed to get into some sort of trouble for finding and pointing out MS screwups and any issues in the Exchange design. My boss loved it because it meant we fixed something that would hurt once in production, my boss's boss hated it because it slowed down the project he was being graded on with the execs which was way over budget and way over timeline. Next Monday's con call they still didn't have a clue, more descriptions still sounded like a GC issue, I said so again. Ditto Tuesday con call. On Wednesday we had our "everyone gets in one room" meeting and discusses the problems and when that problem came up I yet again pointed it out that it really sounded like the GC issue. Either MS really didn't want it to be that and they were looking for anything else it could be or the analysts really had no clue what they were looking at. I expect the latter. I told my friends in MCS that the PSS guy was screwing this up and they needed to birddog him because he was going to make MS look like idiots again. They said they couldn't for some reason or another. Thurs con call same issue, no progress. Thurs around 6PM when I was settling into the lab to get some serious work done[1] I got grabbed by one of our third level Outlook folks (a good friend) who was working the issue[2] and she said I had no choice as she would kick my butt and that she was making me work on that issue. Within 15 minutes I proved that what I had said the previous Friday was the issue and also learned about how badly Outlook handled the issue in that if you removed a public delegate it would disappear from the list because it was removed from the store but was still in AD so it was still active and Outlook never showed an error message and from then on showed the value incorrectly so someone had permissions to send on behalf of that were not shown unless you looked directly at the directory (security issue). 
MS PSS reported again in the Friday con call that they had no idea and they were bumping the issue to Sev-A to get ROSS onsite to do a debug and I waited until the TAM was completely done with what she wanted to say and then said, the issue is the GC issue. MS said, no it wasn't, they couldn't confirm that. Then I said that I knew absolutely it was the issue. The people on the call knew me long enough not to question when I said absolutely versus it should be checked or it appears or possibly. So the following week we had the same meetings we had from several months ago only I was holding the hammer and I was bringing up everything MS had said previously about the design and so I asked the obvious question of were we designed to have public delegates work or did we say we didn't need those too? That was an obvious setup question because most large companies use public delegates a lot and this widget company really used public delegates a whole lot. That spawned a whole bunch of
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
This IS the short version ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Sun 11/6/2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. 
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
LOL. Seriously. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, November 06, 2005 2:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes This IS the short version ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Sun 11/6/2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. 
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
That is the short version. That comprises highlights of things that occurred over 9 months. :o) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, November 06, 2005 1:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. I was working on some other thing at the time, I believe it was setting up web pages to do things like short term delegation of mailbox access so that the third level Outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc. 
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
All - I've been informed by more than a few folks on this list that I am, for the most part, completely and utterly wrong on this topic. I apologize for any and all misinformation that I have conveyed, and will refrain from posting on topics that I don't have complete and total knowledge of the full circumstances surrounding the issue. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, November 06, 2005 9:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Ken, I agree completely. What I find very interesting in reading this KB is that it appears that the problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very specific conditions need to be met. The third seems to be the element that makes this more unlikely to occur - The scenario involves approximately 1000 simultaneous delete, create, or extend operations on files. What I find most interesting about this KB, and kudos to our stress team - is it seems that we discovered this internally and that no scale of customer impact seems to have occurred. (I don't know this for fact to be true - I just suspect it to be so because some of the Lists that I monitor internally haven't notified us of a large scale impact.) Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer Sent: Sunday, November 06, 2005 12:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Frankly my expectation from a file system that's marked as being robust and enterprise ready is that you should lose nothing if the drive is almost full, and the file system should shut down gracefully if the drive is full, especially in normal situations. Sysadmins should not have to worry that they'll lose data to corruption if the drive is almost full in the normal course of events. If you're doing something like the extreme use cases noted in the KB article, then that's possibly a different situation, but in that type of situation you're probably monitoring your disks with an eagle eye anyway. Additionally, Microsoft is correct to warn that a potential issue does exist. Cheers Ken -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, 6 November 2005 3:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Is it me or is that a dumb KB? A volume is full or almost full. Yeah data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive. 
Almeida Pinto, Jorge de wrote: FYI Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1 http://support.microsoft.com/default.aspx?scid=kb;en-us;909360 Cheers, Jorge List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
How long have you known joe? Short version PLEASE! Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, November 06, 2005 12:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. I was working on some other thing at the time, I believe it was setting up web pages to do things like short term delegation of mailbox access so that the third level Outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc. 
Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Being blonde every now and then comes with technology. I still would annoyingly argue though that if the little pop up on the drive said 'yo your drive space is getting low' that it's still my responsibility as an admin on the box to not get it that tight. I've accidentally set up Tripwire on a server to be monitoring too many things and man... the number of log files, moving parts, things that change... it's pretty amazing and I'm just a fan in giving computers just a nice healthy dose of breathing room...even in those Enterprise spaces. I think some of those CEOs can cut down on the perks a bit and move the budget around. Rick Kingslan wrote: All - I've been informed by more than a few folks on this list that I am, for the most part, completely and utterly wrong on this topic. I apologize for any and all misinformation that I have conveyed, and will refrain from posting on topics that I don't have complete and total knowledge of the full circumstances surrounding the issue. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, November 06, 2005 9:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Ken, I agree completely. What I find very interesting in reading this KB is that it appears that the problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very specific conditions need to be met. The third seems to be the element that makes this more unlikely to occur - The scenario involves approximately 1000 simultaneous delete, create, or extend operations on files. What I find most interesting about this KB, and kudos to our stress team - is it seems that we discovered this internally and that no scale of customer impact seems to have occurred. 
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
who says you can't hope for it?! ;-) <grin>there may be some hope left from him to try</grin> is a management summary possible? ;-) Jorge From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Sun 11/6/2005 10:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes How long have you known joe? Short version PLEASE! Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, November 06, 2005 12:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes damn... do you have a short version of this story? From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 11/6/2005 5:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes Oh I understand. I definitely understand I wasn't the only one, I don't think it would have been fixed if it was just me. My contributions included 1. Debating strongly with Alliance PSS (on and offsite people). 2. Debating strongly with onsite MCS. 3. Debating strongly with Dev 4. Wrote Steve Balmer as a concerned MVP. 5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue). 6. Reposting every single time I saw anything that related to it. Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs so it was specifically designed without DLs in mind and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. 
I was working on some other thing at the time, I believe it was setting up web pages to do things like short term delegation of mailbox access so that the third level outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc.

Anyway, I sat in the Friday con call while onsite PSS discussed the issue and it sounded like the same GC issue as I had stumbled on before. I mentioned that they would want to check that out and verify what GCs were being talked to and redirect them to a more appropriate GC as I had documented and shown for the DL issue before.

I didn't want to jump into it and really look at it as I always seemed to get into some sort of trouble for finding and pointing out MS screwups and any issues in the Exchange design. My boss loved it because it meant we fixed something that would hurt once in production, my boss's boss hated it because it slowed down the project he was being graded on with the execs which was way over budget and way over timeline.

Next Monday's con call they still didn't have a clue, more descriptions still sounded like a GC issue, I said so again. Ditto Tuesday con call. On Wednesday we had our everyone gets in one room meeting and discusses the problems and when that problem came up I yet again pointed it out that it really sounded like the GC issue. Either MS really didn't want it to be that and they were looking for anything else it could be or the analysts really had no clue what they were looking at. I expect the latter. I told my friends in MCS that the PSS guy was screwing this up and they needed to birddog him because he was going to make MS look like idiots again. They said they couldn't for some reason or another. Thurs con call same issue, no progress.
Thurs around 6PM when I was settling into the lab to get some serious work done[1] I got grabbed by one of our third level Outlook folks (a good friend) who was working the issue[2] and she said I had no choice as she would kick my butt and that she was making me work on that issue. Within 15 minutes I proved that what I had said the previous Friday was the issue and also learned about how badly Outlook handled the issue in that if you removed a public delegate it would disappear from the list because it was removed from the store but was still in AD so it was still active and Outlook never showed an error message and from then on showed the value incorrectly so someone had permissions to send on behalf of that were not shown unless you looked directly at the directory (security issue).

MS PSS reported again in the Friday con call that they had no idea and they were bumping the issue to Sev-A to get ROSS onsite to do a debug and I waited until the TAM was completely done with what she wanted to say and then said,
[ActiveDir] No Kerberos referral
Hi all,

I have a problem getting Kerberos authentication to work between two forests.

Should Kerberos referrals work between domains in different forests trusted by a one way trust?

Client and user in intranet domain, resource in extranet forest
Windows Server 2003 SP1
Windows XP SP2
Extranet domain trusts intranet domain

Trust is working for NTLM and Kerberos, but I don't get a referral to the extranet domain when I expect it. I get one when specifically asking for a referral ticket but not when just asking for a service ticket.

Has anyone else been able to get Kerberos referrals to work with a one way external trust?
Any proposal what the problem could be if it should work with the one way trust?

Regards
Lars Hagberg

Lars Hagberg
Volvo Information Technology AB
Dept 2560, VBBVN
SE-405 08 Göteborg, Sweden
Telephone: +46 31 32 21934
E-mail: [EMAIL PROTECTED]
[ActiveDir] ADFS/DFSR webcast
http://blogs.technet.com/bpuhl/archive/2005/11/06/413838.aspx

---

Coming up December 13th, Dustin Fraser and I are scheduled to do a webcast on some of the Server 2003 R2 components we've been dogfooding for the past year. Dustin is the MS IT engineer who's been deploying the Distributed File Replication Service (DFSR) and has done an amazing job of working with the product teams to make DFSR both functional as well as manageable at an enterprise scale. I've spent a good chunk of the past year deploying Active Directory Federation Services (ADFS) in our environment, and will be talking about some of the good, bad, and ugly of our internal deployment of ADFS.

This is a 300 Level webcast for IT Pros. Note that the title is misleading, we're waiting for it to change to reflect both ADFS and DFSR, but you can click here http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMediaParams=%7eCMTYDataSvcParams%5e%7earg+Name%3d%22ID%22+Value%3d%221032285759%22%2f%5e%7earg+Name%3d%22ProviderID%22+Value%3d%22A6B43178-497C-4225-BA42-DF595171F04C%22%2f%5e%7earg+Name%3d%22lang%22+Value%3d%22en%22%2f%5e%7earg+Name%3d%22cr%22+Value%3d%22US%22%2f%5e%7esParams%5e%7e%2fsParams%5e%7e%2fCMTYDataSvcParams%5e to register for the webcast if interested.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Certificate Services AD
Hi all,

Can anyone please recommend a good web resource for deploying certificate services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or enterprise, hardware config. etc.

Thanks in advance.
RE: [ActiveDir] Certificate Services AD
Not a web resource, but I've found this MS Press book to be a reasonably good primer. It covers hardware (to some extent), multiple levels of hierarchy, developing your certificate policies etc.

http://www.amazon.com/exec/obidos/tg/detail/-/0735620210/
Microsoft Windows Server(TM) 2003 PKI and Certificate Security

Cheers
Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, 7 November 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Certificate Services AD

Can anyone please recommend a good web resource for deploying certificate services in an Active Directory environment.

I was interested in best practices for CA hierarchy, stand-alone or enterprise, hardware config. etc.
RE: [ActiveDir] No Kerberos referral
Just to clarify, you do not have a Cross Forest Trust in place but instead a down level trust between domains in the two separate forests?

If a cross forest one way trust is in place then yes, you should see a referral; if it is a down level trust then no, you will not see a referral, but as you have observed, in some cases Kerberos will work.

If you did not choose to create a Cross Forest Trust in this scenario, was there a specific reason?

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hagberg Lars
Sent: Sunday, November 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] No Kerberos referral

Hi all,

I have a problem getting Kerberos authentication to work between two forests.

Should Kerberos referrals work between domains in different forests trusted by a one way trust?

Client and user in intranet domain, resource in extranet forest
Windows Server 2003 SP1
Windows XP SP2
Extranet domain trusts intranet domain

Trust is working for NTLM and Kerberos, but I don't get a referral to the extranet domain when I expect it. I get one when specifically asking for a referral ticket but not when just asking for a service ticket.

Has anyone else been able to get Kerberos referrals to work with a one way external trust?
Any proposal what the problem could be if it should work with the one way trust?

Regards
Lars Hagberg

Lars Hagberg
Volvo Information Technology AB
Dept 2560, VBBVN
SE-405 08 Göteborg, Sweden
Telephone: +46 31 32 21934
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] Certificate Services AD
Hello Devan,

The book Ken references is pretty good, the author, Brian Komar, did a lot of PKI-Deployment at major companies across the US and the world, is a visiting speaker at a lot of conferences like TechEds and is MVP for Windows Security. His company is specialized in PKI-Deployments.

He also was involved in a lot of stuff available at microsoft.com about the subject, you'll find a reference to the PKI Whitepapers and KBs at http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
|Sent: Monday, November 07, 2005 5:00 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Certificate Services AD
|
|Hi all,
|
|Can anyone please recommend a good web resource for deploying
|certificate services in an Active Directory environment.
|
|I was interested in best practices for CA hierarchy,
|stand-alone or enterprise, hardware config. etc.
|
|Thanks in advance.
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
The admin is not at fault because he wasn't aware that the backup didn't complete? You're an awfully forgiving boss.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 7:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Work with Exchange much? Miss one or two backups and that volume that holds your log files might experience this issue with no fault of the admin at all. (Well, except for the fact that your backup system didn't page the person in charge to notify it didn't run... Or, that person chose not to respond.)

Regardless... Poo-poo happens. At least, now they know.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Not dumb for Microsoft, dumb for the Admin to get the drive in that condition and need a KB to whack them upside the head. At the end of the day... it's my responsibility for my network. I won't be complaining to Microsoft that they didn't warn me that bad things might happen if I don't keep nice breathing room on my drives.

Rick Kingslan wrote:

Hmmm. I guess I see this in a different light. In my new, improved view of the way that Microsoft communicates things, no - it doesn't seem to be very dumb at all. The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special. He relates that he's always interested when it's flood season in the Midwest.
The same people that got flooded out last year get flooded out this year, repaint, re-carpet and move back in. Next season - it will be the same thing. They just won't understand that if they live on the flood plain, you can't complain that Grandma is floating down the river with a canary on her head.

That's why we say things like: A volume is full or almost full. your NTFS just MIGHT have problems. Because there are just those same folks on the Midwest flood plain that will call PSS really upset that their full or almost full NTFS drive has a problem.

I'm not saying that the people that call are stupid. I am saying that most Insurance policies and contracts, as well as EULAs - have a ton of words and verbiage that only the well trained lawyer can understand because folks are just well, litigious. And, you have to address the obvious because in segments of the population - the obvious - isn't.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Is it me or is that a dumb KB? A volume is full or almost full. Yeah data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive.

Almeida Pinto, Jorge de wrote:

FYI

Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1
http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge