[ActiveDir] happy new year
Dear all, happy new year. I hope this year has more success for all. Thank you...
[ActiveDir] Solution
Dear All, do you have any solution or idea for clustering two ADs with the same name? For example:
server 1: soft.com
server 2: soft.com
Thank you...
[ActiveDir] WinXP and Win2003
Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine to different names in each OS but the same thing happens. Is there a way to do that (log in to the domain using both OSes without having to disjoin)? Thank you
RE: [ActiveDir] DNS SRV records
What you could do is:
* make sure only the main central hub registers domain wide and site wide DC locator records
* make sure regional hubs only register site wide DC locator records and NOT domain wide DC locator records
* make sure remote offices only register site wide DC locator records and NOT domain wide DC locator records
* leave the priority of the central hub DCs as is
* configure a higher priority value for regional hub DCs
* leave the priority of the remote site DCs as is
* configure regional hub DCs to additionally cover the corresponding lower remote sites

This way:
* if regional hub DCs fail, clients/servers go to the main central hub when they query for DCs in the domain
* if remote site DCs fail, clients/servers will first go to the corresponding upper regional hub, as these also cover the remote site, and second they will go to the main central hub when they query for DCs in the domain

This configuration could be realized using GPOs with group filtering, or sub-OUs below the Domain Controllers OU (one OU with the DCs of all remote sites, which do not register domain wide DC locator records, AND one OU per regional hub with DCs that do not register domain wide DC locator records, have a higher priority for the SRV RR and additionally cover the lower remote site), or site GPOs using WMI filtering, or a combination of what is mentioned.

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Sat 2005-12-31 13:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS SRV records

1) AFAIK, Site is an Active Directory specific concept, and AD is Directory (LDAP), Authentication server (Kerberos) etc. These services are published by AD in DNS through SRV records in _sites._msdcs for each site and it covers them all (LDAP, DC, GC, Kerberos, Kpassword), so I was curious what applications would actually just read the site name from AD and look for a service not offered by a DC in that site? AD based distributed applications (other than Exchange)?

2) DNS priorities, I know by default it's only possible on a per DC basis through the registry. I was hoping it was more customizable, even if it was not officially documented. Basically we do have hub and spoke stuff. We have a central hub and then at its spokes regional hubs and at their spokes individual remote sites. (This is highly simplified, as there are load balancing links across regions, away from the central hub, so I would say it's a mesh between center and regional sites and then hub and spokes at region and remote sites.) Now, in case of DC failure at a remote site, clients would go to any regional or central hub DC, and not necessarily its nearest regional hub DC. With priority only on a per DC basis, I would have to create a mess of priorities to achieve what I want, and it would be complex. One solution I thought of was to publish regional hub DCs in their spoke DCs with lower priority. This would surely give me some control on where remote sites go for authentication, but this would not help cover DC failure at region level. Basically, I want to totally control the list of DCs referred to clients at each site and in what order they are referred. So, a per DC per site priority setting would have been ideal. I am open to other possible solutions.
-- Kamlesh

On 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
_sites.dc._msdcs.DNSDomainName is for locating a DC (hence the _msdcs) that hosts a certain service in a certain site.
_sites.DnsDomainName is for locating a SERVER (does not need to be a DC) that hosts a certain service in a certain site.
For more info on service resource records see: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp
DNS priorities are on a per DC basis, and not on a per DC per site basis. It is not possible to configure a different priority for the same DC covering another site. Why do you want to do that?
If clients cannot find a DC in a site by querying for _ldap._tcp.SiteName._sites.DnsDomainName, the client will search for a DC in the domain by querying for _ldap._tcp.dc._msdcs.DnsDomainName. If you have a hub-and-spoke site topology it is OK to configure all spoke DCs (branches) NOT to register domain wide DC locator records and only let HUB DCs register those records.
Jorge

From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Fri 2005-12-30 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS SRV records

From my limited knowledge of how AD uses SRV records, I have two queries. 1) Why
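An added example, not code from the thread or from Microsoft: a small Python model of the way the DC locator walks the SRV names Jorge quotes (the site-specific `_ldap._tcp.<Site>._sites.dc._msdcs.<Domain>` name first, the domain-wide `_ldap._tcp.dc._msdcs.<Domain>` name as fallback) so the three-tier failover order he describes can be checked on paper before DNS is changed. The domain, site and host names, and the zone contents, are constructed for the example.

```python
"""Added example (not from the ActiveDir thread): a model of DC locator SRV
lookup for the hub-and-spoke layout Jorge describes, with constructed data."""
import random
from collections import defaultdict

# Constructed zone for the hypothetical domain corp.example.  Each record is
# (priority, weight, target).  Lower priority is preferred; weight only orders
# records that share a priority (RFC 2782).
#  - central hub DCs register site-wide AND domain-wide (dc._msdcs) records
#  - the regional hub east1 registers site-wide records only: its own site at
#    priority 0 and the remote site it covers at a higher (worse) value 10
#  - the remote-site DC br7dc registers only its own site-wide record
ZONE = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        (0, 100, "hub1.corp.example"),
        (0, 100, "hub2.corp.example"),
    ],
    "_ldap._tcp.Central._sites.dc._msdcs.corp.example": [
        (0, 100, "hub1.corp.example"),
        (0, 100, "hub2.corp.example"),
    ],
    "_ldap._tcp.RegionEast._sites.dc._msdcs.corp.example": [
        (0, 100, "east1.corp.example"),
    ],
    "_ldap._tcp.Branch7._sites.dc._msdcs.corp.example": [
        (0, 100, "br7dc.corp.example"),
        (10, 100, "east1.corp.example"),   # covering regional hub, used only if br7dc fails
    ],
}


def rfc2782_order(rrset, rng):
    """Order SRV targets: ascending priority, weighted-random within a priority."""
    by_priority = defaultdict(list)
    for prio, weight, host in rrset:
        by_priority[prio].append((weight, host))
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(w for w, _ in pool)
            pick = rng.uniform(0, total) if total else 0
            for i, (w, host) in enumerate(pool):
                pick -= w
                if pick <= 0 or i == len(pool) - 1:
                    ordered.append(host)
                    del pool[i]
                    break
    return ordered


def candidate_order(zone, domain, site, rng=None):
    """The locator's candidate list: site-specific SRV name first, then the
    domain-wide name.  A host already listed from the site query is not repeated."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
             f"_ldap._tcp.dc._msdcs.{domain}"]
    seen, candidates = set(), []
    for name in names:
        for host in rfc2782_order(zone.get(name, []), rng):
            if host not in seen:
                seen.add(host)
                candidates.append(host)
    return candidates


def locate_dc(zone, domain, site, available, rng=None):
    """First candidate that answers (membership in `available` stands in for the
    LDAP ping a real client sends); None means no DC could be found at all."""
    for host in candidate_order(zone, domain, site, rng):
        if host in available:
            return host
    return None


if __name__ == "__main__":
    hubs = {"hub1.corp.example", "hub2.corp.example"}
    for up in ({"br7dc.corp.example", "east1.corp.example"} | hubs, {"east1.corp.example"} | hubs, hubs):
        print(sorted(up), "->", locate_dc(ZONE, "corp.example", "Branch7", up))
```

Run as a script it prints which DC a Branch7 client lands on as the branch DC, then the regional hub, drop out. The point the thread makes shows up in the data: because east1 never appears under the domain-wide name, a client in a site with no records of its own (or one whose site and covering DCs are all down) only ever reaches the central hub.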
[ActiveDir] OT: Request for Test AD Population Data
Happy New Year to all. Does anyone know where I can obtain generic user data for importing into various ADs? I am starting to improve my knowledge of the concept of meta directories and I want a little bit more information in the user fields than User1, 2, 3 etc. Regards Mark
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Solution
Can you expand on the question? AD isn't designed for clustering per se. It's a distributed application that doesn't really need that. Perhaps you have some other requirement than just AD availability? Al

On 1/1/06, tareq ttt [EMAIL PROTECTED] wrote:
Dear All, do you have any solution or idea for clustering two ADs with the same name? For example:
server 1: soft.com
server 2: soft.com
Thank you...
Re: [ActiveDir] icmp's
I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary, but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:
That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients? I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which when I looked it up refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets and I was wondering if that's something I should worry about in a Win2k network. Thanks
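An added example, not code from the thread or from any of its posters: a small checker for the kind of ICMP access-list lines Brian quotes. A DC ping needs both halves to pass the firewall, the client's echo towards the DC and the DC's echo-reply back, and a one-way rule is an easy mistake to make when tightening ICMP. The two ACL lines are the ones in the thread; the client object-group name and the first-match/implicit-deny evaluation are assumptions made for the example.

```python
"""Added example (not from the ActiveDir thread): verify that a Cisco-style ICMP
ACL permits both directions of a client -> DC ping.  ACL lines as quoted by
Brian; the "clients" group name and the evaluation model are constructed."""
import re

# The two rules quoted in the thread, one per direction.
ACL_TEXT = """
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
"""

ACL_LINE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+line\s+\d+\s+(?P<action>permit|deny)\s+icmp\s+"
    r"(?P<src>any|object-group\s+\S+|host\s+\S+)\s+"
    r"(?P<dst>any|object-group\s+\S+|host\s+\S+)\s+(?P<type>\S+)"
)


def parse_acl(text):
    """Parse ICMP access-list lines into dicts; anything unparsed is an error
    rather than silently ignored, since a skipped line could hide a deny."""
    rules = []
    for line in text.strip().splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        rules.append(m.groupdict())
    return rules


def _matches(spec, name):
    # "any" matches everything; otherwise compare the group/host name.
    return spec == "any" or spec.split()[-1] == name


def permits(rules, src, dst, icmp_type):
    """First matching rule decides (assumed model); implicit deny at the end."""
    for r in rules:
        if _matches(r["src"], src) and _matches(r["dst"], dst) and r["type"] == icmp_type:
            return r["action"] == "permit"
    return False


def ping_path_ok(rules, client_group, dc_group):
    """True only if echo out AND echo-reply back are both permitted."""
    return (permits(rules, client_group, dc_group, "echo")
            and permits(rules, dc_group, client_group, "echo-reply"))


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("clients -> DCs ping works:", ping_path_ok(rules, "clients", "domain_controllers"))
```

With only the first of Brian's two lines present the checker reports the path as broken, which is the shape of the problem Tom's Userenv events point at: the request leaves, the reply never comes back.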
Re: [ActiveDir] icmp's
I thought I read somewhere in some MS doc it being referred to as legacy, since now you can put multiple logon scripts in GPOs and they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was legacy. Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:
I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary, but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:
That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients? I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which when I looked it up refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets and I was wondering if that's something I should worry about in a Win2k network. Thanks
RE: Re: [ActiveDir] icmp's
This is from the Microsoft article "Enterprise logon scripts": By default, logon scripts written as either .bat or .cmd files (so-called legacy logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the "Run legacy logon scripts hidden" policy. This ensures that all legacy logon scripts run in a hidden window. Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as legacy, since now you can put multiple logon scripts in GPOs and they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was legacy. Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:
I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary, but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:
That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients? I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which when I looked it up refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets and I was wondering if that's something I should worry about in a Win2k network. Thanks
RE: [ActiveDir] WinXP and Win2003
I have no clue why it wouldn't allow you to have different names for the OSes and then both can be joined at the same time; I have done this often. You did use different directories for the installations, right? Anymore, dual booting is going the way of the dodo; the "new" thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine to different names in each OS but the same thing happens. Is there a way to do that (log in to the domain using both OSes without having to disjoin)? Thank you
RE: Re: [ActiveDir] icmp's
Come on, who ya going to believe? Microsoft, who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead), or our trusted source... Al? :o) Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users or machines, so I didn't need the sorting capability of GPOs. Overall I am ok level happy with having a default domain GPO and default DC GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts": By default, logon scripts written as either .bat or .cmd files (so-called "legacy" logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the "Run legacy logon scripts hidden" policy. This ensures that all legacy logon scripts run in a hidden window. Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as "legacy", since now you can put multiple logon scripts in GPOs and they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was "legacy". Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:
I personally haven't heard it referred to as "legacy". I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary, but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:
That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients? I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which when I looked it up refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets and I was wondering if that's something I should worry about in
Re: [ActiveDir] WinXP and Win2003
Did you originally use different names, or the same name for each computer? And I agree with Joe: dual-booting is becoming obsolete. http://www.ultratech-llc.com/KB/?File=BootMgr.TXT
-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/1/06, shereen naser [EMAIL PROTECTED] wrote:
Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine to different names in each OS but the same thing happens. Is there a way to do that (log in to the domain using both OSes without having to disjoin)? Thank you
RE: [ActiveDir] icmp's
I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on ICMP in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as "legacy". I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary, but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:
That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients? I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with error code 59, which when I looked it up refers to network connectivity issues. I think this event ID is related to the fact that we block ICMP packets and I was wondering if that's something I should worry about in a Win2k network. Thanks
RE: [ActiveDir] directory validation
That is actually sort of what I was thinking, use the tool or another tool that does migration work and see if you can disable the "for real" switch and then just let it tell you what it thinks needs to be done. Otherwise, you get to whip out your scripting skills and put together a little script to start comparing things. I don't even think I would have hesitated, I would have just started scripting. That's why we get the big bucks. ;o) The script could simply dump the important info from the two directories and let WINDIFF do the comparison work or you could do the compare in the script itself. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Saturday, December 31, 2005 3:48 PMTo: [EMAIL PROTECTED]sedir.orgSubject: Re: [ActiveDir] directory validation Sorry Tom, itchy send finger :) I meant to add on that ADMT might be a useful tool for you. IIRC, ADMT has a report mode (Quest may as well, and you would do well to check into it prior) that you could run to see if the target already exists. Does that meet your criteria of success? I don't know because that would depend on your criteria of a successful migration. Will it help? I think so. Scripts could be used as well, but I think something like a migration tool already in place that is run in report mode would be much better in terms of time spent. Al On 12/31/05, Al Mulnick [EMAIL PROTECTED] wrote: i guess sidHistory is the "join criteria" in this case and would work well? sidHistory is usually a good criteria as it should only exist on one object in the target and one object in the source. sidHistory is a unique identifier and since it was a migration, that should be useful in figuring out what in the source is now in the target. I will say that it's a horrible idea to undertake a migration and still put items in the source forest waiting for some sunset event of the source forest. 
It might be a good idea to suggest that they rethink that strategy in favor of using the new shiny forest. but what about contact objects or non security DG's and objects without sids? there is nothing unique that would transfer from the source to the destination that I can think of unless there's a SMTP address or similar associated. Otherwise, it's more like the Microsoft shuffle: copy from source, delete original (in this case, not so much since source still exists, but you get the idea). There's no binding unless you create one. For non-security principals, you'll want to find another criteria that works for you. Al On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote: i am using sidHistory. I've been using Quest AD Migration Manager to copy objects from one forest to another. the tool comes with logging but no way to validate objects in seperate forests post migration. we haven't migrated Exchange yet, so we are co-existing with 2 forests right now. the source forest is still the forest of record. when a new user gets created or a new worktation image is deployed, it still gets staged in the source forest. Management wants to keep doing this till the old forest is decomissioned. also, since consultants from IBM did a lot of the migrating(they are now gone), i'd like a way to validate what they've done. i guess sidHistory is the "join criteria" in this case and would work well? but what about contact objects or non security DG's and objects without sids? thanks On 12/30/05, Al Mulnick [EMAIL PROTECTED] wrote: What would be your join criteria in this case? I mean, if you're not using sidHistory, what's to say that userA in domainA ForestA once moved to domainB ForestB is going to be called UserA? What if a UserA already exists in that target domain? Anyhow, there needs to be an authoritative source and a way to join the source to the target in a way that prevents ambiguity. 
Normally, sidHistory would fulfill that requirement, but in two separate forests there's no guarantee that you'd use that. Or if you were bringing it from multiple domains it would have multiple source sids. For that purpose, something like MIIS is a very useful tool because of the way it joins directories. If you were to home grow something, you'll have to figure out what the link is. If it's different than what 80% of the people out there need, it won't be an off-the-shelf tool that you're looking for, but more like the others have said: db, xls, script, or similar to do that work. Does that help? On 12/30/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: don't know any tool that is able to do this. How about scripting?
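Added example (editor's, not code from any message in this thread): the "dump both directories and compare" script the thread keeps circling around, done the way the posters describe the join. Users, computers and security-enabled groups are matched by looking for the source objectSid in the target's sIDHistory, which also handles the multiple-source-domain case since every historical SID is indexed; contacts and distribution groups never receive a sIDHistory, so they are matched on mail. A source SID that turns up on more than one target object is reported as a warning, since sIDHistory is supposed to be unique. It assumes the ActiveDirectory module and read access to one DC in each forest; the DC names and the output path are placeholders.

```powershell
# Added example (editor's, not from the thread). Validates a forest-to-forest
# migration by joining source objects to target objects: security principals on
# sIDHistory, contacts/distribution groups on mail. Requires the ActiveDirectory
# module and read access to a DC in each forest. Server names are placeholders.

function Get-MigrationValidationReport {
    param(
        [Parameter(Mandatory)] [string] $SourceServer,
        [Parameter(Mandatory)] [string] $TargetServer
    )

    # Target index 1: historical SID -> DN of the target object carrying it.
    # sIDHistory should exist on exactly one target object per source SID, so a
    # SID seen twice is itself a finding and is reported separately.
    $bySidHistory  = @{}
    $duplicateSids = New-Object System.Collections.Generic.List[string]
    Get-ADObject -Server $TargetServer -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            foreach ($sid in $_.sIDHistory) {
                if ($bySidHistory.ContainsKey($sid.Value)) { $duplicateSids.Add($sid.Value) }
                else { $bySidHistory[$sid.Value] = $_.DistinguishedName }
            }
        }

    # Target index 2: lower-cased mail -> DN, for objects that have no SID link.
    $byMail = @{}
    Get-ADObject -Server $TargetServer -LDAPFilter '(mail=*)' -Properties mail |
        ForEach-Object { $byMail[$_.mail.ToLowerInvariant()] = $_.DistinguishedName }

    # Source side. (objectClass=user) also matches computers, which derive from user.
    $sourceFilter = '(|(objectClass=user)(objectClass=group)(objectClass=contact))'
    Get-ADObject -Server $SourceServer -LDAPFilter $sourceFilter -Properties objectSid, mail, groupType |
        ForEach-Object {
            $obj = $_
            # Security-enabled groups carry the 0x80000000 bit, which makes the
            # signed groupType negative; distribution groups are positive.
            $isSecurityGroup = ($obj.ObjectClass -eq 'group') -and ($obj.groupType -lt 0)
            $isPrincipal     = ($obj.ObjectClass -in 'user', 'computer') -or $isSecurityGroup

            if ($isPrincipal) {
                $method  = 'sIDHistory'
                $joinKey = $obj.objectSid.Value
                $target  = $bySidHistory[$joinKey]
            } elseif ($obj.mail) {
                $method  = 'mail'
                $joinKey = $obj.mail.ToLowerInvariant()
                $target  = $byMail[$joinKey]
            } else {
                $method  = 'none'
                $joinKey = $null
                $target  = $null
            }

            if ($target)                { $status = 'Migrated' }
            elseif ($method -eq 'none') { $status = 'NoJoinKey' }        # needs a hand-picked criterion
            else                        { $status = 'MissingInTarget' }

            [pscustomobject]@{
                SourceDN   = $obj.DistinguishedName
                Class      = $obj.ObjectClass
                JoinMethod = $method
                JoinKey    = $joinKey
                TargetDN   = $target
                Status     = $status
            }
        }

    foreach ($sid in ($duplicateSids | Sort-Object -Unique)) {
        Write-Warning "sIDHistory $sid is present on more than one target object"
    }
}

# Usage (placeholder DC names): keep the full dump for a WINDIFF-style comparison,
# then summarise only what is not accounted for.
$report = Get-MigrationValidationReport -SourceServer 'dc1.oldforest.example' -TargetServer 'dc1.newforest.example'
$report | Export-Csv -NoTypeInformation -Path .\migration-validation.csv
$report | Where-Object { $_.Status -ne 'Migrated' } | Group-Object Status, Class | Select-Object Count, Name
```

Run it twice, once before and once after the IBM-era work is reviewed, and diff the two CSVs: objects that move from MissingInTarget to Migrated are the ones somebody fixed, and NoJoinKey rows are the contacts and distribution groups with no mail address, for which you still have to pick a criterion by hand, exactly as Al says.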
RE: [ActiveDir] icmp's
The real benefit to the GPO method is that you can target scripts to the same _groups_ in which the GPO would affect and you can target Computer groups, which you can't do (for obvious reasons) with logon scripts. This lends itself to some very elegant solutions that I'm sure one could do with some fancy environment or user/computer-based variables or attribute checking. Of course, it begs the obvious question: Why? If it means developing a whole manner and method to get variables and/or attributes identified and called, when you only would need to use GPO-based scripts, I think the answer becomes self-evident. As to being called Legacy, which seems to be the real problem here, it's simply verbiage that I don't think I'd get my panties in a bunch over. The user-focused versus the GPO focused scripts are going to be around as far out as I can see (and, that's really not THAT far, to be honest). Cheers! Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Sunday, January 01, 2006 8:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] icmp's I thought i read somewhere in some MS doc it being referred to as legacy since now you can put multiple logon scripts in GPO's and that they recommend doing it that way. every time a new OS or feature comes out, MS tends to refer to the previous os/feature as legacy or down-level. maybe i just made a silly assumption that using a logon script as a user attribute (i guess somewhat similar to the way NT did it) instead of a GPO was legacy. thanks On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote: I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. 
You'll know for sure then right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that. Al On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote: That's it. Isn't that the way it's referred to in MS-speak? I hope i didn't just make that up... On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote: presumably setting the scriptPath attribute on accounts... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Fri 12/30/2005 8:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] icmp's When you say legacy way, what does that mean exactly? On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote: would this also keep clients from getting logon scripts? and when i say logon scripts, i mean the legacy way of distributing them, NOT thru GPO's. Thanks again On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote: You need to enable ICMP echo source clients dest dc's, and icmp echo-reply source dc's dest clients. The rules look something like this:
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
Have your network people considered rate-limiting ICMP packets rather than shutting them down all together? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Fri 12/30/2005 9:25 AM To: activedirectory Subject: [ActiveDir] icmp's What effect would blocking icmp packets on all vlans have on win2k/xp client logons in a win2k forest? any? I know clients ping dc's to see which responds first and later ping dc's to determine round trip time for GPO processing, but would blocking icmp's have any adverse effects on clients? 
I only ask because my corp blocks icmp's on all our vlans and i get a lot of event id 1000 from Userenv with error code of 59 which when i looked up, refers to network connectivity issues. i think this event id is related to the fact we block icmp packets and i was wondering if that's something i should worry about in a win2k network. Thanks
RE: [ActiveDir] WinXP and Win2003
Hehe. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. I agree, dual-booting is not the optimal method of running different OSs, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed, I think dual booting still has a very strong place in the testing / learning environment. And, make no mistake, this is coming from a guy that when on the road has a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I love virtualization. It's just not the right thing for all situations. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 01, 2006 10:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] WinXP and Win2003 I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time, I have done this often. You did use different directories for the installations right? Any more dual booting is going the way of the dodo, the new thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser Sent: Sunday, January 01, 2006 6:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] WinXP and Win2003 Hi list, I have windows xp sp 2 on my machine, I need to test something so I installed windows 2003 server enterprise edition R2 on the same machine same hard disk, I can see the dual boot screen and choose the OS, but I can only login to the domain if one of the OS's is disconnected from the domain, meaning if I want to login to the windows 2003 I have to go to the windows xp and disjoin the machine from the domain then restart and login to the domain in windows 2003, if I want to login to winxp I go to windows 2003 and disjoin it from the domain then restart and join the xp to the domain and login, locally I can login to both machines no problem. the error is that the computer account is not found on the domain when I try to login and both OSes are joined to the domain. I tried to rename the machine name to different names in each OS but same thing happens. is there a way to do that? (login to domain using both OS's without having to disjoin?) Thank you
RE: Re: [ActiveDir] icmp's
joe stood up and attempted to smack Mark Parris with a large trout, saying: I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies. Huh? Can you explain both statements, joe? I understand the context of the first, but not why. The second I just am not sure what you're getting at. Help out an old haggard road warrior. ;o) Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 01, 2006 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] icmp's Come on, who ya going to believe? Microsoft who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead) or our trusted source... Al? :o) Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users nor machines so didn't need the sorting capability of GPOs. Overall I am ok-level happy with having a default domain GPO and default dc GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Sunday, January 01, 2006 9:58 AM To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] icmp's This is from the Microsoft article Enterprise logon scripts: By default, logon scripts written as either .bat or .cmd files (so-called "legacy" logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the Run legacy logon scripts hidden policy. 
This ensures that all legacy logon scripts run in a hidden window. Mark
RE: [ActiveDir] WinXP and Win2003
Re: My message to joe. Maybe 50% of the time - I'd agree. However, if you want to test that snazzy new Fibre HBA or would like to see what the impact for the user is going to be with CAD with the newest High End InterGraph workstation video card - VMs aren't going to work. The hardware selection in VMs is intended to be generic. Which for testing or learning BizTalk and SQL interaction with ADAM and ADFS - it rocks because the hardware doesn't matter. Again - be sure of this - I love VMs. I just can't test Vista on it because Aero Glass is the target, and I can't quite put an LDDM driver on the generic graphics coded in, for example. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Sunday, January 01, 2006 10:51 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] WinXP and Win2003 Did you originally use different names, or the same name for each computer? And I agree with Joe: Dual-booting is becoming obsolete. http://www.ultratech-llc.com/KB/?File=BootMgr.TXT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] icmp's
Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. Which, I always thought was a pretty funny way of doing things anyway. As you are well aware, Ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive (along with all of the other really important stuff). Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 01, 2006 10:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] icmp's I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.
RE: [ActiveDir] WinXP and Win2003
I am not a big workstation OS type of person, I use XP only when I must. Longhorn seems to work ok in a VM. I do agree that it isn't the right thing for all situations, but half the people setting up dual booting blow it anyway. VM is a much simpler solution for most people. Obviously if you are doing perf or physical hardware related testing it is tough. Heck even if you want USB you can't use VPC, you use vmware instead. If you want to test 64 bit you are kind of screwed too, oh wait vmware workstation does that as well...
RE: Re: [ActiveDir] icmp's
Rick came out of the woodwork and rambled: "Huh? Can you explain both statements, joe?" First statement being, I would rather not set domain policies in GPOs... I am referring to actual domain policy, not a policy applied to all machines in the domain. You know, the original meaning of domain policy. Pushing any policy to domain controllers that has to do with configuration of AD is asinine in my opinion, you already have a mechanism to push those changes through the environment. You don't need to use another one. Also it is a point of confusion for tons and tons of people. There should be a clear divisor between true domain policy and a policy that gets applied to each individual machine. Second statement being programmatically handling settings in policies... You can't set GPO settings programmatically unless you reverse the format of the policy information in sysvol. All you can do is backup/restore/export/import/enable/disable. What if I want to take all policies under the OU Buildings (which could be tens, hundreds, or thousands of policy files) and set one setting, for the sake of argument say password policy for local machines is equal to some set of values based on the specific OU name that the policy is applied to (say it has finance in the name of the OU) how will you do that programmatically without directly hacking the policy files which last I heard wasn't supported?
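Added example (editor's, not from any message in this thread). The message above predates the GroupPolicy module that shipped with Windows Server 2008 R2, which exposes registry-backed (Administrative Template) settings through Set-GPRegistryValue, so the "every GPO linked under OU Buildings whose OU name contains finance" case can now be scripted against a supported API instead of the files under SYSVOL. The caveat still stands for the specific setting named in the message: account/password policy lives in the security-settings part of a GPO, for which that module offers no setter, so the usage line below instead sets the registry-backed "Run legacy logon scripts hidden" policy quoted from the Microsoft article earlier in this thread. It assumes the GroupPolicy and ActiveDirectory modules; the OU path is a placeholder, and the registry key and value name are the ones the Scripts.admx template maps that setting to, which you should confirm against your own ADMX files.

```powershell
# Added example (editor's, not from the thread). Sets one registry-backed policy
# value on every GPO linked at or below a search base, restricted to OUs whose
# name matches a pattern. Requires the GroupPolicy and ActiveDirectory modules.
# OU path and registry values in the usage line are placeholders / illustrative.

function Set-PolicyOnLinkedGpos {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,      # OU subtree to walk (DN)
        [Parameter(Mandatory)] [string] $OuNamePattern,   # -like pattern on the OU name
        [Parameter(Mandatory)] [string] $Key,             # e.g. 'HKCU\Software\...\Policies\System'
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] $Value,
        [Microsoft.Win32.RegistryValueKind] $Type = 'DWord',
        [switch] $WhatIf                                  # report only, change nothing
    )

    # Every OU under the search base (including the base itself) whose name matches.
    $ous = Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter * |
           Where-Object { $_.Name -like $OuNamePattern }

    $done = @{}   # a GPO linked to several matching OUs is still changed only once
    foreach ($ou in $ous) {
        # GpoLinks are the GPOs linked directly at this OU (not inherited ones).
        foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
            if ($done.ContainsKey($link.GpoId)) { continue }
            $done[$link.GpoId] = $true

            if ($WhatIf) {
                "Would set $Key\$ValueName=$Value on '$($link.DisplayName)' (linked at $($ou.DistinguishedName))"
                continue
            }
            # Writes the value into the GPO's registry.pol through the supported API.
            Set-GPRegistryValue -Guid $link.GpoId -Key $Key -ValueName $ValueName `
                -Type $Type -Value $Value | Out-Null
            "Set $Key\$ValueName=$Value on '$($link.DisplayName)' (linked at $($ou.DistinguishedName))"
        }
    }
}

# Usage (placeholder OU): enable "Run legacy logon scripts hidden" in every GPO
# linked to a Finance OU under Buildings. Registry location per Scripts.admx;
# verify against your own ADMX before relying on it. Drop -WhatIf to apply.
Set-PolicyOnLinkedGpos -SearchBase 'OU=Buildings,DC=corp,DC=example' -OuNamePattern '*Finance*' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'HideLegacyLogonScripts' -Value 1 -Type DWord -WhatIf
```

Run with -WhatIf first and read the list: because one GPO can be linked at many OUs, the script de-duplicates on GUID, and the printed "linked at" DN tells you which OU match caused a given GPO to be selected, which is what you want to review before changing tens or hundreds of them at once.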
RE: [ActiveDir] WinXP and Win2003
I would think software level testing would result in more than 50% of the cases for most people. I run about 30 machines in my home (I have probably a hundred on CDs) on a regular basis, nearly all are virtual. The only physical limitation I have run into in my VMs so far was the lack of USB support in VPC which I solved by using VMWARE. My next major hurdle is 64 bit guests for a piece of software that decided it would only be available in 64 bit, which I will again solve with VMWARE. I haven't dual booted a machine nor had a need to dual boot a machine since vmware 2 which was about 2000/2001 or so. If you start doing hardware integration testing or production perf testing, you have no choice but to use physical hardware obviously. In every test lab for business I have been involved in the last few years, the virtualized instances have far outstripped the number of physical instances.
RE: [ActiveDir] WinXP and Win2003
I would have to agree;-) At work I run completely on VMs using ESX. All my testing is done on a Dell PE1800 with about 8VMs including AD, Exchange (clustered), SQL, etc. For those looking to do simple testing of apps check out VM Player http://www.vmware.com/vmplayer You cant create VMs but you can run any pre-built VM, including MS VPC VMs. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January 01, 2006 11:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] WinXP and Win2003 I am not a big workstation OS type of person, I use XP only when I must. Longhorn seems to work ok in a VM. I do agree that it isn't the right thing for all situations, but half the people setting up dual booting blow it anyway. VM is a much simpler solution for most people. Obviousy if you are doing perf or physical hardware related testing it is tough. Heck even if you want USB you can't use VPC, you use vmware instead. If you want to test 64 bit you are kind of screwed too, oh wait vmware workstation does that as well... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, January 01, 2006 1:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] WinXP and Win2003 Hehe. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. I agree, dual-booting is not the optimal method to running different OSs, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed I think dual booting still has a very strong place in the testing / learning environment. And, make no mistake this is coming from a guy that when on the road, has a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I love virtualization. Its just not the right thing for all situations. 
Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time, I have done this often. You did use different directories for the installations right? Anymore, dual booting is going the way of the dodo; the new thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine name to different names in each OS but the same thing happens. Is there a way to do that? (log in to the domain using both OSes without having to disjoin?) Thank you
RE: [ActiveDir] icmp's
I don't often find myself in the position of defending the Exchange folks but this isn't just an Exchange thing, the ICMP echo has been an "are you alive" test for a very long time. I understand why they do it, I have written several scripts and tools that do something similar. It can be considerably faster. When you are testing suitability or capability of a bunch of systems, sending an ICMP ping to see if the machine is live is considerably faster in many circumstances than sending higher level calls, both for machines that are live or dead. This is especially true if using netbios calls, in that case querying can cause a system to hang where a simple ICMP ping tells you right away if you should even bother.

Blocking all ICMP in an internal network is generally silly in my opinion unless something is abusing it at the time. It is often a thoughtless reactive, "well we will certainly stop those viruses" knee jerk. It's like stripping all zip files in an email system because a virus is operating through zips. We don't have a better way and we don't have the ability and/or time to think up a better way so let's get out the sledgehammer...

Once you use ICMP you can go on to use higher level forms of testing. It is also a great way for diagnosticians to try and work out network issues... is ICMP ECHO getting through? No, well then we don't have to look at complicated upper level issues, we can focus on core basic network connectivity.

One thing the Exchange folks did that I am not in agreement with is if a DC is a config DC and is operating poorly Exchange will really avoid switching for config functionality if the ping is still there. That isn't a stateless connection so I can understand the reluctance but it can be a serious pain at times.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. Which, I always thought was a pretty funny way of doing things anyway. As you are well aware, Ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive (along with all of the other really important stuff).

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as "legacy".
I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. Test it. You'll know for sure then right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

would this also affect clients from getting logon scripts? and when I say logon scripts, I mean the legacy way of distributing them, NOT thru GPOs. Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
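The point Rick and joe make in the exchange above (an echo reply proves the IP stack is up, nothing more; a DC can answer ping while LDAP on 389 and the global catalog on 3268 are dead, and the cheap probe is still worth running first as a gate) can be written down as a small tiered health check. The following is an added example, not code from the list thread or from any Microsoft tool. The three host names and the probe results in the demo are constructed; the real probes use the OS `ping` command and a TCP connect, and both are injectable so the decision logic runs offline.

```python
"""Tiered domain-controller health check: reachability first, then the services.

Added example for the ActiveDir discussion; not code from the thread. The cheap
probe (one ICMP echo) gates the expensive ones (TCP connects to the ports a
client actually depends on), and a host that answers ping but has a closed
service port is reported as 'degraded', the "dead from the neck up" case.
"""
import platform
import socket
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

LDAP_PORT = 389
GC_PORT = 3268
DC_PORTS = (LDAP_PORT, GC_PORT)


@dataclass
class HostStatus:
    host: str
    reachable: bool
    ports: Dict[int, bool] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        """'down' = no echo reply; 'degraded' = pings but a service port is
        closed; 'healthy' = reachable and every probed port accepts connections."""
        if not self.reachable:
            return "down"
        if not all(self.ports.values()):
            return "degraded"
        return "healthy"


def ping_reachable(host: str, timeout_s: float = 2.0) -> bool:
    """Real reachability probe: one echo request via the OS ping command, so no
    raw-socket privilege is needed. Exit code 0 means a reply came back."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_port_open(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """Real service probe: a completed TCP handshake on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def check_dc(host: str,
             reach_probe: Callable[[str], bool] = ping_reachable,
             port_probe: Callable[[str, int], bool] = tcp_port_open,
             ports: Iterable[int] = DC_PORTS) -> HostStatus:
    """Gate on the cheap probe; spend the longer timeouts only on hosts that answered."""
    status = HostStatus(host=host, reachable=reach_probe(host))
    if not status.reachable:
        return status
    for port in ports:
        status.ports[port] = port_probe(host, port)
    return status


def triage(hosts: List[str],
           reach_probe: Callable[[str], bool] = ping_reachable,
           port_probe: Callable[[str, int], bool] = tcp_port_open) -> Dict[str, str]:
    """Verdict per host; only 'healthy' DCs should be handed to anything that needs LDAP."""
    return {h: check_dc(h, reach_probe, port_probe).verdict for h in hosts}


if __name__ == "__main__":
    # Constructed probe results for three hypothetical DCs (no network needed):
    fake_ping = {"dc1": True, "dc2": True, "dc3": False}
    fake_ports = {("dc1", 389): True, ("dc1", 3268): True,
                  ("dc2", 389): True, ("dc2", 3268): False}
    print(triage(["dc1", "dc2", "dc3"],
                 reach_probe=fake_ping.__getitem__,
                 port_probe=lambda h, p: fake_ports[(h, p)]))
```

Against real hosts, call `triage(["dc1.example", ...])` with the default probes. The design choice worth noting is the ordering: the port probes never run against a host that failed the echo gate, which is exactly the speed argument joe makes, while the verdict still refuses to call a host healthy on ping alone.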
Re: [ActiveDir] WinXP and Win2003
On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:

Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. I agree, dual-booting is not the optimal method of running different OSes, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed – I think dual booting still has a very strong place in the testing / learning environment. And, make no mistake – this is coming from a guy that when on the road, has a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I love virtualization…. It's just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time, I have done this often. You did use different directories for the installations right? Anymore, dual booting is going the way of the dodo; the new thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine name to different names in each OS but the same thing happens. Is there a way to do that? (log in to the domain using both OSes without having to disjoin?) Thank you

--
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
[EMAIL PROTECTED]
Re: [ActiveDir] WinXP and Win2003
~ Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. ~

That's what dedicated systems are for. :) Sure, a VM is not the best option here, depending on what aspect of the OS is being tested, but in that case, using a totally separate hard drive or some other separation technology will still likely prove to be more viable than dual-booting.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:

Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. I agree, dual-booting is not the optimal method of running different OSes, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed – I think dual booting still has a very strong place in the testing / learning environment. And, make no mistake – this is coming from a guy that when on the road, has a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I love virtualization…. It's just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time, I have done this often. You did use different directories for the installations right? Anymore, dual booting is going the way of the dodo; the new thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list, I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSes is disconnected from the domain, meaning if I want to log in to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and log in. Locally I can log in to both machines no problem. The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine name to different names in each OS but the same thing happens. Is there a way to do that? (log in to the domain using both OSes without having to disjoin?) Thank you
RE: [ActiveDir] icmp's
The whole block ICMP thing is I think in many ways dating to the Blaster and Nachi outbreaks when routers were getting driven to 100% CPU as hundreds of machines were slamming ICMP and RPC traffic across them. Newer gear has the ability to rate limit ICMP traffic. All your admins need to do is rate limit ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the event you have an outbreak because you don't do patch management, go in the router and set the drop limit to something like 64kb/sec or worst case put the ACL to shut down ICMP all together. Either way you're better off than no ICMP 24/7

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I don't often find myself in the position of defending the Exchange folks but this isn't just an Exchange thing, the ICMP echo has been an "are you alive" test for a very long time. I understand why they do it, I have written several scripts and tools that do something similar. It can be considerably faster. When you are testing suitability or capability of a bunch of systems, sending an ICMP ping to see if the machine is live is considerably faster in many circumstances than sending higher level calls, both for machines that are live or dead. This is especially true if using netbios calls, in that case querying can cause a system to hang where a simple ICMP ping tells you right away if you should even bother.

Blocking all ICMP in an internal network is generally silly in my opinion unless something is abusing it at the time. It is often a thoughtless reactive, "well we will certainly stop those viruses" knee jerk. It's like stripping all zip files in an email system because a virus is operating through zips. We don't have a better way and we don't have the ability and/or time to think up a better way so let's get out the sledgehammer...
Once you use ICMP you can go on to use higher level forms of testing. It is also a great way for diagnosticians to try and work out network issues... is ICMP ECHO getting through? No, well then we don't have to look at complicated upper level issues, we can focus on core basic network connectivity.

One thing the Exchange folks did that I am not in agreement with is if a DC is a config DC and is operating poorly Exchange will really avoid switching for config functionality if the ping is still there. That isn't a stateless connection so I can understand the reluctance but it can be a serious pain at times.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. Which, I always thought was a pretty funny way of doing things anyway. As you are well aware, Ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive (along with all of the other really important stuff).

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it.
If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as "legacy". I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary but: the "legacy" method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them.
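Brian's "rate limit and drop on exceed" suggestion is a token-bucket policer, and the difference between that and a blanket ICMP block is easier to see on a simulated packet stream than in prose. The block below is an added example, not code from the thread or from any router vendor's configuration. It keeps one bucket per source address (an assumption made for the example; a router's interface-level policer would share one bucket) so that a worm-infected host burning through its allowance does not also starve a monitoring host's once-a-second pings. The two host addresses and the traffic pattern are constructed.

```python
"""Token-bucket ICMP policer: rate limit with drop-on-exceed versus a blanket block.

Added example for the ActiveDir discussion; not code from the thread. It models
the per-packet decision a router makes: tokens refill at the configured rate,
a packet passes only if enough tokens remain, otherwise it is dropped.
Buckets are per source address here (assumption for the example).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int]   # (time in seconds, source address, size in bytes)


class TokenBucket:
    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate_bytes = rate_bps / 8.0   # refill rate, bytes per second
        self.burst = burst_bytes           # bucket capacity
        self.tokens = float(burst_bytes)   # starts full
        self.last = 0.0

    def allow(self, now: float, size: int) -> bool:
        """Refill for the elapsed time, then pass the packet only if it fits."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets: List[Packet], rate_bps: float, burst_bytes: int) -> Dict[str, Dict[str, int]]:
    """Run a per-source policer over a packet list; count passed/dropped per source."""
    buckets: Dict[str, TokenBucket] = {}
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"passed": 0, "dropped": 0})
    for when, src, size in sorted(packets, key=lambda p: p[0]):
        bucket = buckets.setdefault(src, TokenBucket(rate_bps, burst_bytes))
        counts[src]["passed" if bucket.allow(when, size) else "dropped"] += 1
    return dict(counts)


def outbreak_stream(seconds: int = 10) -> List[Packet]:
    """Constructed traffic: a monitoring host (10.1.0.5) sends one 84-byte echo
    request per second; an infected host (10.1.4.25) sweeps at 2000 echoes/s,
    roughly 1.3 Mb/s of ICMP. Both addresses are hypothetical."""
    monitor = [(float(t), "10.1.0.5", 84) for t in range(seconds)]
    infected = [(i / 2000.0, "10.1.4.25", 84) for i in range(2000 * seconds)]
    return monitor + infected


def simulate(rate_bps: float, burst_bytes: int = 8400) -> Dict[str, Dict[str, int]]:
    """Policer verdicts for the constructed outbreak at the given ICMP allowance."""
    return police(outbreak_stream(), rate_bps, burst_bytes)


if __name__ == "__main__":
    # 512 kb/s normal limit, 64 kb/s outbreak limit, and the blanket block for comparison.
    print("512 kb/s :", simulate(512_000))
    print(" 64 kb/s :", simulate(64_000))
    print("blocked  :", simulate(0, burst_bytes=0))
```

At 512 kb/s the infected host gets roughly the first 160 packets of its burst through and then about 38% of the rest (32 bytes of refill per 84-byte packet), while the monitor's ten pings all pass; at 64 kb/s the infected host is cut to about 5%. The blanket block is the only setting that also silences the monitor, which is the thread's point about being better off than "no ICMP 24/7".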
RE: [ActiveDir] icmp's
Yep, something else I have seen in smarter networking environments is a honeypot system where you trap all ICMP traffic bound for non-routable internal networks and then a script that shuts the ports down on the switches of the machines sending that traffic. Someone with an infected machine who all of a sudden can't get network connectivity is bound to yell for help at which point the boys with the stuffed pillow cases show up

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 01, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

The whole block ICMP thing is I think in many ways dating to the Blaster and Nachi outbreaks when routers were getting driven to 100% CPU as hundreds of machines were slamming ICMP and RPC traffic across them. Newer gear has the ability to rate limit ICMP traffic. All your admins need to do is rate limit ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the event you have an outbreak because you don't do patch management, go in the router and set the drop limit to something like 64kb/sec or worst case put the ACL to shut down ICMP all together. Either way you're better off than no ICMP 24/7

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I don't often find myself in the position of defending the Exchange folks but this isn't just an Exchange thing, the ICMP echo has been an "are you alive" test for a very long time. I understand why they do it, I have written several scripts and tools that do something similar. It can be considerably faster. When you are testing suitability or capability of a bunch of systems, sending an ICMP ping to see if the machine is live is considerably faster in many circumstances than sending higher level calls, both for machines that are live or dead.
This is especially true if using netbios calls, in that case querying can cause a system to hang where a simple ICMP ping tells you right away if you should even bother.

Blocking all ICMP in an internal network is generally silly in my opinion unless something is abusing it at the time. It is often a thoughtless reactive, "well we will certainly stop those viruses" knee jerk. It's like stripping all zip files in an email system because a virus is operating through zips. We don't have a better way and we don't have the ability and/or time to think up a better way so let's get out the sledgehammer...

Once you use ICMP you can go on to use higher level forms of testing. It is also a great way for diagnosticians to try and work out network issues... is ICMP ECHO getting through? No, well then we don't have to look at complicated upper level issues, we can focus on core basic network connectivity.

One thing the Exchange folks did that I am not in agreement with is if a DC is a config DC and is operating poorly Exchange will really avoid switching for config functionality if the ping is still there. That isn't a stateless connection so I can understand the reluctance but it can be a serious pain at times.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. Which, I always thought was a pretty funny way of doing things anyway. As you are well aware, Ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive (along with all of the other really important stuff).
Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out). Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To:
RE: Re: [ActiveDir] icmp's
Random input below

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and rambled: "Huh? Can you explain both statements, joe?"

First statement being, I would rather not set domain policies in GPOs... I am referring to actual domain policy, not a policy applied to all machines in the domain. You know, the original meaning of domain policy. Pushing any policy to domain controllers that has to do with configuration of AD is asinine in my opinion, you already have a mechanism to push those changes through the environment. You don't need to use another one. Also it is a point of confusion for tons and tons of people. There should be a clear divisor between true domain policy and a policy that gets applied to each individual machine.

[Darren Mar-Elia] If you're referring to using stuff like Restricted Groups policy to control domain-based group membership, then I agree and in fact it's definitely a bad idea. The thing I don't like is that there really isn't any decent way to remove that capability out of the box. I could see value in using GP to control certain AD config settings, just so that you could have a common interface for all Windows configuration settings, but GP processing should be smart enough to say, hey, I'll only apply these domain changes to the PDC emulator and let AD replicate them out, or something like that.

Second statement being programmatically handling settings in policies... You can't set GPO settings programmatically unless you reverse the format of the policy information in sysvol. All you can do is backup/restore/export/import/enable/disable.
What if I want to take all policies under the OU Buildings (which could be tens, hundreds, or thousands of policy files) and set one setting, for the sake of argument say password policy for local machines is equal to some set of values based on the specific OU name that the policy is applied to (say it has finance in the name of the OU), how will you do that programmatically without directly hacking the policy files which last I heard wasn't supported?

[Darren Mar-Elia] Agreed that an API into policy settings would be great. I've only asked about 55 times and it still isn't on the horizon. Why? Mostly because there is no standard within GP around how settings are stored. Since separate product teams originally wrote the various client side extensions, without any standard storage format, we are in the mess we have today and they'd basically have to re-write all of GP to make that happen, or build some interface that abstracts each of the various storage formats into a common API--in either case, not a small amount of work. That being said, it has not slowed down several ISVs from figuring out the storage formats and using it in their products to essentially give different interfaces into GP. It is do-able if you have a reasonable amount of programming experience.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Re: [ActiveDir] icmp's

joe stood up and attempted to smack Mark Parris with a large trout, saying: I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

Huh? Can you explain both statements, joe? I understand the context of the first, but not why. The second I just am not sure what you're getting at. Help out an old haggard road warrior.
;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead) or our trusted source... Al? :o)

Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users nor machines so didn't need the sorting capability of GPOs. Overall I am ok level happy with having a default domain GPO and default dc GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article Enterprise logon scripts By default, logon scripts written as
RE: Re: [ActiveDir] icmp's
Darren and I have had offline chats about this before so I know we are quite in sync on our thoughts. That is one of the reasons I am brave enough to spout them, if Darren isn't beating me up on my GPO thoughts they can't be too far off base. He is the GPOGUY after all. :o) http://www.gpoguy.com/ BTW, I didn't see Darren say it, but I just found today that he has started blogging... http://blogs.dirteam.com/blogs/gpoguy/.

But back to this stuff... I agree that the common interface is nice, but don't fully believe the info needs to be written to a policy file in sysvol since you have the DCs right there to write the info into AD. But alas, as you mention, we are talking decent reworking of how things work and that includes parts of AD to really do it cool especially in terms of restricted AD groups. I do believe that for some of the stuff, code is now in there to force the change to only occur on the PDC. I am not sure when the change occurred but I am guessing K3 but I was trying to chase some code a month or two back in the Windows source tree and it appeared there was some code in the GPO processing that was looking for a PDC in order to make changes. I ran out of time and never went back to it though.

RE the API for settings. It is kind of sad how that wasn't/hasn't/may not be implemented. It seems like it would have been easiest way for MS to have done things for themselves as well. I do agree that it is possible to reverse it out and figure out how to do it. Of course we aren't supposed to but that doesn't stop progress in the MS world. Eventually someone at MS will see what someone else is doing with their tech and say hey that is pretty cool, let's do that now.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, January 01, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Random input below

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and rambled: "Huh? Can you explain both statements, joe?"

First statement being, I would rather not set domain policies in GPOs... I am referring to actual domain policy, not a policy applied to all machines in the domain. You know, the original meaning of domain policy. Pushing any policy to domain controllers that has to do with configuration of AD is asinine in my opinion, you already have a mechanism to push those changes through the environment. You don't need to use another one. Also it is a point of confusion for tons and tons of people. There should be a clear divisor between true domain policy and a policy that gets applied to each individual machine.

[Darren Mar-Elia] If you're referring to using stuff like Restricted Groups policy to control domain-based group membership, then I agree and in fact it's definitely a bad idea. The thing I don't like is that there really isn't any decent way to remove that capability out of the box. I could see value in using GP to control certain AD config settings, just so that you could have a common interface for all Windows configuration settings, but GP processing should be smart enough to say, hey, I'll only apply these domain changes to the PDC emulator and let AD replicate them out, or something like that.

Second statement being programmatically handling settings in policies... You can't set GPO settings programmatically unless you reverse the format of the policy information in sysvol. All you can do is backup/restore/export/import/enable/disable.
What if I want to take all policies under the OU Buildings (which could be tens, hundreds, or thousands of policy files) and set one setting, for the sake of argument say password policy for local machines is equal to some set of values based on the specific OU name that the policy is applied to (say it has finance in the name of the OU), how will you do that programmatically without directly hacking the policy files which last I heard wasn't supported?

[Darren Mar-Elia] Agreed that an API into policy settings would be great. I've only asked about 55 times and it still isn't on the horizon. Why? Mostly because there is no standard within GP around how settings are stored. Since separate product teams originally wrote the various client side extensions, without any standard storage format, we are in the mess we have today and they'd basically have to re-write all of GP to make that happen, or build some interface that abstracts each of the various storage formats into a common API--in either case, not a small amount of work. That being said, it has not slowed down several ISVs from figuring out the storage formats and using it in their products to essentially give different interfaces into GP. It is do-able if you have a reasonable amount of programming experience.
RE: [ActiveDir] icmp's
Yeah, that's called a darknet or something like that. A classic one is where you take a random sampling of your public IP space that you're not using, and set up a box out there in the perimeter to log any traffic to it. All that traffic is essentially bad since the IPs aren't in use. Then you have some dynamic manner of updating the rules in your firewall rulebase or the ACLs on your routers or what have you to just drop traffic from whatever source for a period of time.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

Yep, something else I have seen in smarter networking environments is a honeypot system where you trap all ICMP traffic bound for non-routable internal networks and then a script that shuts the ports down on the switches of the machines sending that traffic. Someone with an infected machine who all of a sudden can't get network connectivity is bound to yell for help at which point the boys with the stuffed pillow cases show up

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 01, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

The whole block ICMP thing is I think in many ways dating to the Blaster and Nachi outbreaks when routers were getting driven to 100% CPU as hundreds of machines were slamming ICMP and RPC traffic across them. Newer gear has the ability to rate limit ICMP traffic. All your admins need to do is rate limit ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the event you have an outbreak because you don't do patch management, go in the router and set the drop limit to something like 64kb/sec or worst case put the ACL to shut down ICMP all together.
Either way you're better off than no ICMP 24/7.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of joe Sent: Sun 1/1/2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] icmp's

I don't often find myself in the position of defending the Exchange folks, but this isn't just an Exchange thing; the ICMP echo has been an "are you alive" test for a very long time. I understand why they do it, I have written several scripts and tools that do something similar. It can be considerably faster. When you are testing suitability or capability of a bunch of systems, sending an ICMP ping to see if the machine is live is considerably faster in many circumstances than sending higher level calls, both for machines that are live or dead. This is especially true if using netbios calls; in that case querying can cause a system to hang, where a simple ICMP ping tells you right away if you should even bother. Blocking all ICMP in an internal network is generally silly in my opinion unless something is abusing it at the time. It is often a thoughtless reactive, "well, we will certainly stop those viruses" knee jerk. It's like stripping all zip files in an email system because a virus is operating through zips. We don't have a better way and we don't have the ability and/or time to think up a better way, so let's get out the sledgehammer... Once you use ICMP you can go on to use higher level forms of testing. It is also a great way for diagnosticians to try and work out network issues... is ICMP ECHO getting through? No? Well then we don't have to look at complicated upper level issues, we can focus on core basic network connectivity. One thing the Exchange folks did that I am not in agreement with is if a DC is a config DC and is operating poorly, Exchange will really avoid switching for config functionality if the ping is still there. That isn't a stateless connection so I can understand the reluctance, but it can be a serious pain at times.
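The darknet-to-firewall loop Brian describes above (log anything that touches unused address space, then drop the source for a while), as an added Python example that is not from this thread: the sensor log format, the darknet prefixes, the hit threshold, the ACL syntax and the 30-minute block window are all constructed assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed: address space we own but deliberately leave unused; the sensor listens here.
DARKNET = [ipaddress.ip_network("203.0.113.0/26"),
           ipaddress.ip_network("198.51.100.128/25")]
MIN_HITS = 3                       # one stray packet is noise; a burst looks like a scanner
BLOCK_FOR = timedelta(minutes=30)  # drop "for a period of time", not forever

# Constructed sensor log lines: "<ISO timestamp> <src> -> <dst> <proto>"
SAMPLE_LOG = """\
2006-01-01T18:20:01 192.0.2.10 -> 203.0.113.5 icmp
2006-01-01T18:20:02 192.0.2.10 -> 203.0.113.6 icmp
2006-01-01T18:20:03 192.0.2.10 -> 203.0.113.7 icmp
2006-01-01T18:21:00 192.0.2.77 -> 198.51.100.200 tcp/135
2006-01-01T18:22:15 192.0.2.77 -> 203.0.113.9 icmp
2006-01-01T18:22:16 192.0.2.77 -> 203.0.113.10 icmp
2006-01-01T18:25:00 192.0.2.50 -> 198.51.100.10 tcp/80
"""

def parse_line(line):
    ts, src, _, dst, proto = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto

def find_offenders(log_text, min_hits=MIN_HITS):
    """Map source -> (hits, last_seen) for sources that touched darknet space >= min_hits times."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _ = parse_line(line)
        if any(dst in net for net in DARKNET):   # nothing legitimate lives there
            n, _ = hits.get(src, (0, ts))
            hits[src] = (n + 1, ts)
    return {s: v for s, v in hits.items() if v[0] >= min_hits}

def block_rules(offenders, block_for=BLOCK_FOR):
    """(source, expiry, rule text) per offender; the ACL syntax is illustrative only."""
    rules = []
    for src, (n, last_seen) in sorted(offenders.items(), key=lambda kv: str(kv[0])):
        expiry = last_seen + block_for
        rules.append((str(src), expiry,
                      f"deny ip host {src} any  ! darknet hits={n}, expires {expiry:%H:%M}"))
    return rules

def active_rules(rules, now):
    """Rules still in force at 'now'; anything expired should be pulled from the rulebase."""
    return [r for r in rules if r[1] > now]
```

The 192.0.2.50 host never appears in the output because its only destination is outside the darknet ranges, which is the whole point of the sensor: a hit on unused space needs no further signature to be suspicious.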
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, January 01, 2006 1:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] icmp's

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. Which I always thought was a pretty funny way of doing things anyway. As you are well aware, ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up, and ports 389 and 3268 were non-responsive (along with all of the other really important stuff).

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, January
