[ActiveDir] happy new year

2006-01-01 Thread tareq ttttttt
Dear all, happy new year. I hope this year has more success for all. Thank you...

[ActiveDir] Solution

2006-01-01 Thread tareq ttttttt
Dear All,

do you have any solution or idea for clustering two ADs with the same name?

for example:

server 1: soft.com
server 2: soft.com

thank you...

[ActiveDir] WinXP and Win2003

2006-01-01 Thread shereen naser
Hi list,
I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only login to the domain if one of the OS's is disconnected from the domain, meaning if I want to login to Windows 2003 I have to go to Windows XP and disjoin the machine from the domain, then restart and login to the domain in Windows 2003; if I want to login to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and login. Locally I can login to both machines no problem. The error is that the computer account is not found on the domain when I try to login and both OSes are joined to the domain. I tried to rename the machine name to different names in each OS but the same thing happens. Is there a way to do that? (login to the domain using both OS's without having to disjoin?)

Thank you


RE: [ActiveDir] DNS SRV records

2006-01-01 Thread Almeida Pinto, Jorge de
what you could do is:
 
* make sure only the main central hub registers domain wide and site wide DC 
locator records
* make sure regional hubs only register site wide DC locator records and NOT 
domain wide DC locator records
* make sure remote offices only register site wide DC locator records and NOT 
domain wide DC locator records
* Leave the priority of the central hub DCs as is
* Configure a higher priority value for regional hub DCs
* Leave the priority of the remote site DCs as is
* Configure regional hub DCs to additionally cover the corresponding lower 
remote sites
 
This way:
* If regional hub DCs fail clients/servers go to the main central hub when 
these query for DCs in the domain
* If remote site DCs fail clients/servers will first go to the corresponding 
upper regional hub as these also cover the remote site and second these will go 
to the main central hub when these query for DCs in the domain
 
This configuration could be realized using GPOs with group filtering or sub-OUs 
below the Domain Controllers OU (one OU with the DCs of all remote sites, which do 
not register domain wide DC locator records, AND one OU per regional hub with 
DCs that do not register domain wide DC locator records, have a higher 
priority value for the SRV RR and additionally cover the lower remote sites), or site 
GPOs using WMI filtering, or a combination of what is mentioned.
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Sat 2005-12-31 13:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS SRV records


1)
AFAIK, Site is an Active Directory-specific concept, and AD is Directory (LDAP), 
Authentication server (Kerberos) etc. These services are published by AD in DNS 
thru SRV records in _sites._msdcs for each site and it covers them all... 
(LDAP, DC, GC, Kerberos, Kpassword) 
 
so I was curious what applications would actually just read sitename from AD 
and look for a service not offered by DC in that site? AD based distributed 
applications (other than exchange) ?
 
2)
DNS priorities, I know by default, it's only possible on a per-DC basis thru the registry.
I was hoping it was more customizable, even if it was not officially documented.
 
Basically we do have hub and spoke stuff. We have a central hub and then at its 
spokes regional hubs, and at their spokes individual remote sites. (This is 
highly simplified, as there are load balancing links across regions, away from the 
central hub, so I would say it's a mesh between center and regional sites and 
then hub and spokes at region and remote sites.) 
 
Now, in case of DC failure at remote site, clients would go to any regional or 
Central hub DC, and not necessarily its nearest regional hub DC.
 
With priority only per DC basis, I would have to create mess of priorities to 
achieve what I want. And it would be complex.
 
One solution I thought of was to publish regional hub DCs in their spoke DCs with 
lower priority. 
This would surely give me some control over where remote sites go for 
authentication. But this would not help cover DC failure at region level.
 
Basically, I want to totally control the list of DCs referred to clients at 
each site and in what order they are referred.  So, per DC per Site priority 
setting would have been ideal.
 
I am open to other possible solutions.
 
--
Kamlesh
 
On 12/31/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: 

_sites.dc._msdcs.DNSDomainName is for locating a DC (hence the 
_msdcs) that hosts a certain service in a certain site 
_sites.DnsDomainName is for locating a SERVER (does not need to be a 
DC) that hosts a certain service in a certain site

for more info on service resource records see:

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_sdns.asp

DNS priorities are on a per DC basis, and not on a per DC per site 
basis. 

It is not possible to configure a different priority for the same DC 
covering another site.

Why do you want to do that?

if clients cannot find a DC in a site by querying for 
_ldap._tcp.SiteName._sites.DnsDomainName 
the client will search for a DC in the domain by querying for 
_ldap._tcp.dc._msdcs.DnsDomainName

If you have a hub-and-spoke site topology it is OK to configure all 
spoke DCs (branches) NOT to register domain wide DC locator records and only 
let HUB DCs register those records 

Jorge



From: [EMAIL PROTECTED] on behalf of Kamlesh Parmar
Sent: Fri 2005-12-30 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS SRV records



From my limited knowledge of how AD uses SRV records, I have two 
queries.

1) 
Why 
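As an added illustration, not code from the thread, here is a Python model of the locator behaviour Jorge describes: a client queries the site-specific SRV name first and the domain-wide _msdcs name only if no DC in the site answers, with lower priority values tried first and equal priorities picked by weight. The zone data, domain name, site names and DC names are constructed for the example.

```python
"""Model of the DC-locator fallback discussed in this thread (constructed example).

Jorge's scheme: only the central hub registers domain-wide records, regional
hub DCs carry a higher (less preferred) priority value, and they additionally
cover the remote sites below them. A client tries the site-specific name
first and falls back to the domain-wide name only when nothing in the site
answers. Within one answer, records are ordered by ascending priority, and
equal-priority records are chosen by weighted random selection (RFC 2782).
"""
import random
from typing import Dict, List, Optional, Set, Tuple

DOMAIN = "corp.example"          # constructed domain name
SrvRecord = Tuple[int, int, str]  # (priority, weight, target DC)

# Constructed zone; owner names follow the record forms quoted in the thread.
ZONE: Dict[str, List[SrvRecord]] = {
    # Domain-wide DC locator records: central hub only.
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [(0, 100, "hub-dc1"), (0, 100, "hub-dc2")],
    # Site-wide records, one owner name per site.
    f"_ldap._tcp.Central._sites.{DOMAIN}": [(0, 100, "hub-dc1"), (0, 100, "hub-dc2")],
    f"_ldap._tcp.RegionA._sites.{DOMAIN}": [(100, 100, "regA-dc1"), (100, 100, "regA-dc2")],
    # Remote site: its own DC at priority 0 plus the covering regional hub DCs
    # at priority 100, so they are used only when the local DC is unavailable.
    f"_ldap._tcp.RemoteA1._sites.{DOMAIN}": [
        (0, 100, "remA1-dc1"), (100, 100, "regA-dc1"), (100, 100, "regA-dc2")],
}
ALL_DCS = {"hub-dc1", "hub-dc2", "regA-dc1", "regA-dc2", "remA1-dc1"}


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[str]:
    """Return targets in RFC 2782 order: ascending priority, weighted random within."""
    ordered: List[str] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))  # inclusive upper bound
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec[2])
                    pool.remove(rec)
                    break
    return ordered


def locate_dc(site: str, alive: Set[str],
              rng: random.Random) -> Tuple[Optional[str], List[str]]:
    """Two-step lookup: site-specific name first, then the domain-wide name.

    Returns (first DC that answers, or None; list of SRV names queried).
    `alive` is the set of DCs that currently respond; all others count as failed.
    """
    queried: List[str] = []
    for name in (f"_ldap._tcp.{site}._sites.{DOMAIN}",
                 f"_ldap._tcp.dc._msdcs.{DOMAIN}"):
        queried.append(name)
        for target in order_srv(ZONE.get(name, []), rng):
            if target in alive:
                return target, queried
    return None, queried


def simulate(site: str, failed, seed: int = 1) -> Tuple[Optional[str], List[str]]:
    """Run locate_dc for a client in `site` with the given DCs marked as failed."""
    return locate_dc(site, ALL_DCS - set(failed), random.Random(seed))


if __name__ == "__main__":
    for failed in ([], ["remA1-dc1"], ["remA1-dc1", "regA-dc1", "regA-dc2"]):
        dc, names = simulate("RemoteA1", failed)
        print(f"failed={failed or 'none'} -> {dc} after querying {names}")
```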

[ActiveDir] OT: Request for Test AD Population Data

2006-01-01 Thread Mark Parris
Happy New Year to all.

Does anyone know where I can obtain generic user data for importing into
various AD's. I am starting to improve my knowledge on the concept of Meta
directories and I want a little bit more information in the user fields than
User1, 2, 3 etc.

Regards

Mark



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Solution

2006-01-01 Thread Al Mulnick
Can you expand on the question? AD isn't designed for clustering per se. It's a distributed application that doesn't really need that. Perhaps you have some other requirement than just AD availability? 

Al



Re: [ActiveDir] icmp's

2006-01-01 Thread Al Mulnick
I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them. 


Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that.

Al
On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it.

Isn't that the way it's referred to in MS-speak?

I hope i didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

would this also affect clients from getting logon scripts?
and when i say logon scripts, i mean the legacy way of distributing them, NOT thru GPO's.

Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

You need to enable ICMP echo source clients dest dc's, and icmp echo-reply source dc's dest clients.

The rules look something like this:

access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking icmp packets on all vlans have on win2k/xp client logons in a win2k forest?

any?

I know clients ping dc's to see which responds first and later ping dc's to determine round trip time for GPO processing, but would blocking icmp's have any adverse effects on clients?

I only ask because my corp blocks icmp's on all our vlans and i get a lot of event id 1000 from Userenv with error code 59, which when i looked it up, refers to network connectivity issues. i think this event id is related to the fact we block icmp packets and i was wondering if that's something i should worry about in a win2k network.

Thanks


Re: [ActiveDir] icmp's

2006-01-01 Thread Tom Kern
I thought i read somewhere in some MS doc it being referred to as legacy since now you can put multiple logon scripts in GPO's and that they recommend doing it that way.

every time a new OS or feature comes out, MS tends to refer to the previous os/feature as legacy or down-level.
maybe i just made a silly assumption that using a logon script as a user attribute (i guess somewhat similar to the way NT did it) instead of a GPO was legacy.
thanks



RE: Re: [ActiveDir] icmp's

2006-01-01 Thread Mark Parris








This is from the Microsoft article "Enterprise logon scripts":

By default, logon scripts written as either .bat or .cmd files (so-called "legacy" logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the "Run legacy logon scripts hidden" policy. This ensures that all legacy logon scripts run in a hidden window.

Mark
RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread joe



I have no clue why it wouldn't allow you to have different names for the OSes and then both can be joined at the same time; I have done this often. You did use different directories for the installations, right?

Anymore, dual booting is going the way of the dodo; the "new" thing is to use virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of shereen 
naserSent: Sunday, January 01, 2006 6:01 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] WinXP and 
Win2003

Hi list,
I have windows xp sp 2 on my machine, I need to test something so I 
installed windows 2003 server enterprise edition R2 on the same machine same 
hard disk, I can see the dual boot screen and choose the OS, but I can only 
login to the domain if one of the OS's is disconnected from the domain, meaning 
if I want to login to the windows 2003 I have to go to the windows xp and 
disjoin the machine from the domain then restart and login to the domain in 
windows 2003, if I want to login to winxp I go to windows 2003 and disjoin it 
from the domain then restart and join the xp to the domain and login, locally I 
can login to both machines no problem. the error is that the computer account is 
not found on the domain when I try to login and both OSes are joined to the 
domain. I tried to rename the machine name to different names in each OS but 
same thing happens. is there a way to do that? (login to domain using both OS's 
without having to disjoin?) 
Thank you


RE: Re: [ActiveDir] icmp's

2006-01-01 Thread joe




Come on, who ya going to believe? Microsoft, who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead), or our trusted source... Al?

:o)

Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users nor machines, so I didn't need the sorting capability of GPOs. Overall I am ok-level happy with having a default domain GPO and default DC GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.






Re: [ActiveDir] WinXP and Win2003

2006-01-01 Thread ASB
Did you originally use different names, or the same name for each computer?

And I agree with Joe:   Dual-booting is becoming obsolete.

http://www.ultratech-llc.com/KB/?File=BootMgr.TXT



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/




RE: [ActiveDir] icmp's

2006-01-01 Thread joe



I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on icmp in the logon script (many of us did that long before MS did it for those who didn't figure it out).

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away even though none of my local DCs are available if things go pear shaped.






RE: [ActiveDir] directory validation

2006-01-01 Thread joe



That is actually sort of what I was thinking, use the tool 
or another tool that does migration work and see if you can disable the "for 
real" switch and then just let it tell you what it thinks needs to be 
done.

Otherwise, you get to whip out your scripting skills and 
put together a little script to start comparing things. I don't even think I 
would have hesitated, I would have just started scripting. That's why we get the 
big bucks. ;o)

The script could simply dump the important info from the 
two directories and let WINDIFF do the comparison work or you could do the 
compare in the script itself. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Saturday, December 31, 2005 3:48 PM
To: [EMAIL PROTECTED]sedir.org
Subject: Re: [ActiveDir] directory validation

Sorry Tom, itchy send finger :)

I meant to add on that ADMT might be a useful tool for you. IIRC, 
ADMT has a report mode (Quest may as well, and you would do well to check into 
it prior) that you could run to see if the target already exists. Does 
that meet your criteria of success? I don't know because that would depend 
on your criteria of a successful migration. Will it help? I think 
so. 

Scripts could be used as well, but I think something like a migration tool 
already in place that is run in report mode would be much better in terms of 
time spent. 

Al
On 12/31/05, Al Mulnick [EMAIL PROTECTED] wrote:

  i guess sidHistory is the "join criteria" in this 
  case and would work well?
  
  sidHistory is usually a good criteria as it should only exist on one 
  object in the target and one object in the source. sidHistory is a 
  unique identifier and since it was a migration, that should be useful in 
  figuring out what in the source is now in the target. I will say that 
  it's a horrible idea to undertake a migration and still put items in the 
  source forest waiting for some sunset event of the source forest. It 
  might be a good idea to suggest that they rethink that strategy in favor of 
  using the new shiny forest. 
  
  
  but what about contact objects or non security DG's 
  and objects without sids?
  there is nothing unique that would transfer from the source to the 
  destination that I can think of unless there's a SMTP address or similar 
  associated. Otherwise, it's more like the Microsoft shuffle: copy from 
  source, delete original (in this case, not so much since source still exists, 
  but you get the idea). There's no binding unless you create one. 
  
  For non-security principals, you'll want to find another criteria that 
  works for you. 
  
  Al
  
  
  
  
  On 12/31/05, Tom 
  Kern [EMAIL PROTECTED] wrote: 
  
  
i am using sidHistory.
I've been using Quest AD Migration Manager to copy objects from one 
forest to another.
the tool comes with logging but no way to validate objects in separate 
forests post migration.

we haven't migrated Exchange yet, so we are co-existing with 2 forests 
right now.

the source forest is still the forest of record.
when a new user gets created or a new workstation image is deployed, it 
still gets staged in the source forest.
Management wants to keep doing this till the old forest is 
decommissioned.

also, since consultants from IBM did a lot of the migrating(they are 
now gone), i'd like a way to validate what they've done.

i guess sidHistory is the "join criteria" in this case and would work 
well?

but what about contact objects or non security DG's and objects without 
sids?

thanks

On 12/30/05, Al 
Mulnick [EMAIL PROTECTED]  
wrote: 

  What would be your join criteria in this case? I mean, if 
  you're not using sidHistory, what's to say that userA in domainA ForestA 
  once moved to domainB ForestB is going to be called UserA? What if a 
  UserA already exists in that target domain? 
  
  Anyhow, there needs to be an authoritative source and a way to join 
  the source to the target in a way that prevents ambiguity. Normally, 
  sidHistory would fulfill that requirement, but in two separate forests 
  there's no guarantee that you'd use that. Or if you were bringing it 
  from multiple domains it would have multiple source sids. 
  
  For that purpose, something like MIIS is a very useful tool because 
  of the way it joins directories. If you were to home grow something, 
  you'll have to figure out what the link is. If it's different than 
  what 80% of the people out there need, it won't be an off-the-shelf tool 
  that you're looking for, but more like the others have said: db, xls, 
  script, or similar to do that work. 
  
  Does that help?
  
  On 12/30/05, Almeida Pinto, Jorge de  
  [EMAIL PROTECTED] wrote: 
don't know any tool that is able to do this... how about scripting
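A worked version of the join Al describes, added here and not part of the thread or of ADMT/Quest: it takes an export of each forest (constructed sample records below; the attribute names are the real AD ones, the DNs, SIDs and mail addresses are made up), joins source to target on sidHistory, falls back to mail for objects that have no SID or whose target copy carries no sidHistory, and flags the three things a post-migration review wants: source objects with no target, source SIDs claimed by more than one target object, and sidHistory values that trace to nothing in the source export.

```python
"""Post-migration validation by joining a source-forest export to a target-forest export.

Added example, not code from the thread or from ADMT/Quest. It assumes both
forests have already been exported (for instance with csvde or an LDAP search)
into lists of dicts carrying dn, objectClass, objectSid, sidHistory and mail.
The records below are constructed sample data, not real directories.
"""
from collections import defaultdict

SRC_DOM = "S-1-5-21-1111-2222-3333"   # constructed source-domain SID prefix
TGT_DOM = "S-1-5-21-9999-8888-7777"   # constructed target-domain SID prefix

# Constructed source-forest export (the forest of record).
SOURCE = [
    {"dn": "CN=alice,OU=Users,DC=old,DC=example", "objectClass": "user",
     "objectSid": f"{SRC_DOM}-1105", "mail": "alice@example.com"},
    {"dn": "CN=bob,OU=Users,DC=old,DC=example", "objectClass": "user",
     "objectSid": f"{SRC_DOM}-1106", "mail": "bob@example.com"},
    {"dn": "CN=carol,OU=Users,DC=old,DC=example", "objectClass": "user",
     "objectSid": f"{SRC_DOM}-1107", "mail": "carol@example.com"},
    {"dn": "CN=Sales DL,OU=Groups,DC=old,DC=example", "objectClass": "group",
     "objectSid": f"{SRC_DOM}-1200", "mail": "sales@example.com"},
    {"dn": "CN=vendor,OU=Contacts,DC=old,DC=example", "objectClass": "contact",
     "mail": "vendor@partner.example"},            # contacts carry no objectSid
]

# Constructed target-forest export after the migration tool ran.
TARGET = [
    {"dn": "CN=alice,OU=Migrated,DC=new,DC=example", "objectClass": "user",
     "objectSid": f"{TGT_DOM}-2001", "sidHistory": [f"{SRC_DOM}-1105"],
     "mail": "alice@example.com"},
    {"dn": "CN=bob,OU=Migrated,DC=new,DC=example", "objectClass": "user",
     "objectSid": f"{TGT_DOM}-2002", "sidHistory": [f"{SRC_DOM}-1106"],
     "mail": "bob@example.com"},
    {"dn": "CN=bob.old,OU=Migrated,DC=new,DC=example", "objectClass": "user",
     "objectSid": f"{TGT_DOM}-2003", "sidHistory": [f"{SRC_DOM}-1106"],
     "mail": "bob.old@example.com"},               # second object claiming bob's SID
    {"dn": "CN=Sales DL,OU=Migrated,DC=new,DC=example", "objectClass": "group",
     "objectSid": f"{TGT_DOM}-2200", "mail": "sales@example.com"},  # no sidHistory
    {"dn": "CN=vendor,OU=Migrated,DC=new,DC=example", "objectClass": "contact",
     "mail": "vendor@partner.example"},
    {"dn": "CN=svc-legacy,OU=Service,DC=new,DC=example", "objectClass": "user",
     "objectSid": f"{TGT_DOM}-2300", "sidHistory": [f"{SRC_DOM}-512"]},  # claims source Domain Admins
]


def join_forests(source, target):
    """Join source objects to target objects, sidHistory first, mail as the fallback.

    Returns a report dict:
      matched          (source dn, target dn) joined on sidHistory
      matched_by_mail  (source dn, target dn) joined on mail, for objects without a SID
                       or whose target copy carries no sidHistory
      missing          source dns with no target at all
      ambiguous        source dns claimed by more than one target object
      unexplained      (target dn, sid) sidHistory entries that map to nothing exported
                       from the source; these need a human look, since sidHistory
                       grants the access of whatever SID it names
    """
    by_sidhist = defaultdict(list)
    by_mail = defaultdict(list)
    for t in target:
        for sid in t.get("sidHistory", []):
            by_sidhist[sid].append(t)
        if t.get("mail"):
            by_mail[t["mail"].lower()].append(t)

    report = {"matched": [], "matched_by_mail": [], "missing": [], "ambiguous": [],
              "unexplained": []}
    for s in source:
        hits = by_sidhist.get(s.get("objectSid"), [])
        how = "matched"
        if not hits and s.get("mail"):
            hits = by_mail.get(s["mail"].lower(), [])
            how = "matched_by_mail"
        if len(hits) == 1:
            report[how].append((s["dn"], hits[0]["dn"]))
        elif hits:
            report["ambiguous"].append((s["dn"], [h["dn"] for h in hits]))
        else:
            report["missing"].append(s["dn"])

    source_sids = {s["objectSid"] for s in source if s.get("objectSid")}
    for t in target:
        for sid in t.get("sidHistory", []):
            if sid not in source_sids:
                report["unexplained"].append((t["dn"], sid))
    return report


if __name__ == "__main__":
    for key, rows in join_forests(SOURCE, TARGET).items():
        print(f"{key}: {rows}")
```

The "unexplained" bucket is the one worth reading first: a sidHistory entry that does not correspond to any exported source object is either a gap in the export or a SID somebody added by hand, and the constructed svc-legacy record shows why that matters (it carries the source domain's RID 512). Mail is only a weak join key, so anything in matched_by_mail still deserves a spot check against the migration tool's own logs.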

RE: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan

The real benefit to the GPO method is that
you can target scripts to the same _groups_
in which the GPO would affect, and you can target Computer groups, which
you can't do (for obvious reasons) with logon scripts. This lends itself
to some very elegant solutions that I'm sure one could do with some fancy
environment or user/computer-based variables or attribute checking. Of course,
it begs the obvious question: why?

If it means developing a whole manner and
method to get variables and/or attributes identified and called, when you only
would need to use GPO-based scripts, I think the answer becomes self-evident.

As to being called "Legacy",
which seems to be the real problem here, it's simply verbiage that I don't
think I'd get my panties in a bunch over. The user-focused versus the
GPO-focused scripts are going to be around as far out as I can see (and, that's
really not THAT far, to be honest).

Cheers!

Rick

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, January 01, 2006
8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I thought i read somewhere in some MS doc it being referred to as
"legacy" since now you can put multiple logon scripts in GPO's and
that they recommend doing it that way.

every time a new OS or feature comes out, MS tends to refer to the
previous os/feature as legacy or down-level.

maybe i just made a silly assumption that using a logon script as a
user attribute (i guess somewhat similar to the way NT did it) instead
of a GPO was "legacy".

thanks

On 1/1/06, Al
Mulnick [EMAIL PROTECTED]
wrote: 



I personally haven't heard it referred to as "legacy".
I think that may be because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the
"legacy" method would have been created and designed for a time
before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was
disabled. Several things will break, but I don't believe that's one of
them.

Test it. You'll know for sure then right? Besides, I don't
imagine a lot of networks out there are configured with ICMP disabled
like that.

Al

On 12/31/05, Tom
Kern [EMAIL PROTECTED]
wrote: 



That's it.

Isn't that the way it's referred to in MS-speak?

I hope i didn't just make that up...

On 12/30/05, Brian
Desmond [EMAIL PROTECTED]
 wrote: 

presumably setting the
scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



From: [EMAIL PROTECTED]
on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] icmp's


When you say legacy way, what does that mean exactly?


On 12/30/05, Tom Kern 
[EMAIL PROTECTED] wrote:

 would this also affect clients from
getting logon scripts?
 and when i say logon scripts, i mean the
legacy way of distributing them, NOT thru GPO's. 

 Thanks again 



 On 12/30/05, Brian Desmond [EMAIL PROTECTED]
 wrote:


You need to enable ICMP echo source clients dest dc's, and icmp echo-reply
source dc's dest clients. 


The rules look something like this:


access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers
echo


access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any
echo-reply 


Have your network people considered rate-limiting ICMP packets rather than
shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute,
time-exceeded) are necessary pieces of a network. 


Thanks,

Brian Desmond

[EMAIL PROTECTED]


c - 312.731.3132


 


From: [EMAIL PROTECTED]
on behalf of Tom Kern

Sent: Fri 12/30/2005 9:25 AM

To: activedirectory 

Subject: [ActiveDir] icmp's



What effect would blocking icmp packets on all vlans have on win2k/xp client
logons in a win2k forest? 

any?


I know clients ping dc's to see which responds first and later ping dc's to
determine round trip time for GPO processing, but would blocking icmp's have
any adverse effects on clients? 

I only ask because my corp blocks icmp's on all our vlans and i get a lot of event
id 1000 from Userenv with error code of 59 which when i looked up, refers to
network connectivity issues. i think this event id is related to the fact we
block icmp packets and i was wondering if that's something i should worry about
in a win2k network. 

Thanks


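To check that a rule set of the shape Brian posted actually permits the client-to-DC echo and the DC-to-client echo-reply, here is an added example (not from the thread and not any vendor's tool) that parses access-list lines of that form and evaluates constructed packets against them with first-match, implicit-deny semantics. The ACL names, the object-group membership and every address below are assumptions; real ACL syntax has many more forms than this parser models.

```python
"""Evaluate Cisco-style ICMP access-list lines against constructed packets.

Added example, not from the thread or any vendor. It parses the two
'access-list ... permit icmp ...' lines quoted in the thread (plus the
host / any / network-mask address forms) with first-match, implicit-deny
semantics and checks that the echo/echo-reply pair a client needs to reach
a DC is allowed in both directions. Object-group membership, ACL names and
all addresses are assumptions.
"""
import ipaddress
import re

# Constructed rules, in the shape posted in the thread.
ACL_TEXT = """
access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply
"""

# Constructed object-group membership (assumed DC addresses).
GROUPS = {"domain_controllers": {"10.0.1.10", "10.0.1.11"}}

RULE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$")


def _take_endpoint(tokens):
    """Pop one address spec: any | host A.B.C.D | object-group NAME | NET MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("any", None)
    if tok == "host":
        return ("host", tokens.pop(0))
    if tok == "object-group":
        return ("group", tokens.pop(0))
    return ("net", ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False))


def parse_acl(text):
    """Turn access-list lines into rule dicts; lines this subset cannot model are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src = _take_endpoint(tokens)
        dst = _take_endpoint(tokens)
        icmp_type = tokens[0] if tokens else None   # absent means any ICMP type
        rules.append({"acl": m.group("acl"), "action": m.group("action"),
                      "proto": m.group("proto"), "src": src, "dst": dst,
                      "icmp_type": icmp_type})
    return rules


def _endpoint_matches(spec, ip, groups):
    kind, value = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == value
    if kind == "group":
        return ip in groups.get(value, set())
    return ipaddress.ip_address(ip) in value


def evaluate(rules, acl, groups, src_ip, dst_ip, proto, icmp_type=None):
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    for r in rules:
        if r["acl"] != acl or r["proto"] not in ("ip", proto):
            continue
        if not (_endpoint_matches(r["src"], src_ip, groups)
                and _endpoint_matches(r["dst"], dst_ip, groups)):
            continue
        if proto == "icmp" and r["icmp_type"] and r["icmp_type"] != icmp_type:
            continue
        return r["action"]
    return "deny"


def locator_ping_allowed(rules, groups, client_ip, dc_ip,
                         to_dc_acl="DC_VLAN_OUT", from_dc_acl="DC_VLAN_IN"):
    """True only if the client's echo reaches the DC and the DC's echo-reply gets back."""
    out = evaluate(rules, to_dc_acl, groups, client_ip, dc_ip, "icmp", "echo")
    back = evaluate(rules, from_dc_acl, groups, dc_ip, client_ip, "icmp", "echo-reply")
    return out == "permit" and back == "permit"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print(locator_ping_allowed(rules, GROUPS, "10.0.5.23", "10.0.1.10"))   # a DC: True
    print(locator_ping_allowed(rules, GROUPS, "10.0.5.23", "10.0.1.50"))   # not a DC: False
```

Running the same check for each host that has to ping the DCs (clients, and any server that does its own DC selection) is the quick way to confirm a rule set before it goes live; the rate-limiting Brian suggests as the better alternative lives outside the ACL and is not something this evaluator can express.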
RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread Rick Kingslan

Hehe. Let me know how that
full-out testing of Vista and Aero Glass is
going for you in a VPC or a VMWare virtual machine. 

I agree, dual-booting is not the optimal
method of running different OSs, but if you want the OS to have the full
machine, rather than the limited virtualized hardware that the VMs are allowed,
I think dual booting still has a very strong place in the testing / learning
environment.

And, make no mistake, this is
coming from a guy that when on the road, has a 250GB external with nothing BUT
VMs with VPC and VS 2005 R2 on his laptop. I love virtualization.
It's just not the right thing for all situations.

Rick

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006
10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and
Win2003

I have no clue why it wouldn't allow you
to have different names for the OS and then both can be joined at the same
time, I have done this often. You did use different directories for the
installations right? 

Anymore, dual booting is going the way of
the dodo; the "new" thing is to use virtualization software so you have
both instances up and running at once. Look at Virtual PC or VMWare
Workstation.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006
6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and
Win2003



Hi list,

I have windows xp sp 2 on my machine, I need to test something so I
installed windows 2003 server enterprise edition R2 on the same machine same
hard disk, I can see the dual boot screen and choose the OS, but I can only
login to the domain if one of the OS's is disconnected from the domain, meaning
if I want to login to the windows 2003 I have to go to the windows xp and
disjoin the machine from the domain then restart and login to the domain in
windows 2003, if I want to login to winxp I go to windows 2003 and disjoin it
from the domain then restart and join the xp to the domain and login, locally I
can login to both machines no problem. the error is that the computer account
is not found on the domain when I try to login and both OSes are joined to the
domain. I tried to rename the machine name to different names in each OS but
same thing happens. is there a way to do that? (login to domain using both OS's
without having to disjoin?) 

Thank you

RE: Re: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan

joe stood up and attempted to smack Mark
Parris with a large trout, saying:

"I would rather not set domain
policy with GPOs. While I am at it, I think we are far beyond the point that we
should have the ability to programmatically handle settings in policies."

Huh? Can you explain both
statements, joe? I understand the context of the first, but not
why. The second, I just am not sure what you're getting
at. Help out an old haggard road warrior.

;o)

Rick

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006
10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir]
icmp's

Come on, who ya going to believe?
Microsoft who has all sorts of typos in the documentation (I just saw a
reference to objectcategory=user in an MS doc 2 days ago, I still have the
bruise on my forehead) or our trusted source... Al?

:o)

Personally I like the old style logon
scripts better than GPO logon scripts. Way too many things impact GPO
functions. I never found it difficult to write logon scripts designed to work
on specific users nor machines so didn't need the sorting capability of
GPOs. Overall I am ok level happy with having a default domain GPO and
default dc GPO as the only GPOs. I would rather not set domain policy with
GPOs. While I am at it, I think we are far beyond the point that we should have
the ability to programmatically handle settings in policies. 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006
9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts":

By default, logon
scripts written as either .bat or .cmd files (so-called "legacy"
logon scripts)
run in a visible command window; when executed, a command window opens up on the
screen. To prevent a user from closing the command window (and thus terminating
the script), you can enable the "Run legacy logon scripts
hidden" policy. This ensures that all legacy logon scripts run
in a hidden window.



Mark


RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread Rick Kingslan
Re: My message to joe.  Maybe 50% of the time - I'd agree.  However, if you
want to test that snazzy new Fibre HBA or would like to see what the impact
for the user is going to be with CAD with the newest High End InterGraph
workstation video card - VMs aren't going to work.

The hardware selection in VMs is intended to be generic.  Which for testing
or learning BizTalk and SQL interaction with ADAM and ADFS - it rocks
because the hardware doesn't matter.

Again - be sure of this - I love VMs.  I just can't test Vista on it because
Aero Glass is the target, and I can't quite put an LDDM driver on the
generic graphics coded in, for example.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Did you originally use different names, or the same name for each computer?

And I agree with Joe:   Dual-booting is becoming obsolete.

http://www.ultratech-llc.com/KB/?File=BootMgr.TXT



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan

Note Exchange doesn't take kindly
to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does
not see that DC unless you have specially configured it.

Which, I always thought was a pretty funny
way of doing things anyway. As you are well aware, Ping
doesn't mean alive and healthy. I know of many people who have
spent hours to days troubleshooting a problem just to find that the machine
that they first suspected as being the problem pinged just fine. Sadly,
it was dead from the neck up and port 389 and 3268 were non-responsive (along
with all of the other really important stuff).

Rick

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006
10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts
should be fine, UNLESS you have implemented your own speed sensing based on
icmp in the logon script (many of us did that long before MS did it for
those who didn't figure it out). 

Note Exchange doesn't take kindly to ICMP
echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see
that DC unless you have specially configured it. If you never want to fail
outside of a segment then that is the way to do it, but most people would
rather fail over to any DC versus say, nah, those are too far away even though
none of my local DCs are available if things go pear shaped. 


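Rick's point that a ping is not a health check is easy to act on: connect to the ports the DC actually has to answer on. The following is an added example, not from the thread; it does a TCP connect to 389, 3268, 88 and 445 and reports each one separately, and its demo() function fakes a "DC" on 127.0.0.1 that answers on one port and not another (the local address, the throwaway ports and the port list are assumptions for running it offline).

```python
"""Health check that goes past ping: does the DC answer on the ports that matter?

Added example, not from the thread. A host can answer ICMP echo and still have
a dead directory service, so this connects to the TCP ports a DC must serve
(389 LDAP, 3268 global catalog, 88 Kerberos, 445 SMB) and reports each one.
demo() stands up a throwaway local listener to play a DC that answers on one
port but not another; the 127.0.0.1 target and the ports are assumptions.
"""
import socket
import threading

DC_PORTS = {"ldap": 389, "gc": 3268, "kerberos": 88, "smb": 445}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes; refused, filtered and timed-out all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dc_health(host, ports=DC_PORTS, timeout=2.0):
    """Check every port separately; 'healthy' requires all of them, not just a ping."""
    results = {name: tcp_open(host, port, timeout) for name, port in ports.items()}
    return {"host": host, "ports": results, "healthy": all(results.values())}


def start_fake_service(host="127.0.0.1"):
    """Listen on an ephemeral port and close each connection; returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)               # lets the accept loop notice stop()
    port = srv.getsockname()[1]
    stop_event = threading.Event()

    def serve():
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_event.set


def unused_port(host="127.0.0.1"):
    """Bind-then-release an ephemeral port so it is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Constructed scenario: 'LDAP' answers, 'GC' is dead, so the host is not healthy."""
    ldap_port, stop = start_fake_service()
    try:
        return dc_health("127.0.0.1", {"ldap": ldap_port, "gc": unused_port()}, timeout=1.0)
    finally:
        stop()


if __name__ == "__main__":
    print(demo())
```

Against a real DC you would call dc_health("dc01.example.com") with the default port list; a TCP connect proves the listener is up, which is more than ICMP says, though a full check of the service would go one step further and issue an LDAP query against the rootDSE.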
RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread joe

I am not a big workstation OS type of person, I use XP only 
when I must. Longhorn seems to work ok in a VM.

I do agree that it isn't the right thing for all 
situations, but half the people setting up dual booting blow it anyway. VM is a 
much simpler solution for most people. Obviously if you are doing perf or 
physical hardware related testing it is tough. Heck even if you want USB you 
can't use VPC, you use vmware instead. If you want to test 64 bit you are kind 
of screwed too, oh wait vmware workstation does that as well... 



RE: Re: [ActiveDir] icmp's

2006-01-01 Thread joe

Rick came out of the woodwork and 
rambled:

"Huh? Can you 
explain both statements, joe?"

First statement being, I would rather not set domain 
policies in GPOs... I am referring to actual domain policy, not a policy applied 
to all machines in the domain. You know, the original meaning of domain policy. 
Pushing any policy to domain controllers that has to do with configuration of AD 
is asinine in my opinion, you already have a mechanism to push those changes 
through the environment. You don't need to use another one. Also it is a point 
of confusion for tons and tons of people. There should be a clear divisor 
between true domain policy and a policy that gets applied to each individual 
machine. 

Second statement being programmatically handling settings 
in policies... You can't set GPO settings programmatically unless you reverse 
the format of the policy information in sysvol. All you can do is 
backup/restore/export/import/enable/disable. What if I want to take all policies 
under the OU Buildings (which could be tens, hundreds, or thousands of policy 
files) and set one setting, for the sake of argument say password policy for 
local machines is equal to some set of values based on the specific OU name 
that the policy is applied to (say it has finance in the name of the OU) how 
will you do that programmatically without directly hacking the policy files 
which last I heard wasn't supported?


RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread joe
I would think software level testing would result in more than 50% of the
cases for most people. I run about 30 machines in my home (I have probably a
hundred on CDs) on a regular basis, nearly all are virtual. The only
physical limitation I have run into in my VMs so far was the lack of USB
support in VPC which I solved by using VMWARE. My next major hurdle is 64
bit guests for a piece of software that decided would only be available in
64 bit, which I will again solve with VMWARE. I haven't dual booted a
machine nor had a need to dual boot a machine since vmware 2 which was about
2000/2001 or so. 

If you start doing hardware integration testing or production perf testing,
you have no choice but to use physical hardware obviously. In every test lab
for business I have been involved in the last few years, the virtualized
instances have far outstripped the number of physical instances.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

Re: My message to joe.  Maybe 50% of the time - I'd agree.  However, if you
want to test that snazzy new Fibre HBA or would like to see what the impact
for the user is going to be with CAD with the newest High End InterGraph
workstation video card - VMs aren't going to work.

The hardware selection in VMs is intended to be generic.  Which for testing
or learning BizTalk and SQL interaction with ADAM and ADFS - it rocks
because the hardware doesn't matter.

Again - be sure of this - I love VMs.  I just can't test Vista on it because
Aero Glass is the target, and I can't quite put an LDDM driver on the
generic graphics coded in, for example.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Did you originally use different names, or the same name for each computer?

And I agree with Joe:   Dual-booting is becoming obsolete.

http://www.ultratech-llc.com/KB/?File=BootMgr.TXT



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/1/06, shereen naser [EMAIL PROTECTED] wrote:
 Hi list,
 I have windows xp sp 2 on my machine, I need to test something so I
 installed windows 2003 server enterprise edition R2 on the same machine same
 hard disk, I can see the dual boot screen and choose the OS, but I can only
 login to the domain if one of the OS's is disconnected from the domain,
 meaning if I want to login to the windows 2003 I have to go to the windows
 xp and disjoin the machine from the domain then restart and login to the
 domain in windows 2003, if I want to login to winxp I go to windows 2003 and
 disjoin it from the domain then restart and join the xp to the domain and
 login, locally I can login to both machines no problem. the error is that
 the computer account is not found on the domain when I try to login and both
 OSes are joined to the domain. I tried to rename the machine name to
 different names in each OS but same thing happens. is there a way to do
 that? (login to domain using both OS's without having to disjoin?)
 Thank you
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread Alex Fontana








I would have to agree ;-) At work I run completely on VMs using ESX. All my
testing is done on a Dell PE1800 with about 8 VMs including AD, Exchange
(clustered), SQL, etc.

For those looking to do simple testing of apps check out VM Player
http://www.vmware.com/vmplayer

You can't create VMs but you can run any pre-built VM, including MS VPC VMs.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I am not a big workstation OS type of person, I use XP only when I must.
Longhorn seems to work ok in a VM.

I do agree that it isn't the right thing for all situations, but half the
people setting up dual booting blow it anyway. VM is a much simpler solution
for most people. Obviously if you are doing perf or physical hardware related
testing it is tough. Heck even if you want USB you can't use VPC, you use
vmware instead. If you want to test 64 bit you are kind of screwed too, oh
wait vmware workstation does that as well...









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

Hehe. Let me know how that full-out testing of Vista and Aero Glass is going
for you in a VPC or a VMWare virtual machine.

I agree, dual-booting is not the optimal method to running different OSs, but
if you want the OS to have the full machine, rather than the limited
virtualized hardware that the VMs are allowed, I think dual booting still has
a very strong place in the testing / learning environment.

And, make no mistake, this is coming from a guy that when on the road, has a
250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I
love virtualization. It's just not the right thing for all situations.

Rick











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS
and then both can be joined at the same time, I have done this often. You did
use different directories for the installations right?

Any more dual booting is going the way of the dodo, the new thing is to
virtualization software so you have both instances up and running at once.
Look at Virtual PC or VMWare Workstation.





















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list,





I have windows xp sp 2 on my machine, I need to test something so I
installed windows 2003 server enterprise edition R2 on the same machine same
hard disk, I can see the dual boot screen and choose the OS, but I can only
login to the domain if one of the OS's is disconnected from the domain, meaning
if I want to login to the windows 2003 I have to go to the windows xp and
disjoin the machine from the domain then restart and login to the domain in
windows 2003, if I want to login to winxp I go to windows 2003 and disjoin it
from the domain then restart and join the xp to the domain and login, locally I
can login to both machines no problem. the error is that the computer account
is not found on the domain when I try to login and both OSes are joined to the
domain. I tried to rename the machine name to different names in each OS but
same thing happens. is there a way to do that? (login to domain using both OS's
without having to disjoin?) 





Thank you










RE: [ActiveDir] icmp's

2006-01-01 Thread joe



I don't often find myself in the position of defending the Exchange folks but
this isn't just an Exchange thing, the ICMP echo has been a "are you alive"
test for a very long time. I understand why they do it, I have written several
scripts and tools that do something similar. It can be considerably faster.
When you are testing suitability or capability of a bunch of systems, sending
an ICMP ping to see if the machine is live is considerably faster in many
circumstances than sending higher level calls, both for machines that are live
or dead. This is especially true if using netbios calls, in that case querying
can cause a system to hang where a simple ICMP ping tells you right away if you
should even bother.

Blocking all ICMP in an internal network is generally silly in my opinion
unless something is abusing it at the time. It is often a thoughtless reactive,
"well we will certainly stop those viruses" knee jerk. It's like stripping all
zip files in an email system because a virus is operating through zips. We
don't have a better way and we don't have the ability and/or time to think up a
better way so let's get out the sledgehammer...

Once you use ICMP you can go on to use higher level forms of testing. It is
also a great way for diagnosticians to try and work out network issues... is
ICMP ECHO getting through? No, well then we don't have to look at complicated
upper level issues, we can focus on core basic network connectivity.

One thing the Exchange folks did that I am not in agreement with is if a DC is
a config DC and is operating poorly Exchange will really avoid switching for
config functionality if the ping is still there. That isn't a stateless
connection so I can understand the reluctance but it can be a serious pain at
times.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


Note Exchange doesn't take kindly to ICMP echo being disabled either. If
Exchange can't ping a DC, DSACCESS does not see that DC unless you have
specially configured it.

Which, I always thought was a pretty funny way of doing things anyway. As you
are well aware, Ping doesn't mean alive and healthy. I know of many people who
have spent hours to days troubleshooting a problem just to find that the
machine that they first suspected as being the problem pinged just fine.
Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive
(along with all of the other really important stuff).

Rick




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have
implemented your own speed sensing based on icmp in the logon script (many of
us did that long before MS did it for those who didn't figure it out).

Note Exchange doesn't take kindly to ICMP echo being disabled either. If
Exchange can't ping a DC, DSACCESS does not see that DC unless you have
specially configured it. If you never want to fail outside of a segment then
that is the way to do it, but most people would rather fail over to any DC
versus say, nah, those are too far away even though none of my local DCs are
available if things go pear shaped.







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as 
"legacy". I think that may be because it wasn't a legacy method when I 
last heard it ;)



I haven't tested this, so your mileage may vary but: the 
"legacy" method would have been created and designed for a time before ICMP was 
the norm. As such, I wouldn't expect that to break if ICMP was disabled. 
Several things will break, but I don't believe that's one of them. 




Test it. You'll know for sure then right? Besides, I don't imagine a lot of
networks out there are configured with ICMP disabled like that.



Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] 
wrote: 

That's it.

Isn't that the way it's referred to in MS-speak?

I hope i didn't just make that up...


On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:
would this also affect clients from getting logon scripts? and when i say
logon scripts, i mean the legacy way of distributing them, NOT thru GPO's.

Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:
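The two points made in this thread, that an ICMP echo is a cheap first filter before any higher-level call, and that a DC which answers ping can still be "dead from the neck up" with 389 and 3268 not responding, as an added example that is not code from the list. Host names are constructed; the ping and TCP probes are injectable so the decision logic can be exercised offline, and the flag semantics of the system ping tool are an assumption noted in the code.

```python
"""Tiered DC health check: an ICMP echo first, then the ports that matter.

Added example, not code from the list thread. An ICMP echo is a cheap first
filter before any higher level call, yet a DC that answers ping can still be
"dead from the neck up" when LDAP (389) and the Global Catalog (3268) no
longer respond. Host names below are constructed; the probe functions are
injectable so the decision logic can be exercised offline.
"""
import platform
import socket
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# Ports a client should see answering before it trusts a DC. 3268 is served
# only by DCs that also hold the Global Catalog role.
DC_PORTS: Dict[str, int] = {"ldap": 389, "gc": 3268}


def icmp_probe(host: str, timeout_s: float = 1.0) -> bool:
    """One ICMP echo via the OS ping tool (raw ICMP sockets need privileges).

    Flag semantics assumed: Windows -w is milliseconds, iputils -W is seconds.
    """
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout_s * 1000)), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout_s))), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_probe(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """True when a TCP handshake completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


@dataclass
class DcHealth:
    host: str
    pinged: bool
    services: Dict[str, bool] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        if not self.pinged:
            return "unreachable"            # no point in higher-level calls
        if all(self.services.values()):
            return "healthy"
        if not any(self.services.values()):
            return "dead-from-the-neck-up"  # answers ping, serves nothing
        return "degraded"                   # e.g. LDAP up, GC down


def assess_dc(host: str,
              ports: Dict[str, int] = DC_PORTS,
              ping: Callable[[str], bool] = icmp_probe,
              connect: Callable[[str, int], bool] = tcp_probe) -> DcHealth:
    """Cheap ICMP filter first; only hosts that answer get per-port probes."""
    if not ping(host):
        return DcHealth(host, False, {name: False for name in ports})
    return DcHealth(host, True,
                    {name: connect(host, port) for name, port in ports.items()})


def pick_dc(candidates: Iterable[str], **probes) -> Optional[str]:
    """First fully healthy candidate, or None.

    Failing over on ping alone would keep sending LDAP to a hung DC, which is
    exactly the troubleshooting trap described in the thread.
    """
    for host in candidates:
        if assess_dc(host, **probes).verdict == "healthy":
            return host
    return None


if __name__ == "__main__":
    # Constructed names; replace with real DCs when running this for real.
    for dc in ("dc1.corp.example", "dc2.corp.example"):
        report = assess_dc(dc)
        print(f"{dc}: {report.verdict} {report.services}")
```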

Re: [ActiveDir] WinXP and Win2003

2006-01-01 Thread ASB
On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:


 Hehe….  Let me know how that full-out testing of Vista and Aero Glass is
 going for you in a VPC or a VMWare virtual machine.



 I agree, dual-booting is not the optimal method to running different OS's,
 but if you want the OS to have the full machine, rather than the limited
 virtualized hardware that the VMs are allowed – I think dual booting still
 has a very strong place in the testing / learning environment.



 And, make no mistake – this is coming from a guy that when on the road, has
 a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop.
  I love virtualization….  It's just not the right thing for all situations.



 Rick


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Sunday, January 01, 2006 10:40 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] WinXP and Win2003




 I have no clue why it wouldn't allow you to have different names for the OS
 and then both can be joined at the same time, I have done this often. You
 did use different directories for the installations right?





 Any more dual booting is going the way of the dodo, the new thing is to
 virtualization software so you have both instances up and running at once.
 Look at Virtual PC or VMWare Workstation.






 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 shereen naser
 Sent: Sunday, January 01, 2006 6:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinXP and Win2003


 Hi list,


 I have windows xp sp 2 on my machine, I need to test something so I
 installed windows 2003 server enterprise edition R2 on the same machine same
 hard disk, I can see the dual boot screen and choose the OS, but I can only
 login to the domain if one of the OS's is disconnected from the domain,
 meaning if I want to login to the windows 2003 I have to go to the windows
 xp and disjoin the machine from the domain then restart and login to the
 domain in windows 2003, if I want to login to winxp I go to windows 2003 and
 disjoin it from the domain then restart and join the xp to the domain and
 login, locally I can login to both machines no problem. the error is that
 the computer account is not found on the domain when I try to login and both
 OSes are joined to the domain. I tried to rename the machine name to
 different names in each OS but same thing happens. is there a way to do
 that? (login to domain using both OS's without having to disjoin?)


 Thank you


--
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/
[EMAIL PROTECTED]

Re: [ActiveDir] WinXP and Win2003

2006-01-01 Thread ASB
~
Hehe….  Let me know how that full-out testing of Vista and Aero Glass
is going for you in a VPC or a VMWare virtual machine.
~

That's what dedicated systems are for.  :)

Sure, a VM is not the best option here, depending on what aspect of
the OS is being tested, but in that case, using a totally separate
hard drive or some other separation technology will still likely prove
to be more viable than dual-booting.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/



On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:


 Hehe….  Let me know how that full-out testing of Vista and Aero Glass is
 going for you in a VPC or a VMWare virtual machine.



 I agree, dual-booting is not the optimal method to running different OS's,
 but if you want the OS to have the full machine, rather than the limited
 virtualized hardware that the VMs are allowed – I think dual booting still
 has a very strong place in the testing / learning environment.



 And, make no mistake – this is coming from a guy that when on the road, has
 a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop.
  I love virtualization….  It's just not the right thing for all situations.



 Rick


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Sunday, January 01, 2006 10:40 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] WinXP and Win2003




 I have no clue why it wouldn't allow you to have different names for the OS
 and then both can be joined at the same time, I have done this often. You
 did use different directories for the installations right?





 Any more dual booting is going the way of the dodo, the new thing is to
 virtualization software so you have both instances up and running at once.
 Look at Virtual PC or VMWare Workstation.






 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 shereen naser
 Sent: Sunday, January 01, 2006 6:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinXP and Win2003


 Hi list,


 I have windows xp sp 2 on my machine, I need to test something so I
 installed windows 2003 server enterprise edition R2 on the same machine same
 hard disk, I can see the dual boot screen and choose the OS, but I can only
 login to the domain if one of the OS's is disconnected from the domain,
 meaning if I want to login to the windows 2003 I have to go to the windows
 xp and disjoin the machine from the domain then restart and login to the
 domain in windows 2003, if I want to login to winxp I go to windows 2003 and
 disjoin it from the domain then restart and join the xp to the domain and
 login, locally I can login to both machines no problem. the error is that
 the computer account is not found on the domain when I try to login and both
 OSes are joined to the domain. I tried to rename the machine name to
 different names in each OS but same thing happens. is there a way to do
 that? (login to domain using both OS's without having to disjoin?)


 Thank you


RE: [ActiveDir] icmp's

2006-01-01 Thread Brian Desmond
The whole block ICMP thing is I think in many ways dating to the blaster and 
nachi outbreaks when routers were getting driven to 100% CPU as hundreds of 
machines were slamming ICMP and RPC traffic across them. Newer gear has the 
ability to rate limit ICMP traffic. All your admins need to do is rate limit 
ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the 
event you have an outbreak because you don't do patch management, go in the 
router and set the drop limit to something like 64kb/sec or worst case put the 
ACL to shutdown ICMP altogether. Either way you're better off than no ICMP 
24/7
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


I don't often find myself in the position of defending the Exchange folks but 
this isn't just an Exchange thing, the ICMP echo has been a "are you alive" 
test for a very long time. I understand why they do it, I have written several 
scripts and tools that do something similar. It can be considerably faster. 
When you are testing suitability or capability of a bunch of systems, sending 
an ICMP ping to see if the machine is live is considerably faster in many 
circumstances than sending higher level calls, both for machines that are live 
or dead. This is especially true if using netbios calls, in that case querying 
can cause a system to hang where a simple ICMP ping tells you right away if you 
should even bother. 
 
Blocking all ICMP in an internal network is generally silly in my opinion 
unless something is abusing it at the time. It is often a thoughtless reactive, 
"well we will certainly stop those viruses" knee jerk. It's like stripping all 
zip files in an email system because a virus is operating through zips. We 
don't have a better way and we don't have the ability and/or time to think up a 
better way so let's get out the sledgehammer...
 
Once you use ICMP you can go on to use higher level forms of testing. It is 
also a great way for diagnosticians to try and work out network issues... is 
ICMP ECHO getting through? No, well then we don't have to look at complicated 
upper level issues, we can focus on core basic network connectivity.
 
One thing the Exchange folks did that I am not in agreement with is if a DC is 
a config DC and is operating poorly Exchange will really avoid switching for 
config functionality if the ping is still there. That isn't a stateless 
connection so I can understand the reluctance but it can be a serious pain at 
times.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's



Note Exchange doesn't take kindly to ICMP echo being disabled either. If 
Exchange can't ping a DC, DSACCESS does not see that DC unless you have 
specially configured it.

 

Which, I always thought was a pretty funny way of doing things anyway.  As you 
are well aware, Ping doesn't mean alive and healthy.  I know of many people who 
have spent hours to days troubleshooting a problem just to find that the 
machine that they first suspected as being the problem pinged just fine.  
Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive 
(along with all of the other really important stuff).

 

Rick



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

 

I would agree, the old style logon scripts should be fine, UNLESS you have 
implemented your own speed sensing based on icmp in the logon script (many of 
us did that long before MS did it for those who didn't figure it out). 

 

Note Exchange doesn't take kindly to ICMP echo being disabled either. If 
Exchange can't ping a DC, DSACCESS does not see that DC unless you have 
specially configured it. If you never want to fail outside of a segment then 
that is the way to do it, but most people would rather fail over to any DC 
versus say, nah, those are too far away even though none of my local DCs are 
available if things go pear shaped. 

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as legacy.  I think that may be 
because it wasn't a legacy method when I last heard it ;)

 

I haven't tested this, so your mileage may vary but: the legacy method would 
have been created and designed for a time before ICMP was the norm. As such, I 
wouldn't expect that to break if ICMP was disabled.  Several things will break, 
but I don't believe that's one of them. 


RE: [ActiveDir] icmp's

2006-01-01 Thread joe



Yep, something else I have seen in smarter networking environments is a 
honeypot system where you trap all ICMP traffic bound for non-routable internal 
networks and then a script that shuts the ports down on the switches of the 
machines sending that traffic. Someone with an infected machine who all of a 
sudden can't get network connectivity is bound to yell for help at which point 
the boys with the stuffed pillow cases show up 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 01, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


The whole block ICMP thing is I think in many ways dating to the blaster and 
nachi outbreaks when routers were getting driven to 100% CPU as hundreds of 
machines were slamming ICMP and RPC traffic across them. Newer gear has the 
ability to rate limit ICMP traffic. All your admins need to do is rate limit 
ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the 
event you have an outbreak because you don't do patch management, go in the 
router and set the drop limit to something like 64kb/sec or worst case put the 
ACL to shutdown ICMP altogether. Either way you're better off than no ICMP 24/7


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I don't often find myself in the position of defending the Exchange folks but 
this isn't just an Exchange thing, the ICMP echo has been a "are you alive" 
test for a very long time. I understand why they do it, I have written several 
scripts and tools that do something similar. It can be considerably faster. 
When you are testing suitability or capability of a bunch of systems, sending 
an ICMP ping to see if the machine is live is considerably faster in many 
circumstances than sending higher level calls, both for machines that are live 
or dead. This is especially true if using netbios calls, in that case querying 
can cause a system to hang where a simple ICMP ping tells you right away if you 
should even bother. 

Blocking all ICMP in an internal network is generally silly in my opinion 
unless something is abusing it at the time. It is often a thoughtless reactive, 
"well we will certainly stop those viruses" knee jerk. It's like stripping all 
zip files in an email system because a virus is operating through zips. We 
don't have a better way and we don't have the ability and/or time to think up a 
better way so let's get out the sledgehammer...

Once you use ICMP you can go on to use higher level forms of testing. It is 
also a great way for diagnosticians to try and work out network issues... is 
ICMP ECHO getting through? No, well then we don't have to look at complicated 
upper level issues, we can focus on core basic network connectivity.

One thing the Exchange folks did that I am not in agreement with is if a DC is 
a config DC and is operating poorly Exchange will really avoid switching for 
config functionality if the ping is still there. That isn't a stateless 
connection so I can understand the reluctance but it can be a serious pain at 
times.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


Note Exchange doesn't take kindly to ICMP echo being disabled either. If 
Exchange can't ping a DC, DSACCESS does not see that DC unless you have 
specially configured it.

Which, I always thought was a pretty funny way of doing things anyway. As you 
are well aware, Ping doesn't mean alive and healthy. I know of many people who 
have spent hours to days troubleshooting a problem just to find that the 
machine that they first suspected as being the problem pinged just fine. 
Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive 
(along with all of the other really important stuff).

Rick




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have 
implemented your own speed sensing based on icmp in the logon script (many of 
us did that long before MS did it for those who didn't figure it out). 

Note Exchange doesn't take kindly to ICMP echo being disabled either. If 
Exchange can't ping a DC, DSACCESS does not see that DC unless you have 
specially configured it. If you never want to fail outside of a segment then 
that is the way to do it, but most people would rather fail over to any DC 
versus say, nah, those are too far away even though none of my local DCs are 
available if things go pear shaped. 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: 
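The trap described in the post above (ICMP aimed at internal address space where nothing lives, followed by a port shutdown for the sender) as detection logic over sample flow records, written here as an added example rather than anyone's actual tooling. The log format, dark ranges, threshold and switch-port inventory are constructed, and the output is a list of actions for the switch admins, not commands executed against any switch.

```python
"""Dark-space ICMP detector: find hosts sweeping unused internal ranges.

Added example, not code from the list thread. Echo requests aimed at internal
address space where nothing is supposed to live are a strong sign of a
scanning worm, and the source is a candidate for port shutdown. The flow log
format, address ranges, threshold and switch-port map are all constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Allocated but deliberately empty internal ranges (constructed).
DARK_SPACE = [ipaddress.ip_network("10.200.0.0/16"),
              ipaddress.ip_network("192.168.250.0/24")]

# Access switch and port per source address, as an inventory might hold it
# (constructed).
PORT_MAP: Dict[str, Tuple[str, str]] = {
    "10.1.5.23": ("sw-floor2", "Gi1/0/17"),
    "10.1.9.140": ("sw-floor3", "Gi1/0/4"),
}

# Constructed flow records: "<epoch> <src> <dst> <proto> <kind>".
SAMPLE_FLOWS = """\
1136140801 10.1.5.23 10.200.13.7 icmp echo-request
1136140801 10.1.5.23 10.200.13.8 icmp echo-request
1136140802 10.1.5.23 10.200.13.9 icmp echo-request
1136140802 10.1.5.23 10.200.13.9 icmp echo-request
1136140802 10.1.5.23 10.200.14.1 icmp echo-request
1136140803 10.1.5.23 192.168.250.20 icmp echo-request
1136140803 10.1.5.23 192.168.250.21 icmp echo-request
1136140804 10.1.9.140 10.200.1.1 icmp echo-request
1136140805 10.1.7.50 10.1.7.1 icmp echo-request
1136140805 10.1.7.50 10.200.1.1 tcp syn
1136140806 10.200.13.7 10.1.5.23 icmp echo-reply
this line is not a flow record
"""


def parse_flow(line: str) -> Optional[tuple]:
    """Return (src, dst, proto, kind) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                parts[3], parts[4])
    except ValueError:
        return None


def in_dark_space(ip, dark=DARK_SPACE) -> bool:
    """True when the address falls inside one of the configured empty ranges."""
    return any(ip in net for net in dark)


def find_sweepers(lines: Iterable[str], threshold: int = 5,
                  dark=DARK_SPACE) -> Dict[str, int]:
    """Map source -> number of distinct dark addresses it sent echo requests to.

    Only sources at or above the threshold are returned. Distinct targets are
    counted rather than packets, so a retried ping at one wrong address does
    not trip the alarm while a sweep across many addresses does.
    """
    targets = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, kind = flow
        if proto == "icmp" and kind == "echo-request" and in_dark_space(dst, dark):
            targets[str(src)].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def quarantine_actions(sweepers: Dict[str, int],
                       port_map=PORT_MAP) -> List[str]:
    """Turn detections into tickets for the switch admins; nothing is executed."""
    actions = []
    for src, n in sorted(sweepers.items()):
        if src in port_map:
            switch, port = port_map[src]
            actions.append(f"shutdown {switch} {port}: {src} swept {n} dark addresses")
        else:
            actions.append(f"locate {src}: swept {n} dark addresses, port unknown")
    return actions


if __name__ == "__main__":
    for action in quarantine_actions(find_sweepers(SAMPLE_FLOWS.splitlines())):
        print(action)
```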

RE: Re: [ActiveDir] icmp's

2006-01-01 Thread Darren Mar-Elia



Random input below


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and 
rambled:

"Huh? Can you 
explain both statements, joe?"

First statement being, I would rather not set domain policies in GPOs... I am 
referring to actual domain policy, not a policy applied to all machines in the 
domain. You know, the original meaning of domain policy. Pushing any policy to 
domain controllers that has to do with configuration of AD is asinine in my 
opinion, you already have a mechanism to push those changes through the 
environment. You don't need to use another one. Also it is a point of confusion 
for tons and tons of people. There should be a clear divisor between true domain 
policy and a policy that gets applied to each individual machine.

[Darren Mar-Elia] If you're referring to using stuff like Restricted Groups 
policy to control domain-based group membership, then I agree and in fact it's 
definitely a bad idea. The thing I don't like is that there really isn't any 
decent way to remove that capability out of the box. I could see value in using 
GP to control certain AD config settings, just so that you could have a common 
interface for all Windows configuration settings, but GP processing should be 
smart enough to say, hey, I'll only apply these domain changes to the PDC 
emulator and let AD replicate them out, or something like that. 

Second statement being programmatically handling settings in policies... You 
can't set GPO settings programmatically unless you reverse the format of the 
policy information in sysvol. All you can do is 
backup/restore/export/import/enable/disable. What if I want to take all policies 
under the OU Buildings (which could be tens, hundreds, or thousands of policy 
files) and set one setting, for the sake of argument say password policy for 
local machines is equal to some set of values based on the specific OU name that 
the policy is applied to (say it has finance in the name of the OU) how will you 
do that programmatically without directly hacking the policy files which last I 
heard wasn't supported?

[Darren Mar-Elia] Agreed that an API into policy settings would be great. I've 
only asked about 55 times and it still isn't on the horizon. Why? Mostly because 
there is no standard within GP around how settings are stored. Since separate 
product teams originally wrote the various client side extensions, without any 
standard storage format, we are in the mess we have today and they'd basically 
have to re-write all of GP to make that happen, or build some interface that 
abstracts each of the various storage formats into a common API--in either case, 
not a small amount of work. That being said, it has not slowed down several ISVs 
from figuring out the storage formats and using it in their products to 
essentially give different interfaces into GP. It is do-able if you have a 
reasonable amount of programming experience. 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Re: [ActiveDir] icmp's


joe stood up and 
attempted to smack Mark Parris with a large trout, 
saying:

I would rather not set 
domain policy with GPOs. While I am at it, I think we are far beyond the point 
that we should have the ability to programmatically handle settings in 
policies.

Huh? Can you explain both statements, joe? I understand the context of the 
first, but not why. The second, I just am not sure what you're getting at. 
Help out an old haggard road warrior.

;o)

Rick





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft who has all sorts of typos in the 
documentation (I just saw a reference to objectcategory=user in an MS doc 2 
days ago, I still have the bruise on my forehead) or our trusted source... Al?

:o)

Personally I like the old style logon scripts better than GPO logon scripts. 
Way too many things impact GPO functions. I never found it difficult to write 
logon scripts designed to work on specific users nor machines so didn't need 
the sorting capability of GPOs. Overall I am ok level happy with having a 
default domain GPO and default dc GPO as the only GPOs. I would rather not set 
domain policy with GPOs. While I am at it, I think we are far beyond the point 
that we should have the ability to programmatically handle settings in 
policies. 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article Enterprise logon scripts

By default, logon scripts written as 

RE: Re: [ActiveDir] icmp's

2006-01-01 Thread joe



Darren and I have had offline chats about this before so I 
know we are quite in sync on our thoughts. That is one of the reasons I am brave 
enough to spout them, if Darren isn't beating me up on my GPO thoughts they 
can't be too far off base. He is the GPOGUY after all. :o)

http://www.gpoguy.com/

BTW, I didn't see Darren say it, but I just found today 
that he has started blogging... http://blogs.dirteam.com/blogs/gpoguy/. 


But back to this stuff... I agree that the common interface is nice, but don't
fully believe the info needs to be written to a policy file in sysvol since you
have the DCs right there to write the info into AD. But alas, as you mention, we
are talking decent reworking of how things work and that includes parts of AD to
really do it cool especially in terms of restricted AD groups. I do believe that
for some of the stuff, code is now in there to force the change to only occur on
the PDC. I am not sure when the change occurred but I am guessing K3 but I was
trying to chase some code a month or two back in the Windows source tree and it
appeared there was some code in the GPO processing that was looking for a PDC in
order to make changes. I ran out of time and never went back to it though.

RE the API for settings. It is kind of sad how that wasn't/hasn't/may not be
implemented. It seems like it would have been the easiest way for MS to have
done things for themselves as well. I do agree that it is possible to reverse it
out and figure out how to do it. Of course we aren't supposed to but that
doesn't stop progress in the MS world. Eventually someone at MS will see what
someone else is doing with their tech and say hey that is pretty cool, let's do
that now.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, January 01, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Random input below


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and rambled:

"Huh? Can you explain both statements, joe?"

First statement being, I would rather not set domain policies in GPOs... I am
referring to actual domain policy, not a policy applied to all machines in the
domain. You know, the original meaning of domain policy. Pushing any policy to
domain controllers that has to do with configuration of AD is asinine in my
opinion, you already have a mechanism to push those changes through the
environment. You don't need to use another one. Also it is a point of confusion
for tons and tons of people. There should be a clear divisor between true domain
policy and a policy that gets applied to each individual machine.

[Darren Mar-Elia] If you're referring to using stuff like Restricted Groups
policy to control domain-based group membership, then I agree and in fact it's
definitely a bad idea. The thing I don't like is that there really isn't any
decent way to remove that capability out of the box. I could see value in using
GP to control certain AD config settings, just so that you could have a common
interface for all Windows configuration settings, but GP processing should be
smart enough to say, hey, I'll only apply these domain changes to the PDC
emulator and let AD replicate them out, or something like that.

Second statement being programmatically handling settings in policies... You
can't set GPO settings programmatically unless you reverse the format of the
policy information in sysvol. All you can do is
backup/restore/export/import/enable/disable. What if I want to take all policies
under the OU Buildings (which could be tens, hundreds, or thousands of policy
files) and set one setting, for the sake of argument say password policy for
local machines is equal to some set of values based on the specific OU name
that the policy is applied to (say it has finance in the name of the OU) how
will you do that programmatically without directly hacking the policy files
which last I heard wasn't supported?

[Darren Mar-Elia] Agreed that an API into policy settings would be great. I've
only asked about 55 times and it still isn't on the horizon. Why? Mostly because
there is no standard within GP around how settings are stored. Since separate
product teams originally wrote the various client side extensions, without any
standard storage format, we are in the mess we have today and they'd basically
have to re-write all of GP to make that happen, or build some interface that
abstracts each of the various storage formats into a common API--in either
case, not a small amount of work. That being said, it has not slowed down
several ISVs from figuring out the storage formats and using it in their
products to essentially give different interfaces into GP. It is do-able if you
have a reasonable amount of programming experience.



RE: [ActiveDir] icmp's

2006-01-01 Thread Brian Desmond
Yeah, that's called a darknet or something like that. A classic one is where 
you take a random sampling of your public IP space that you're not using, and 
set up a box out there in the perimeter to log any traffic to it. All that 
traffic is essentially bad since the IPs aren't in use. Then you have some 
dynamic manner of updating the rules in your firewall rulebase or the ACLs on 
your routers or what have you to just drop traffic from whatever source for a 
period of time.
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


Yep, something else I have seen in smarter networking environments is a 
honeypot system where you trap all ICMP traffic bound for non-routable internal 
networks and then a script that shuts the ports down on the switches of the 
machines sending that traffic. Someone with an infected machine who all of a 
sudden can't get network connectivity is bound to yell for help at which point 
the boys with the stuffed pillow cases show up  



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, January 01, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


The whole block ICMP thing is I think in many ways dating to the Blaster and 
Nachi outbreaks when routers were getting driven to 100% CPU as hundreds of 
machines were slamming ICMP and RPC traffic across them. Newer gear has the 
ability to rate limit ICMP traffic. All your admins need to do is rate limit 
ICMP to something like 512kb/sec and drop on exceed. Problem solved. In the 
event you have an outbreak because you don't do patch management, go in the 
router and set the drop limit to something like 64kb/sec or worst case put the 
ACL to shut down ICMP altogether. Either way you're better off than no ICMP 
24/7
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 1/1/2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's


I don't often find myself in the position of defending the Exchange folks but 
this isn't just an Exchange thing, the ICMP echo has been an "are you alive" 
test for a very long time. I understand why they do it, I have written several 
scripts and tools that do something similar. It can be considerably faster. 
When you are testing suitability or capability of a bunch of systems, sending 
an ICMP ping to see if the machine is live is considerably faster in many 
circumstances than sending higher level calls, both for machines that are live 
or dead. This is especially true if using netbios calls, in that case querying 
can cause a system to hang where a simple ICMP ping tells you right away if you 
should even bother. 
 
Blocking all ICMP in an internal network is generally silly in my opinion 
unless something is abusing it at the time. It is often a thoughtless, reactive 
"well, we will certainly stop those viruses" knee jerk. It's like stripping all 
zip files in an email system because a virus is operating through zips. We 
don't have a better way and we don't have the ability and/or time to think up a 
better way so let's get out the sledgehammer...
 
Once you use ICMP you can go on to use higher level forms of testing. It is 
also a great way for diagnosticians to try and work out network issues... is 
ICMP ECHO getting through? No, well then we don't have to look at complicated 
upper level issues, we can focus on core basic network connectivity.
 
One thing the Exchange folks did that I am not in agreement with is if a DC is 
a config DC and is operating poorly Exchange will really avoid switching for 
config functionality if the ping is still there. That isn't a stateless 
connection so I can understand the reluctance but it can be a serious pain at 
times.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's



Note Exchange doesn't take kindly to ICMP echo being disabled either. If 
Exchange can't ping a DC, DSACCESS does not see that DC unless you have 
specially configured it.

 

Which, I always thought was a pretty funny way of doing things anyway.  As you 
are well aware, Ping doesn't mean alive and healthy.  I know of many people who 
have spent hours to days troubleshooting a problem just to find that the 
machine that they first suspected as being the problem pinged just fine.  
Sadly, it was dead from the neck up and port 389 and 3268 were non-responsive 
(along with all of the other really important stuff).

 

Rick



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January
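The darknet monitor Brian describes at the top of this message and the internal ICMP honeypot joe mentions in the quoted reply share one core step: flag any source that sends packets into address space nothing legitimate should touch, then drop it for a while. The following Python sketch is an added example and not code from anyone in this thread; the darknet ranges, the log line format, the sample lines and the threshold are all constructed assumptions.

```python
"""Darknet / ICMP-honeypot hit detector (added example; every value is constructed)."""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Assumed darknet space: an unused public slice plus an unallocated internal subnet.
# Nothing legitimate should ever send packets here, so every hit is suspect.
DARKNET = [ipaddress.ip_network("203.0.113.0/24"),
           ipaddress.ip_network("10.200.0.0/16")]

# Constructed sample log lines in an assumed "<ts> <proto> <src> -> <dst>" format.
SAMPLE_LOG = """\
2006-01-01T17:10:01 ICMP 10.1.4.27 -> 10.200.3.1
2006-01-01T17:10:01 ICMP 10.1.4.27 -> 10.200.3.2
2006-01-01T17:10:02 ICMP 10.1.4.27 -> 10.200.3.3
2006-01-01T17:10:02 TCP 10.1.9.5 -> 10.1.2.10
2006-01-01T17:10:03 TCP 198.51.100.77 -> 203.0.113.9
2006-01-01T17:10:03 ICMP 10.1.4.27 -> 10.200.3.4
2006-01-01T17:10:04 TCP 10.1.9.5 -> 10.200.8.8
"""

def parse(line):
    """Split one log line into (timestamp, protocol, src address, dst address)."""
    ts, proto, src, _, dst = line.split()
    return (datetime.fromisoformat(ts), proto,
            ipaddress.ip_address(src), ipaddress.ip_address(dst))

def is_darknet(addr):
    return any(addr in net for net in DARKNET)

def darknet_hits(log_text):
    """Per source: how many packets went to darknet space and when the last one was seen."""
    counts, last_seen = Counter(), {}
    for line in filter(None, log_text.splitlines()):
        ts, _, src, dst = parse(line)
        if is_darknet(dst):
            counts[str(src)] += 1
            last_seen[str(src)] = ts
    return counts, last_seen

def block_list(log_text, threshold=3, ttl=timedelta(hours=1)):
    """Sources to drop, mapped to when the drop rule should expire.
    A threshold above 1 keeps one stray packet from locking a host out."""
    counts, last_seen = darknet_hits(log_text)
    return {src: last_seen[src] + ttl for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, expiry in block_list(SAMPLE_LOG).items():
        print(f"drop {src} until {expiry.isoformat()}")  # hand to firewall/ACL automation
```

With the sample above only 10.1.4.27 crosses the threshold; the other two sources each touched darknet space once and are left alone, which is the kind of tolerance that keeps the "shut the port" script from hitting a box that merely mistyped an address.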