RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-05 Thread Dave Wade
why don't you ask on the Exchange2000 or Exchange2003 Yahoo group..

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile



I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.

 

The way I normally set the pagefile on my systems is to set it to be 
static and 1.5x physical RAM. I also create a pagefile on each disk and let 
Windows choose the best one (which will be the second logical drive). I do not 
want to disable the pagefile on C: because, from what I understand, this will 
disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 


RE: [ActiveDir] which GC answers?

2006-05-05 Thread Almeida Pinto, Jorge de
it is:
 
repadmin /showobjmeta GC: CN=User-ROOT-01,OU=Users,OU=ORG,DC=ADCORP,DC=LAN
 
the output will be something like:
 
repadmin running command /showobjmeta against server ed0c6501-28c1-47e9-b3db-5dcf281e9e31._msdcs.ADCORP.LAN

26 entries.
Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver  Attribute
=======  =================================  =======  ===================  ===  =========
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  objectClass
  12417  Default-First-Site-Name\ROOTDC002    12417  2006-02-13 11:48:46    1  cn
  12417  Default-First-Site-Name\ROOTDC001    14299  2006-02-13 11:41:54    1  description
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  givenName
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  instanceType
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  whenCreated
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  displayName
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  nTSecurityDescriptor
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  name
  12417  Default-First-Site-Name\ROOTDC001    14282  2006-02-13 11:40:34    4  userAccountControl
  12417  Default-First-Site-Name\ROOTDC001    14278  2006-02-13 11:40:34    1  codePage
  12417  Default-First-Site-Name\ROOTDC001    14278  2006-02-13 11:40:34    1  countryCode
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2  dBCSPwd
  12417  Default-First-Site-Name\ROOTDC001    14278  2006-02-13 11:40:34    1  logonHours
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2  unicodePwd
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2  ntPwdHistory
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2  pwdLastSet
  12417  Default-First-Site-Name\ROOTDC001    14278  2006-02-13 11:40:34    1  primaryGroupID
  12417  Default-First-Site-Name\ROOTDC001    14280  2006-02-13 11:40:34    1  supplementalCredentials
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  objectSid
  12417  Default-First-Site-Name\ROOTDC001    14278  2006-02-13 11:40:34    1  accountExpires
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2  lmPwdHistory
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  sAMAccountName
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  sAMAccountType
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  userPrincipalName
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1  objectCategory
0 entries.
Type  Attribute  Last Mod Time  Originating DC  Loc.USN  Org.USN  Ver
====  =========  =============  ==============  =======  =======  ===
        Distinguished Name
        ==================
repadmin running command /showobjmeta against server 01570860-7552-4789-a9ec-401dc63fc8d8._msdcs.ADCORP.LAN
DsBindWithCred to 01570860-7552-4789-a9ec-401dc63fc8d8._msdcs.ADCORP.LAN failed with status 5 (0x5):
Access is denied.

 
BY THE WAY: don't look at the last line with the access denied as I did this in 
a test env where I'm testing some things with lingering objects
 
cheers,
Jorge
 
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-05-03 19:29
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] which GC answers?



I have a problem running that: 

this is one of the objects I want to delete, found with ldp 
 Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br 
1 canonicalName: esgoto.sabesp.com.br/Users/adriao; 
1 cn: adriao; 
1 distinguishedName: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br; 
4 objectClass: top; person; organizationalPerson; user; 
1 name: adriao; 
what is the exact DN I have to use? 
I tried these ways 

C:\REPADMIN /SHOWOBJMETA GC: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br  OUTPUTfile.TXT 
C:\REPADMIN /SHOWOBJMETA GC: Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br : OUTPUTfile.TXT 
C:\REPADMIN /SHOWOBJMETA GC: Dn=CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br  OUTPUTfile.TXT 

none of them worked. 

What 
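
An added example, not part of the original posts: replication metadata of the kind shown in the reply above records which DC originated each attribute write, when, and how many times the attribute has been written, so it is worth turning into records when tracing a change. The sketch below parses `repadmin /showobjmeta` attribute rows in the column layout quoted in the reply, including rows that a mail client has wrapped onto two lines. The function names are hypothetical, and the sample is abridged from the output in the post with one row wrapped on purpose.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class AttrMeta(NamedTuple):
    local_usn: int
    originating_dsa: str
    originating_usn: int
    changed: datetime
    version: int
    attribute: str


# First four columns: Loc.USN, originating DSA, Org.USN, Org.Time/Date.
# Ver and Attribute follow on the same line, or on the next line if wrapped.
_HEAD = re.compile(
    r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$"
)
_TAIL = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# Sample abridged from the output quoted in the post (five of the 26 rows);
# the "description" row is wrapped here the way a mail client would wrap it.
SAMPLE = r"""
26 entries.
Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver Attribute
=======  ===============                    =======  =============        === =========
  12417  Default-First-Site-Name\ROOTDC001    14277  2006-02-13 11:40:34    1 objectClass
  12417  Default-First-Site-Name\ROOTDC002    12417  2006-02-13 11:48:46    1 cn
  12417  Default-First-Site-Name\ROOTDC001    14299  2006-02-13 11:41:54
    1 description
  12417  Default-First-Site-Name\ROOTDC001    14282  2006-02-13 11:40:34    4 userAccountControl
  12417  Default-First-Site-Name\ROOTDC001    14279  2006-02-13 11:40:34    2 unicodePwd
"""


def parse_showobjmeta(text):
    """Return one AttrMeta per attribute row; headers and counts are ignored."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        head = _HEAD.match(lines[i])
        i += 1
        if not head:
            continue
        rest, wrapped = head.group(5), False
        if not rest.strip() and i < len(lines):
            rest, wrapped = lines[i], True  # Ver/Attribute on the next line
        tail = _TAIL.match(rest)
        if not tail:
            continue  # truncated row: skip it rather than guess
        if wrapped:
            i += 1
        records.append(AttrMeta(
            local_usn=int(head.group(1)),
            originating_dsa=head.group(2),
            originating_usn=int(head.group(3)),
            changed=datetime.strptime(head.group(4), "%Y-%m-%d %H:%M:%S"),
            version=int(tail.group(1)),
            attribute=tail.group(2),
        ))
    return records


def rewritten_attributes(records):
    """Attributes written more than once (version > 1), highest version first."""
    hits = [r for r in records if r.version > 1]
    return sorted(hits, key=lambda r: (-r.version, r.attribute))


def by_originating_dsa(records):
    """Map each originating DC to the attributes whose last write it originated."""
    groups = defaultdict(list)
    for r in records:
        groups[r.originating_dsa].append(r.attribute)
    return dict(groups)


def latest_change(records):
    """The most recently written attribute on the object."""
    return max(records, key=lambda r: r.changed)


if __name__ == "__main__":
    recs = parse_showobjmeta(SAMPLE)
    for r in rewritten_attributes(recs):
        print(f"{r.attribute}: version {r.version}, last written {r.changed}")
    for dsa, attrs in by_originating_dsa(recs).items():
        print(f"{dsa}: {', '.join(attrs)}")
    last = latest_change(recs)
    print(f"latest write: {last.attribute} from {last.originating_dsa}")
```
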

RE: [ActiveDir] Query regarding Windows Time Service

2006-05-05 Thread James Carter
thanks joe, that seems like a straightforward command to run. a lot simpler than the following kb (I'm looking at the external time source)

http://support.microsoft.com/kb/816042/

Does anyone know why this would be different?

joe [EMAIL PROTECTED] wrote:

I would certainly check into it, it is implying the machines aren't syncing their time which could be bad for you.

Normally I just set this with

net time /setsntp:server

However it would appear they just do the same thing.

It used to be w32tm had a cool switch for testing the time sync process and outputting a verbose listing of all of the steps and values, that doesn't appear to be in there now. I would wonder how people are supposed to troubleshoot now.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Wednesday, May 03, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query regarding Windows Time Service

I have a query regarding the Windows Time Service. Our environment is Windows 2003 FFL, Single Domain. We have a Network Time Server which I have configured our PDCe to use. Having read other posts I also configured our Core DCs to use this Time Server so that if the PDCe failed, I could just seize the role to another DC and have one less thing to configure.

What I am receiving is Eventlog messages saying "the time provider NtpClient is configured to acquire a time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 29

This is received on all of the Core DCs that I have configured to use the Network Time Server rather than the PDCe.

All I did was run the following command on each DC that could potentially be used as a PDCe

w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update

Anyone know why I would be receiving these event messages, should I be concerned?

James

RE: [ActiveDir] TScmd help

2006-05-05 Thread joe



Oh sorry, yes, I 
completely understand that advice came from PSS from your previous post, I 
should have put the "Thanks PSS" on there too. :)

Did PSS actually say to 
check if they were TS Users? I wouldn't be surprised if they hadn't. A lot of 
the help and direction doesn't come with much insight unless you get the "right" 
PSS people. Which ones are the "right" ones... the ones that are good of course, 
I don't believe MSFT breeds for them or even tests for them, they just sort of 
happen and then once you find them you don't want to let go. 

I once received an email 
from an old coworker still working for the former employer asking if I heard 
this from PSS what would I have done... Keep in mind that this employee was in 
the USA and there was no local support where the server was other than say a 
janitor and a secretary nor hardware level remote control capability "This 
server you have in insert name of some small almost third world European 
nation, you want to disable NET LOGON and then reboot it and then we can 
check out the results..." and then 30-60 minutes later a call back from 
PSS "Hold on, don't do that yet, that may not be a good idea...". Then the 
coworker responding to PSS, "We already did, what now???" 

My response was that I 
would have openly laughed at the PSS guy as soon as he said the first thing and 
said go get your dad, I need to talk to a grownup. Yes that is insulting but if 
you are paying for best in class support, you better get it, if not, you insult 
them until they get you someone who will give you that support. I was once told, 
but if you insult them, they will remember you and won't want to work with you 
again. My response to that... If I am at the point that I am going to insult 
them, I would rather they not work with me again and better they spend their 
time filtering themselves out from me than spending my time while I filter them 
out. Plus I have learned that just asking 
for someone else isn't going to help you as evidenced by a problem I have been 
working through my current employer with PSS, the problem is approaching the one 
year point now, I have to be nice though, those are the rules I have to follow. 
If I didn't have to be nice, I can pretty much guarantee I wouldn't still be 
waiting for responses. I would have talked to the top person and they would 
either correct or have said no. Instead, I am treated like any customer who 
doesn't know better and sitting here not knowing anything about what PSS is 
doing. I have accomplished great things or at least brought great visibility to 
things within MSFT by being an extreme pain in the tush and making engineers 
feel stupid and making them want to "prove me wrong". I dislike very much that I 
have to do things that way but have been taught, that is how I can get results 
with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, 
they are great, you talk to them and they listen. They may not agree with you 
but they will talk to you and explain why they can't do what you are asking or 
what is wrong with what you want changed. They have some bad apples of course, 
but in that case, the barrel is mostly good apples and you aren't trying to pick 
and choose who you deal with, you can take a random deal and almost always be 
ok.

 joe




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, May 04, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

I meant that was the advice we were given from PSS on how to solve the 
problem. :)

Though...we did end up clearing it after finding out they were not TS 
users.



  
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd help
  Date: Thu, 4 May 2006 21:17:34 -0400
  
  

  Yes some Novell stuff 
  can be found in there as well as some other things I have heard of through the 
  years. Just clearing that attribute is a great idea... especially if you use 
  Novell stuff as well as TS stuff. :)
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
  Sent: Wednesday, May 03, 2006 10:51 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] TScmd help
  
  My first travesty with said blob, was when an admin 
  could not reset a user's password via the MMC. After some PSS support, it turns out it was 
  the NWCLIENT attributes stored in the userParameters field. As it turns out these users 
  in the NT4 days had the Netware client piece, and when 
  they were migrated with ADMT to 2000, this nugget came 
  with it.
  
  The solution? Just clear the userParameters attribute for all affected users if I 
  remember.
  
  I think there is a KB article on it now.
  

From: [EMAIL PROTECTED]To: 

RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

2006-05-05 Thread joe
As Steve mentioned it is for the Trust Selective Authentication stuff. You
may have noticed this and Other Organization security principals in your
Forest after you did your Windows Server 2003 ForestPrep. If not, go peek at
your defined WellKnown Security Principals container in the config...


dn:CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
objectClass: top
objectClass: foreignSecurityPrincipal
cn: This Organization
distinguishedName: CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
instanceType: 4
whenCreated: 20050424170716.0Z
whenChanged: 20050424170716.0Z
uSNCreated: 12314
uSNChanged: 12314
showInAdvancedViewOnly: TRUE
name: This Organization
objectGUID: {EA66BC8D-F614-4906-8E20-F17A7967D58F}
objectSid: S-1-5-15
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local

dn:CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
objectClass: top
objectClass: foreignSecurityPrincipal
cn: Other Organization
distinguishedName: CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
instanceType: 4
whenCreated: 20050424170716.0Z
whenChanged: 20050424170716.0Z
uSNCreated: 12315
uSNChanged: 12315
showInAdvancedViewOnly: TRUE
name: Other Organization
objectGUID: {8C59DDCA-99DC-4548-A1CE-20A02D906B78}
objectSid: S-1-5-1000
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local



For some very light programmatic info regarding your favorite framework on
it check out

http://msdn2.microsoft.com/en-US/library/ms180941.aspx

and

http://msdn2.microsoft.com/en-US/library/system.directoryservices.activedirectory.forest.getselectiveauthenticationstatus.aspx


I don't ever recall seeing anything that mentions it in the Win32 API though
the .NET stuff is thunking down to the real API at some point. .NET doesn't
actually do anything itself. ;o)


  joe
 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
groups?

Have you any idea what the this organization thing is? I noticed that when I
went and did gpresult on one of mine in reference to this thread.


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, May 04, 2006 9:47 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security 
 groups?
 
 That is odd. Here is what one of my DCs shows
 
 BUILTIN\Administrators
 Everyone
 BUILTIN\Users
 Windows Authorization Access Group
 NT AUTHORITY\NETWORK
 NT AUTHORITY\Authenticated Users
 This Organization
 ServerName$
 Domain Controllers
 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
 
 
 The first thing I would do is look at that DC directly to make sure it 
 has all the proper values on itself. If it does, then I would use 
 gpresult and ethereal and get a trace just to make sure that it is 
 using the info on the local machine. You can even set up the gateway 
 values so that you could see the traffic locally but mostly you just 
 want to see if the queries are going off the box and you don't need to 
 change any IP config to capture that, just watch the traffic for all 
 LDAP packets. If it is going off the box for the info, go look at the 
 DC it is querying and find out what is dorked up.
 
   joe
 
 
 
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
 Sent: Tuesday, May 02, 2006 5:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] GPResult incorrectly reporting DC's security 
 groups?
 
 I am currently looking at a forest which had some issues after 
 DCPromo'ing some of the DCs, most of the problems appear to be 
 resolved.
 
 However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
 GPResult (and GPMC) output :
 
 The computer is a part of the following security groups
 ---
 BUILTIN\Administrators
 Everyone
 BUILTIN\Users
 NT AUTHORITY\NETWORK
 NT AUTHORITY\Authenticated Users
 This Organization
 computeraccountname$
 Domain Computers
 
 So it is reporting to be a member of Domain Computers, when it should 
 not be.
 
 More concerning is that it is not reporting as being a member of the 
 following groups :
 BUILTIN\Pre-Windows 2000 Compatible Access
 Windows Authorization Access Group
 Domain Controllers
 NT 

RE: [ActiveDir] TScmd help

2006-05-05 Thread Jef Kazimer


Joe,

I don't remember if they told us to check if they are TS users or not to be honest as this was almost 2 years ago. I do remember that the symptoms were quite odd in that the error message dialog box would throw out an obscure error that could not be found in any online resource. They said they had to pull it out of a source code comment reference which led them down the NWCLIENT trail. I remember writing something to identify the users in the directory that could be affected by this issue, and someone did remediate them.

Through the years of getting support ( and giving it) I've found it best to ALWAYS question the actions you are being told, because people do make mistakes. I hate the excuse "Well I was told to do this." and they didn't think it through before doing it.

This reminds me of a tech who noticed a certain service was using a lot of CPU time on our Domain Controllers. He figured it might be a problem, so he killed the exe that was eating the CPU time because the OPs guy suggested it. I guess he thought this little exe would just restart and be fine because it had an obscure name he did not recognize..LSASS.EXE :)

And then he wondered why authentication problem tickets came in at that site...
J


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Fri, 5 May 2006 08:24:47 -0400



Oh sorry, yes, I completely understand that advice came from PSS from your previous post, I should have put the "Thanks PSS" on there too. :)

Did PSS actually say to check if they were TS Users? I wouldn't be surprised if they hadn't. A lot of the help and direction doesn't come with much insight unless you get the "right" PSS people. Which ones are the "right" ones... the ones that are good of course, I don't believe MSFT breeds for them or even tests for them, they just sort of happen and then once you find them you don't want to let go. 

I once received an email from an old coworker still working for the former employer asking if I heard this from PSS what would I have done... Keep in mind that this employee was in the USA and there was no local support where the server was other than say a janitor and a secretary nor hardware level remote control capability "This server you have in insert name of some small almost third world European nation, you want to disable NET LOGON and then reboot it and then we can check out the results..." and then 30-60 minutes later a call back from PSS "Hold on, don't do that yet, that may not be a good idea...". Then the coworker responding to PSS, "We already did, what now???" 

My response was that I would have openly laughed at the PSS guy as soon as he said the first thing and said go get your dad, I need to talk to a grownup. Yes that is insulting but if you are paying for best in class support, you better get it, if not, you insult them until they get you someone who will give you that support. I was once told, but if you insult them, they will remember you and won't want to work with you again. My response to that... If I am at the point that I am going to insult them, I would rather they not work with me again and better they spend their time filtering themselves out from me than spending my time while I filter them out. Plus I have learned that just asking for someone else isn't going to help you as evidenced by a problem I have been working through my current employer with PSS, the problem is approaching the one year point now, I have to be nice though, those are the rules I have to follow. If I didn't have to be nice, I can pretty much guarantee I wouldn't still be waiting for responses. I would have talked to the top person and they would either correct or have said no. Instead, I am treated like any customer who doesn't know better and sitting here not knowing anything about what PSS is doing. I have accomplished great things or at least brought great visibility to things within MSFT by being an extreme pain in the tush and making engineers feel stupid and making them want to "prove me wrong". I dislike very much that I have to do things that way but have been taught, that is how I can get results with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, they are great, you talk to them and they listen. They may not agree with you but they will talk to you and explain why they can't do what you are asking or what is wrong with what you want changed. 
They have some bad apples of course, but in that case, the barrel is mostly good apples and you aren't trying to pick and choose who you deal with, you can take a random deal and almost always be ok.

 joe




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, May 04, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

I meant that was the advice we were given from PSS on how to solve the 

Re: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Tom Kern
How can I take ownership of it?
It doesn't have a security tab and xcacls doesn't see the folder..

Thanks
On 5/4/06, joe [EMAIL PROTECTED] wrote:


Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)



Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an ntfs vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?

Thanks again
4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: 



Hi, 
 I got something similar but with a PDF file. The solution was to reboot the server… 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)




No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.



I can't delete it or share it out and it's missing the security tab.



anything else I should look for?



Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote: 

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.

I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job.

When he went to the target server an empty dir was created which now cannot be deleted.

I can't delete it through explorer or the command console at the server and get an error of cannot delete file:cannot read from the source file or disk.

If I do a RD /s, I get The system cannot find the file specified.

However the dir shows up in a dir listing or explorer.

The weird thing is also, the dir has no security tab (and it's on an ntfs file system).

Some background on the robocopy job-

the admin mapped 2 drives from his local box (win2k). One drive to the root of the volume on the source server and another to the root on the target.

he then CD'ed to the source and ran robocopy with the /E and /V switches.

after some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.

thanks




Re: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread Teo De Las Heras
Joe,

Thanks for replying. The Citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.
It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application' since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve. 


The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo
On 5/4/06, joe [EMAIL PROTECTED] wrote:


I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what?


Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)


We have a citrix server where we're trying to add user accounts from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following: 

-LDAP Message - 
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
 -NTLMSSP-
 -Lan Manager Response: 00 -
 NTLM Response: Empty
Domain name: NULL
 User name: Null

PSS has not been able to help with this nor has Citrix


RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread joe



You could try

1. subinacl

2. script

3. search the web for various ACL mod tools plus I seem to recall one tool specifically for taking ownership out on the web somewhere, I believe it was called setowner.

If none of those work I see your options as

A. If the file is external disk such as a SAN/NAS type device, see if the vendor has a way to tap the file.

B. Open a support ticket with MSFT

C. Bring someone knowledgeable other than MSFT in to start looking at the problem

D. Reformatting the partition




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it?
It doesn't have a security tab and xcacls doesn't "see" the folder..

Thanks
On 5/4/06, joe [EMAIL PROTECTED] wrote: 

  
  Wonder if 
  you have a dorked up ACL, what happens if you try to take ownership of 
  it?
  
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Sunday, April 30, 2006 8:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Robocopy(OT)
  
  
  
  Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.
  
  I've run Process Explorer and Filemon and nothing is accessing this dir.
  
  Yet I can delete it and it's missing the security tab (it's on an ntfs vol).
  
  How the heck can I get rid of this dir?
  
  Has anyone had an issue like this?
  
  Thanks again
  4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: 
  


Hi, 

 
I got something similar but with a PDF file. The solution was to reboot the server 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)




No one 
has this folder open.

I've 
run Process Explorer and Filemon and nothing is accessing this 
folder.



I can't 
delete it or share it out and its missing the security 
tab.



anything else I should look 
for?



Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark
-Original Message-
From: "Steve Rochford" [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job-
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
he then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
after some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
thanks




RE: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread joe



Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset.

If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Joe,

Thanks for replying. The citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.
It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application' since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve.

The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo
On 5/4/06, joe [EMAIL PROTECTED] wrote: 

  
  I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what?

  Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
  Sent: Thursday, May 04, 2006 5:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] LDAP Matched DN: (Null)
  
  
  We have a citrix server that we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:
  -LDAP Message -
  Matched DN: (null)
  Error Message: (null)
  Error: Couldn't parse LDAP Controls: Wrong type for that item
  -NTLMSSP-
  -Lan Manager Response: 00 -
  NTLM Response: Empty
  Domain name: NULL
  User name: Null

  PSS has not been able to help with this nor has Citrix


RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Gil Kirkpatrick

CHKDSK?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't "see" the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an ntfs vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?

Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi,

I got something similar but with a PDF file. The solution was to reboot the server

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark
-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job-
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
he then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
after some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
thanks

Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-05 Thread Al Mulnick

ADAM rocks!  It's exactly what I look for in a directory of that type
- stable, scalable, easy to deploy.  What's missing are the tools to
easily administer it for the average Joe (note the capitalization and
the reference to the average :) which would help it compete against
more expensive tools such, as, oh I don't know, SunOne. It's that
toolset that will differentiate it (and the price of course) for the
purchaser that doesn't have the time to roll their own toolsets.
RedHat's directory will have other tools available.  Will they be
better? Hard to say, but the expectation that if you pay for it, you
have a better tool set is certainly there.

Not sure about the happiness factor with ADAM tools. I have to say I
think they're rough(er) than I expected from a Microsoft product, but
then again, they are suitable to the task that ADAM is designed for.
I cannot think that there is anything more specific that Microsoft
could/would have come up with that would make sense for the intended
ADAM audience.  That's really the key, the ADAM audience.  It's a
programmer's directory - by design. Not an Admin's directory, not an
end user's directory, but a programmer's directory intended to be
repackaged and delivered to the masses.  Directories everywhere :)

As for interface, "...and if people wanted to use it bad enough, they
would figure it out."  I have to disagree to some extent.  I think of
people writing those extensions as being like water: they tend to take
the path of least resistance appropriate for the task.  Sure, not
everyone does, but we're not talking about everyone.  We're talking
about the John Q here, and even then we're narrowing that down to a
subset of those that are interested enough to read the ADAM
documentation in the first place or the MMC extension documentation
(yuck.)  The stability of the MMC resource pig has not been favorable
when taking that route, IMHO.  Nice concept, but yikes difficult to
work with for the average admin.  Not what I have in mind for ADAM
management.

I like the idea of a drag and drop concept if you're going to make
tools.  Should it be specific to ADAM?  I don't think so.  I think it
should read the directory it's working with and present based on that
as much as possible. I think it should be web based with drag and drop
abilities. .Net, JAVA, AJAX, whatever, but it should be easy to use
and customizable by the average geek that picks it up with minimal
coding skillz.

They said that admins would all become scripters when they released AD
many years back.  Hmm... Not sure that's the case, but some tasks are
certainly easier if you can script them against the directory.

If you can't make it read and adapt to the directory structure it's
going to use, I'm not sure I see much value in a tool aimed at ADAM
joe.

My $0.04 worth anyway.

Al

On 5/4/06, joe [EMAIL PROTECTED] wrote:

I was thinking of something a little more robust than ADUC with extensions. 
More of a combination of ADUC, DSSITES, ADSIEDIT, Schema Manager, and some 
yet to be publicly seen ADAM specific management stuff. Maybe some form of tie 
in to MIIS/IIFP/ADAMSynch for easily configuring those products so you don't 
have to hurt your forehead slamming the wall.

I understand the desire for extension capability but even there, how many 
people are actually taking advantage of it? Yes it is a pain now for ADUC but 
it exists and if people wanted to use it bad enough, they would figure it out. 
Next question, how do you do EASY extension capability that is flexible and 
powerful and useable? Add to that not requiring people to use NET to do things. 
I haven't completely shut the door on NET but it is bottom of the pile for 
things I want to do or require. I have had way too many people write me (some 
of whom I even respect) and say that one of the beautiful things about my code 
is that I am not using/requiring NET.

I feel similar when I hear people say that NET and MONAD are going to make most 
everyone scripters and programmers. I think we will see Australian Ice Hockey 
becoming the next great global sport before we see everyone or even a majority 
of admins becoming scripters and programmers with NET unless MSFT dumbs it down 
considerably more, the object model is enough to scare most people away. Don't 
get me wrong, I think NET is going to be popular, just like JAVA was/is. But 
there are a lot of coders who won't go near it.

So the next question is What kind of extension model do you go with? 
Honestly it would have to be some RAD drag and drop with field tweak kind of 
extension in my opinion. I would visualize you saying ADD TAB, then laying out 
the form the way you like to see data, specifying the attribute to be displayed 
in the various fields and specifying HOW it should be displayed with the schema 
being used to determine a default and possibly helping control what other ways 
it could be displayed. Possibly adding in data rules that control what can be 
typed in the fields 

[ActiveDir] NT4Emulator Reg Key

2006-05-05 Thread Mark Parris
I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I have added to 
the HKLM...Netlogon\parameters the key NT4Emulator with a value of 1 and then 
done the inplace upgrade. I now try to promote in another AD DC and it does not 
work I get DNS timeout errors (0x05B4 ERROR_TIMEOUT)

DNS is configured correctly and removing the key and rebooting the upgraded DC 
makes the issue go away and I can add new AD DC's.

Is this normal or is it a new feature of R2?

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread Teo De Las Heras
Joe,

On some domain controllers we're getting the following:
I:\nltest /server:domain naming master dc /sc_query:domainb
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
So I think we are closer

Teo
On 5/5/06, joe [EMAIL PROTECTED] wrote:


Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset.

If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere.




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)


Joe,

Thanks for replying. The citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.
It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application' since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve.

The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo
On 5/4/06, joe [EMAIL PROTECTED] wrote:
 


I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what? 


Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)


We have a citrix server that we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:

-LDAP Message -
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
-NTLMSSP-
-Lan Manager Response: 00 -
NTLM Response: Empty
Domain name: NULL
User name: Null

PSS has not been able to help with this nor has Citrix


RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-05 Thread joe



So did yours Al... I read it over on OWA... 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, May 05, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?



RE: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread joe



That is name resolution failure, DomainB DC issues, or network issues...

You can try this

nltest /sc_reset:domainb\dcname

If it works, it means that you probably have name res issues.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Joe,

On some domain controllers we're getting the following:
I:\nltest /server:domain naming master dc /sc_query:domainb
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
So I think we are closer

Teo
On 5/5/06, joe [EMAIL PROTECTED] wrote: 

  
  Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset.

  If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere.

  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
  Sent: Friday, May 05, 2006 9:31 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] LDAP Matched DN: (Null)
  
  
  Joe,
  
  Thanks for replying. The citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.
  It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application' since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve.

  The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.
  
  Teo
  On 5/4/06, joe [EMAIL PROTECTED] wrote:

I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what?

Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)


We have a citrix server that we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:
-LDAP Message -
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
-NTLMSSP-
-Lan Manager Response: 00 -
NTLM Response: Empty
Domain name: NULL
User name: Null

PSS has not been able to help with this nor has 
Citrix
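
The nltest triage discussed in this thread (query each hop of the secure channel, then actually reset it, and treat a reset that works against a named DC as a name-resolution hint), as an added Python example that is not part of any list member's message. The success-output sample, host name and hop labels are constructed assumptions; the failure line is the one quoted in the thread.

```python
import re

# "Status = <decimal> 0x<hex> <symbolic name>" as it appears in nltest output.
STATUS_RE = re.compile(r"Status\s*=\s*(\d+)\s+0x([0-9a-fA-F]+)\s+(\w+)")
DC_RE = re.compile(r"Trusted DC Name\s+(\S+)")

# Failure line exactly as quoted in the thread.
FAIL_NO_SUCH_DOMAIN = (
    "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\n"
)

# Constructed sample of a successful run; the DC name is a placeholder.
OK_SAMPLE = (
    "Flags: 30 HAS_IP  HAS_TIMESERV\n"
    "Trusted DC Name \\\\dc1.domaina.example\n"
    "Trusted DC Connection Status Status = 0 0x0 NERR_Success\n"
    "The command completed successfully\n"
)

ADVICE = {
    "healthy": "query and reset both succeed; move on to network traces",
    "query-ok-reset-failed": "query looked fine but the reset failed; "
                             "the channel is not actually usable",
    "name-resolution-suspect": "query failed but reset against a named DC "
                               "worked; probably name resolution",
    "broken": "query and reset both fail; name resolution, the remote DC, "
              "or the network path",
}


def parse_nltest(output):
    """Extract the status of one nltest run from its captured text."""
    m = STATUS_RE.search(output)
    if m is None:
        raise ValueError("no 'Status = ...' line in nltest output")
    code = int(m.group(1))
    if code != int(m.group(2), 16):
        # The decimal and hex fields are the same value; a mismatch means
        # the capture was truncated or mangled, so do not trust it.
        raise ValueError("decimal and hex status disagree")
    dc = DC_RE.search(output)
    return {
        "code": code,
        "name": m.group(3),
        "ok": code == 0,
        "trusted_dc": dc.group(1) if dc else None,
    }


def triage_hop(query_out, reset_out):
    """Classify one hop from its /sc_query and /sc_reset output."""
    q_ok = parse_nltest(query_out)["ok"]
    r_ok = parse_nltest(reset_out)["ok"]
    if q_ok and r_ok:
        return "healthy"
    if q_ok:
        return "query-ok-reset-failed"
    if r_ok:
        return "name-resolution-suspect"
    return "broken"


def first_break(hops):
    """hops: ordered (label, sc_query output, sc_reset output) tuples.

    Returns (label, verdict) for the first hop that is not healthy,
    or None when every hop passes both checks.
    """
    for label, query_out, reset_out in hops:
        verdict = triage_hop(query_out, reset_out)
        if verdict != "healthy":
            return label, verdict
    return None


# Constructed scenario: the member's channel is fine, the cross-domain
# query fails with 1355, and a reset against a named DC succeeds.
SAMPLE_HOPS = [
    ("member -> Domain A DC", OK_SAMPLE, OK_SAMPLE),
    ("Domain A DC -> Domain B", FAIL_NO_SUCH_DOMAIN, OK_SAMPLE),
]

if __name__ == "__main__":
    result = first_break(SAMPLE_HOPS)
    if result is None:
        print("all hops healthy:", ADVICE["healthy"])
    else:
        print(result[0], "->", ADVICE[result[1]])
```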


RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Brian Desmond

Cacls
Xcacls
Subinacl
Format q c:
rm rf /
a consultant
google set ownership tools perhaps too

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't "see" the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an ntfs vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?

Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi,

I got something similar but with a PDF file. The solution was to reboot the server

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark
-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job-
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
he then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
after some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
thanks

RE: [ActiveDir] Robocopy(VERY OT)

2006-05-05 Thread Burns, Clyde R.





Other ways...
Dos bootdisk with Fdisk - www.bootdisk.com
And there's also this.
http://www.semshred.com/contentmgr/showdetails.php/id/680/tp/VE1HUj0xLHRpZD02NzIs

Clyde Burns
Louisville Ky.
The one guy in the office who didn't go to the track on Oaks day.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, May 05, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

Cacls
Xcacls
Subinacl
Format q c:
rm rf /
a consultant
google set ownership tools perhaps too

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't "see" the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm








From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an ntfs vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?

Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi,

I got something similar but with a PDF file. The solution was to reboot the server






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark
-Original Message-
From: "Steve Rochford" [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job-
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
he then CD'ed to the source and ran robocopy with the "/E" and "/V" switches.
after some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
thanks








Re: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread Teo De Las Heras
Thanks Joe...I think we figured it out. The domain controller having issues has lost its route to domain b. I think we can get this fixed if we can get the citrix server to log on to another DC.

Thanks!

Teo
On 5/5/06, joe [EMAIL PROTECTED] wrote:


That is name resolution failure, DomainB DC issues, or network issues...

You can try this

nltest /sc_reset:domainb\dcname

If it works, it means that you probably have name res issues.





--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)



Joe,

On some domain controllers we're getting the following:
I:\nltest /server:domain naming master dc/sc_query:domainb
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
So I think we are closer

Teo
On 5/5/06, joe [EMAIL PROTECTED] wrote:
 


Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset. 


If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere. 




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)


Joe,

Thanks for replying. The Citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.
It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application'. Since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve. 

The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo
On 5/4/06, joe [EMAIL PROTECTED] wrote: 



I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what? 


Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere? 




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)


We have a citrix server that we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following: 

-LDAP Message - 
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
 -NTLMSSP-
 -Lan Manager Response: 00 -
 NTLM Response: Empty
Domain name: NULL
 User name: Null

PSS has not been able to help with this nor has Citrix


Re: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Tom Kern
Subinacl, Xacls (which I stated I used already, Brian), and Setowner all give the same error -
The system cannot find the file specified.

Chkdsk with a reboot didn't help at all.

Thanks
On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote:



Cacls
Xcacls
Subinacl
Format –q c:
rm –rf /
a consultant
google set ownership tools perhaps too

Thanks,
Brian Desmond

[EMAIL PROTECTED]


c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)





How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't see the folder..



Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote: 

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)





Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an NTFS vol).



How the heck can I get rid of this dir?



Has anyone had an issue like this?



Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED]  wrote: 


Hi, 
 I got something similar but with a PDF file. The solution was to reboot the server… 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)



No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.



I can't delete it or share it out and it's missing the security tab.



anything else I should look for?



Thanks

On 4/5/06, Mark Parris  [EMAIL PROTECTED] wrote: 
I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted. 

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help. 

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory 
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.

I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be deleted.
I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk". 
If I do a RD /s, I get "The system cannot find the file specified."
However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no "security" tab (and it's on an NTFS file system). 

Some background on the robocopy job - the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the root on the target.
He then CD'ed to the source and ran robocopy with the "/E" and "/V" switches. 
After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.

Thanks






RE: [ActiveDir] which GC answers?

2006-05-05 Thread adriaoramos

Jorge, thanks a lot, but I don't know whether I am doing something wrong or there's a problem here. 
This is the case:

I have a user (jjunior - Jose Marcondes Junior) that is a lingering object for sure.
I used ldp and found it as I can see here
***Searching...
ldap_search_s(ld, DC=SABESP,DC=COM,DC=BR, 2, (sAMAccountName=jjunior), attrList, 0, msg)
Result 0: (null)
Matched DNs: 
Getting 1 entries:
 Dn: CN=Jose Marcondes Junior,OU=Usuarios,OU=Pindamonhangaba,DC=sjc,DC=sabesp,DC=com,DC=br
1 canonicalName: sjc.sabesp.com.br/Pindamonhangaba/Usuarios/Jose Marcondes Junior; 
1 cn: Jose Marcondes Junior; 
1 distinguishedName: CN=Jose Marcondes Junior,OU=Usuarios,OU=Pindamonhangaba,DC=sjc,DC=sabesp,DC=com,DC=br;
4 objectClass: top; person; organizationalPerson; user; 
1 objectGUID: 5efc7740-29c6-432f-b255-133b5018c2e3; 
1 name: Jose Marcondes Junior; 

Using the command you've sent to me I get this message in all my GCs

repadmin running command /SHOWOBJMETA against server 526daaa4-e98a-444c-8474-eca005b4651b._msdcs.sabesp.com.br

Caching GUIDs.

..Assertion Assertion 

17 entries.
Loc.USN  Originating DC                        Org.USN  Org.Time/Date        Ver  Attribute
=======  ====================================  =======  ===================  ===  =========
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectClass
153144   RGT-AFERNANDES\RGT-ETARGT1            153144   2006-04-17 17:44:36  1    cn
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sn
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    description
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    givenName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    instanceType
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    whenCreated
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    displayName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47426    2004-01-08 11:11:43  2    nTSecurityDescriptor
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    name
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47431    2004-01-08 11:11:43  3    userAccountControl
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    primaryGroupID
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectSid
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sAMAccountName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sAMAccountType
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    userPrincipalName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectCategory
Caching GUIDs.
..Assertion Assertion 
DsReplicaGetInfo() failed with status 50 (0x32):
  Não há suporte para o pedido. 
 (what's the meaning of this error message?)

and so on in all of them

With adsiedit I looked in many GCs and I cannot find the user in the OU shown with LDP. 
It must be somewhere, mustn't it? Because LDP is displaying it and I cannot use that name (jjnunior) because it is already in use.

I await your help.

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193





Almeida Pinto, Jorge de [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
05/05/2006 04:30

Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] which GC answers?








it is:
 
repadmin /showobjmeta GC: CN=User-ROOT-01,OU=Users,OU=ORG,DC=ADCORP,DC=LAN
 
the output will be something like:
 
repadmin running command /showobjmeta against server ed0c6501-28c1-47e9-b3db-5dcf281e9e31._msdcs.ADCORP.LAN

26 entries.
Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver  Attribute
=======  =================================  =======  ===================  ===  =========
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    objectClass
12417    Default-First-Site-Name\ROOTDC002  12417    2006-02-13 11:48:46  1    cn
12417    Default-First-Site-Name\ROOTDC001  14299    2006-02-13 11:41:54  1    description
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    givenName
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    instanceType
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    whenCreated
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    displayName
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    nTSecurityDescriptor
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    name
12417    Default-First-Site-Name\ROOTDC001  14282    2006-02-13 11:40:34  4    userAccountControl
12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    codePage
12417    Default-First-Site-Name\ROOTDC001  14278 

RE: [ActiveDir] LDAP Matched DN: (Null)

2006-05-05 Thread joe



You can try to do that by forcing the secure channel to go 
to another DC. You would use the SC_RESET command and specify the DC you want 
like I mentioned below. That may not work at all or it may not work long term 
though so try and see if it gets you running but really try to get your routing 
straightened up asap.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






RE: [ActiveDir] NT4Emulator Reg Key

2006-05-05 Thread Almeida Pinto, Jorge de
As the key says, the NT4Emulator key makes an AD DC behave like an NT4
DC. When trying to promote additional DCs or using w2k/wxp/w2k3 clients
to manage AD you are not able to connect. 
The main reason for the NT4Emulator key is to prevent ALL w2k/wxp/w2k3
clients and servers swamping down the PDC FSMO as that is the first AD
DC in the field. Another reason could be that you want to in-place upgrade
and see if everything goes OK without starting to use Kerberos already.
As soon as you are satisfied and you have enough AD DCs you can remove
the NT4Emulator keys from the AD DCs and ALL w2k/wxp/w2k3 clients and
servers will start using Kerberos instead of NTLM as soon as they find
the AD DCs.

OK, back to the connecting thing
To be able to connect and to add additional AD DCs you must introduce
the NeutralizeNT4Emulator key on the client that tries to connect or on
the DC you are promoting. For the DC you are promoting, make sure you
introduce the NT4Emulator key (if needed!) otherwise the w2k/wxp/w2k3
clients and servers will find that DC and use it!

Normal? No
Feature of R2? No
You? Who knows... ;-))

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, May 05, 2006 16:11
To: ActiveDir.org
Subject: [ActiveDir] NT4Emulator Reg Key

I am upgrading an NT4.0 domain to Windows 2003R2 and on the 
PDC I have added to the HKLM...Netlogon\parameters the key 
NT4Emulator with a value of 1 and then done the inplace 
upgrade. I now try to promote in another AD DC and it does 
not work I get DNS timeout errors (0x05B4 ERROR_TIMEOUT)

DNS is configured correctly and removing the key and 
rebooting the upgraded DC makes the issue go away and I can 
add new AD DC's.

Is this normal or is it a new feature of R2?

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Tyson Leslie



I've seen this in NT4, but not recently. In our case, 
the fix was to share out a parent folder, and delete the offending sub-folder 
from another machine via the share.

 Tyson.



RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Rocky Habeeb



Tough to do if it's at the root. I would try this, have the originating user log on to the 
originating machine that originally mapped the two drives and disconnect the 
target's mapped drive, if not already done, then reboot it. Have him 
log back on, map the target again using the same drive letter and same 
security credential and have him see if the folder in question shows 
up. If so, have him try whacking it.

RH
_



RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Thomas O'Brien



Is there a trailing space at the end of the folder name?

I got bit by this one and didn't really understand why at first because the trailing space was almost unnoticeable. To date I have not been able to remove the folder.

I found a number of tools that address deleting files with trailing spaces, but not a lot of help for folders.

If anyone solves this, I'd sure like to know how. Mostly, it's a tidiness issue for me.

Thomas
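
The trailing-space case raised in this message would produce the symptom reported in the thread: Win32 path normalization strips trailing spaces and periods from the last path component, so ordinary tools look up a name that is not on disk and report that the file cannot be found. The sketch below is an added example, not code from any poster; it models that stripping for a list of names and builds the `\\?\` form of the path, which skips normalization. The folder names, the server name and the function names are constructed for illustration.

```python
# Added illustration (not from the thread). All names and paths are constructed.

def win32_leaf(name):
    """Name the Win32 layer actually looks up for a final path component:
    trailing spaces and periods are stripped during path normalization."""
    return name.rstrip(" .")


def extended_path(full_path):
    r"""Rewrite a fully qualified path into the \\?\ form, which skips Win32
    normalization so the name reaches the file system exactly as stored."""
    if full_path.startswith("\\\\?\\"):
        return full_path                        # already in extended form
    if full_path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + full_path[2:]   # \\server\share\... form
    return "\\\\?\\" + full_path                # drive-letter form


def audit_listing(parent, raw_names):
    """Flag entries whose on-disk name cannot be reached through normal paths.

    parent    -- fully qualified directory, e.g. 'D:\\' or '\\\\srv\\share'
    raw_names -- names exactly as stored on disk (trailing blanks preserved)
    """
    on_disk = set(raw_names)
    findings = []
    for name in raw_names:
        if name in (".", ".."):
            continue                            # relative entries, not real names
        seen = win32_leaf(name)
        if seen == name:
            continue                            # reachable as-is
        full = parent.rstrip("\\") + "\\" + name
        findings.append({
            "on_disk": name,
            "win32_looks_up": seen,
            # If a sibling with the stripped name exists, ordinary tools act on
            # that sibling; otherwise they report that the file cannot be found.
            "hits_sibling": seen in on_disk,
            "remove_with": 'rd /s "%s"' % extended_path(full),
        })
    return findings


if __name__ == "__main__":
    # Constructed listing: one clean name, one trailing space, one trailing dot.
    for f in audit_listing("D:\\", ["Data", "Reports ", "Archive.", "Archive"]):
        print(repr(f["on_disk"]), "->", repr(f["win32_looks_up"]),
              "| sibling:", f["hits_sibling"], "|", f["remove_with"])
```

The raw names have to come from a source that preserves trailing blanks; a plain `dir` listing does not make them visible.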


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky 
HabeebSent: Friday, May 05, 2006 9:11 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
Robocopy(OT)

Tough to do if it's at the 
root. I would try this, have the originating user log on to the 
originating machine that originally mapped the two drives and disconnect the 
target's mapped drive, if not already done, then reboot it. Have him 
log back on, map the target againusing the same drive letter and same 
security credential andhave him see if the folder in question shows 
up. If so, have him try whacking it.

RH
_


  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of Tyson 
  LeslieSent: Friday, May 05, 2006 11:58 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 
  Robocopy(OT)
  I've seen this in NT4, but not recently. In our 
  case, the fix was to share out a parent folder, and delete the offending 
  sub-folder from another machine via the share.
  
   
  Tyson.
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom 
  KernSent: Friday, May 05, 2006 9:24 AMTo: 
  ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] 
  Robocopy(OT)
  
  Subinacl,Xacls(which I stated I used already, Brian),and Setowner all 
  give the same error-
  "The system cannot find the file specified".
  
  Chkdsk with a reboot didn't help at all.
  
  Thanks
  On 5/5/06, Brian 
  Desmond [EMAIL PROTECTED] 
  wrote: 
  


Cacls
Xcacls
Subinacl
Format q 
c:
rm 
rf /
a 
consultant
google set 
ownership tools perhaps too

Thanks,Brian 
Desmond
[EMAIL PROTECTED] 

c - 
312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
Tom KernSent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org Subject: Re: 
[ActiveDir] Robocopy(OT)





How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't "see" the 
folder..



Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote: 

Wonder if 
you have a dorked up ACL, what happens if you try to take ownership of 
it?

O'Reilly 
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of 
Tom Kern

Sent: Sunday, April 30, 2006 8:58 AM

To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] Robocopy(OT) 





Well, I've rebooted the server, ran a chkdsk, and still the dir will not 
disappear.

I've run Process Explorer and Filemon and nothing is accessing this 
dir.

Yet I can delete it and it's missing the security tab (it's on an ntfs 
vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?



Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:


Hi, 

 
I got something similar but with a PDF file. The solution was to reboot the 
server 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)


No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this 
folder.

I can't delete it or share it out and it's missing the security 
tab.

Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:
I have seen this if another PC has explorer open on that folder and you 
try and delete from another.

Mark
-Original Message-
From: "Steve Rochford" [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process 
of being deleted but hasn't quite gone. Sometimes, just waiting a while will 
clear the problem - I suspect that a process is holding open the folder (or, 
possibly, a file in the folder). More than once I've hit this and gone to 
use Sysinternals process explorer to find out which process is guilty. By 
the time I've run up the program and searched for the folder name 

Re: [ActiveDir] NT4Emulator Reg Key

2006-05-05 Thread Mark Parris
Thanks Jorge.

I have not done an inplace before, only migrations.


Mark
-Original Message-
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Date: Fri, 5 May 2006 17:52:35 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT4Emulator Reg Key

As the key says, the NT4Emulator key makes an AD DC behave like an NT4
DC. When trying to promote additional DCs or using w2k/wxp/w2k3 clients
to manage AD you are not able to connect. 
The main reason for the NT4Emulator key is to prevent ALL w2k/wxp/w2k3
clients and servers swamping down the PDC FSMO as that is the first AD
DC in the field. Another reason could be you want to in place upgrade
and see if everything goes OK without starting using kerberos already.
As soon as you are satisfied and you have enough AD DCs you can remove
the NT4Emulator keys from the AD DCs and ALL w2k/wxp/w2k3 clients and
servers will start using kerberos instead of NTLM as soon as they find
the AD DCs.

OK, back to the connecting thing
To be able to connect and to add additional AD DCs you must introduce
the NeutralizeNT4Emulator key on the client that tries to connect or on
the DC you are promoting. For the DC you are promoting, make sure you
introduce the NT4Emulator key (if needed!) otherwise the w2k/wxp/w2k3
clients and servers will find that DC and use it!

Normal? No
Feature of R2? No
You? Who knows... ;-))

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, May 05, 2006 16:11
To: ActiveDir.org
Subject: [ActiveDir] NT4Emulator Reg Key

I am upgrading an NT4.0 domain to Windows 2003R2 and on the 
PDC I have added to the HKLM...Netlogon\parameters the key 
NT4Emulator with a value of 1 and then done the inplace 
upgrade. I now try to promote in another AD DC and it does 
not work I get DNS timeout errors (0x05B4 ERROR_TIMEOUT)

DNS is configured correctly and removing the key and 
rebooting the upgraded DC makes the issue go away and I can 
add new AD DC's.

Is this normal or is it a new feature of R2?

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Optimize Exchange Pagefile

2006-05-05 Thread Douglas M. Long
If you get another drive a RAID 01 (or is it 10) would be a better choice in
my eyes

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

 

If you have 4gig of RAM then you should get minimal paging. (I know this is
a great generalization)

 

1) Log file access is sequential, database is random

2) Keeping Log files write queue down is key to performance

3) log files are write only

4) raid-5 tends to have poor write performance (again great
generalization).

 

So I would try and get another drive in the box so I could have a mirrored
pair for OS & LOGS, and a mirrored pair for Databases. Putting these on
separate drives will do far more for performance than changing the page
file. RAID-5 is a real bad performer on write. These days I would avoid as
far as possible...

 

I am sure other folks may disagree... 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 21:36 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

Yes, far less than 100, on this box it is under 20.

You do not think it is necessary to mess with the page file, even if only to
make it static?

 

 

Dan

 

 

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

 

There is no point in messing about with memory config if you only have a
three drive RAID 5 array. Disk config is critical. How many users do you
want to put on this box. less than 100?

 

 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that discusses
optimizing the page file on an Exchange box. I found
http://support.microsoft.com/kb/815372, but this article does not discuss
the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical
memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing
the Exchange binaries on the first logical drive (which will also contain
the system and boot partitions) and the Exchange databases, logs, queues,
etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set it to be static
and 1.5x physical RAM. I also create a pagefile on each disk and let Windows
choose the best one (which will be the second logical drive). I do not want
to disable the pagefile on C: because, from what I understand, this will
disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be
appropriate to set the pagefile on C: to something small like 256MB since
the OS will be using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other differences
between the memory/pagefile settings on a regular Exchange box running WS2k3
and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 

**

This email and any files transmitted with it are confidential and

intended solely for the use of the individual or entity to whom they

are addressed. As a public body, the Council may be required to disclose
this email, or any response to it, under the Freedom of Information Act
2000, unless the information in it is covered by one of the exemptions in
the Act. 

If you receive this email in error please notify Stockport e-Services via
[EMAIL PROTECTED] and then permanently remove it from your
system. 

Thank you.

http://www.stockport.gov.uk

**

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
 http://www.info-lution.com/ http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender,
disregard any content  and remove it from your possession.

 


RE: [ActiveDir] NT4Emulator Reg Key

2006-05-05 Thread Almeida Pinto, Jorge de
You're welcome! 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, May 05, 2006 18:58
To: ActiveDir.org
Subject: Re: [ActiveDir] NT4Emulator Reg Key

Thanks Jorge.

I have not done an inplace before, only migrations.


Mark
-Original Message-
From: Almeida Pinto, Jorge de 
[EMAIL PROTECTED]
Date: Fri, 5 May 2006 17:52:35
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT4Emulator Reg Key

As the key says, the NT4Emulator key makes an AD DC behave 
like an NT4 DC. When trying to promote additional DCs or 
using w2k/wxp/w2k3 clients to manage AD you are not able to connect. 
The main reason for the NT4Emulator key is to prevent ALL 
w2k/wxp/w2k3 clients and servers swamping down the PDC FSMO 
as that is the first AD DC in the field. Another reason 
could be you want to in place upgrade and see if everything 
goes OK without starting using kerberos already.
As soon as you are satisfied and you have enough AD DCs you 
can remove the NT4Emulator keys from the AD DCs and ALL 
w2k/wxp/w2k3 clients and servers will start using kerberos 
instead of NTLM as soon as they find the AD DCs.

OK, back to the connecting thing
To be able to connect and to add additional AD DCs you must 
introduce the NeutralizeNT4Emulator key on the client that 
tries to connect or on the DC you are promoting. For the DC 
you are promoting, make sure you introduce the NT4Emulator 
key (if needed!) otherwise the w2k/wxp/w2k3 clients and 
servers will find that DC and use it!

Normal? No
Feature of R2? No
You? Who knows... ;-))

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 
Mark Parris
Sent: Friday, May 05, 2006 16:11
To: ActiveDir.org
Subject: [ActiveDir] NT4Emulator Reg Key

I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I 
have added to the HKLM...Netlogon\parameters the key 
NT4Emulator with 
a value of 1 and then done the inplace upgrade. I now try 
to promote 
in another AD DC and it does not work I get DNS timeout errors 
(0x05B4 ERROR_TIMEOUT)

DNS is configured correctly and removing the key and 
rebooting the 
upgraded DC makes the issue go away and I can add new AD DC's.

Is this normal or is it a new feature of R2?

Mark
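
The interplay of NT4Emulator and NeutralizeNT4Emulator described in this message, modelled as a pre-promotion check. This is an added example, not code from the thread or from Microsoft: the host names, roles, function names and finding codes are assumptions, and the `reg query` value lines are constructed sample input.

```python
import re

# Finding codes, following the rules given in the message above.
MESSAGES = {
    "EMULATING": "answers w2k/wxp/w2k3 machines like an NT4 DC, so they keep using NTLM",
    "EXPOSED": "no NT4Emulator while other DCs emulate: clients will find and use this DC",
    "BLOCKED": "needs NeutralizeNT4Emulator=1 to connect to the emulating DCs",
    "SET_EMULATOR_FIRST": "introduce NT4Emulator (if needed) or clients use this DC once promoted",
}

# Constructed sample input. Host names and roles are hypothetical; each text is
# the value lines that `reg query` prints for a machine's Netlogon Parameters key.
SAMPLE_INVENTORY = {
    "PDC01": ("dc", "    NT4Emulator    REG_DWORD    0x1\n"),
    "DC04": ("dc", ""),
    "NEWDC02": ("promoting", "    DisablePasswordChange    REG_DWORD    0x0\n"),
    "NEWDC03": ("promoting",
                "    NT4Emulator    REG_DWORD    0x1\n"
                "    NeutralizeNT4Emulator    REG_DWORD    0x1\n"),
    "ADMIN-WS": ("admin_client", "    NeutralizeNT4Emulator    REG_DWORD    0x1\n"),
}

VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_values(text):
    """Return {lower-cased value name: int} for REG_DWORD lines; skip the rest."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if not match or match.group(2) != "REG_DWORD":
            continue
        try:
            values[match.group(1).lower()] = int(match.group(3), 16)
        except ValueError:
            continue  # malformed data field: treat the value as absent
    return values


def is_set(values, name):
    """The thread sets the key to 1; any other data is treated as not set."""
    return values.get(name.lower()) == 1


def emulating_dcs(inventory):
    """DCs that still present themselves as NT4 DCs."""
    return sorted(host for host, (role, text) in inventory.items()
                  if role == "dc" and is_set(parse_values(text), "NT4Emulator"))


def assess(inventory):
    """Return {host: [finding codes]} for every machine in the inventory."""
    emulating = emulating_dcs(inventory)
    findings = {}
    for host, (role, text) in inventory.items():
        values = parse_values(text)
        emu = is_set(values, "NT4Emulator")
        neutral = is_set(values, "NeutralizeNT4Emulator")
        codes = []
        if role == "dc":
            if emu:
                codes.append("EMULATING")
            elif emulating:
                codes.append("EXPOSED")
        elif emulating:  # other roles only matter while some DC emulates
            if not neutral:
                codes.append("BLOCKED")
            if role == "promoting" and not emu:
                codes.append("SET_EMULATOR_FIRST")
        findings[host] = codes
    return findings


if __name__ == "__main__":
    for host, codes in sorted(assess(SAMPLE_INVENTORY).items()):
        for code in codes or ["OK"]:
            print(f"{host:10} {code:20} {MESSAGES.get(code, '')}")
```

Once `emulating_dcs` returns an empty list, no inventoried DC is still presenting itself as NT4, which per the message above is the point at which clients start using Kerberos instead of NTLM.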



RE: [ActiveDir] GC Promotion

2006-05-05 Thread Lee, Wook
I wasn't claiming that it would pick the DC for regular replication. We
were talking GC promotion and I did throw in the weasel words about PAS
replication since my confidence level wasn't sky high. It's been so long
since we've done anything but IFM that I forget these little details. I
know that the PAS replication partner selection algorithm isn't very
smart but it does try to pick based on something other than just random
selection. It'll be interesting to see what Microsoft does about that.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 04, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and
only
one DC of a certain domain, all GCs would want to replicate with that
one DC
which I wouldn't expect.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try
to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does
not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it
will
start pulling the additional NCs from that GC.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
located on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a
DC in the relevant domain for the GC information?

Make sense?

Mark


[ActiveDir] Default Domain

2006-05-05 Thread Paul Glenn
First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have fared well so far.


Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write it for Active Directory.


One small problem we are having now (and we all think we're just missing something simple) is getting the domain to show up in the logon box the first time. We know after a student logs on the first time things will be OK. However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important.


One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way?


I thank you in advance for your help. I would expect I'll be around here a bunch during this move.

Paul Glenn
University of Kentucky
-- 
***
I've got a fever and the only prescription is more cowbell.
--Christopher Walken
***


[ActiveDir] Trust for delegation error

2006-05-05 Thread adriaoramos

Hi all,

I have a new problem:
When I try to enable this option: "Trust Computer for delegation" for a computer
account in DSA.msc I receive this error:

Your security setting do not allow you to Specify whether or not This account is to be
trusted for delegation

I have already applied an instruction to change local user rights, but it is still
showing that message.
The most strange is that we have 18 subdomains, and it works in all, but that.

That is happening to user, too, I can not enable TRUST FOR delegation
for a user account.
Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193

[ActiveDir] Visio Stencil for AD Forest

2006-05-05 Thread Stewart, Fitz
Anyone know where I can find a good stencil for this? I just want a cool triangle - 3D and all - and not a server or a domain, or an OU.



-fitz

J. Fitzgerald (Fitz) Stewart

Systems Architect

IRM/OPS/ENM

Worldwide Information Network Systems

USAID/DoS IT Infrastructure Collaboration Program

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

703-866-7473

703-626-5741 (cell)






RE: [ActiveDir] Default Domain

2006-05-05 Thread Walton, Randy








Haven't tried it, but check out this TID:

http://www.novell.com/support/search.do?cmd=displayKCdocType=kcexternalId=10023078sliceId=dialogID=2929119stateId=0%200%202927987

Note that the registry entry in Workaround #2 has left out one level of the
registry structure. It should be:

[HKLM\Software\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-0001B27DA23}\Default\Tab3]



Tab=NT Credentials

DefaultDomainName=MyDomain



Cheers,

Randy









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain







First off let me do a small introduction. I come from a Netware
background. My university's students have been using eDirectory for
several years without any problems. However, we have decided
(mostly because of the business model of Novell) to move all of our student
logins, storage, and lab computers to Active Directory. Needless to say,
this will not be a small undertaking for us. We have started testing to
make sure we have all of our procedures down and have fared well so far.

Our first big hurdle was ghosting the machines and having them
automatically join the AD in the correct container. Done. We've
also been testing out the GPOs to move what we do now with ZenWorks to
them. We will be providing our home storage solution via File System
Factory which we've been using for several years under Netware - They
have decided now is the time for them to write it for Active Directory.

One small problem we are having now (and we all think we're just
missing something simple) is getting the domain to show up in the logon box the
first time. We know after a student logs on the first time things will be
OK. However, after ghosting 900 machines, the last thing we want to do is
touch each one just to get this setting correct. We've ripped the
registry to pieces, looked everywhere we know to look, but nothing seems to set
it the first time. I realize this may not seem like a big deal to most
people out there, but if you've ever had to deal with a student population you
know why this is important.

One other thing for now. We have found a few custom templates we
would like to use (one modifying the logon screen to tell the students what the
Domain should be set as). I have added them to my test AD domain
controllers' INF folder. They work just fine. When I told one of
our administrators about this, he said, he didn't like that idea much (placing
this on the DC). In my testing, I wasn't able to get any of the custom
templates to work until I did put them there and in the INF folder. Is
there another way?

I thank you in advance for your help. I would expect I'll be
around here a bunch during this move.

Paul Glenn
University of Kentucky

-- 
***
I've got a fever and the only prescription is more
cowbell.--Christopher Walken 
***










--
Confidentiality Note:  This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law.  If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error,  please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy.  Thank you.

Visit us online at our award-winning http://www.clevelandclinic.org for a complete listing of Cleveland Clinic services, staff and locations from one of the country's leading hospitals.
==


Re: [ActiveDir] Optimize Exchange Pagefile

2006-05-05 Thread Al Mulnick

yeah, there would be some general disagreement from me.  Why? Only
because this is SBS box vs. an enterprise Exchange server hosting 5K
users.

My laptop (crud that it is) could host 20 heavy exchange users with
usable/good performance with that amount of memory.  I don't think the
focus of a machine that will only ever have 75 users should be
optimized for more than space in most situations.  It would be a waste
of money that could be spent on other things like better backups,
better coffee, etc.

I don't believe there's any value in buying a system such as SBS and
then having to make adjustments to things like pagefile size.  That's
counter to the product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the
biggest benefit, but it's SBS and as such it's special.  Just ask
SBS-Lady ;)

Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:

If you have 4gig of RAM then you should get minimal paging. (I know this is a 
great generalization)

1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great generalization).

So I would try and get another drive in the box so I could have a mirrored pair for 
OS & LOGS, and a mirrored pair for Databases. Putting these on separate 
drives will do far more for performance than changing the page file. RAID-5 is a 
real bad performer on write. These days I would avoid as far as possible...

I am sure other folks may disagree...

   -Original Message-
   From: [EMAIL PROTECTED] on behalf of Dan DeStefano
   Sent: Thu 04/05/2006 21:36
   To: ActiveDir@mail.activedir.org
   Cc:
   Subject: RE: [ActiveDir] Optimize Exchange Pagefile



   Yes, far less than 100, on this box it is under 20.

   You do not think it is necessary to mess with the page file, even if 
only to make it static?





   Dan








 _


   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
   Sent: Thursday, May 04, 2006 4:06 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Optimize Exchange Pagefile



   There is no point in messing about with memory config if you only have a 
three drive RAID 5 array. Disk config is critical. How many users do you want 
to put on this box. less than 100?





   -Original Message-
   From: [EMAIL PROTECTED] on behalf of Dan DeStefano
   Sent: Thu 04/05/2006 20:16
   To: ActiveDir@mail.activedir.org
   Cc:
   Subject: [ActiveDir] Optimize Exchange Pagefile

   I was wondering if anyone can point me to any MS document that 
discusses optimizing the page file on an Exchange box. I found 
http://support.microsoft.com/kb/815372, but this article does not discuss the 
page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 
3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange 
binaries on the first logical drive (which will also contain the system and 
boot partitions) and the Exchange databases, logs, queues, etc on the second 
logical drive.



   The way I normally set the pagefile on my systems is to set it 
to be static and 1.5x physical RAM. I also create a pagefile on each disk and 
let Windows choose the best one (which will be the second logical drive). I do 
not want to disable the pagefile on C: because, from what I understand, this 
will disable crash dumps, which I do not want. However, I set the crash dump to 
kernel only, not the entire pagefile. That being said, would it be appropriate 
to set the pagefile on C: to something small like 256MB since the OS will be 
using the one on the second drive anyway?



   Also, other than not using the /3GB switch, are there any other 
differences between the memory/pagefile settings on a regular Exchange box 
running WS2k3 and the SBS2k3 version?



   I would appreciate any guidance.





   Dan DeStefano

   Info-lution Corporation

   www.info-lution.com

   MCSE - 2073750




RE: [ActiveDir] Default Domain

2006-05-05 Thread joe



Welcome.

I am not sure if you can set a domain by default for the 
initial logon. If you could, I would expect it to be to some of the reg entries 
maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon 
portion of the registry. 

You could step around that by telling people to use UPNs 
for logon instead of SAM Names. That would mean you would use something 
like [EMAIL PROTECTED] instead of 
something\PGlenn. That is the direction the auth is going so if you are starting 
fresh now, might as well start that way. Then the domain dropdown is a moot 
point. It also means you can dork with the domain's almost to your heart's 
content and never have to worry about telling the users their new domain, it 
will just work because the UPN does not have to match the Domain 
structure.



I am curious about the direction to move as you state it as 
"the Novell business model", what specifically is pushing this change? With 
Novell embracing Open Source I would expect schools and the like to be more, not 
less, interested in it. Also I am curious why not a move to say BSD or Linux. If 
anywhere that stuff works well en masse it is in school environments because 
they are so closed and geographically small.






--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain

First off let me do a small introduction. I come from a Netware 
background. My university's students have been using eDirectory for 
several years without any problems. However, we have decided (mostly 
because of the business model of Novell) to move all of our student logins, 
storage, and lab computers to Active Directory. Needless to say, this will 
not be a small undertaking for us. We have started testing to make sure we 
have all of our procedures down and have fared well so far. 

Our first big hurdle was ghosting the machines and having them 
automatically join the AD in the correct container. Done. We've also 
been testing out the GPOs to move what we do now with ZenWorks to them. We 
will be providing our home storage solution via File System Factory which we've 
been using for several years under Netware - They have decided now is the 
time for them to write it for Active Directory. 

One small problem we are having now (and we all think we're just missing 
something simple) is getting the domain to show up in the logon box the first 
time. We know after a student logs on the first time things will be 
OK. However, after ghosting 900 machines, the last thing we want to do is 
touch each one just to get this setting correct. We've ripped the registry 
to pieces, looked everywhere we know to look, but nothing seems to set it the 
first time. I realize this may not seem like a big deal to most people out 
there, but if you've ever had to deal with a student population you know why 
this is important. 

One other thing for now. We have found a few custom templates we 
would like to use (one modifying the logon screen to tell the students what the 
Domain should be set as). I have added them to my test AD domain 
controllers' INF folder. They work just fine. When I told one of our 
administrators about this, he said, he didn't like that idea much (placing this 
on the DC). In my testing, I wasn't able to get any of the custom 
templates to work until I did put them there and in the INF folder. Is 
there another way? 

I thank you in advance for your help. I would expect I'll be around 
here a bunch during this move.

Paul Glenn
University of Kentucky
-- 
***
"I've got a fever and the only prescription is more cowbell."
--Christopher Walken 
***


Re: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Ross Stingley



Back in the days of DOS, you could 
delete a file that had invalid characters or spaces in the file name 
by first renaming the file substituting a "?" for the invalid characters or 
spaces to a valid file name, you could then delete the file.
HTH
 

  - Original Message - 
  From: Thomas O'Brien 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, May 05, 2006 9:57 AM
  Subject: RE: [ActiveDir] Robocopy(OT)
  
  Is there a trailing space at the end of the folder name?
  I got bit by this one and didn't really understand why at first 
  because the trailing space was almost unnoticeable. To date I have not been 
  able to remove the folder.
  I found a number of tools that address deleting files with trailing spaces, 
  but not a lot of help for folders.
  If anyone solves this, I'd sure like to know how. Mostly, it's 
  a tidiness issue for me.
  
  Thomas
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
  Sent: Friday, May 05, 2006 9:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Robocopy(OT)
  
  Tough to do if it's at the 
  root. I would try this, have the originating user log on to the 
  originating machine that originally mapped the two drives and disconnect the 
  target's mapped drive, if not already done, then reboot it. Have 
  him log back on, map the target again using the same drive letter and 
  same security credential and have him see if the folder in question shows 
  up. If so, have him try whacking it.
  
  RH
  _
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Friday, May 05, 2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

I've seen this in NT4, but not recently. In our 
case, the fix was to share out a parent folder, and delete the offending 
sub-folder from another machine via the share.

 
Tyson.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Subinacl, Xacls (which I stated I used already, Brian), and Setowner all 
give the same error -
"The system cannot find the file specified".

Chkdsk with a reboot didn't help at all.

Thanks
On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote: 

  Cacls
  Xcacls
  Subinacl
  Format –q c:
  rm –rf /
  a consultant
  google set ownership tools perhaps too
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED] 
  
  c - 312.731.3132
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Friday, May 05, 2006 9:14 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Robocopy(OT)
  
  
  
  
  
  How can I take ownership of it?
  
  It doesn't have a security tab and xcacls doesn't "see" the 
  folder..
  
  
  
  Thanks
  
  On 5/4/06, joe [EMAIL PROTECTED] wrote: 
  
  Wonder if you have a dorked up ACL, what happens if you try to take
  ownership of it?
  
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  

  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Sunday, April 30, 2006 8:58 AM
  To: ActiveDir@mail.activedir.org 
  Subject: Re: [ActiveDir] Robocopy(OT) 
  
  
  
  
  
  Well, I've rebooted the server, ran a chkdsk, and still the dir will not 
  disappear.
  
  I've run Process Explorer and Filemon and nothing is accessing this 
  dir.
  
  Yet I can delete it and it's missing the security tab (it's on an ntfs 
  vol).
  
  How the heck can I get rid of this dir?
  
  Has anyone had an issue like this?
  
  
  
  Thanks again
  
  4/6/06, Bruyere, Michel [EMAIL PROTECTED]  wrote: 
  
  
  Hi, 
  
   
  I got something similar but with a PDF file. The solution was to reboot 
  the server… 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Thursday, April 06, 2006 9:18 AM
  To: ActiveDir@mail.activedir.org 
  Subject: Re: [ActiveDir] Robocopy(OT) 
  
  
  No one has this folder open.
  
  I've run Process Explorer and Filemon and nothing is accessing this 
  folder.
  
  I can't delete it or share it out and it's missing the security 
  tab.
  
  anything else I should look for?
  
  Thanks
  
  On 4/5/06, Mark Parris  
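
The trailing-space theory raised in this thread fits documented Win32 behaviour: ordinary path handling drops trailing spaces and periods from the end of a path, so tools look up a different name and report "The system cannot find the file specified", while the `\\?\` prefix skips that normalization. The sketch below is an added example, not code from any poster; the function names and the sample tree are constructed for illustration. It finds such entries under a root and builds the `\\?\` form that reaches them.

```python
import os
import tempfile

# The \\?\ prefix tells Win32 to pass the path through without normalization.
EXTENDED_PREFIX = "\\\\?\\"


def win32_lookup_name(name):
    # Ordinary Win32 path handling drops trailing spaces and periods from the
    # end of a path, so a folder stored as "reports " is looked up as "reports".
    if name in (".", ".."):
        return name
    return name.rstrip(" .")


def extended_path(win_path):
    # Convert an absolute drive-letter or UNC path to its \\?\ form.
    if win_path.startswith(EXTENDED_PREFIX):
        return win_path
    if win_path.startswith("\\\\"):
        return EXTENDED_PREFIX + "UNC\\" + win_path[2:]
    if len(win_path) >= 3 and win_path[1:3] == ":\\":
        return EXTENDED_PREFIX + win_path
    raise ValueError("need an absolute drive-letter or UNC path: %r" % win_path)


def native_path(path):
    # On Windows use the \\?\ form so odd names survive; elsewhere unchanged.
    return extended_path(path) if os.name == "nt" else path


def find_unreachable(root):
    # Return sorted (path, kind) pairs for entries whose on-disk name differs
    # from the name ordinary Win32 path handling would look up.
    hits = []
    for dirpath, dirnames, filenames in os.walk(native_path(root)):
        for kind, names in (("dir", dirnames), ("file", filenames)):
            for name in names:
                if win32_lookup_name(name) != name:
                    hits.append((os.path.join(dirpath, name), kind))
    return sorted(hits)


def remove_unreachable_dir(win_path):
    # Windows only: delete an empty folder by its exact on-disk name.
    os.rmdir(extended_path(win_path))


def build_sample_tree():
    # Constructed sample: a normal folder, a folder with a trailing space
    # (holding a normal file) and a file with a trailing period.
    root = native_path(tempfile.mkdtemp(prefix="trailing-"))
    os.mkdir(os.path.join(root, "ok"))
    os.mkdir(os.path.join(root, "reports "))
    with open(os.path.join(root, "reports ", "a.txt"), "w") as fh:
        fh.write("sample\n")
    with open(os.path.join(root, "notes.txt."), "w") as fh:
        fh.write("sample\n")
    return root


if __name__ == "__main__":
    for path, kind in find_unreachable(build_sample_tree()):
        print(kind, repr(path))
```

The scan itself runs on any platform; `remove_unreachable_dir` is meaningful only on Windows and needs the folder to be empty first.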

RE: [ActiveDir] GC Promotion

2006-05-05 Thread joe
Ah sorry, you mean the initial population, I dropped that piece... That
would make sense if it did that because you wouldn't have to worry about
promoing a new GC and getting lingering objects passed onto it... I am still
not sure it does it that way though as I swear I have talked to folks with
new GCs with long dead lingering objects getting replicated in. :) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I wasn't claiming that it would pick the DC for regular replication. We were
talking GC promotion and I did throw in the weasel words about PAS
replication since my confidence level wasn't sky high. It's been so long
since we've done anything but IFM that I forget these little details. I know
that the PAS replication partner selection algorithm isn't very smart but it
does try to pick based on something other than just random selection. It'll
be interesting to see what Microsoft does about that.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 04, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and only
one DC of a certain domain, all GCs would want to replicate with that one DC
which I wouldn't expect.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it will
start pulling the additional NCs from that GC.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a DC
in the relevant domain for the GC information?

Make sense?

Mark
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Default Domain

2006-05-05 Thread Paul Glenn
Randy,

Not quite sure that will work since I won't have a Novell hive after this semester

Paul

On 5/5/06, Walton, Randy [EMAIL PROTECTED] wrote:



Haven't tried it, but check out this TID:


http://www.novell.com/support/search.do?cmd=displayKCdocType=kcexternalId=10023078sliceId=dialogID=2929119stateId=0%200%202927987

Note that the registry entry in Workaround #2 has left out one level of the registry structure. It should be:


[HKLM\Software\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-0001B27DA23}\Default\Tab3]


"Tab"="NT Credentials"
"DefaultDomainName"="MyDomain"

Cheers,
Randy




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain



First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have fared well so far. 




Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write it for Active Directory. 




One small problem we are having now (and we all think we're just missing something simple) is getting the domain to show up in the logon box the first time. We know after a student logs on the first time things will be OK. However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important. 




One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way? 




I thank you in advance for your help. I would expect I'll be around here a bunch during this move.



Paul Glenn



University of Kentucky
--
*** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***



RE: [ActiveDir] [OT] Optimize Exchange Pagefile

2006-05-05 Thread joe
Yeah I might as well pop in a similar feeling that the disk is not optimal
for Exchange. Certainly I wouldn't worry about which logical drive the page
file was on, it is all the same physicals underneath so it doesn't much
matter from a perf standpoint.
 
With Exchange you want as many spindles as you can get your hands on.
Otherwise your IOPS eat you alive and your RPC starts going down the toilet
and clients get popups. 
 
Oh I also added the [OT] to the subject to fit the rules.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, May 05, 2006 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile



If you get another drive a RAID 01 (or is it 10) would be a better choice in
my eyes

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

 

If you have 4gig of RAM then you should get minimal paging. (I know this is
a great generalization)

 

1) Log file access is sequential, database is random

2) Keeping Log files write queue down is key to performance

3) log files are write only

4) raid-5 tends to have poor write performance (again great
generalization).

 

So I would try and get another drive in the box so I could have a mirrored
pair for OS & LOGS, and a mirrored pair for Databases. Putting these on
separate drives will do far more for performance than changing the page
file. RAID-5 is a real bad performer on write. These days I would avoid as
far as possible...

 

I am sure other folks may disagree... 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 21:36 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

Yes, far less than 100, on this box it is under 20.

You do not think it is necessary to mess with the page file, even if only to
make it static?

 

 

Dan

 

 

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

 

There is no point in messing about with memory config if you only have a
three drive RAID 5 array. Disk config is critical. How many users do you
want to put on this box. less than 100?

 

 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Dan DeStefano 
Sent: Thu 04/05/2006 20:16 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that discusses
optimizing the page file on an Exchange box. I found
http://support.microsoft.com/kb/815372, but this article does not discuss
the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical
memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing
the Exchange binaries on the first logical drive (which will also contain
the system and boot partitions) and the Exchange databases, logs, queues,
etc on the second logical drive.

 

The way I normally set the pagefile on my systems is to set it to be static
and 1.5x physical RAM. I also create a pagefile on each disk and let Windows
choose the best one (which will be the second logical drive). I do not want
to disable the pagefile on C: because, from what I understand, this will
disable crash dumps, which I do not want. However, I set the crash dump to
kernel only, not the entire pagefile. That being said, would it be
appropriate to set the pagefile on C: to something small like 256MB since
the OS will be using the one on the second drive anyway?

 

Also, other than not using the /3GB switch, are there any other differences
between the memory/pagefile settings on a regular Exchange box running WS2k3
and the SBS2k3 version?

 

I would appreciate any guidance.

 

 

Dan DeStefano

Info-lution Corporation

www.info-lution.com

MCSE - 2073750

 


Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
 http://www.info-lution.com/ http://www.info-lution.com
Office: 727 546-9143
FAX: 727 

RE: [ActiveDir] GC Promotion

2006-05-05 Thread Lee, Wook
The lingering object problems we've seen have always involved partitions
that didn't have a writeable copy in site. In general, we've had more
problems with ghosts than with zombies.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 05, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Ah sorry, you mean the initial population, I dropped that piece... That
would make sense if it did that because you wouldn't have to worry about
promoing a new GC and getting lingering objects passed onto it... I am still
not sure it does it that way though as I swear I have talked to folks with
new GCs with long dead lingering objects getting replicated in. :) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I wasn't claiming that it would pick the DC for regular replication. We were
talking GC promotion and I did throw in the weasel words about PAS
replication since my confidence level wasn't sky high. It's been so long
since we've done anything but IFM that I forget these little details. I know
that the PAS replication partner selection algorithm isn't very smart but it
does try to pick based on something other than just random selection. It'll
be interesting to see what Microsoft does about that.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 04, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and only
one DC of a certain domain, all GCs would want to replicate with that one DC
which I wouldn't expect.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it will
start pulling the additional NCs from that GC.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a DC
in the relevant domain for the GC information?

Make sense?

Mark


Re: [ActiveDir] Optimize Exchange Pagefile

2006-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Word of advice -- put SBS in the subject line and you'll get SBSlady 
from the get go :-)


By design SBS is maxed at 75 users/devices.

As you have already stated... do not do a /3GB (let me repeat that 
again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't 
impact a thing.


Remember with SP2 we now have 75 gigs to play with so plan accordingly 
(and no snickers from the terabyte people)


SBS is pretty tuned as it is.. set your page files to be 1.5 and I have 
mine spread on two drives.  What is more important is the layout of 
those partitions..and boy... did a recent blog post bring out a lot of 
comments  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx


Set the crash dump to minidump or even full dump... when that sucker 
blows (and it's not that often and kinda fun when it does as you can use 
the debugger tool) you want that dumpfile to be there and juicy.


Exchange 'by design' will suck down the memory and release when needed.  
Honestly Exchange ..while being a hog.. isn't the annoyance on my 
boxes.. it's MSDE that is the troublesome child.


After applications of SP1 (if it is not integrated that is) you need to 
rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.


Now then.. about that MSDE.

The SBS health monitor function is set to warn you with an allocated 
memory alert when the use is above 2 gigs..when you have a 4 gig 
box..that 2 gig limit is a bit stupid.  So step one is to monitor your 
box.. see where it hovers at.   I bumped mine up a bit.


Next... the problem children.  ISA running on MSDE 'by design' will be 
like Exchange and suck up all RAM and release when needed... sorry ISA 
.. you don't need to do that (and before Joe has the inevitable heart 
attack of a firewall on my DC.. it's in all honesty my 'second' firewall 
as I have a hardware one in front..but I like the monitoring and with 
Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts 
of the firewall hits that 'do' hit my domain controller are way 
cool... I know, I know... it's the GUI..just shake your head and walk away).


SBSMonitoring 'can' and 'has' on my box and others in the community 
gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring 
there's a command (yes Joe, I did command line) to stomp on those msde 
instances and make them behave


http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

This is the ISA
http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

This is SBS monitoring
http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

So for memory optimization... forget about Exchange.. it behaves.. but 
be prepared to stomp on those MSDE's


...and we're using a lot of RAID 5's down here (and even SATA drives)

Al Mulnick wrote:


yeah, there would be some general disagreement from me.  Why? Only
because this is SBS box vs. an enterprise Exchange server hosting 5K
users.

My laptop (crud that it is) could host 20 heavy exchange users with
usable/good performance with that amount of memory.  I don't think the
focus of a machine that will only ever have 75 users should be
optimized for more than space in most situations.  It would be a waste
of money that could be spent on other things like better backups,
better coffee, etc.

I don't believe there's any value in buying a system such as SBS and
then having to make adjustments to things like pagefile size.  That's
counter to the product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the
biggest benefit, but it's SBS and as such it's special.  Just ask
SBS-Lady ;)

Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:

If you have 4gig of RAM then you should get minimal paging. (I know 
this is a great generalization)


1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great 
generalization).


So I would try and get another drive in the box so I could have a 
mirrored pair for OS & LOGS, and a mirrored pair for Databases. 
Putting these on separate drives will do far more for performance 
than changing the page file. RAID-5 is a real bad performer on write. 
These days I would avoid as far as possible...


I am sure other folks may disagree...

   -Original Message-
   From: [EMAIL PROTECTED] on behalf of Dan 
DeStefano

   Sent: Thu 04/05/2006 21:36
   To: ActiveDir@mail.activedir.org
   Cc:
   Subject: RE: [ActiveDir] Optimize Exchange Pagefile



   Yes, far less than 100, on this box it is under 20.

   You do not think it is necessary to mess with the page file, 
even if only to make it static?






   Dan








 _


   From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade

   Sent: Thursday, May 04, 2006 4:06 PM
   To: ActiveDir@mail.activedir.org
   Subject: 

RE: [ActiveDir] GC Promotion

2006-05-05 Thread Almeida Pinto, Jorge de
To my knowledge a GC searches for a replication partner it can use to source 
the partitions from and it does not care if it uses the writable versions or 
read-only version. Both have the data needed. On the other side, if it did use 
only writable NCs, that would mean replication could take place over all kinds of 
WAN links while a partner GC with all the data was standing next to it.
 
Or have I missed something?
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2006-05-05 20:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion



Ah sorry, you mean the initial population, I dropped that piece... That
would make sense if it did that because you wouldn't have to worry about
promoing a new GC and getting lingering objects passed onto it... I am still
not sure it does it that way though as I swear I have talked to folks with
new GCs with long dead lingering objects getting replicated in. :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I wasn't claiming that it would pick the DC for regular replication. We were
talking GC promotion and I did throw in the weasel words about PAS
replication since my confidence level wasn't sky high. It's been so long
since we've done anything but IFM that I forget these little details. I know
that the PAS replication partner selection algorithm isn't very smart but it
does try to pick based on something other than just random selection. It'll
be interesting to see what Microsoft does about that.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 04, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and only
one DC of a certain domain, all GCs would want to replicate with that one DC
which I wouldn't expect. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it will
start pulling the additional NCs from that GC.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a DC
in the relevant domain for the GC information?

Make sense?

Mark

Re: [ActiveDir] Default Domain

2006-05-05 Thread Paul Glenn

On 5/5/06, joe [EMAIL PROTECTED] wrote:


Welcome.

I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry. 

That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing.




You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.


We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager.






I am curious about the direction to move as you state it as the Novell business model, what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small.



Going open source is great for many things. However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved). Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD.



Paul


Re: [ActiveDir] Default Domain

2006-05-05 Thread Al Mulnick

Of course, it makes supporting non-windows clients a different challenge :)

Paul, what method are you using to join the workstation to the domain?
It sounds like the domains are being enumerated at initial logon as
if it has no list when it joins. Could be something in the process or
something else, but figured I'd ask.

al

On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote:




On 5/5/06, joe [EMAIL PROTECTED] wrote:


 Welcome.

 I am not sure if you can set a domain by default for the initial logon. If
you could, I would expect it to be to some of the reg entries maintained in
the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of
the registry.

That is exactly the key we have found what little information we have.  No
matter what you set for defaultdomainname or altdefaultdomainname it's the
same thing.




 You could step around that by telling people to use UPNs for logon instead
of SAM Names. That would mean you would use something like
[EMAIL PROTECTED] instead of something\PGlenn. That is the direction
the auth is going so if you are starting fresh now, might as well start that
way. Then the domain dropdown is a moot point. It also means you can dork
with the domain's almost to your heart's content and never have to worry
about telling the users their new domain, it will just work because the UPN
does not have to match the Domain structure.

We would like, if possible, to stay away from this because of the way we
have the students logging on now.  Currently they don't have to use any
context for their Netware logins.  A far cry from the days they had to put
in .pglenn.uxx.student.usr.uky  The direction our university is leaning is
to do everything via LDAP lookups.  We are doing this because we have 2
major AD domains and one major eDirectory.  Account information is handled by
Novell's Identity Manager.






 I am curious about the direction to move as you state it as the Novell
business model, what specifically is pushing this change? With Novell
embracing Open Source I would expect schools and the like to be more, not
less, interested in it. Also I am curious why not a move to say BSD or
Linux. If anywhere that stuff works well en masse it is in school
environments because they are so closed and geographically small.



Going open source is great for many things.  However, after many years of
struggling with different vendors and their lack of support for anything
that is not Windows, open source wasn't that appealing.  Our vendors include
made discipline specific software who don't want to support anything else and
hardware vendors that support other things when they get around to it - an
example of the latter being the horrible tech support from Tivoli after
losing about 2 terabytes of data (took them 6 months to get it resolved).
Using Netware OES or eDirectory on SUsE were other options I had.  After
weighing several things - most importantly my learning curve for such a move
to either one given the time table - I chose AD.  This will allow us to put
out images without a non-native client.  This also pleases my VP, who really
wants me to move toward AD.


Paul


RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Thomas O'Brien



Thanks for the reply. I've tried exactly this approach. 
Works great for files. Not so well for folders. Executing

move source-folder destination-folder 

yields "The system cannot find the file 
specified".

Thomas


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Stingley
Sent: Friday, May 05, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Back in the days of DOS, you could delete a file that had invalid characters
or spaces in the file name by first renaming the file substituting a "?" for
the invalid characters or spaces to a valid file name, you could then delete
the file.
HTH
 

  - Original Message -
  From: Thomas O'Brien
  To: ActiveDir@mail.activedir.org
  Sent: Friday, May 05, 2006 9:57 AM
  Subject: RE: [ActiveDir] Robocopy(OT)

  Is there a trailing space at the end of the folder name?

  I got bit by this one and didn't really understand why at first
  because the trailing space was almost unnoticeable. To date I have not been
  able to remove the folder.

  I found a number of tools that address deleting files with trailing
  spaces, but not a lot of help for folders.

  If anyone solves this, I'd sure like to know how. Mostly, it's
  a tidiness issue for me.

  Thomas

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
  Sent: Friday, May 05, 2006 9:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Robocopy(OT)

  Tough to do if it's at the root. I would try this, have the originating
  user log on to the originating machine that originally mapped the two
  drives and disconnect the target's mapped drive, if not already done, then
  reboot it. Have him log back on, map the target again using the same drive
  letter and same security credential and have him see if the folder in
  question shows up. If so, have him try whacking it.
  
  RH
  _
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Friday, May 05, 2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

I've seen this in NT4, but not recently. In our case, the fix was to share
out a parent folder, and delete the offending sub-folder from another
machine via the share.

 
Tyson.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Subinacl, Xacls (which I stated I used already, Brian), and Setowner all
give the same error-
"The system cannot find the file specified".

Chkdsk with a reboot didn't help at all.

Thanks
On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote:

  Cacls
  Xcacls
  Subinacl
  Format q c:
  rm rf /
  a consultant
  google set ownership tools perhaps too

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Friday, May 05, 2006 9:14 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Robocopy(OT)
  
  
  
  
  
  How can I take ownership of it?
  
  It doesn't have a security tab and xcacls doesn't "see" the 
  folder..
  
  
  
  Thanks
  
  On 5/4/06, joe [EMAIL PROTECTED] wrote:

  Wonder if you have a dorked up ACL, what happens if you try to take
  ownership of it?

  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  

  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Sunday, April 30, 2006 8:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Robocopy(OT)

  Well, I've rebooted the server, ran a chkdsk, and still the dir will not
  disappear.

  I've run Process Explorer and Filemon and nothing is accessing this dir.

  Yet I can delete it and it's missing the security tab (it's on an ntfs
  vol).

  How the heck can I get rid of this dir?
  
  Has anyone had an issue like this?
  
  
  
  Thanks again
  
  4/6/06, Bruyere, Michel [EMAIL PROTECTED]  wrote: 
  
  
  Hi, 
  
   
  I got something similar but with a PDF file. The solution was to reboot 
  the server 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Thursday, April 06, 2006 9:18 AM
  To:

Re: [ActiveDir] Default Domain

2006-05-05 Thread Paul Glenn
Al,

We are accomplishing this by Ghost. We push out a configuration that tells it the domain and OU to join. The rights are associated with the Ghost Console user that gets installed. After the workstations join and reboot it's getting all the AD domains on campus via the DNS server (I'm assuming). There are actually 3 domains and the local workstation that show up in the drop down menu.


BTW, if you all ever need a Ghost question answered, we have one of the best guys in the world for those!

Paul
On 5/5/06, Al Mulnick [EMAIL PROTECTED] wrote:

Of course, it makes supporting non-windows clients a different challenge :)

Paul, what method are you using to join the workstation to the domain?
It sounds like the domains are being enumerated at initial logon as
if it has no list when it joins. Could be something in the process or
something else, but figured I'd ask.

al

On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote:

On 5/5/06, joe [EMAIL PROTECTED] wrote:

Welcome.

I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry.

That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing.

You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.

We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager.

I am curious about the direction to move as you state it as the Novell business model, what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small.

Going open source is great for many things. However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved). Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD.

Paul

--
***I've got a fever and the only prescription is more cowbell. --Christopher Walken***


[ActiveDir] OT: KVM switches

2006-05-05 Thread Ken Cornetet
Does anyone have any suggestions for cheap KVM switches? We are
currently using Belkin 16 port switches. They are cheap enough, but we
seem to experience issues with them.

I don't need anything fancy. No KVM over IP, no KVM over cat 5, etc.


RE: [ActiveDir] GC Promotion

2006-05-05 Thread Lee, Wook

Hi, Jorge,



We're talking in the context of an
AD replication site. If it were picking writeable anywhere, then yeah, that
would not be good for network utilization unless you're a provider and
charge by the bit. The point is that in a site, the writeable copy of a
partition is potentially higher fidelity than any of the read-only copies. The
KCC must take the write-ability of a partition into account when it's
working out the topology since it at least has to make sure the writeable
copies all replicate amongst themselves.



Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, May 05, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

To my knowledge a GC
searches for a replication partner it can use to source the partitions from and
it does not care if it uses the writable versions or read-only version.
Both have the data needed. On the other side, if it did use only writable NCs,
that would mean replication could take place over all kinds of WAN links while a
partner GC with all the data was standing next to it.

Or have I missed something?

jorge

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 2006-05-05 20:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Ah sorry,
you mean the initial population, I dropped that piece... That
would make sense if it did that because you wouldn't have to worry about
promoing a new GC and getting lingering objects passed onto it... I am still
not sure it does it that way though as I swear I have talked to folks with
new GCs with long dead lingering objects getting replicated in. :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Lee, Wook
Sent: Friday, May 05, 2006 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I wasn't claiming that it would pick the DC for regular replication. We were
talking GC promotion and I did throw in the weasel words about PAS
replication since my confidence level wasn't sky high. It's been so long
since we've done anything but IFM that I forget these little details. I know
that the PAS
replication partner selection algorithm isn't very smart but it
does try to pick based on something other than just random selection. It'll
be interesting to see what Microsoft does about that.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Thursday, May 04, 2006 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and only
one DC of a certain domain, all GCs would want to replicate with that one DC
which I wouldn't expect.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Lee, Wook
Sent: Friday, April 28, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to
use that, but maybe that's just for PAS replication.

Wook

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of joe
Sent: Friday, April 28, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not
have to go back to a DC that maintains a writeable replica. If the DC is
already replicating with a DC that is also a GC, it is likely that it will
start pulling the additional NCs from that GC.

 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Mark Parris
Sent: Friday, April 28, 2006 12:28 PM
To: ActiveDir.org
Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say
on 3 continents. Is the GC that already exists in each domain
authoritative in the elevation of the DC to a GC or does each DC contact a DC
in the relevant domain for the GC information?

Make sense?

Mark

[ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Douglas M. Long
Anyone else receiving blank emails? The reply from Al (below Susan's email) and 
a couple of others I have got over the past couple of days have had empty 
bodies.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, May 05, 2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

Word  of advice --  put SBS in the subject line and you'll get SBSlady 
from the get go  :-)

By design SBS is maxed at 75 users/devices.

As you have already stated... do not do a /3GB  (let me repeat that 
again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't 
impact a thing.

Remember with SP2 we now have 75 gigs to play with so plan accordingly 
(and no snickers from the terabyte people)

SBS is pretty tuned as it is.. set your page files to be 1.5 and I have 
mine spread on two drives.  What is more important is the layout of 
those partitions..and boy... did a recent blog post bring out a lot of 
comments  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

Set the crash dump to minidump or even full dump... when that sucker 
blows (and it's not that often and kinda fun when it does as you can use 
the debugger tool) you want that dumpfile to be there and juicy.

Exchange 'by design' will suck down the memory and release when needed.  
Honestly Exchange ..while being a hog.. isn't the annoyance on my 
boxes.. it's MSDE that is the troublesome child.

After applications of SP1 (if it is not integrated that is) you need to 
rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

Now then.. about that MSDE.

The SBS health monitor function is set to warn you with an allocated 
memory alert when the use is above 2 gigs..when you have a 4 gig 
box..that 2 gig limit is a bit stupid.  So step one is to monitor your 
box.. see where it hovers at.   I bumped mine up a bit.

Next... the problem children.  ISA running on MSDE 'by design' will be 
like Exchange and suck up all RAM and release when needed... sorry ISA 
.. you don't need to do that (and before Joe has the inevitable heart 
attack of a firewall on my DC.. it's in all honesty my 'second' firewall 
as I have a hardware one in front..but I like the monitoring and with 
Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts 
of the firewall hits that 'do' hit my domain controller are way 
cool... I know, I know... it's the GUI..just shake your head and walk away).

SBSMonitoring 'can' and 'has' on my box and others in the community 
gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring 
there's a command (yes Joe, I did command line) to stomp on those msde 
instances and make them behave

http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

This is the ISA
http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

This is SBS monitoring
http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

So for memory optimization... forget about Exchange.. it behaves.. but 
be prepared to stomp on those MSDE's

...and we're using a lot of RAID 5's down here (and even SATA drives)

Al Mulnick wrote:

 yeah, there would be some general disagreement from me.  Why? Only
 because this is SBS box vs. an enterprise Exchange server hosting 5K
 users.

 My laptop (crud that it is) could host 20 heavy exchange users with
 usable/good performance with that amount of memory.  I don't think the
 focus of a machine that will only ever have 75 users should be
 optimized for more than space in most situations.  It would be a waste
 of money that could be spent on other things like better backups,
 better coffee, etc.

 I don't believe there's any value in buying a system such as SBS and
 then having to make adjustments to things like pagefile size.  That's
 counter to the product's reason for being.

 Saying that, Dave is correct that optimizing the disk layout has the
 biggest benefit, but it's SBS and as such it's special.  Just ask
 SBS-Lady ;)

 Al

 On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:

 If you have 4gig of RAM then you should get minimal paging. (I know 
 this is a great generalization)

 1) Log file access is sequential, database is random
 2) Keeping Log files write queue down is key to performance
 3) log files are write only
 4) raid-5 tends to have poor write performance (again great 
 generalization).

 So I would try and get another drive in the box so I could have a 
 mirrored pair for OS & LOGS, and a mirrored pair for Databases. 
 Putting these on separate drives will do far more for performance 
 than changing the page file. RAID-5 is a real bad performer on write. 
 These days I would avoid as far as possible...

 I am sure other folks may disagree...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Dan 
 DeStefano
Sent: Thu 04/05/2006 21:36
To: ActiveDir@mail.activedir.org

Re: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Kevin Gent

I'm seeing lots of blanks over the past week


- Original Message - 
From: Douglas M. Long [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, May 05, 2006 4:05 PM
Subject: [ActiveDir] OT: Blank messages to lists???


Anyone else receiving blank emails? The reply from Al (below Susan's email) 
and a couple of others I have got over the past couple of days have had 
empty bodies.





-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA 
aka Ebitz - SBS Rocks [MVP]

Sent: Friday, May 05, 2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

Word  of advice --  put SBS in the subject line and you'll get SBSlady
from the get go  :-)

By design SBS is maxed at 75 users/devices.

As you have already stated... do not do a /3GB  (let me repeat that
again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't
impact a thing.

Remember with SP2 we now have 75 gigs to play with so plan accordingly
(and no snickers from the terabyte people)

SBS is pretty tuned as it is.. set your page files to be 1.5 and I have
mine spread on two drives.  What is more important is the layout of
those partitions..and boy... did a recent blog post bring out a lot of
comments  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

Set the crash dump to minidump or even full dump... when that sucker
blows (and it's not that often and kinda fun when it does as you can use
the debugger tool) you want that dumpfile to be there and juicy.

Exchange 'by design' will suck down the memory and release when needed.
Honestly Exchange ..while being a hog.. isn't the annoyance on my
boxes.. it's MSDE that is the troublesome child.

After applications of SP1 (if it is not integrated that is) you need to
rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

Now then.. about that MSDE.

The SBS health monitor function is set to warn you with an allocated
memory alert when the use is above 2 gigs..when you have a 4 gig
box..that 2 gig limit is a bit stupid.  So step one is to monitor your
box.. see where it hovers at.   I bumped mine up a bit.

Next... the problem children.  ISA running on MSDE 'by design' will be
like Exchange and suck up all RAM and release when needed... sorry ISA
.. you don't need to do that (and before Joe has the inevitable heart
attack of a firewall on my DC.. it's in all honesty my 'second' firewall
as I have a hardware one in front..but I like the monitoring and with
Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts
of the firewall hits that 'do' hit my domain controller are way
cool... I know, I know... it's the GUI..just shake your head and walk away).

SBSMonitoring 'can' and 'has' on my box and others in the community
gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring
there's a command (yes Joe, I did command line) to stomp on those msde
instances and make them behave

http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

This is the ISA
http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

This is SBS monitoring
http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

So for memory optimization... forget about Exchange.. it behaves.. but
be prepared to stomp on those MSDE's

...and we're using a lot of RAID 5's down here (and even SATA drives)

Al Mulnick wrote:


yeah, there would be some general disagreement from me.  Why? Only
because this is SBS box vs. an enterprise Exchange server hosting 5K
users.

My laptop (crud that it is) could host 20 heavy exchange users with
usable/good performance with that amount of memory.  I don't think the
focus of a machine that will only ever have 75 users should be
optimized for more than space in most situations.  It would be a waste
of money that could be spent on other things like better backups,
better coffee, etc.

I don't believe there's any value in buying a system such as SBS and
then having to make adjustments to things like pagefile size.  That's
counter to the product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the
biggest benefit, but it's SBS and as such it's special.  Just ask
SBS-Lady ;)

Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:


If you have 4gig of RAM then you should get minimal paging. (I know
this is a great generalization)

1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great
generalization).

So I would try and get another drive in the box so I could have a
mirrored pair for OS & LOGS, and a mirrored pair for Databases.
Putting these on separate drives will do far more for performance
than changing the page file. RAID-5 is a real bad performer on write.
These days I would avoid as far as possible...

I am sure other folks may 

Re: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Okay dumb questions to folks..

E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on 
Microsoft Update:

http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx

Are the folks that are sending blank emails .. have you deployed 911829?

Kevin Gent wrote:


I'm seeing lots of blanks over the past week


- Original Message -
From: Douglas M. Long [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, May 05, 2006 4:05 PM
Subject: [ActiveDir] OT: Blank messages to lists???


Anyone else receiving blank emails? The reply from Al (below Susan's 
email) and a couple of others I have got over the past couple of days 
have had empty bodies.





-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Sent: Friday, May 05, 2006 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Optimize Exchange Pagefile

Word  of advice --  put SBS in the subject line and you'll get SBSlady
from the get go  :-)

By design SBS is maxed at 75 users/devices.

As you have already stated... do not do a /3GB  (let me repeat that
again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't
impact a thing.

Remember with SP2 we now have 75 gigs to play with so plan accordingly
(and no snickers from the terabyte people)

SBS is pretty tuned as it is.. set your page files to be 1.5 and I have
mine spread on two drives.  What is more important is the layout of
those partitions..and boy... did a recent blog post bring out a lot of
comments  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

Set the crash dump to minidump or even full dump... when that sucker
blows (and it's not that often and kinda fun when it does as you can use
the debugger tool) you want that dumpfile to be there and juicy.

Exchange 'by design' will suck down the memory and release when needed.
Honestly Exchange ..while being a hog.. isn't the annoyance on my
boxes.. it's MSDE that is the troublesome child.

After applications of SP1 (if it is not integrated that is) you need to
rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

Now then.. about that MSDE.

The SBS health monitor function is set to warn you with an allocated
memory alert when the use is above 2 gigs..when you have a 4 gig
box..that 2 gig limit is a bit stupid.  So step one is to monitor your
box.. see where it hovers at.   I bumped mine up a bit.

Next... the problem children.  ISA running on MSDE 'by design' will be
like Exchange and suck up all RAM and release when needed... sorry ISA
.. you don't need to do that (and before Joe has the inevitable heart
attack of a firewall on my DC.. it's in all honesty my 'second' firewall
as I have a hardware one in front..but I like the monitoring and with
Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts
of the firewall hits that 'do' hit my domain controller are way
cool... I know, I know... it's the GUI..just shake your head and walk
away).


SBSMonitoring 'can' and 'has' on my box and others in the community
gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring
there's a command (yes Joe, I did command line) to stomp on those msde
instances and make them behave

http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

This is the ISA
http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

This is SBS monitoring
http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

So for memory optimization... forget about Exchange.. it behaves.. but
be prepared to stomp on those MSDE's

...and we're using a lot of RAID 5's down here (and even SATA drives)

Al Mulnick wrote:


yeah, there would be some general disagreement from me.  Why? Only
because this is SBS box vs. an enterprise Exchange server hosting 5K
users.

My laptop (crud that it is) could host 20 heavy exchange users with
usable/good performance with that amount of memory.  I don't think the
focus of a machine that will only ever have 75 users should be
optimized for more than space in most situations.  It would be a waste
of money that could be spent on other things like better backups,
better coffee, etc.

I don't believe there's any value in buying a system such as SBS and
then having to make adjustments to things like pagefile size.  That's
counter to the product's reason for being.

Saying that, Dave is correct that optimizing the disk layout has the
biggest benefit, but it's SBS and as such it's special.  Just ask
SBS-Lady ;)

Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:


If you have 4gig of RAM then you should get minimal paging. (I know
this is a great generalization)

1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great
generalization).

So I would try and get another drive in the box so I could have a
mirrored 

RE: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread joe
Nope, don't have that one installed. 

The blanks I have been seeing are limited to this list of all of the lists I am 
on.  


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, May 05, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Blank messages to lists???

Okay dumb questions to folks..

E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on Microsoft 
Update:
http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx

Are the folks that are sending blank emails .. have you deployed 911829?

Kevin Gent wrote:

 I'm seeing lots of blanks over the past week


 - Original Message - From: Douglas M. Long 
 [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Friday, May 05, 2006 4:05 PM
 Subject: [ActiveDir] OT: Blank messages to lists???


 Anyone else receiving blank emails? The reply from Al (below Susan's
 email) and a couple of others I have got over the past couple of days 
 have had empty bodies.




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Friday, May 05, 2006 2:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Optimize Exchange Pagefile

 Word  of advice --  put SBS in the subject line and you'll get 
 SBSlady from the get go  :-)

 By design SBS is maxed at 75 users/devices.

 As you have already stated... do not do a /3GB  (let me repeat that
 again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't 
 impact a thing.

 Remember with SP2 we now have 75 gigs to play with so plan accordingly 
 (and no snickers from the terabyte people)

 SBS is pretty tuned as it is.. set your page files to be 1.5 and I 
 have mine spread on two drives.  What is more important is the layout 
 of those partitions..and boy... did a recent blog post bring out a lot 
 of comments  
 http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

 Set the crash dump to minidump or even full dump... when that sucker 
 blows (and it's not that often and kinda fun when it does as you can 
 use the debugger tool) you want that dumpfile to be there and juicy.

 Exchange 'by design' will suck down the memory and release when needed.
 Honestly Exchange ..while being a hog.. isn't the annoyance on my 
 boxes.. it's MSDE that is the troublesome child.

 After applications of SP1 (if it is not integrated that is) you need 
 to rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

 Now then.. about that MSDE.

 The SBS health monitor function is set to warn you with an allocated 
 memory alert when the use is above 2 gigs..when you have a 4 gig 
 box..that 2 gig limit is a bit stupid.  So step one is to monitor your
 box.. see where it hovers at.   I bumped mine up a bit.

 Next... the problem children.  ISA running on MSDE 'by design' will be 
 like Exchange and suck up all RAM and release when needed... sorry ISA 
 .. you don't need to do that (and before Joe has the inevitable heart 
 attack of a firewall on my DC.. it's in all honesty my 'second' 
 firewall as I have a hardware one in front..but I like the monitoring 
 and with Dana Epp's Scorpion Software Firewall dashboard tool, the GUI 
 pie charts of the firewall hits that 'do' hit my domain controller are 
 way cool... I know, I know... it's the GUI..just shake your head and
 walk away).

 SBSMonitoring 'can' and 'has' on my box and others in the community 
 gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring 
 there's a command (yes Joe, I did command line) to stomp on those msde 
 instances and make them behave

 http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

 This is the ISA
 http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

 This is SBS monitoring
 http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

 So for memory optimization... forget about Exchange.. it behaves.. but 
 be prepared to stomp on those MSDE's

 ...and we're using a lot of RAID 5's down here (and even SATA drives)

 Al Mulnick wrote:

 yeah, there would be some general disagreement from me.  Why? Only 
 because this is SBS box vs. an enterprise Exchange server hosting 5K 
 users.

 My laptop (crud that it is) could host 20 heavy exchange users with 
 usable/good performance with that amount of memory.  I don't think 
 the focus of a machine that will only ever have 75 users should be 
 optimized for more than space in most situations.  It would be a 
 waste of money that could be spent on other things like better 
 backups, better coffee, etc.

 I don't believe there's any value in buying a system such as SBS and 
 then having to make adjustments to things like pagefile size.  That's 
 counter to the product's reason for being.

 Saying that, Dave is 

RE: [ActiveDir] OT: KVM switches

2006-05-05 Thread Derek Harris
I had issues with Belkin KVMs too, and I found an even cheaper KVM that
works great.  I have 4, 8, and 16-port StarTech KVMs: the 4-port ones use
proprietary cables, but the 8 and 16-port models use standard cables -
probably the same as your Belkin (Omniview?).  http://startech.com

Derek

Not affiliated in any way, just happy with a couple of their products. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, May 05, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: KVM switches

Does anyone have any suggestions for cheap KVM switches? We are
currently using Belkin 16 port switches. They are cheap enough, but we
seem to experience issues with them.

I don't need anything fancy. No KVM over IP, no KVM over cat 5, etc.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: KVM switches

2006-05-05 Thread Al Garrett
BlackBox... rock-solid reliable.

http://www.blackbox.com/Catalog/Category.aspx?cid=537




-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 05, 2006 12:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: KVM switches

Does anyone have any suggestions for cheap KVM switches? We are
currently using Belkin 16 port switches. They are cheap enough, but we
seem to experience issues with them.

I don't need anything fancy. No KVM over IP, no KVM over cat 5, etc.


RE: [ActiveDir] Trust for delegation error

2006-05-05 Thread Bernard, Aric
It sounds like you are configuring this setting on many directory objects: For 
what purpose?

What functional level is the domain having these problems, and is it different from 
the other domains?

Aric


Sent from my Windows Mobile 5 device.

-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 5/5/06 10:59 AM
Subject: [ActiveDir] Trust for delegation error 

Hi all,

I have a new problem:
When I try to enable this option: "Trust Computer for delegation"
for a computer account in DSA.msc I receive this error:
"Your security settings do not allow you to specify whether or not this
account is to be trusted for delegation"

I have already applied an instruction to change local user rights,
but it is still showing that message.
The most strange is that we have 18 subdomains, and it works in
all, but that.

That is happening to user, too, I can not enable "TRUST FOR
delegation" for a user account.
Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193


Re: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Al Mulnick

I'm using GMail.  Fixes would all be client side and since I see the
content in the mail I send, I doubt it's client side. Else it's highly
consistent client-side issues.  Tony might be the person to contact
about some of this, but I think there're also some server side issues
possibly at GMAIL, possibly at the receiving end.

Al

On 5/5/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

Okay dumb questions to folks..

E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on
Microsoft Update:
http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx

Are the folks that are sending blank emails .. have you deployed 911829?

Kevin Gent wrote:

 I'm seeing lots of blanks over the past week


 - Original Message - From: Douglas M. Long
 [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Friday, May 05, 2006 4:05 PM
 Subject: [ActiveDir] OT: Blank messages to lists???


 Anyone else receiving blank emails? The reply from Al (below Susan's
 email) and a couple of others I have got over the past couple of days
 have had empty bodies.




 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Friday, May 05, 2006 2:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Optimize Exchange Pagefile

 Word  of advice --  put SBS in the subject line and you'll get SBSlady
 from the get go  :-)

 By design SBS is maxed at 75 users/devices.

 As you have already stated... do not do a /3GB  (let me repeat that
 again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't
 impact a thing.

 Remember with SP2 we now have 75 gigs to play with so plan accordingly
 (and no snickers from the terabyte people)

 SBS is pretty tuned as it is.. set your page files to be 1.5 and I have
 mine spread on two drives.  What is more important is the layout of
 those partitions..and boy... did a recent blog post bring out a lot of
 comments  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

 Set the crash dump to minidump or even full dump... when that sucker
 blows (and it's not that often and kinda fun when it does as you can use
 the debugger tool) you want that dumpfile to be there and juicy.

 Exchange 'by design' will suck down the memory and release when needed.
 Honestly Exchange ..while being a hog.. isn't the annoyance on my
 boxes.. it's MSDE that is the troublesome child.

 After applications of SP1 (if it is not integrated that is) you need to
 rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

 Now then.. about that MSDE.

 The SBS health monitor function is set to warn you with an allocated
 memory alert when the use is above 2 gigs..when you have a 4 gig
 box..that 2 gig limit is a bit stupid.  So step one is to monitor your
 box.. see where it hovers at.   I bumped mine up a bit.

 Next... the problem children.  ISA running on MSDE 'by design' will be
 like Exchange and suck up all RAM and release when needed... sorry ISA
 .. you don't need to do that (and before Joe has the inevitable heart
 attack of a firewall on my DC.. it's in all honesty my 'second' firewall
 as I have a hardware one in front..but I like the monitoring and with
 Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts
 of the firewall hits that 'do' hit my domain controller are way
 cool... I know, I know... it's the GUI..just shake your head and walk
 away).

 SBSMonitoring 'can' and 'has' on my box and others in the community
 gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring
 there's a command (yes Joe, I did command line) to stomp on those msde
 instances and make them behave

 http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1

 This is the ISA
 http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx

 This is SBS monitoring
 http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

 So for memory optimization... forget about Exchange.. it behaves.. but
 be prepared to stomp on those MSDE's

 ...and we're using a lot of RAID 5's down here (and even SATA drives)

 Al Mulnick wrote:

 yeah, there would be some general disagreement from me.  Why? Only
 because this is SBS box vs. an enterprise Exchange server hosting 5K
 users.

 My laptop (crud that it is) could host 20 heavy exchange users with
 usable/good performance with that amount of memory.  I don't think the
 focus of a machine that will only ever have 75 users should be
 optimized for more than space in most situations.  It would be a waste
 of money that could be spent on other things like better backups,
 better coffee, etc.

 I don't believe there's any value in buying a system such as SBS and
 then having to make adjustments to things like pagefile size.  That's
 counter to the product's reason for being.

 Saying that, Dave is correct that optimizing the disk layout has the
 biggest benefit, but it's SBS and as such it's 

RE: [ActiveDir] OT: Blank messages to lists???

2006-05-05 Thread Ken Schaefer
I've seen this happen occasionally on other lists, but I don't know if it's
the same underlying cause.

The original post is encoded in some way, and then the addition of the list
footer means that the post isn't properly encoded anymore. Some email clients
then display this as a blank post. If you are able to get to the message
source in your client, you will see the message contents.

HTH

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 6 May 2006 6:57 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] OT: Blank messages to lists???
: 
: Nope, don't have that one installed.
: 
: The blanks I have been seeing are limited to this list of all of the lists
: I am on.
: 
: 
: --
: O'Reilly Active Directory Third Edition -
: http://www.joeware.net/win/ad3e.htm
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
: Rocks [MVP]
: Sent: Friday, May 05, 2006 4:41 PM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] OT: Blank messages to lists???
: 
: Okay dumb questions to folks..
: 
: E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on
: Microsoft Update:
: http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx
: 
: Are the folks that are sending blank emails .. have you deployed 911829?
: 
: Kevin Gent wrote:
: 
:  I'm seeing lots of blanks over the past week
: 
: 
:  - Original Message - From: Douglas M. Long
:  [EMAIL PROTECTED]
:  To: ActiveDir@mail.activedir.org
:  Sent: Friday, May 05, 2006 4:05 PM
:  Subject: [ActiveDir] OT: Blank messages to lists???
: 
: 
:  Anyone else receiving blank emails? The reply from Al (below Susan's
:  email) and a couple of others I have got over the past couple of days
:  have had empty bodies.
: 
: 
: 
: 
:  -Original Message-
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of Susan
:  Bradley, CPA aka Ebitz - SBS Rocks [MVP]
:  Sent: Friday, May 05, 2006 2:53 PM
:  To: ActiveDir@mail.activedir.org
:  Subject: Re: [ActiveDir] Optimize Exchange Pagefile
: 
:  Word  of advice --  put SBS in the subject line and you'll get
:  SBSlady from the get go  :-)
: 
:  By design SBS is maxed at 75 users/devices.
: 
:  As you have already stated... do not do a /3GB  (let me repeat that
:  again) DO NOT do a /3GB on a SBS box.  It's not necessary and doesn't
:  impact a thing.
: 
:  Remember with SP2 we now have 75 gigs to play with so plan accordingly
:  (and no snickers from the terabyte people)
: 
:  SBS is pretty tuned as it is.. set your page files to be 1.5 and I
:  have mine spread on two drives.  What is more important is the layout
:  of those partitions..and boy... did a recent blog post bring out a lot
:  of comments
:  http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx
: 
:  Set the crash dump to minidump or even full dump... when that sucker
:  blows (and it's not that often and kinda fun when it does as you can
:  use the debugger tool) you want that dumpfile to be there and juicy.
: 
:  Exchange 'by design' will suck down the memory and release when needed.
:  Honestly Exchange ..while being a hog.. isn't the annoyance on my
:  boxes.. it's MSDE that is the troublesome child.
: 
:  After applications of SP1 (if it is not integrated that is) you need
:  to rerun the SBS monitoring wizard to get rid of a bogus STORE memory
: alert.
: 
:  Now then.. about that MSDE.
: 
:  The SBS health monitor function is set to warn you with an allocated
:  memory alert when the use is above 2 gigs..when you have a 4 gig
:  box..that 2 gig limit is a bit stupid.  So step one is to monitor your
:  box.. see where it hovers at.   I bumped mine up a bit.
: 
:  Next... the problem children.  ISA running on MSDE 'by design' will be
:  like Exchange and suck up all RAM and release when needed... sorry ISA
:  .. you don't need to do that (and before Joe has the inevitable heart
:  attack of a firewall on my DC.. it's in all honesty my 'second'
:  firewall as I have a hardware one in front..but I like the monitoring
:  and with Dana Epp's Scorpion Software Firewall dashboard tool, the GUI
:  pie charts of the firewall hits that 'do' hit my domain controller are
:  way cool... I know, I know... it's the GUI..just shake your head and
:  walk away).
: 
:  SBSMonitoring 'can' and 'has' on my box and others in the community
:  gotten too 'hot' on my box as well.  So for both ISA and SBSmonitoring
:  there's a command (yes Joe, I did command line) to stomp on those msde
:  instances and make them behave
: 
:  http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1
: 
:  This is the ISA
:  http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx
: 
:  This is SBS monitoring
:  http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx
: 
:  So for memory optimization... forget about Exchange.. it behaves.. but
:  be 
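
The failure Ken describes above (an encoded body with a plain-text list footer glued on) reproduced as an added example; it is not code from the thread or from the list software. The sample post is constructed, `append_footer_naively` is a hypothetical stand-in for the list server, and the "strict client" that renders nothing on malformed base64 is an assumption about client behaviour.

```python
import base64
import binascii
import email
import re
from email.mime.text import MIMEText

# Constructed sample post; the footer wording mirrors this list's footer.
BODY = "Nope, don't have that one installed."
FOOTER = (
    "List info   : http://www.activedir.org/List.aspx\n"
    "List FAQ    : http://www.activedir.org/ListFAQ.aspx\n"
)
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_post(text):
    """Sender side: a UTF-8 text part, which Python's email package base64-encodes."""
    msg = MIMEText(text, "plain", "utf-8")
    msg["Subject"] = "RE: [ActiveDir] OT: Blank messages to lists???"
    return msg.as_string()


def append_footer_naively(raw):
    """Hypothetical list software: glue the plain-text footer onto the encoded body."""
    return raw.rstrip("\n") + "\n" + FOOTER


def append_footer_correctly(raw):
    """Decode the body, add the footer to the text, then re-encode the whole part."""
    old = email.message_from_string(raw)
    text = old.get_payload(decode=True).decode("utf-8")
    new = MIMEText(text + "\n" + FOOTER, "plain", "utf-8")
    new["Subject"] = old["Subject"]
    return new.as_string()


def strict_client_view(raw):
    """Assumed client behaviour: a body that is not valid base64 renders as blank."""
    msg = email.message_from_string(raw)
    if msg.get("Content-Transfer-Encoding", "").lower() != "base64":
        return msg.get_payload()
    payload = "".join(msg.get_payload().split())
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def recover_from_source(raw):
    """Reading the message source: decode the lines that are still valid base64
    and stop at the first line that the appended footer introduced."""
    msg = email.message_from_string(raw)
    good = []
    for line in msg.get_payload().splitlines():
        line = line.strip()
        if not line:
            continue
        if not B64_LINE.match(line):
            break
        good.append(line)
    return base64.b64decode("".join(good)).decode("utf-8", errors="replace")


if __name__ == "__main__":
    original = build_post(BODY)
    broken = append_footer_naively(original)
    print("original :", repr(strict_client_view(original)))
    print("broken   :", repr(strict_client_view(broken)))
    print("recovered:", repr(recover_from_source(broken)))
    print("fixed    :", repr(strict_client_view(append_footer_correctly(original))))
```
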

RE: [ActiveDir] Trust for delegation error

2006-05-05 Thread joe



Try to set the userAccountControl value manually with 
either LDP or admod (with -exterr) and report back the full LDAP error with 
DSID. 

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 05, 2006 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust for delegation error

Hi all,

I have a new problem:
When I try to enable this option: "Trust Computer for delegation"
for a computer account in DSA.msc I receive this error:

"Your security settings do not allow you to specify whether or not this
account is to be trusted for delegation"

I have already applied an instruction to change local user rights,
but it is still showing that message.
The most strange is that we have 18 subdomains, and it works in
all, but that.

That is happening to user, too, I can not enable "TRUST FOR delegation"
for a user account.
Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193


RE: [ActiveDir] Default Domain

2006-05-05 Thread joe



I agree with Al that the process to get the trusted domains 
list could possibly be wiping out the value you are tucking 
in.


If you are trying to get away from "contexts", I think one 
of the best things you could do is go to UPN logon then, then they don't have to 
remember their domain for the most part, you could do something like [EMAIL PROTECTED] or [EMAIL PROTECTED] even.


Hmm your words of kindness towards IBM and their Tivoli 
product is not the first I have heard for that. ;o) The rest of the info 
is quite interesting to me, thanks for sharing. 

 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain

On 5/5/06, joe [EMAIL PROTECTED] wrote: 

  
  Welcome.
  
  I am not 
  sure if you can set a domain by default for the initial logon. If you could, I 
  would expect it to be to some of the reg entries maintained in the 
  HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the 
  registry. 
That is exactly the key we have found what little information we 
have. No matter what you set for defaultdomainname or altdefaultdomainname 
it's the same thing.


  
  
  You could 
  step around that by telling people to use UPNs for logon instead of SAM Names. 
  That would mean you would use something like 
  [EMAIL PROTECTED] instead of something\PGlenn. That is the 
  direction the auth is going so if you are starting fresh now, might as well 
  start that way. Then the domain dropdown is a moot point. It also means you 
  can dork with the domain's almost to your heart's content and never have 
  to worry about telling the users their new domain, it will just work because 
  the UPN does not have to match the Domain structure. 


We would like, if possible, to stay away from this because of the way we 
have the students logging on now. Currently they don't have to use any 
context for their Netware logins. A far cry from the days they had to put 
in .pglenn.uxx.student.usr.uky
The direction our university is leaning is 
to do everything via LDAP lookups. We are doing this because we have 2 
major AD domains and one major eDirectory. Account information is handled 
by Novell's Identity Manager. 

  
  
  
  
  I am 
  curious about the direction to move as you state it as "the Novell business 
  model", what specifically is pushing this change? With Novell embracing Open 
  Source I would expect schools and the like to be more, not less, interested in 
  it. Also I am curious why not a move to say BSD or Linux. If anywhere that 
  stuff works well en masse it is in school environments because they are so 
  closed and geographically small. 
  
  
Going open source is great for many things. However, after many years 
of struggling with different vendors and their lack of support for anything that 
is not Windows, open source wasn't that appealing. Our vendors include 
made discipline specific software who don't want to support anything else and 
hardware vendors that support other things when they get around to it - an 
example of the latter being the horrible tech support from Tivoli after losing 
about 2 terabytes of data (took them 6 months to get it resolved). Using 
Netware OES or eDirectory on SUsE were other options I had. After weighing 
several things - most importantly my learning curve for such a move to either 
one given the time table - I chose AD. This will allow us to put out 
images without a non-native client. This also pleases my VP, who really 
wants me to move toward AD. 


Paul


RE: [ActiveDir] Default Domain

2006-05-05 Thread joe



Oh BTW, are you changing the SIDs on the workstations after 
you finish the ghost process?


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain

Al,

We are accomplishing this by Ghost. We push out a configuration that 
tells it the domain and OU to join. The rights are associated with the 
Ghost Console user that gets installed. After the workstations join and 
reboot it's getting all the AD domains on campus via the DNS server (I'm 
assuming). there are actually 3 domains and the local workstation that 
show up in the drop down menu. 

BTW, if you all ever need a Ghost question answered, we have one of the 
best guys in the world for those!

Paul
On 5/5/06, Al Mulnick [EMAIL PROTECTED] wrote:

Of course, it makes supporting non-windows clients a different challenge :)

Paul, what method are you using to join the workstation to the domain? It
sounds like the domains are being enumerated at initial logon as if it has no
list when it joins. Could be something in the process or something else, but
figured I'd ask.

al

On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote:

On 5/5/06, joe [EMAIL PROTECTED] wrote:

Welcome.

I am not sure if you can set a domain by default for the initial logon. If you
could, I would expect it to be to some of the reg entries maintained in the
HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the
registry.

That is exactly the key we have found what little information we have. No
matter what you set for defaultdomainname or altdefaultdomainname it's the
same thing.

You could step around that by telling people to use UPNs for logon instead of
SAM Names. That would mean you would use something like [EMAIL PROTECTED]
instead of something\PGlenn. That is the direction the auth is going so if you
are starting fresh now, might as well start that way. Then the domain dropdown
is a moot point. It also means you can dork with the domain's almost to your
heart's content and never have to worry about telling the users their new
domain, it will just work because the UPN does not have to match the Domain
structure.

We would like, if possible, to stay away from this because of the way we have
the students logging on now. Currently they don't have to use any context for
their Netware logins. A far cry from the days they had to put in
.pglenn.uxx.student.usr.uky
The direction our university is leaning is to do everything via LDAP lookups.
We are doing this because we have 2 major AD domains and one major eDirectory.
Account information is handled by Novell's Identity Manager.

I am curious about the direction to move as you state it as "the Novell
business model", what specifically is pushing this change? With Novell
embracing Open Source I would expect schools and the like to be more, not
less, interested in it. Also I am curious why not a move to say BSD or Linux.
If anywhere that stuff works well en masse it is in school environments
because they are so closed and geographically small.

Going open source is great for many things. However, after many years of
struggling with different vendors and their lack of support for anything that
is not Windows, open source wasn't that appealing. Our vendors include made
discipline specific software who don't want to support anything else and
hardware vendors that support other things when they get around to it - an
example of the latter being the horrible tech support from Tivoli after losing
about 2 terabytes of data (took them 6 months to get it resolved). Using
Netware OES or eDirectory on SUsE were other options I had. After weighing
several things - most importantly my learning curve for such a move to either
one given the time table - I chose AD. This will allow us to put out images
without a non-native client. This also pleases my VP, who really wants me to
move toward AD.

Paul

--
***
"I've got a fever and the only prescription is more cowbell."
--Christopher Walken
***


Re: [ActiveDir] Trust for delegation error

2006-05-05 Thread steve patrick

Can you expand on this statement?

I have already applied an instruction to change local user rights

This should be enabled by default in the Domain Controller policy -- Enable 
computer and user accounts to be trusted for delegation  +r Administrators.


Make sure that you have the user right SeEnableDelegationPrivilege
Also - check the acls on the computer and useraccountcontrol.

steve


- Original Message - 
From: Bernard, Aric [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, May 05, 2006 2:33 PM
Subject: RE: [ActiveDir] Trust for delegation error


It sounds like you are configuring this setting on many directory objects: 
For what purpose?


What functional level is the domain having these problems, and is it different 
from the other domains?


Aric


Sent from my Windows Mobile 5 device.

-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 5/5/06 10:59 AM
Subject: [ActiveDir] Trust for delegation error

Hi all,

   I have a new problem:
   When I try to enable this option: "Trust Computer for delegation"
for a computer account in DSA.msc I receive this error:
"Your security settings do not allow you to specify whether or not this
account is to be trusted for delegation"

   I have already applied an instruction to change local user rights,
but it is still showing that message.
   The most strange is that we have 18 subdomains, and it works in
all, but that.

   That is happening to user, too, I can not enable "TRUST FOR
delegation" for a user account.
   Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193
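
The two checks suggested in this thread (who holds the SeEnableDelegationPrivilege user right, and what userAccountControl value the checkbox writes) sketched in Python as an added example; it is not code from any poster. The policy excerpts are constructed, and the sketch assumes the right is read from the `[Privilege Rights]` section of the policy's security template and matches holders by SID only, without expanding nested group membership.

```python
import configparser

# userAccountControl bits (documented Active Directory values).
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000  # the bit behind the "trusted for delegation" checkbox
UAC_NAMES = {
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
}

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
RIGHT = "SeEnableDelegationPrivilege"

# Constructed security-template excerpts; neither comes from the thread.
POLICY_OK = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
"""
POLICY_MISSING = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""


def right_holders(template_text, right=RIGHT):
    """Return the set of SIDs (or names) a template grants the given user right."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of privilege names
    parser.read_string(template_text)
    raw = parser.get("Privilege Rights", right, fallback="")
    return {entry.strip().lstrip("*") for entry in raw.split(",") if entry.strip()}


def decode_uac(value):
    """Name the userAccountControl bits this example knows about."""
    return sorted(name for bit, name in UAC_NAMES.items() if value & bit)


def plan_delegation_change(template_text, caller_sids, current_uac):
    """Say whether the caller holds the right and what value would be written."""
    holders = right_holders(template_text)
    allowed = bool(holders & set(caller_sids))
    return {
        "allowed": allowed,
        "holders": sorted(holders),
        "new_uac": current_uac | TRUSTED_FOR_DELEGATION if allowed else current_uac,
    }


if __name__ == "__main__":
    for label, policy in (("ok", POLICY_OK), ("missing", POLICY_MISSING)):
        plan = plan_delegation_change(policy, [ADMINISTRATORS], WORKSTATION_TRUST_ACCOUNT)
        print(label, plan, decode_uac(plan["new_uac"]))
```
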